Domain: ins.com
Stories and comments across the archive that link to ins.com.
Stories · 8
-
The New School of Information Security
Ben Rothke writes "It is 2008 and never has so much been spent in information security. Year after year, more and more security hardware and software is purchased, more and more security professionals are hired, and more security is done; yet things are not getting better. Every indicator, every pundit, everything points to more security breaches, vulnerabilities and incidents. Large amounts of proprietary data are compromised on a daily basis. Obviously something is wrong, yet the entire industry goes along thinking things are getting better and more secure. Obviously something needs to change. And that new change is what The New School of Information Security attempts to conceive." The New School of Information Security author Adam Shostack and Andrew Stewart pages 288 publisher Addison-Wesley rating 9 reviewer Ben Rothke ISBN 978-0321502780 summary Information security is highly broken; this book suggests a realistic fix. Far too much of the security industry has its roots in FUD. Billions of dollars of information security products have been sold, and for what? The book asks why is information security so dysfunctional and why companies are often wasting so much money on security. So what is this thing called the new school? The authors define it as neither a service nor a product; rather it is a new approach that uses the scientific method and objective data. This in turn gives an entirely new perspective from diverse fields to make effective security decisions. The authors rightly believe that when objective data is used, it enables better decision-making.
The New School of Information Security is a ground-breaking text in that it attempts to remove the reader from the hype of information security, and enables the reader to focus on the realities of security. The fact that such a book needs to be written in 2008 shows the sorry state of information security.
The book starts out with observations of why there are so many failures within information security. Anyone with experience in security can easily relate to these issues. One recurring theme throughout the book is that poor data, be it research or advertising negatively effects the state of security. The authors astutely note that security advertising often does a disservice to the security field because it glosses over complex problems and presents the illusions of a reality in which a security panacea exists. It makes the buyer believe they can reach that panacea by using their service or purchasing their product.
In creating their new school, the authors have no qualms in attacking the dogma of the current state of information security. From Gartner to the Executive Alliance and more, the authors show that these groups and more often suffer from issues such as bias, lack of a scientific method and more. The book notes that the search for objective data on information security is at the heart of the philosophy of the new school. Since there is a drought of objective data today, the book asks how can we know that the conventional wisdom is the right thing to do? The observation is that the current state of affairs is unsustainable for the commercial security industry and for security practitioners.
The title of chapter 5 gives away the theme of the book — Amateurs Study Cryptography — Professionals Study Economics. The idea is that information security must do a better job of embracing such diverse fields as economics, psychology, sociology and more, to make effective decisions.
In some ways, the authors are perhaps too aggressive in their desire for security statistics. One of the most scientific approaches to information security is from CERT (www.cert.org). Yet the authors are not satisfied with CERT's findings that the majority of incidents appear to be insider based. Given what data and statistics we have in 2008, the figures from CERT are certainly good enough. Yes, they could be better, and yes, breach data is not actuarial data, but given the data from CERT, combined with recent news and court cases (UBS, Société Générale,etc.) clearly show that insiders are the most insidious threat.
Also, while the current state of information security is indeed less than perfect, the authors are a bit too condescending of areas where security is formalized (ISO 27001, etc.), yet not perfect.
After years of countless 1,000+ page massive security books, The New School of Information Security succinctly spreads its message in a brief 160 pages. In those 160 pages, the author's detail at a high-level what needs to be done to create this new school. Therein lays the books only flaw, its brevity. The authors want to get the concept of the new school out there, but they do not detail enough of the necessary requirement to make it work. They show with clarity how things are broken, but don't do enough to show how to fix it. Let's hope the authors are at work on a follow-up writing those necessary additions.
Some Slashdot readers are likely to question how an author (Shostack) can write a book on security while being employed by Microsoft. Even with all its security issues, what many do not realize is that no software company has spent more on security in the past decade than Microsoft. Indeed they have a lot of catching up to do, but it is being done. Put another way, Microsoft has likely spent more on security than China has spent on democracy.
