INLS187 Dr. G. Newby 
Assignment one: Book Review 
Feb. 05, 2003 
Bibliographic Data 

Crume, Jeff
“Inside Internet Security --- What hackers don’t want you to know”
Addison-Wesley, Great Britain, 2000.
ISBN: 0-201-67516-1
270 p. 


About the Author:

Jeff Crume is a Certified Information Systems Security Professional (CISSP) with 18 years’ experience as a programmer, software designer and IT security specialist working for IBM and its Tivoli Systems subsidiary. During this time he has been involved in the development and technical support of systems and network management products such as NetView. His work in this area resulted in a US patent on loop detection. In addition, he has consulted with companies around the world as they develop secure e-commerce payment systems and designed networking infrastructures intended for e-business. He is a frequent speaker at international conferences and has published articles on cryptography and virtual private networking.
 

Review:

With the explosive growth of e-commerce and the opening up of corporate networks to external customers, security is now the number one issue for networking professionals. A number of books talk about the issues of Internet and information security. I read the book Inside Internet Security --- What hackers don’t want you to know, by Jeff Crume.

The book provides a practical guide for anyone designing or administering an organization's or e-business network that runs across a number of platforms via the Internet. It tries to arm system administrators with a thorough understanding of the problems of network security and their solutions, and also tries to help them realize the tremendous potential of e-business. In today’s “E-world”, concerns about hackers, the possible damage they can do to a business, and the potential vulnerabilities of a system can be overwhelming and can create an unhealthy business environment. However, a great deal of this fear is based on a lack of information about exactly how hackers approach their task and the exact vulnerabilities they prey on. In this book, Jeff Crume dispels this fear by putting these threats into perspective and allowing realistic defence mechanisms to be created, to the extent that security becomes a business enabler rather than an inhibitor.

There are two main parts in the book: “Sizing up the situation – security concepts” and “The hacker’s edge – Internet security vulnerability”.

In the first part, the author discusses some basic definitions and the web architecture. First of all he introduces the nature of the Internet, its insecure beginnings, the definition of DNS, and routing system vulnerabilities. Then he notes that it is difficult to improve a system’s security after the fact, which is the root problem for Internet security; these insecure elements are what allow “hackers” to exist. Then a history of hackers is shown to us: beginning with “novice hackers”, there appeared “intermediate hackers”, then “elite hackers”. He points out that we can classify hackers not only by their skill, but by the underlying psychology that drives them. The hackers’ reasons and motivation for attacking are explained as: “most hackers attack just for the sheer fun of it. They saw themselves as electronic joy rider, having a great time on the information superhighway (page 27).” Then the author discusses the issues of analyzing risks and the role of policy, concluding that people, policy, and tools are the three essential elements of effective security.

The second part begins with a warning that “what you don’t know can hurt you” (page 67). The author lists the facts that hackers do not want us to know:

    • Firewalls are just the beginning of an effective defence system;
    • Not all the bad guys are “out there”;
    • Humans are the weakest link;
    • Passwords are not secure;
    • They can see you but you can’t see them;
    • Down level software is vulnerable;
    • Defaults are dangerous;
    • It takes a thief to catch a thief;
    • Attacks are getting easier;
    • Virus defences are inadequate;
    • Active content is more active than you think;
    • Yesterday’s strong crypto is today’s weak crypto;
    • The back door is open, which means a firewall is just a “front door” for the system;
    • There is no such thing as a harmless attack;
    • Information is your best defence;
    • The future of hacking is bright.


In conclusion, the author tells people that hackers are not going away soon. Their numbers seem to be growing. Emerging trends in the IT arena point to a brighter day when computers will do even more for us than they do now. These same changes may also usher in a host of new vulnerabilities for the next generation of hackers to exploit. However, we can marshal the forces of the IT staff, end-user community and outside consultants, who can help bring the odds back in favor of legitimate business. Knowing why, how and when hackers do what they do puts the power back in the hands of the good guys.
 

Critique:

Inside Internet Security describes the underlying principles that crop up again and again in hacker attacks, and then progresses to the lessons that can be learned and how to protect against recurrence. Alongside real-world examples of actual attacks, the author provides in-depth theoretical background information and security checklists for common scenarios. He also gives pointers to other detailed information resources and a glimpse into the future of IT security. From my point of view, the book provides helpful guidelines for IT professionals and other people who are interested in IT issues.

In addition, the author uses simple vocabulary and lots of straightforward examples to explain the professional terminology, which is friendly to beginners and amateurs. The tone throughout the whole book is light and relaxed, although the topic of hacking is a tough one. With this lively writing style, the author attracts more readers rather than scaring them away.

However, the book has some shortcomings. First, there is a contradiction in the section defining hackers: on page 20 the author says “hacker hack for fun, power, money, and for a cause”, but later he only emphasizes that they hack mostly for fun. It would be better to give some examples of the other three purposes. Another shortcoming is that the end of the book is not so satisfactory. The author only mentions that the future for hackers is bright, but he does not give many appropriate reasons to support this. I think readers must be very interested in how hackers will “progress” and how we can develop our systems in the future. So the book would be more beneficial if the author gave readers more ideas about the potential problems and solutions of the future.