Defend IT. Security by Example
by Gupta, Ajay and Scott Laliberte

Addison-Wesley 2004.
ISBN 0-321-19767-4. 384 pages. Index. Bibliography.

Reviewed by Robert Bruen, May 17, 2004

Defend I.T. uses the case method to instruct readers by illuminating problems through examples with enough detail and scope to be helpful. Case studies are a common way for business schools to teach would-be managers how to analyze situations in which decisions must be made. Background is given to the reader, such as organizational details and the path that brought the subjects to the current situation. Generally there is a problem at hand that the reader must solve.

In contrast, the technical world tends to provide an analysis and an answer in "man" pages, how-tos and help files. This approach is quite helpful when one is stuck trying to get something working. However, when learning to think about how one goes about solving problems, one needs to practice using a case. Given the situation, how does one approach the problem? If there is no clear-cut answer, then mapping out the steps toward some answer is a challenge. One needs to be able to defend a decision in a rational and logical way.

There does not seem to be much of the case approach in the tech world, so it is good to have a security book that presents it. The sixteen cases use real but disguised organizations that have experienced a problem. Each case is analyzed in both technical and managerial fashion to get a good overall picture of the problem and its accompanying solution. The steps can be easily followed from the presentation of the problem through the final resolution. In fact, the cases are very accessible to readers just starting out in security if they have some technical background. For those who are advanced in security, the value would be in how the analysis is presented.

Although there are lots of helpful diagrams, none of the cases goes into the excruciating detail that some of us might like. The cases have not been shortened to summary status, but, for example, when looking at Return on Investment (ROI) for an Intrusion Detection System (IDS) purchase, the financial data is simplified. This does not detract from the example; instead it avoids unnecessary detail and keeps the reader moving along.

If the reader is well versed in the case method for teaching, these cases will not quite fit into the mold, but again, this is not a problem when getting the most out of the book. The coverage is fairly broad, including policy, hacking, forensics, and worms. Included are new topics like the Health Insurance Portability and Accountability Act (HIPAA), one of the major impacts on digital security through government regulation. HIPAA will certainly not be the last regulation to cause such disruption.

The only real criticism I can levy is the inclusion of war dialing as a case. The chapter is in a section labeled "Old School," indicating that the authors knew what they were doing at the time. It makes me feel nostalgic for the good old days, but I would have replaced it with newer material. This is a bit of a nitpick, though, and some readers will still find the chapter valuable.

This is definitely a recommended book, one that those of you who are teaching security especially ought to consider.