Too much of information security is clearly broke and The New School of Information Security is about fixing it. The author's pragmatic approach is a refreshing respite from years of security product based FUD and silver-bullet solutions. The approach of the new school is one that screams out to be put into place. It is the job of today's CISO's and CIO's to heed that call, take the initiative, and lead their organizations there. Either they graduate their staff from the new school, or we are faced with more decades of information security failures.
Let's hope The New School of Information Security is indeed a new start for information security. The book is practical and pragmatic, and one of the most important security books of the last few years. Those serious about information security should definitely read it, and encourage others to do the same.
Ben Rothke is a security consultant with BT and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The New School of Information Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Geekonomics
Ben Rothke writes "First the good news — in a fascinating and timely new book Geekonomics: The Real Cost of Insecure Software, David Rice clearly and systematically shows how insecure software is a problem of epic proportions, both from an economic and safety perspective. Currently, software buyers have very little protection against insecure software and often the only recourse they have is the replacement cost of the media. For too long, software manufactures have hidden behind a virtual shield that protects them from any sort of liability, accountability or responsibility. Geekonomics attempts to stop them and can be deemed the software equivalent of Unsafe at Any Speed. That tome warned us against driving unsafe automobiles; Geekonomics does the same for insecure software." Read on for Ben's take on this book. Geekonomics: The Real Cost of Insecure Software author David Rice pages 362 publisher Addison-Wesley rating 9 reviewer Ben Rothke ISBN 978-0321477897 summary How insecure software costs money and lives Now the bad news — we live in a society that tolerates 20,000 annual alcohol-related fatalities (40% of total traffic fatalities) and cares more about Brittany Spears' antics than the national diabetes epidemic. Expecting the general public or politicians to somehow get concerned about abstract software concepts such as command injection, path manipulation, race conditions, coding errors, and myriad other software security errors, is somewhat of a pipe dream.
Geekonomics is about the lack of consumer protection in the software market and how this impacts economic and national security. Author Dave Rice considers software consumers to be akin to the proverbial crash test dummy. This combined with how little recourse consumers have for software related errors, and lack of significant financial and legal liability for the vendors, creates a scenario where computer security is failing.
Most books about software security tend to be about actual coding practices. Geekonomics focuses not on the code, but rather how insecurely written software is an infrastructure problem and an economic issue. Geekonomics has 3 main themes. First — software is becoming the foundation of modern civilization. Second — software is not sufficiently engineered to fulfill the role of foundation. And third — economic, legal and regulatory incentives are needed to change the state of insecure software.
The book notes that bad software costs the US roughly $180 billion in 2007 alone (Pete Lindstrom's take on that dollar figure). Not only that, the $180 billion might be on the low-end, and the state of software security is getting worse, not better, according the Software Engineering Institute. Additional research shows that 90% of security threats exploit known flaws in software, yet the software manufacturers remain immune to almost all of the consequences in their poorly written software. Society tolerates 90% failure rates in software due to their unawareness of the problem. Also, huge amount of software problems entice attackers who attempt to take advantage of those vulnerabilities.
The books 7 chapters are systematically written and provide a compelling case for the need for security software. The book tells of how Joseph Bazalgette, chief engineer of the city of London used formal engineering practices in the mid-1800's to deal with the city's growing sewage problem. Cement was a crucial part of the project, and the book likens the development of secure software to that of cement, that can without decades of use and abuse.
One reason software has significant security vulnerabilities as noted in chapter 2, is that software manufacturers are primarily focused on features, since each additional feature (whether they have real benefit or not) offers a compelling value proposition to the buyer. But on the other side, a lack of software security functionality and controls imposes social costs on the rest of the populace.
Chapter 4 gets into the issues of oversight, standards, licensing and regulations. Other industries have lived under the watchful eyes of regulators (FAA, FDA, SEC, et al) for decades. But software is written removed from oversight by unlicensed programmers. Regulations exist primarily to guard the health, safety and welfare of the populace, in addition to the environment. Yet oversight amongst software programmers is almost nil and this lack of oversight and immunity breeds irresponsibility. The book notes that software does not have to be perfect, but it must rise to the level of quality expected of something that is the foundation of an infrastructure. And the only way to remove the irresponsibility is to remove the immunity, which lack of regulation has created a vacuum for.
