The New School of Information Security

Ben Rothke writes "It is 2008 and never has so much been spent on information security. Year after year, more security hardware and software is purchased, more security professionals are hired, and more security work is done; yet things are not getting better. Every indicator, every pundit, everything points to more security breaches, vulnerabilities and incidents. Large amounts of proprietary data are compromised on a daily basis. Obviously something is wrong, yet the entire industry goes along thinking things are getting better and more secure. Obviously something needs to change. And that change is what The New School of Information Security attempts to conceive."
Title: The New School of Information Security
Authors: Adam Shostack and Andrew Stewart
Pages: 288
Publisher: Addison-Wesley
Rating: 9
Reviewer: Ben Rothke
ISBN: 978-0321502780
Summary: Information security is highly broken; this book suggests a realistic fix.
Far too much of the security industry has its roots in FUD. Billions of dollars of information security products have been sold, and for what? The book asks why information security is so dysfunctional and why companies so often waste so much money on security. So what is this thing called the new school? The authors define it as neither a service nor a product; rather, it is a new approach that uses the scientific method and objective data. This in turn brings an entirely new perspective, drawn from diverse fields, to making effective security decisions. The authors rightly believe that using objective data enables better decision-making.

The New School of Information Security is a ground-breaking text in that it attempts to remove the reader from the hype of information security, and enables the reader to focus on the realities of security. The fact that such a book needs to be written in 2008 shows the sorry state of information security.

The book starts out with observations on why there are so many failures within information security. Anyone with experience in security can easily relate to these issues. One recurring theme throughout the book is that poor data, whether from research or advertising, negatively affects the state of security. The authors astutely note that security advertising often does a disservice to the security field because it glosses over complex problems and presents the illusion of a reality in which a security panacea exists. It makes buyers believe they can reach that panacea by using the vendor's service or purchasing its product.

In creating their new school, the authors have no qualms about attacking the dogma of the current state of information security. From Gartner to the Executive Alliance and others, the authors show that these groups often suffer from issues such as bias and a lack of scientific method. The book notes that the search for objective data on information security is at the heart of the philosophy of the new school. Since there is a drought of objective data today, the book asks how we can know that the conventional wisdom is the right thing to do. The observation is that the current state of affairs is unsustainable for the commercial security industry and for security practitioners.

The title of chapter 5 gives away the theme of the book: "Amateurs Study Cryptography; Professionals Study Economics." The idea is that information security must do a better job of embracing such diverse fields as economics, psychology, sociology and more in order to make effective decisions.

In some ways, the authors are perhaps too aggressive in their desire for security statistics. One of the most scientific approaches to information security is that of CERT (www.cert.org). Yet the authors are not satisfied with CERT's finding that the majority of incidents appear to be insider based. Given what data and statistics we have in 2008, the figures from CERT are certainly good enough. Yes, they could be better, and yes, breach data is not actuarial data, but the data from CERT, combined with recent news and court cases (UBS, Société Générale, etc.), clearly shows that insiders are the most insidious threat.

Also, while the current state of information security is indeed less than perfect, the authors are a bit too condescending toward areas where security is formalized (ISO 27001, etc.) yet not perfect.

After years of countless massive 1,000+ page security books, The New School of Information Security succinctly spreads its message in a brief 160 pages. In those 160 pages, the authors detail at a high level what needs to be done to create this new school. Therein lies the book's only flaw: its brevity. The authors want to get the concept of the new school out there, but they do not detail enough of the requirements necessary to make it work. They show with clarity how things are broken, but don't do enough to show how to fix them. Let's hope the authors are at work on a follow-up containing those necessary additions.

Some Slashdot readers are likely to question how an author (Shostack) can write a book on security while being employed by Microsoft. Even with all its security issues, what many do not realize is that no software company has spent more on security in the past decade than Microsoft. Indeed they have a lot of catching up to do, but it is being done. Put another way, Microsoft has likely spent more on security than China has spent on democracy.

Too much of information security is clearly broken, and The New School of Information Security is about fixing it. The authors' pragmatic approach is a refreshing respite from years of product-based security FUD and silver-bullet solutions. The approach of the new school is one that screams out to be put into place. It is the job of today's CISOs and CIOs to heed that call, take the initiative, and lead their organizations there. Either they graduate their staff from the new school, or we are faced with more decades of information security failures.

