The New School of Information Security 164
Ben Rothke writes "It is 2008
and never has so much been spent in information security.
Year after year, more and more security hardware and software is
purchased, more and more security professionals are hired, and more security
is done; yet things are not getting better. Every
indicator, every pundit, everything points to more security breaches,
vulnerabilities and incidents. Large amounts of
proprietary data are compromised on a daily basis.
Obviously something is wrong, yet the entire industry goes along
thinking things are getting better and more secure.
Obviously something needs to change. And
that new change is what The New School of Information Security
attempts to conceive."
Far too
much of the security industry has its roots in FUD.
Billions of dollars of information security
products have been sold, and for what? The
book asks why is information security so dysfunctional and why companies are
often wasting so much money on security.
So what is this thing called the new
school? The authors define it as neither a service
nor a product; rather it is a new approach that uses the scientific method and
objective data. This in turn gives an entirely new
perspective from diverse fields to make effective security
decisions. The authors
rightly believe that when objective data is used, it enables better
decision-making.
The New School of Information Security | |
author | Adam Shostack and Andrew Stewart |
pages | 288 |
publisher | Addison-Wesley |
rating | 9 |
reviewer | Ben Rothke |
ISBN | 978-0321502780 |
summary | Information security is highly broken; this book suggests a realistic fix. |
The New School of Information Security is a ground-breaking text in that it attempts to remove the reader from the hype of information security, and enables the reader to focus on the realities of security. The fact that such a book needs to be written in 2008 shows the sorry state of information security.
The book starts out with observations of why there are so many failures within information security. Anyone with experience in security can easily relate to these issues. One recurring theme throughout the book is that poor data, be it research or advertising negatively effects the state of security. The authors astutely note that security advertising often does a disservice to the security field because it glosses over complex problems and presents the illusions of a reality in which a security panacea exists. It makes the buyer believe they can reach that panacea by using their service or purchasing their product.
In creating their new school, the authors have no qualms in attacking the dogma of the current state of information security. From Gartner to the Executive Alliance and more, the authors show that these groups and more often suffer from issues such as bias, lack of a scientific method and more. The book notes that the search for objective data on information security is at the heart of the philosophy of the new school. Since there is a drought of objective data today, the book asks how can we know that the conventional wisdom is the right thing to do? The observation is that the current state of affairs is unsustainable for the commercial security industry and for security practitioners.
The title of chapter 5 gives away the theme of the book — Amateurs Study Cryptography — Professionals Study Economics. The idea is that information security must do a better job of embracing such diverse fields as economics, psychology, sociology and more, to make effective decisions.
In some ways, the authors are perhaps too aggressive in their desire for security statistics. One of the most scientific approaches to information security is from CERT (www.cert.org). Yet the authors are not satisfied with CERT's findings that the majority of incidents appear to be insider based. Given what data and statistics we have in 2008, the figures from CERT are certainly good enough. Yes, they could be better, and yes, breach data is not actuarial data, but given the data from CERT, combined with recent news and court cases (UBS, Société Générale,etc.) clearly show that insiders are the most insidious threat.
Also, while the current state of information security is indeed less than perfect, the authors are a bit too condescending of areas where security is formalized (ISO 27001, etc.), yet not perfect.
After years of countless 1,000+ page massive security books, The New School of Information Security succinctly spreads its message in a brief 160 pages. In those 160 pages, the author's detail at a high-level what needs to be done to create this new school. Therein lays the books only flaw, its brevity. The authors want to get the concept of the new school out there, but they do not detail enough of the necessary requirement to make it work. They show with clarity how things are broken, but don't do enough to show how to fix it. Let's hope the authors are at work on a follow-up writing those necessary additions.
Some Slashdot readers are likely to question how an author (Shostack) can write a book on security while being employed by Microsoft. Even with all its security issues, what many do not realize is that no software company has spent more on security in the past decade than Microsoft. Indeed they have a lot of catching up to do, but it is being done. Put another way, Microsoft has likely spent more on security than China has spent on democracy.
Too much of information security is clearly broke and The New School of Information Security is about fixing it. The author's pragmatic approach is a refreshing respite from years of security product based FUD and silver-bullet solutions. The approach of the new school is one that screams out to be put into place. It is the job of today's CISO's and CIO's to heed that call, take the initiative, and lead their organizations there. Either they graduate their staff from the new school, or we are faced with more decades of information security failures.
Let's hope The New School of Information Security is indeed a new start for information security. The book is practical and pragmatic, and one of the most important security books of the last few years. Those serious about information security should definitely read it, and encourage others to do the same.
Ben Rothke is a security consultant with BT and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The New School of Information Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
The irony is thick enough to cut with a laser... (Score:5, Insightful)
Year after year, more and more security hardware and software is purchased, more and more security professionals are hired, and more security is done; yet things are not getting better.
