Home and Small Office
Author: Thomas C Greene
Publisher: Apress (2004)
Price: ~US$32 from Amazon
This is a self-help IT security book aimed at those who work from a Small Office/Home Office (SOHO). Written by The Register’s Associate Editor, it should be no surprise that the book challenges accepted norms
such as Microsoft Windows, Office and Internet Explorer, recommending Linux and Open Source alternatives on security grounds. Regardless of the merits of the argument, the book is a worthwhile security awareness
text for a general if somewhat IT-literate audience.
There are 7 chapters and 3 appendices:
Introducing the Dark Side: introduces threats from malicious attackers such as script kiddies, hackers and carders;
Vectors: introduces vulnerabilities and attack methods, suggesting controls such as disabling unnecessary services;
Social engineering: human factors are often neglected in other IT security books. The author gives
good coverage of this topic but it is unclear why this is considered sufficiently relevant to the SOHO situation to merit a full chapter. A rant about BSE (Bovine Spongiform Encephalopathy - “Mad Cow
disease”) is also rather out of place in a computer security book;
From newbie to power user: technical tools for more sophisticated IT security management are introduced and then advice is provided on how to get the most out of them. Examples are Netstat,
Ethereal, PGP and SSH;
Treasure hunt: this chapter is about finding and securely erasing various electronic traces of what you have been doing on your PC. The suggestions flit between cautious and paranoid;
The Open-Source escape hatch: the author’s overt preference for Linux and Open Source applications makes for an impassioned chapter, with some reference to security;
Trust nothing, fear nothing: after a labored discussion about the difference between privacy and
anonymity and a reprise of the BSE stuff, this chapter aims to dispel unwarranted fears by encouraging readers to check security on their PCs.
The appendices contain a glossary, ‘procedures, processes, and ports’ (basically another complete chapter) and a short list of online security resources, some 100 pages in total.
From the preface: “This is a handbook for ordinary people concerned about computer security and online privacy. It addresses everyday computer users and Netizens with little or no background in information
technology, concerned parents, business users, and corporate telecommuters. It speaks as well to corporate security managers struggling to articulate the necessary principles and procedures to nontechnical
staff in understandable language ... It’s a book written specifically for users that, I hope, can also make the professional’s job a bit easier by promoting security awareness ...”.
I do not agree that the book is suitable for a nontechnical audience. It’s not a detailed technical security manual but most of the issues covered are technical in nature, and the descriptions, while clearly worded,
assume a level of technical competence beyond most ordinary computer users I know.
Depth and breadth
The book is quite thorough, offering more depth and security content than the superficial coverage typical of many books aimed at ordinary PC users. It tackles head-on the installation and use of encrypted email
packages such as PGP and GPG, for example.
Advice in chapter 4 on using task manager to check for malware processes ignores the fact that malware authors usually hide their processes from the list. This perhaps hints at a limit on the author’s technical
knowledge but he is strong in other areas so perhaps this was just an oversight. He does however admit to being a “computer security specialist” not a “computer security expert”.
Style and readability
According to the author, the book is meant to be read from cover to cover like a story with activities for the reader to undertake at most stages. Nowhere does the book deal with the change management issues
such an approach would cause in an office with more than a small handful of systems.
There are numerous screenshots in the book, most of which are too low resolution to be easily legible but are helpful in a general sense.
Chapter 6 is a bare-faced rant against Microsoft Windows and related products, mostly on the basis of it being an insecure monoculture, backed up with selected quotations that support the author’s position.
There is some merit in this point of view but the chapter is heavily biased and unfortunately detracts from the remainder of the book. It would have made a reasonable piece on The Register but not here.
The author indulges in other extended asides and stories of historical interest only that also detract from the book’s stated goals. Several paragraphs on BSE (Bovine Spongiform Encephalopathy, commonly known as Mad
Cow Disease) in at least two places, for instance, can hardly be more unrelated to computer security for home or small office users.
The author’s journalistic training shines through in many places. He has presumably researched some areas
in depth for The Register, whereas others are less well supported by quotations and commentary. Ironically,
the latter are easier to read. I get the impression several of these ‘illustrations’ were included purely because
Greene took a journalistic interest in the original stories and has source material available, rather than because of their relevance to the subject of this book.
If you are an IT manager responsible for IT support for a small business, or a student of information security
working towards CISSP or a college degree, this book is good value and will give you plenty of things to think about and do. If you are a nontechnical PC user, the book will probably stretch your abilities to the
limit, although if you have the patience and dedication to persist, you will be able to improve security of your PCs.