Joel Dubin has just sent me the update of his useful guide to computer security, The Little Black Book of Computer Security. In October 2005, I published a review of the first edition and I refer readers to that review for a sense of the first edition's qualities. I liked the book so much I ordered it for the assigned readings in one of the seminars in the MSIA program.

The book has grown from 150 pages to 207 pages (38%) but its price has changed from $19.95 to $25.95 (30%). Seems fair. It still fits in a (large) pocket. More important, the content has significant changes.

Dubin begins with an insightful commentary in his introduction (quoting exactly):

"IT security has broadened dramatically. Its issues have expanded from the technology arena into the business arena. In other words, IT security no longer consists solely of the IT department working to lock down networks. It has moved into the boardroom as business leaders grapple with the business impacts of potential data breaches. Those leaders are now concerned with complying with legal regulations, protecting the privacy and identity of their customers, and keeping their brands intact if data breaches do occur. Consequently, IT security has developed into the more wide-ranging field of information security.

"Furthermore, as the network perimeter has dissolved, the old-fashioned firewall has evolved. Hackers have become more sophisticated, bypassing firewalls and other network controls by inserting malicious code into Web sites. Today, even innocent sites can serve as repositories of dangerous malware that can defeat the toughest network defenses. In other words, the threat has shifted from the network to the application. The new paradigm therefore entails not only safeguarding hardware and networks but also protecting data wherever it happens to be – a Web site, a database, or anywhere in between."

There are three new chapters. Quoting from correspondence with Dubin:
* Chapter 19 on compliance and working with auditors, since this has become such a big part of many IT security professionals' lives.
* Chapter 20 on security awareness training, since this has become part of compliance with tips on the bare bones minimum of what should go into an security training program.
* Chapter 21 is a simple explanation of encryption, which IT security pros can use to distill this complex topic for the business folks.

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.