And:
Even with all its security issues, what many do not realize is that no software company has spent more on security in the past decade than Microsoft.
"Do as I say, not as I do?"
WHAT?!!! (Score:4, Insightful)
MARKETING causes problems?!! I'd have never dreamed of such a concoction of lunacy! This guy wants to make us think we'd actually be safer without the Nortons and McAfees of the world. I tell you this buddy, you can pry my annual $50 subscription from my cold dead hands!! I say we hunt down this guy with torches and rope in hand!
No,I do not work for Norton. What a silly question. That thousand bucks the guy in Norton shirt just gave me is totally normal, so never you mind it. Anyways, lynch the heretic!
Ah, little too much of a socialist lens? (Score:5, Insightful)
What... criminy... can you put down your Karl Marx for a second and look at the reality.
The solution is to re-engineer the economic system, to prevent people from having the capability of getting so rich that poor people feel they are better off attacking or exploiting the system than they are living within its boundaries.
There's always going to be jealousy and that jealousy is more the fault of the have-nots than the haves. Guess what? If you are stupid, you will not get rich.
I always love how socialists argue that we are too caught up in property while they, more than anyone else, continually keeps score on who has what.
Crypto isn't the only link in the chain (Score:5, Insightful)
Hence the discussion about how security as a field is reaching out to other disciplines -- organizational behavior and sociology and economics are essential because you're looking at the problem of why business organizations don't do well at security, and it isn't just a technical matter.
Doh! (Score:5, Insightful)
Most security can sometimes even lead to less security! A system that is too hard to access because of it's security will eventually be bypassed by the normal users, leaving you with a bigger security hole is one example of this. Customers who put three different firewall programs on their computer, plus the one on their router is another example.
ttyl
Farrell
What about quality of experts? (Score:3, Insightful)
How many IT projects have you worked on where the company hires one of these huge consulting firms, spends millions of dollars, and still has problems after all is said and done? I think one of the problems is the business model of these firms. The head schmooze crowd takes the CIO for a round of golf or two, and convinces them that the firm is the answer to all their security questions. The next day, a bunch of barely-trained "security consultants" descend on the company and begin making all sorts of recommendations/purchases. Sounds cynical, but I've seen it many many times. It's also applicable for any system replacement project, development project, etc.
The other problem is marketing of security products. How many times have you heard from a relative, "Oh, I've got Norton Internet Security, I'm safe." Vendors have a lot of people convinced that if they install their toolset, they can totally drop their guard.
Re:Things aren't getting done because of the exper (Score:3, Insightful)
Re:Ah, little too much of a socialist lens? (Score:2, Insightful)
Don't you think this generalizes just a little bit? My guess would be that out of the, you know, billions of poor, their poverty is more a result of circumstance than being "stupid." Hard for everyone to be smart w/out food, water, sanititation, rule of law, or school.
And there are plenty of dumb rich people. Arrogant ones, too.
Not what he's talking about... (Score:4, Insightful)
I understand in practice that might allow people to collapse to a narrow set of passwords. But I think it's also possible that this kind of standardization could allow people's ideas about what constitutes a good password to coalesce around a few basic points, which might let them more readily create a few.
And the parent is absolutely right that rotating random strings of characters every three months presents a use problem. One type of security analyst might say "suck it up, there's a tradeoff between security and use," and if you can get the user to suck it up and that works in the context of the organization, that's great. But if not, this brings us to the point in the "Amateurs study crypto, pros study economics" phrase. If you really want a secure system, solve both problems. Provide the user with some security practice that isn't going to cost him cycles the operation of the organization is going to demand he use somewhere else.
Re:Ah, little too much of a socialist lens? (Score:3, Insightful)
The socialist seeks to find the regulatory changes that would make the economic system more equitable. I for one don't think that limiting how much money one person can make is quite the right way of doing it: I'm more in favour of putting limits on how much money can be passed from parent to child. We could allow anyone to pass on only enough money to their children so that they would enjoy, as an example, a comfortable, middle class lifestyle for the rest of their lives, and no more, mandating that the rest of the money or assets or whatever be put back into the economy directly, instead of waiting for Junior to spend it or not.
The problem with both sides of the debate (capitalist vs socialist) is that Economics is Hard, and the solutions to the world's woes are more likely to come from careful, subtle economic and regulatory fiddling, not from grand platforms presented by politicians on the Left or Right, designed to garner votes. But nobody wants to hear that.
Re:Ah, little too much of a socialist lens? (Score:3, Insightful)
The last time income distribution was as skewed to the richest 1/10th of 1% as it is now was at the beginning of the Great Depression. Because capitalism failed then, we got all these socialist New Deal programs foisted on us. The hard-core Marxists want capitalism to fail again like that. It's precisely when they can get more of their programs in place. So, as a great fan of capitalism, I have to say our current repeat of the mistake made in the 1920s seems less than brillaint.