Chapter 5 gets into more detail about the need to impose liability on software manufacturers. The books premise is that increased liability will lead to a decrease in software defects, will reward socially responsible software companies, and will redistribute the costs consumers have traditionally paid for protecting software from exploitation, shifting it back to the software manufacturer, where it belongs.
Since regulations and the like are likely years or decades away, chapter 7 notes that short of litigation, contracts are the best legal option software buyers can use to leverage in address software security problems. Unfortunately, most companies do not use this contractual option to the degree they should which can benefit them.
Overall, Geekonomics is an excellent book that broaches a subject left unchartered for too long. The book though does have its flaws; its analogies to physical security (bridges, cars, highways, etc.) and safety events don't always coalesce with perfect logic. Also, the trite title may diminish the seriousness of the topic. As the book illustrates, insecure software kills people, and I am not sure a corny book title conveys the importance of the topic. But the book does bring to light significant topics about the state of software, from legal liability, licensing of computer programmers, consumers rights, and more, that are imperatives.
It is clear the regulations around the software industry are inevitable and it is doubtful that Congress will do it right, whenever they eventually get around to it. Geekonomics shows the effects that such lack of oversight has caused, and how beneficial it would have been had such oversight been there in the first place.
To someone reading this review, they may get the impression that Geekonomics is a polemic against the software industry. To a degree it is, but the reality is that it is a two-way street. Software is built for people who buy certain features. To date, security has not been one of those top features. Geekonomics notes that software manufacturers have little to no incentive to build security into their products. Post Geekonomics, let's hope that will change.
Geekonomics will create different feelings amongst different readers. The consumer may be angry and frustrated. The software vendors will know that their vacation from security is over. It's finally time for them to get to work on fixing the problem that Geekonomics has so eloquently written about.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Geekonomics: The Real Cost of Insecure Software from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
IT Security Interviews Exposed
Ben Rothke writes "Information security is a hot career area and is among the strongest fields within IT for growth and opportunity. With excellent long-term career prospects, increasing cybersecurity vulnerabilities and an increase in security & privacy regulations and legislation, the demand for security professionals is significant. Even with a bright future, that does not necessarily mean that a career in information security is right for everyone. What differentiates an excellent security professional from a mediocre one is their passion for the job. With that, IT Security Interviews Exposed is a mixed bag of a book. For those that are looking for an information security spot and have the requisite passion for the job, much of the information should already be known. For someone who lacks that passion and simply wants a security job, their lack of breadth will show and the information in the book likely won't be helpful, unless they have a photographic memory to remember all of the various data points." Read below for the rest of Ben's review. IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job author Chris Butler pages 218 publisher Wiley rating 8 reviewer Ben Rothke ISBN 0471779873 summary Good review for a pro, but not for newbies. If you find information security challenging and either want a job in the field or are looking for a better job in the field, the book will be quite valuable. But for those looking for a hot security job, their lackings will likely show through on in interview, even with the help of this book.
As to the actual content, chapter 1 provides a good overview of how to find, interview and get a security job. The chapter contains many bits of helpful information, especially to those whose job seeking skills are deficient. A good piece of advice the author's state is that one should never pay a fee for headhunting services. There are many people that call themselves recruiters, but are nothing more than fax servers who charge for the service. The burden to pay is always on the hiring firm, and a job seeker should be extremely suspicious of anyone requesting a fee to find them a position.
