Attention Microsoft users: Syngress lays out the seven deadliest attacks against the popular operating system.
* Syngress Seven Deadliest Attacks Series. By Bob Kraus et al.; published by Syngress, www.syngress.com; 160-256 pages; $24.95.
This book is part of a series from Syngress. In this case, the focus is on the deadliest threat vectors facing users today: attacks that target or leverage Web applications, unified communications, traditional networks, USB devices, social networks, wireless technologies, and Microsoft products. Each is penned by a different author or coauthors with the assistance of an expert technical editor in that special field.
One topic addressed is Structured Query Language (SQL) injection attacks. These have evolved during the last decade or so, but the underlying vulnerability stays the same. They are addressed in detail in the Web Application Attacks volume, along with cross-site scripting, cross-site request forgery, and logic attacks. For example, Web content consists of a mix of Hypertext Markup Language and JavaScript, an area typically sensitive to attack. Author Mike Shema explains potential vulnerabilities and offers case studies based on actual attacks, looking at the topic from a forensic perspective to devise proper preventive measures. This is where the series will endear itself to Web application developers and to security professionals in particular.
Another installment, Unified Communications Attacks, largely deals with attacks on insecure endpoints, eavesdropping, control-channel attacks, and a few related topics involving real-time communication systems. Integration is the overriding theme in these systems. The chapter on eavesdropping is certainly the most illustrative, providing figures, graphics, flowcharts, electronic ultrasound clips, and data tabulations. Internet Protocol security is discussed in a manner making it easy to apply to eavesdropping threats.
Network Attacks deals with the mitigation of hacks, attacks, and exploits. Topics covered include denial-of-service attacks, war dialing, penetration testing, and protocol tunneling. The chapter on war dialing merits a special mention as it is well illustrated with figures and templates. The section on protocol tunneling is also highly informative.
This set of books assumes some basic familiarity with the Web. It should, however, appeal to all security professionals, from top-level executives and IT experts to the lowest rung of managers.
Reviewer: Colonel Kuljeet Singh, CPP (Indian Army-ret.), is director of business development and planning for Command International Security Services, Inc. He is a member of ASIS International.