Let's hope The New School of Information Security is indeed a new start for information security. The book is practical and pragmatic, and one of the most important security books of the last few years. Those serious about information security should definitely read it, and encourage others to do the same.

Ben Rothke is a security consultant with BT and the author of Computer Security: 20 Things Every Employee Should Know.

Comments
  • by techpawn ( 969834 ) on Monday April 21, 2008 @02:45PM (#23148646) Journal
    Throwing more "experts" at the problem doesn't make the problems go away. Just like making passwords more complex doesn't seem to increase security, especially when the average user doesn't seem to be getting any better (still writing passwords on post-its, etc.)
  • by Beryllium Sphere(tm) ( 193358 ) on Monday April 21, 2008 @02:48PM (#23148696) Journal
    One crippling problem with gathering hard numerical data about security is that so many incidents go unreported. A few make it into books, a few make it into the press, but most are solved internally.

    If you have a fire, the fire department will write it down and it will go into national statistics that fire insurance companies can bet money on. If you have a security breach, would you even try involving law enforcement?

    Another hassle is that so many of the costs are hard to quantify. Loss of revenue after a fire is something you can pin down. Loss of reputation or consumer confidence after a breach? The numbers will be uselessly fuzzy.
  • by tgatliff ( 311583 ) on Monday April 21, 2008 @02:50PM (#23148726)
    The issue is not how we handle security, but rather a fundamental flaw with the technology itself.

    Meaning, the design of files themselves makes it too easy to copy them. Also, trying to slap on some sort of encryption layer is laughable at best because once the encryption is removed all security goes along with it.

    In my opinion, as an industry we need to re-examine how documents are managed. I suspect a considerably better approach is more of a "looking glass" to managing data where instead of actually having the physical files move around the network, you instead have sort of a VNC-type approach where you only view the document where it resides. Yes, there are a lot of complexities to this approach, but fundamentally I think this is where the industry needs to go...
  • by spydum ( 828400 ) on Monday April 21, 2008 @02:55PM (#23148828)
    I think I'd beg to differ. Consider the growth rate of deployed systems and data, and compare to the number of security incidents. I think someone could make a strong argument that it IS getting better, proportionately. The internet has such impressive growth, it's hard to notice the change. Check out any sites with historical trends of reported security incidents (dshield.org, cert.org, whomever). They all show very large growth rates up until 2006, where they tend to level off. The internet didn't stop growing during that period, we just managed to catch up.
  • "In my opinion, as an industry we need to re-examine how documents are managed."

    And what's the cost benefit of that? You are talking about security and secrecy but really at the price of throwing innovation and efficiency out the window.

    How can anyone on slashdot in their right mind be so dull-wittedly committed to doing in IT the very things that caused so many societies to fail! Secrecy and an atmosphere of secrecy, authentication at every turn,... my god, we have turned information into a virtual police state where you have to have papers everywhere you go. And guess what, our digital Nazi Germany and Soviet Russia have failed just as much as their physical counterparts did.

    Centralization is why IT sucks. Big Data Centers = Big Government, with the same long lead times, ineffective management, unaccountable projects and reduced performance.

    We don't need an internet web 2.0, we need a PC 2.0 and push the data and decisions out to the people.

    The best way to improve a company's efficiency is to eliminate internal gestapo security.
  • by Futurepower(R) ( 558542 ) on Monday April 21, 2008 @03:10PM (#23149036) Homepage
    "... Microsoft has likely spent more on security than China has spent on democracy"

    Very creative. I can do that, too! My example: Women spend more money on makeup than children spend on trapping hedgehogs.