I would hope that in future editions of the book, the authors expand on chapter one. The chapter itself in fact could easily me made into a book in its own right. As part of the job search process, many job searchers often do not ask themselves enough fundamental questions if they are indeed in the right place in their career. Such an approach is taken by Lee Kushner, founder and CEO of the information security recruitment firm LJ Kushner and Associates. Kushner formulated the following 7 questions that every information security job candidate should ask themselves:
1. What are my long and short term plans?
2. What are my strengths and weaknesses?
3. What skills do I need to develop?
4. Have I acquired a new skill during the past year?
5. What are my most significant career accomplishments and will I soon achieve another one?
6. Have I been promoted over the past three years?
7. What investments have I made in my own career?
The other 9 chapters of the book all have the same format; an overview of the topic, and then various questions and interviewer may pose. The reality that these topics of network and security fundamentals, firewalls, regulations, wireless, security tools, and more, are essential knowledge for a security professional. Anyone trying to go through a comprehensive information security interview and wing it by reviewing the material will likely only succeed if the interviewer is inept. Anyone attempting to mimic the questions and answers in the book in a real-world interview will immediately be found to be a sham if the interviewer deviates even slightly from the script, which should be expected.
What really separates a good candidate from a great candidate is hands-on, practical and real-world security experience. Such a candidate won't need a question and answer format to showcase themselves in an interview. Their experience should shine, and not their ability to rattle of security acronyms.
If a company is serious about hiring qualified people, the interview process should not be about short technical questions and acronym definitions. It should entail an open discussion with significant give and take. Having a candidate detail their methodology for deploying and configuring a firewall should be given more credence than their ability to define the TCP the three-way handshake.
Ultimately, the efficacy of the book is in the disposition of the reader. For the security newbie who wants a crash course in security in order to quickly land a security job, heaven help the company that would hire such a person. While one should indeed not judge a book by its cover; this book's cover and title may lead some readers to think that the book is their golden ticket to a quick landing into a great career. The breadth of information that a security professional needs to know precludes and short of cramming or quick introductions. Those with a lack of security experience attempting to use this book to hide their shortcomings will only embarrass themselves on an interview.
On the other hand, for the reader who has a background in information security who wants an update on network and security fundamentals, they will find IT Security Interviews Exposed a helpful title. The book contains a plethora of valuable information written in a clear and easy to read style. In a little over 200 pages, the book is able to provide the reader with a good review of what they know or may have forgotten. Used in such a setting by such a reader makes the book a most helpful tool for the serious security professional looking to advance their career.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
End-to-End Network Security
Ben Rothke writes "One of the mistakes many organizations make when it comes to information security is thinking that the firewall will do it all. Management often replies incredulously to a hacking incident with the thought "but don't we have a firewall". Organizations need to realize a single appliance alone won't protect their enterprise, irrespective of what the makers of such appliances suggest and promise. A true strategy of security defense in depth is required to ensure a comprehensive level of security is implemented. Defense in depth uses multiple computer security technologies to keep organizations risks in check. One example of defense in depth is having an anti-virus and anti-spyware solution both at the user's desktop, and also at the gateway." Read on for the rest of Ben's review. End-to-End Network Security: Defense-in-Depth author Omar Santos pages 480 publisher Cisco Press rating 9 reviewer Ben Rothke ISBN 1587053322 summary Excellent and comprehensive look at how to secure a Cisco infrastructure End-to-End Network Security: Defense-in-Depth provides an in-depth look at the various issues around defense in depth. Rather than taking a very narrow approach to security, the book focuses on the comprehensive elements of designing a secure information security infrastructure that can really work to ensure an organization is protected against the many different types of threats it will face on a daily basis.
The books 12 chapters provide a broad look at the various ways in which to secure a network. Aside from a minor mistake in chapter 1 where the author confuses encryptions standards and encryption algorithms (but then again, many people make the same mistake), the book provides a clear and to the point approach to the topic at hand. After reading the book, one will have a large amount of the information needed to secure their Cisco-based network.
While it is not in the title, the book is completely centered on Cisco hardware, software, and Cisco IOS. It is a Cisco Press title written by a Cisco employee, as you would expect, it has a heavy Cisco slant. For those that do not work in a Cisco environment, the information in the book will likely be far too Cisco centric for their needs. A review of the index shows that the book provides a near A-Z overview of information security. One of the only missing letters is 'J', but then again, that would require writing about Juniper.
