Security 101 Book

Today I was asked for my recommendation for a "security 101" book. I hadn't given the subject much thought, although I think Ed Skoudis' Counter-Hack is a great place to start. I looked around my office and found a book Addison-Wesley sent me last year: Internet Site Security by Erik Schetina, Ken Green, Jacob Carlson. After thumbing through the book, I've decided it's excellent. I won't review it on Amazon.com, since my policy is to only review books I've read. Still, a mention here is worthwhile.

This book is so solid I adopted its "assess -> protect -> detect -> respond" security process model to replace the "plan -> prevent -> detect -> respond" version in my own book, just to avoid reinventing the wheel. They also correct state the risk equation as "risk = threat X vulnerability X asset value." If you're looking to get your feet wet in security, or if you're a manager who needs to learn the fundamentals, Internet Site Security is a fine starting point.