    Microsoft makes more money when computers are less secure, because many people who have malware buy new computers: Corrupted PC's Find New Home in the Dumpster [nytimes.com].
  • by tgatliff ( 311583 ) on Monday April 21, 2008 @03:15PM (#23149124)
    I think I understand your argument, but it sounds more political than technological in nature... Also, I know my history well and it certainly does not back up the claim that secrecy makes societies fail. Early Germany certainly did not fail because of secrecy, but rather because they had a madman at their helm. Soviet Russia just had an unsustainable government structure... The US economy is currently failing not because of our secrecy, but rather because we want to try to grow our economy on the ever-continued consumption of debt... :)

    In short, it sounds like you work for a big company and are quite frustrated by their internal procedures that most likely were put in place by managers and sales people who know nothing about security or the implication it has on people who run the business... Quite understandable, but I would not consider this as every business.
  • by Ungrounded Lightning ( 62228 ) on Monday April 21, 2008 @03:21PM (#23149190) Journal
    In a conflict between weapons and armor, weapons eventually win.

    What is going on in "computer security" now is a conflict where the bad guys use weapons and the good guys only use armor.

    Just as with ordinary security - safes, locked doors, walls, armor, military "defense", etc. - attempts at IT infrastructure security only slow, not stop, the perpetrators. In ordinary security the "war" must be taken to the enemy - with self-defense deterrence and counterattacks, arrest/trial/incarceration, or retaliatory war. Why should information security be any different?

    But as of now there is essentially no consequence - except occasional failure and the need to adjust tools to evade the latest security tweaks. The result has been an opportunity, and financial incentive, to develop a powerful security-breaking infrastructure and several very lucrative businesses based on it.

    So things will keep getting worse until there is retaliation that creates enough consequences to knock the perpetrators down in number of perpetrators and longevity of activity.

    Retaliation produces collateral damage, so this won't be pleasant. But systematically letting bad guys get away with their crimes creates a rising exponential of wrongdoing that eventually sucks the lifeblood out of the rest of the population. Eventually this will become so egregious that the rest of the population will be willing to accept the collateral damage if it knocks down the problem.
  • by ShieldW0lf ( 601553 ) on Monday April 21, 2008 @03:24PM (#23149244) Journal
    The difference between the rich and the poor is greater than ever, and power over the unwilling must be maintained through security. What... criminy... can you put down your Karl Marx for a second and look at the reality. The solution is to re-engineer the economic system, to prevent people from having the capability of getting so rich that poor people feel they are better off attacking or exploiting the system than they are living within its boundaries. There's always going to be jealousy and that jealousy is more the fault of the have-nots than the haves. Guess what? If you are stupid, you will not get rich. I always love how socialists argue that we are too caught up in property while they, more than anyone else, continually keep score on who has what.

    I am quite sure that your Choir, which is quite large, will appreciate your preaching.

    However, it is not the stupid people who are successfully destroying security. It is the smart people. And it is not the smart people who are rich. It is the vicious people who are rich, and they are quite often stupid.

    If you were right, and I were wrong, then this article would not have been written, and the situation would not be in the state it is in. The evidence is not on your side.
  • by Arrogant-Bastard ( 141720 ) on Monday April 21, 2008 @04:36PM (#23150348)
    Marcus Ranum's "The Six Dumbest Ideas in Computer Security" rant/essay neatly identified the top culprit a few years back. The mistakes he outlined continue to be made on a daily basis by nearly everyone working in the field -- and most of those people compound those errors by layering on more mistakes. (Example: "Well, yes, the firewall is default-permit outbound, but that's okay because we have an IDS.") This approach inevitably fails, yet those practicing it profess surprise every time it does -- especially if they happen to be standing in front of a press conference announcing the latest data loss incident.

    We will not make any headway on this, as a profession, until we stop making rudimentary mistakes such as the ones Ranum has identified, along with a few others that are worthy additions to that list. No initiatives, no certifications, no appliances, nothing will change that -- because none of those change the attitudes of the people who are building systems and networks. Until those people manage to step back from irrelevant details like "which iframe exploit is current today?" and look at larger questions like "why are iframe exploits even possible?" or "why are browser exploits even possible?", then they will continue to waste effort "solving" the wrong problems.

    Sadly, after observing this situation close up for many, many years, I've concluded that some, possibly many, people will never get that far. They simply Do Not Get It, and despite essays like Ranum's or books like this one or anything else, they're not going to get it. And they will continue to fail, and so the systems/networks they've built will continue to fail. I'd say that will make for a bleak future, but -- look around! -- we're living in a bleak present.