Chapter 1 starts off with a detailed overview of the fundamentals of network security technologies. Chapter 2 details the various security frameworks and methodologies around securing network devices. The six-step methodology that the author writes of is comprised of preparation, identification, classification, traceback, reaction and postmortem.
The author mistakenly writes that manual analysis of complex firewall policies is almost impossible because it is very time-consuming. The truth is that the time-consuming aspect does not make it impossible. It can be done, but the author is correct that the use of automated tools makes such analysis much quicker and easier.
Chapters 5 and 6 provide an excellent overview of reacting to information security incidents. The chapters cover all of the necessary details, from laws, log finals, postmortem and more.
Chapter 9 provides and extensive overview of the various elements of IPT security. It includes various ways to protect the many parts of a Cisco IPT infrastructure. In this chapter and the others, the author does a very good job of detailing the various configurations steps necessary to secure a Cisco device, both at the graphical level and also at the ISO command line level.
Chapter 12 concludes the book with 3 case studies of using defense in depth a small, medium and large enterprise networks. Different size networks have different requirements and constraints and are not secured in the same manner.
Overall, End-to-End Network Security: Defense-in-Depth is an excellent and comprehensive book on how to secure a Cisco infrastructure. It details the many threats such an environment will face, and lists countermeasures to mitigate each of those threats. Anyone involved in securing Cisco-based networks will find this book to be quite helpful in their effort to secure their network.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase End-to-End Network Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
PCI Compliance
Ben Rothke writes "It has long been rumored that manufacturers of items such as razors and batteries specifically produce their products to an inferior level in order to ensure repeat business. A similar paradox is occurring in the information security space where many are complaining that the PCI Data Security Standard (PCI DSS) is too complex and costly. What is most troubling is that such opinions are being written in periodicals and by people that should know better." Read on for the rest of Ben's review. PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance author Tony Bradley pages 352 publisher Syngress rating 9 reviewer Ben Rothke ISBN 1597491659 summary Great for anyone who has PCI responsibilities or wants to gain a quick understanding of the PCI DSS requirements.
PCI came to life when Visa, MasterCard, American Express, Diner's Club, Discover, and JCB collaborated to create a new set of standards to deal with credit card fraud. PCI requires that all merchants and service providers that handle, transmit, store or process information concerning any of these cards, or related card data, be required to be compliant with the PCI DSS. If they are not compliant, they can face monetary penalties and/or have their card processing privileges terminated by the credit card issuers.
The primary purpose of PCI is to force organizations to embrace common security controls to protect credit card data and reduce fraud and theft. The following are the six primary control areas and 12 specific requirements of the PCI DSS:
Build and maintain a secure network
1. Install and maintain firewall configurations
2. Do not use vendor-supplied or default passwords
Protect cardholder data
3. Protect stored data
4. Encrypt transmissions of cardholder data across public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to need-to-know
8. Assign unique IDs to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Monitor and track all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security
A quick review of these 12 items shows that PCI is a textbook example of the fundamentals of information security. With that, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance is an excellent resource that provides the reader with all of the fundamental information needed to understand and implement PCI DSS.
The books 13 chapters provide the reader with a comprehensive overview of all of the details and requirements of PCI. The first three chapters provide an overview of the basics about PCI and the basic requirements of the standard. The following six chapters go into detail about each of the primary control areas.
In particular, chapter 6 provides a good overview of the PCI logging requirements. This requirement can be time-consuming to put into place. The author notes that a commonly overlooked but essential requirement, namely that of accurate and synchronized time on network devices. Enterprise information network and security infrastructure devices are highly dependent on synchronized time and PCI recognizes that correct time is critical for transactions across a network.
In a further discussion about synchronized time in chapter 9, the author unfortunately makes an error when he states that local hardware is considered a stratum 1 time source since it gets its time from its own CMOS. From an NTP perspective, only a device that is directly linked to a stratum-0 device is called a stratum-1. CMOS clocks are notoriously inaccurate and can't be relied upon.
