Book Review: Minoli-Cordovana's Authoritative Computer Security


"Minoli-Cordovana's Authoritative Computer and Network Security Dictionary", Daniel Minoli/James Cordovana, 2006, 0-471-78263-7

%A Daniel Minoli
%A James Cordovana
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2006
%G 0-471-78263-7
%I John Wiley & Sons, Inc.
%O 416-236-4433 fax: 416-236-4448
Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 443 p.
%T "Minoli-Cordovana's Authoritative Computer and Network Security Dictionary"

I find that, again, I need to declare the possibility of bias or conflict in this review. Not only have I published a security dictionary of my own, but my work was also intended, as the authors announce in their preface, to be not simply a list of terms, but a set of practical definitions, and even a commentary on the security field.

While my dictionary addresses only security, Minoli and Cordovana have included computer and network in the title (and later mention that they are including financial terms). However, the preface also makes clear that security is the major thrust of the glossary: the first two-thirds of the introduction basically preaches security, and the remaining material even mentions a superior telecommunications dictionary.

Therefore, it comes as a bit of a surprise that the first term that has any direct connection to security comes on page four, and even then is only the expansion of an acronym. We are on page eight before we find the first actual definition that has even a nominal connection to security. A random sampling of terms seems to indicate that less than 20% of the entries in the work relate to security. (That relation holds in terms of number of entries. The actual material appertaining to security is proportionately less, since non-security entries tend to be longer than those defining security phrases.)

A surprising number of terms deal with cellular telephone technologies and standards, and the promised financial jargon is there in abundance. It is, in fact, not always clear (even from the definition) from which field a particular term comes. (Generally the financial jargon is so identified, but I chased down a particular thread through a number of entries, which task was not aided by the lack of cross-references between terms, before I finally realized that it was not an unusual security phrase, but a minor part of a specific cellular telephone service.)

In regard to the security terms themselves, the value is questionable. Like Phoha's "Internet Security Dictionary" (cf. BKINSCDC.RVW) the authors have included twelve variations on the access theme, and "access control" is only defined in terms of the old confidentiality model. There are 28 variants on authentication, 13 on vulnerabilities, and 20 on business with only three related to security. Five "attacks" are listed, none major. There are seven entries starting with "trojan": one is a definition, five are possible types of trojans, and the last entry lists the previously defined types. Eight phrases start with "Computing:" and include items such as "Computing: Molecular Computers." Ten entries are components of the United States' Communications Assistance for Law Enforcement Act [CALEA], which proliferation of American legal entries also points out the US-centric nature of the work. There are entries for both "Domain Name System" and "Domain Names System." (There is, so help me, a definition for "one-time password" and another for "One-Time Password.") There are two entries for grid computing, and they contradict each other.

The "authoritative" part of the title seems to be based on the fact that the references section lists over 500 articles, Web pages, and books. (It's hard to judge what they are, since the list is not in author, title, publisher, or even date order.) However, the entries sometimes merely conflate material that seems to come from diverse sources, without any attempt at analysis or explanation. (The definition of "stateful inspection," for example, in one phrase is talking about session state, and before the sentence is over has switched to content examination.)

Some of the terms are idiosyncratic or seldom used, and there are frequently multiple terms for the same concept. Again, it is not easy to assess the amount of duplication that goes on, since there are almost no cross-references between terms (and in those few instances some of the alternate terms suggested don't actually exist in the book). Even where a specific technology may have major divisions, related terms aren't noted. (The "firewall" entry, for example, doesn't even inventory the four major categories, and "intrusion detection system" lists neither the engine types nor the sensor placement architectures.) However, by looking up terms known to be related the reader can readily find not only multiple terms for similar concepts, but frequently duplicated wording as well (see "ankle-biter" and "script-kiddie").

One of the attacks catalogued, "attack on hash-and-sign signature schemes" is much more widely known as the birthday attack, but there is no corresponding entry under that term. (There is a definition for birthday paradox.) There is an entry for CUT (Coordinated Universal Time) but not the more widely used UCT. Some of the phrases used for entries mean that people may not find what they are looking for: there is "computer bug" but not "bug" (and no mention of implementation versus design) as well as "computer evidence" and "computer forensics" but not "evidence" or "forensics" (or "digital forensics"). Cryptanalytic attacks are defined under their own entries, but most are also listed (and with more detail) under "Cryptanalysis, " [sic] entries (and, again, there are no cross-references between them).

There is also an entry for "fork bomb" which is said to be equivalent to "logic bomb" but is defined more as a processor exhaustion virus or worm. "Kleptography" makes reference to "subliminal" and the definition of "subliminal channel" gives an example of a covert timing channel and then states that this is *not* what a subliminal channel is. (Subliminal never is defined except to state that it is an undetectable covert channel.)

Canonicalization defines only one of the many meanings (and that possibly the least significant). Only one aspect of "race condition" is given. "Digital money" (rather than the more commonly used digital cash) has no mention of the requirements or technical challenges. Feistel cipher never states the requirement for multiple rounds of simple functions or the iterated subdivision of blocks. The definition of low-level format does not mention that it operates at the physical, rather than logical, stratum (and it states, incorrectly, that a low-level format destroys all data on the disk).

A number of entries are for specific (and often obscure) products and little used processes. There are five entries related to crypto-viruses, occupying three pages, whereas the definitions for worm and virus combined don't exceed three column inches. (Within that brief space are at least three factual errors, and there are many important factors that are missing. "Vaccine," which term has not been seriously used in years and then only for a specific type of change detection, is said only to be a program to detect and disable viruses.)

There are a great number of extremely silly typographical errors, such as rile instead of role, pc rather than PC, ant-keylogger versus anti-keylogger, and competing for computing.

There are other, and better, communications dictionaries. There are other, though older, computer dictionaries. There are other security dictionaries, and, even excluding my own, I could not say that this glossary has any advantage over them.

copyright Robert M. Slade, 2006 BKMCACNS.RVW 20070102

====================== (quote inserted randomly by Pegasus Mailer)
It was much better to imagine men in some smoky room somewhere, made mad and cynical by privilege and power, plotting over the brandy. You had to cling to this sort of image, because if you didn't then you might have to face the fact that bad things happened because ordinary people, the kind who brushed the dog and told their children bedtime stories, were capable of then going out and doing terrible things to other ordinary people.
- `Jingo,' Terry Pratchett
Dictionary of Information Security


Rob Slade