The title of chapter 12 is both amusing and accurate 'Planning to fail your first Audit'. The irony is that so many organizations lack a CISO or formal business security program in place designed to protect corporate information assets. They don't focus on information security as a process, rather as a set of products or regulatory items to be checked-off. Yet, these same organizations are surprised when they fail an audit.
The book concludes in chapter 13 with the well-known observation that security is a process, not an event. The book astutely notes that it is impossible to be PCI compliant without approaching security as a process. Trying to achieve compliance without integrating the various aspects in an integrated fashion is bound to fail.
Overall, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance is a great book for one of the most sensible security standards ever. Anyone who has PCI responsibilities or wants to gain a quick understanding of the PCI DSS requirements will find the book to be quite valuable.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know
You can purchase PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
The Ultimate Identity Theft Prevention Plan
Ben Rothke writes "It's a fallacy that our elected officials take forever to get things done. Two examples where Washington acted with speed are with the National Do Not Call Registry and the Sarbanes-Oxley Act. The National Do Not Call Registry was slated to take effect on October 1, 2003, but various marketing associations challenged its legitimacy and even if the FTC had the jurisdiction to enforce it. Notwithstanding, President Bush speedily signed the bill authorizing the no-call list to go into effect in September 2003 and the United State Court of Appeals upheld the constitutionality of the registry in February 2004. On June 25, 2002, WorldCom revealed it had overstated its earnings by more than $7 billion by improperly accounting for its operating costs. Senator Paul Sarbanes then introduced Senate Bill 2673 that same day where it passed 97-0 less than three weeks later. The House and Senate formed a Conference Committee to reconcile the differences between Sarbanes's bill and Representative Michael Oxley's bill (HR 3763) and on July 24, 2002, the Sarbanes-Oxley Act of 2002 was passed." Read on for the rest of Ben's review. Stealing Your Life: The Ultimate Identity Theft Prevention Plan author Frank W. Abagnale pages 256 publisher Broadway Books rating 8 reviewer Ben Rothke ISBN 0767925866 summary exposes the tactics of today's identity theft criminals and offers strategies to thwart them
The bottom line is that when politicians really want votes and PR, they can act swiftly. The frustration is exacerbated when politicians choose to do nothing when it comes to identity theft. In Stealing Your Life: The Ultimate Identity Theft Prevention Plan, Frank Abagnale details the frustration that consumers face (and will face in the years to come) when their identities are stolen, the ease at which the criminals carry out such crimes, and the months and often years of effort required to regain ones identity.
Abagnale's tenure on the criminal side long ago gives him the advantage that he knows firsthand how criminals think and such an outlook is pervasive throughout the book. Looking at the current state of identity protection, he states that he is personally horrified at how easy identity theft is. In fact, he calls it "a crook's dream come true". The book details incident after incident where criminals and criminal gangs obtained credit in someone else's name with ease.
What makes this worse is that the book shows how we haven't even scratched the surface of the identity theft problem. Everyone, including the FTC agrees that current identity theft figures are quite low, due to the fact that so many cases go unreported or undetected.
The book notes that lenders often miscategorize a good deal of identity theft because it looks like delinquent bills, as opposed to a crime. Only later does the victim realize what has been going on and complains, at which time it becomes apparent that fraud was involved. But by that time, the money has been written off as a credit loss and then appears as negative information on the victim's credit report.
Like many other books on the subject of identity theft, Stealing Your Life: The Ultimate Identity Theft Prevention Plan covers the main issues, and makes numerous suggestions on how to control your identity. What is interesting about the book is that Abagnale also focuses on why identity theft is so popular for today's criminals. One of the main reasons it that the person committing the crime has the odds significantly stacked in their favor. The book quotes a Gartner study that found that identity thieves have roughly a 1 in 700 chance of getting caught by law enforcement, which is a figure any criminal would jump at.
The books 13 chapters are written in an easy to read and compelling style. The early chapters detail the prime causes of what makes identity theft such a problem and astutely notes that a large part of the problem is that financial services companies are conducting business today by doling out credit like candy and do almost nothing to ascertain that people really are who they say they are when applying for credit. In addition, issuers of credit in their haste to rack up more business frequently accept a social security number from an applicant at face value, without demanding proof. The book lists many examples of where children and dead people have been given credit.
In chapter 6, the book lists 20 steps one can take in the hope of preventing identify theft. The author notes that since the punishment for identity theft, and the recovery of stolen goods from identity theft are so low, the only viable source of action is prevention by the individual. All 20 steps are fundamental, from protecting your social security number and examining your financial statements, to using a shredder and more.
Chapter 8 lists one of the more important points of the book, in which Abagnale writes that all credit and personal information should be opt-in based, as opposed to the prevalent opt-out requirement. Such an approach is what one would hope Congress would mandate, but does not have the tenacity to do. The problem is that if a consumer does not opt-out, they are giving the financial institution permission to share their personal information with the hundreds and often thousands of affiliates they share data with.
Companies obviously prefer opt-out, which shifts the burden to the consumer to take action to keep their information from being shared. With opt-in, the burden shifts and the financial services company has to prove that consumers granted their consent to have their personal information shared. National opt-in requirements would significant stem the flow of personal information, which is in part why identity theft is so easy to carry out.
Aside from a glaring error in chapter 12 where Abagnale erroneously writes that true authentication is impossible on the Internet and occasionally hawking companies he has financial dealings with, Stealing Your Life: The Ultimate Identity Theft Prevention Plan is an interesting and entertaining book on a subject of the fasting growing crime in the USA.
The book details what happens when an apathetic Congress and financial services industry do almost nothing to protect their constituents, and the thieves who have never had it easier. These identity thieves are able to acquire gigabytes of personal information without ever having to leave their workstations. When you factor in that the odds are in their favor of never being prosecuted, it leaves nearly every individual at risk for identity theft.
With Congress dropping the ball and doing nothing, Abagnale shows that it is up to each individual to take responsibility for protecting their own personal information. Stealing Your Life: The Ultimate Identity Theft Prevention Plan is indeed a great place to start such an approach.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know
You can purchase Stealing Your Life: The Ultimate Identity Theft Prevention Plan from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Security Metrics
Ben Rothke writes "The goal of security metrics is to replace fear, uncertainty, and doubt (FUD) with a more formalized and meaningful system of measurement. The FUD factor is the very foundation upon which much of information security is built, and the outcome is decades of meaningless statistics and racks of snake oil products. Let's hope that Andrew Jaquith succeeds, but in doing so, he is getting in the way of many security hardware and software vendors whose revenue streams are built on FUD." Read below for the rest of Ben's review. Security Metrics: Replacing Fear, Uncertainty, and Doubt author Andrew Jaquith pages 336 publisher Addison-Wesley rating 10 reviewer Ben Rothke ISBN 0321349989 summary Authoritative text on information security metrics
One could write a book on how FUD sells security products. One of the most memorable incidents was in 1992 when John McAfee created widespread panic about the impending Michelangelo virus. The media was all over him as he was selling solutions for the five million PCs worldwide he said would be affected. The end result is that the Michelangelo virus was a non-event. Nonetheless, it was far from the last time that FUD was used to sell security.
The allure of FUD is that companies can spend huge amounts of money fighting nebulous digital adversaries and feel good about it. They can then put all of that fancy hardware in dedicated racks in their data center, impressing the auditors with the flashing lights giving off an aroma of security and compliance.
And that is the chaos that security metrics comes to solve. Security metrics, if done right, can help transform a company from a nebulous perspective on security to an effective one based on formal security risk metrics.
Security Metrics is a fabulous book that should be in the hands of every security professional. The book demonstrates that companies must establish metrics based on their unique requirements, as opposed to simply basing their requirements on imprecise industry polls, best-practices and other ill-defined methods.
So why don't companies do that in the first place? If security metrics can provide even a quarter of the benefits that Jaquith states, companies should run to implement them. Real security metrics require an organization to open up their security hood and dig deep into the engine that runs their security infrastructure. It necessitates understanding the internal requirements, unique organizational risks, myriad strengths and weaknesses, and much more. Very few companies are willing to dedicate the time and resources for that, and would rather build their security infrastructure on thick layers of FUD. History has shown that the security appliance of the month almost always beats a formal risk and needs assessment.
Chapter 1 lays out the problem with approaches that most companies take to risk management. The main problem is that traditional risk management is far too dependant on identification and fixing, as opposed to quantification and triage based on value. Quantifying and valuing risk is much more difficult than simply identifying, since the software tools used do not have an organization context or knowledge of the specific business domain.
Chapter 2 sets out the foundation of security metrics. The goal of these metrics are to provide a framework in which organizations can quantify the likelihood of danger, estimate the extent of possible damage, understand the performance of their security organizations and weigh the costs of security safeguards against their expected effectiveness.
The time has come for security metrics since information security is one of the few management disciplines that have yet to submit itself to serious analytical scrutiny. The various chapters provide many different metrics that can be immediately used in most organizations to address that.
The author defines various criteria for what makes a good metric. One of his pet peeves is the use of the traffic light as a metaphor for compliance. Jaquith feels that traffic lights are not metrics at all, since they don't contain a unit of measure or are a numerical scale. He suggests using traffic lights colors sparingly, and only to supplement numerical data or draw attention to outliers. He astutely notes that if your data contains more precision than three simple gradations, why dilute their value by obscuring them with a traffic light.
The chapter concludes on what makes a bad metric, defined as any metric that relies too much on the judgment of a person. These metrics can't be relied on since the results can't be guaranteed to be the same from person to person. Also, security frameworks such as ISO-17799 should not be used for metrics. The book also tackles the sacred cow of risk management, namely ALE (annualized loss expectancy), and how it is significantly misused and misunderstood in the industry.
The book states that in developing metrics, there must be formal collaboration between the business units and the security staff. This collaboration serves to increase awareness and acceptance of security. In addition, it ensures that security requirements are incorporated into the lifecycle early on. This is needed as business units generally have no clue as to what the needed security requirements are.
Chapter 5 is a short course on analysis techniques and statistics. The author quotes George Colony who stated that "any idiot can tell you what something is. It is much harder to say what that thing means". With that, the book details a number of techniques for analyzing security data (average, median, time series, etc.) and how each one should be used.
Chapter 6 is about visualization and notes that most information security professionals have no real idea how to show security, both literally and figuratively. Part of the problem is that security is proliferated with esoteric terminology and concepts, and the lack of understanding risk management amongst the masses. Part of the reason for this difficulty in sharing the security message with management is that many security practitioners lack simple metaphors for communicating priorities. This is compounded by the fact that the message is often focused exclusively on technical security issues, as opposed to the underlying business issues, which is was management is concerned with. The chapter is invaluable as it weans one off the malevolent pie chart and traffic light PowerPoint presentation.
Marcus Ranum notes that people seem to want to treat computer security like its rocket science or black magic. In fact, computer security is nothing but attention to detail and good design. FUD is all about emphasizing the black magic aspect of hackers and other rogue threats. Metrics are all about the attention to detail that FUD lives to obfuscate.
Security Metrics: Replacing Fear, Uncertainty, and Doubt is one of the more important security books of the last few years. Jaquith turns much of the common security wisdom on its head, and the world will be a better place for it. Security metrics are a necessity whose time has come and this invaluable book shows how it can be done.
Ben Rothke, CISSP is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Security Metrics: Replacing Fear, Uncertainty, and Doubt from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Windows 2000 Name Services - What do you think?
ianna asks: "I read the description about the new win2k implementazion of name services at Lucent. It speaks about IETF compatibility, Dynamic DNS, SRV, LDAP and about removing NetBIOS and WINS (finaly!) I have the impression that this time Microsoft did things in the right way. Is it true? I'm an Opensource software advocate, but more that everything I always look for the best solution... This time I'm wondering: do we have something similar (or better) or shall we follow the Microsoft this time?" Interesting thought. Did Microsoft get it right this time, or is there a better solution?