Beautiful Security
brothke writes "Books that collect chapters from numerous expert authors often fail to do more than be a collection of disjointed ideas. Simply combining expert essays does not always make for an interesting, cohesive read. Beautiful Security: Leading Security Experts Explain How They Think is an exception to that and is definitely worth a read. The book's 16 chapters provide an interesting overview of the current and future states of security, risk and privacy. Each chapter is written by an established expert in the field, and each author brings their own unique insights and approach to information security." Keep reading for the rest of Ben's review.
Beautiful Security: Leading Security Experts Explain How They Think
Editors: Andy Oram and John Viega
Pages: 300
Publisher: O'Reilly Media
Rating: 9/10
Reviewer: Ben Rothke
ISBN: 978-0596527488
Summary: An eye-opening book that will challenge you
A premise of the book is that most people don't give security much attention until their personal or business systems are attacked or breached. The book notes that criminals often succeed by exercising enormous creativity when devising their attacks. They think outside of the box which the security people built to keep them out. Those who build defenses around digital assets must apply the same creativity when designing an information security solution.
Unfortunately, far too few organizations spend enough time thinking creatively about security. More often than not, it is simply about deploying a firewall and hoping the understaffed security team can deal with the rest of the risks.
The 16 essays, arranged around no particular theme, are meant to show how fascinating information security can be. This is in contrast to how security is often perceived: as an endless series of dialogue boxes and warnings, or some other block keeping a user from the web site or device they want to access. Each of the 16 essays is well-written, well-organized and well-argued. The following four chapters are particularly noteworthy.
Chapter 3 is titled Beautiful Security Metrics and details how security metrics can be used effectively, rather than simply being a vehicle for producing random statistics for management. Security metrics are a critical prerequisite for turning IT security into a science instead of an art. With that, author Elizabeth Nichols argues that the security profession needs to change in ways that emulate the medical profession when it comes to metrics. She notes specifically that security must develop a system of vital signs and generally accepted metrics, in the same way that physicians work from them. The chapter also provides excellent insights on how to use metrics, along with high-level questions that can be used to determine how effective security is within an organization.
Chapter 6 deals with online advertising and the myriad problems in keeping it honest. Author Benjamin Edelman observes a problem with the online supply chain as opposed to the brick-and-mortar (BAM) world: BAM companies have long-established procurement departments with robust internal controls and carefully trained staff who evaluate prospective vendors to confirm their legitimacy. In the online world, predominantly around Google AdSense, most advertisers and advertising networks lack any comparable rigor for evaluating their vendors. That has created a significant avenue for online advertising fraud, of which the online advertising industry is itself a victim.
Edelman writes that he has uncovered hundreds of online advertising scams defrauding hundreds of thousands of users, in addition to the merchants themselves. The chapter details many of the deceptive advertisements he has found, and shows how web ads that tout something as free are most often far from it.
Chapter 7 is about PGP and the evolution of the PGP web of trust scheme. The chapter is written by PGP creator Phil Zimmermann and current PGP CTO Jon Callas. It has been a long while since Zimmermann has written anything authoritative about PGP, so the chapter is a welcome one. Zimmermann and Callas note that while a lot has been written about PGP, much of it contains substantial inaccuracies. The chapter provides invaluable insights into PGP and the history and use of cryptography. It also gives a thorough overview of the original PGP web of trust model, and of the recent enhancements that bring PGP's web of trust up to date.
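The original web of trust model the chapter covers rests on a small rule: a key becomes valid once enough already-valid keys whose owners you trust as introducers have certified it, and a key's owner being trusted is a separate decision from the key being valid. The following is an added illustration of that classic computation, not code from the book, from Zimmermann and Callas, or from any PGP implementation. The thresholds (one fully trusted signer or two marginally trusted signers, with a chain depth limit of five) are the PGP 2.x-era defaults as I recall them and are assumptions here; GnuPG ships with three marginals by default. The key ids and signatures are constructed sample data.

```python
"""Classic PGP web-of-trust validity computation (added illustration)."""

# Assumed tunables from the classic PGP trust model. PGP 2.x shipped with
# one complete or two marginal introducers; GnuPG's defaults are 1, 3 and a
# maximum certification depth of 5.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 2
MAX_CERT_DEPTH = 5


def compute_validity(signatures, owner_trust, ultimate,
                     completes_needed=COMPLETES_NEEDED,
                     marginals_needed=MARGINALS_NEEDED,
                     max_cert_depth=MAX_CERT_DEPTH):
    """Return {key_id: depth} for every key whose validity can be established.

    signatures:  key_id -> set of key_ids that certified (signed) that key
    owner_trust: key_id -> "full" | "marginal" | "none"; how much you trust
                 the key's owner to certify *other* keys (introducer trust)
    ultimate:    your own key_ids; valid by definition, at depth 0

    Validity and trust are deliberately kept apart: a key is valid when enough
    trusted introducers have certified it, but its owner is a trusted
    introducer only if you said so. A certification counts only when the
    signing key is itself already valid, and self-signatures never count.
    """
    valid = {key_id: 0 for key_id in ultimate}

    def introducer_trust(key_id):
        # Your own keys are unconditionally trusted introducers.
        return "full" if key_id in ultimate else owner_trust.get(key_id, "none")

    # Expand one certification hop per round so each key records the shortest
    # chain back to one of your keys; stop at the configured depth limit.
    for depth in range(1, max_cert_depth + 1):
        newly_valid = {}
        for key_id, signers in signatures.items():
            if key_id in valid:
                continue
            counted = [s for s in signers if s in valid and s != key_id]
            full = sum(1 for s in counted if introducer_trust(s) == "full")
            marginal = sum(1 for s in counted if introducer_trust(s) == "marginal")
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid[key_id] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


# Constructed sample keyring: who certified whom (names stand in for key ids).
SAMPLE_SIGNATURES = {
    "bob":     {"alice"},
    "carol":   {"alice"},
    "dave":    {"alice"},
    "erin":    {"carol", "dave"},   # two marginal introducers
    "frank":   {"carol"},           # only one marginal introducer
    "grace":   {"erin"},            # erin is valid but not a trusted introducer
    "heidi":   {"bob"},             # one full introducer
    "mallory": {"mallory"},         # self-signed only
    "ivan":    {"mallory"},         # signer is trusted but was never validated
}

# How much alice trusts each owner as an introducer (constructed).
SAMPLE_OWNER_TRUST = {
    "bob": "full",
    "carol": "marginal",
    "dave": "marginal",
    "mallory": "full",   # trust without validity must not count
}


def sample_validity(marginals_needed=MARGINALS_NEEDED):
    """Validity of the sample keyring as seen from alice's ultimate key."""
    return compute_validity(SAMPLE_SIGNATURES, SAMPLE_OWNER_TRUST,
                            ultimate={"alice"}, marginals_needed=marginals_needed)


if __name__ == "__main__":
    for key_id, depth in sorted(sample_validity().items()):
        print(f"{key_id:8s} valid at depth {depth}")
```

Running it shows bob, carol and dave valid at depth 1, erin and heidi at depth 2, and nothing else: frank has only one marginal introducer, grace is certified by a valid but untrusted key, and ivan's signer mallory is fully trusted yet never validated, so that trust is never exercised. Raising marginals_needed to 3 drops erin, which is the practical effect of GnuPG's stricter default.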
Chapter 9 is one of the standout chapters in the book. Mark Curphey writes about the need to get people, processes and technology to work together so that the humans involved in information security can make better decisions. In the chapter, Curphey deals with topical issues such as cloud computing, social networks, security economics and more. Curphey notes that when he starts giving a presentation, he does it with the following quotation from Upton Sinclair: "It is difficult to get a man to understand something when his salary depends on his not understanding it." He uses the quote to challenge listeners (and readers, in this case) to question why they are being presented with particular ideas, which serves as a reminder of the common, subtle biases behind thoughts and ideas presented as fact.
In its 300 pages, Beautiful Security is both a fascinating and an enjoyable read. There are numerous security books that weigh a few pounds and use reams of paper yet don't have a fraction of the real content that Beautiful Security has. With other chapters from industry luminaries such as Jim Routh, Randy Sabett, Anton Chuvakin and others, Beautiful Security is a required read.
For those who have an interest in information security, or those who are frustrated by it, Beautiful Security is an eye-opening book that will challenge you and change the way you think about information security. It is a good book for those who think information security is simply about deploying hardware, and an even better book for those who truly get information security.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Beautiful Security: Leading Security Experts Explain How They Think from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
"They think outside of the box which the security people built to keep them out."
OK, so the security people got them where they want them... they should get worried once they start thinking _inside_ the box.
Security Engineering: A Guide to Building Distributed Systems by Ross Anderson. It is actually an enjoyable textbook to read, and Anderson provides many insights into security that are easy to overlook, miss, or are highly counter-intuitive.
Palm trees and 8
While these essays are probably available in some form or another on the web, I'll be in for one of these books. Thank you for the review.
As an Information Security professional, I look for books and other easy-to-read documentation that I can recommend to management and others who indicate an interest in (or need a push in the right direction on) info security. Most of the time, if I e-mail them a link or story, it gets blown off. If I can put a document (screw paper saving) in their hands, or a book with a chapter as "homework", I seem to get a better response.
Because a cactus has a backdoor. An animal can come up from below, exploiting a stack overflow through the roots to get to the plant's meat.
I see you've been camping in the southwest with Sarah Jessica Parker.
O'Reilly Media usually puts out pretty good books in the field of Information Sciences, and I would be interested in reading the wireless networking chapter by Jim Stickley. I see an issue with the review, however, an issue that makes me think the reviewer is incompetent. "Unfortunately, far too few organizations spend enough time thinking creatively about security. More often than not, it is simply about deploying a firewall and hoping the understaffed security team can deal with the rest of the risks." I see an issue with this statement, in large part because it is not true. The problem is not the lack of time spent on creativity; it is a lack of creativity from schooling. Most attackers find creative ways to get into systems because they taught themselves. They only have an objective and no process they have to follow. Many security professionals learned a process of coding and of doing things and think they need to follow it. The professionals need to think like the attackers in order to defend against them. It is like using a tiger team to test your network: they can fix your network the best because they are thinking of ways to break into it first.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
...the book Beautiful Code which was a collection of essays about, well, beautiful code. The chapter "Another Level of Indirection" by Diomidis Spinellis was one of my favorites. There were some misses in there, but overall definitely worth a look.
Another thing - all the author royalties for Beautiful Code were donated to Amnesty International. Not sure if Beautiful Security is the same way, but, neat idea.
The Army reading list
I see you've been camping in the southwest with Sarah Jessica Parker.
I've done a couple of Google searches to try and figure out WTH you're talking about, but I'm stumped. Care to clue us in to your reference?
"A Beautiful Secretary."
Imagine my disappointment.
I see you've been camping in the southwest with Sarah Jessica Parker.
I've done a couple of Google searches to try and figure out WTH you're talking about, but I'm stumped. Care to clue us in to your reference?
Just think outside the box. Not very far outside it, I might add.
I see you've been camping in the southwest with Sarah Jessica Parker.
I've done a couple of Google searches to try and figure out WTH you're talking about, but I'm stumped. Care to clue us in to your reference?
Here's a hint: "human" is the last word you could use to classify her in a taxonomy of earthly species. Equine, anteater, cactus tunneler, anything is more accurate.
If the tables were turned and Apple was the "big dog", it would be the OS being hacked, not Windows. Suggesting another OS is nothing more than security via obscurity, because hackers will go where they can do the most damage. Windows has the biggest market share, so they get the most hits... BeOS doesn't have any viruses either...
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
This is all meant in the best spirit of camaraderie. To summarize is not the purpose of a book review. The purpose is to explain to the reader why they should (or should not) read the book. Furthermore, chapter summaries are almost always redundant. Write concisely. Good opening. Informative. Understandable. Few spelling or grammar mistakes, though they were fairly noticeable and detracted from the tone of the piece.
Compare to the following reworking of your review. Basically, you have a short paragraph of content:
Books that collect chapters from expert authors often fail to do more than present disjointed ideas. "Beautiful Security: Leading Security Experts Explain How They Think" is an exception: the book provides an interesting overview of security, risk and privacy and comprises 16 essays, each showing how fascinating information security can be. Each of the essays is written by an established security expert and is organized and well-argued. With chapters from industry luminaries such as Mark Curphey, Jim Routh, Randy Sabett, Anton Chuvakin and others, "Beautiful Security" is required reading. The book highlights the importance of security metrics, with author Elizabeth Nichols explaining why the security profession should change to more closely emulate the medical profession, in that a system of vital signs and accepted metrics should be adopted. Author Benjamin Edelman reports a problem with the online supply chain, in that it does not have long-established practices to confirm the legitimacy of vendors. This has created an avenue for fraud. He has uncovered hundreds of online advertising scams defrauding hundreds of thousands of users, in addition to the merchants themselves, and provides details of these scams. In a welcome and long-absent authoritative appearance by PGP creator Phil Zimmermann, as well as current PGP CTO Jon Callas, the pair highlight substantial inaccuracies in other writing on PGP, and provide insight into the history and use of cryptography, the PGP web of trust model, and recent enhancements to that model. The book details the need to get people, processes and technology to work together to make better security decisions. It also details emerging security topics relating to cloud computing, social networks, and the economics of security. For those that have an interest in information security, or those that are frustrated by it, "Beautiful Security" will be an entertaining yet challenging read.
A better review would briefly explain why these ideas are important, giving the separate highlighted ideas their own paragraph or two. A good rule of thumb is to explain an idea rather than only present it; the explanation presents the idea in context so the reader will not only know what is in the book but know why they may want to read it.
Cheers and good luck!
I am puzzled and intrigued by your statements. In order to further my understanding of the world, could you please check all that apply:
[ ] I am a troll.
[ ] I am a humor writer.
[ ] I do not understand the nature of security as it affects all computers and networks, and not only the laptop my mother bought me.
[ ] I believe that a virtually 100% secure operating system requires security updates. (If so, for what?)
[ ] I do not know what "argumentum ad ignorantiam" means.
[ ] I believe that Apple is staffed by level 84 wizards with computers enchanted with "detect traps."
Thank you for your participation. Your answers will be kept as anonymous as you desire.
While the parent is obviously wrong (not even trojans can work on OS X, wow!), I wonder if what you say isn't just a small bit biased too. I mean, I honestly do wonder. Obviously, OS X or Linux would have plenty of security problems, but I bet they would be less dangerous or meaningful than the vulnerabilities in Windows. I haven't been following that debate for a while, but IIRC OS X has had far fewer remote code execution exploits than Windows has... Anyway, maybe you or someone else will prove me wrong and enlighten this discussion a bit more.
I do not know what "argumentum ad ignorantiam" means.
The only reason to use Latin is to be a show-off. The phrase "argument through ignorance" should suffice. It's been my observation that the use of jargon, dead languages, and foreign languages does NOT enhance communication, and its only purpose is to show the audience how "smart" you are.
Any time anyone does this, I get suspicious of their knowledge and/or credentials: what does he have to hide? I suspect that Mr. AC most likely does NOT understand security, but he does have a point - Windows' market share is a reason they are targeted, but it's only one of a number of reasons. If Apple had 90% market share you would indeed have more Apple viruses, but I don't believe there would be as many or that they would be as bad.
Free Martian Whores!
That is absolute nonsense.
With zero empirical evidence.
Well, in this case the reason for using Latin is probably "Because that's the proper name of the rhetorical device in question". For whatever reason, logical errors and rhetorical devices are mostly known by Latin names. If your primary exposure to rhetoric and logical fallacies was through a class in college (generally the case when people can give proper names to these devices), that's probably how you learned them. Though I know perfectly well that "reductio ad absurdum" means "reduction to absurdity", I always think of the logical device by the Latin name. It's how it was taught to me.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
For the record, there were other reasons to use Latin. First, it's what I remembered first. Second, undoubtedly resulting in the first, my girlfriend is taking an introduction to logic class this summer, and I've been perusing my old textbook for nostalgia and interest. Last, I am an obnoxious linguistic prescriptivist, and "argument through ignorance" doesn't (to my mind) cover the full breadth of the Latin term, e.g. argument from personal incredulity or argument by lack of imagination.
:)
Also, I'm kind of a show off, and I like it when other people use the fancy phrases because I can always copy-paste-Google and probably end up learning something. If I'm just being a tool, my sincere apologies.
As to your last paragraph, I agree completely with it, in its entirety.
Maybe I'm too much of a man, or maybe I'm sex starved 'coz I'm married (if you're married, you know what I mean), but the title Beautiful Security made me think of something else entirely.
Heh, I've been out of college for decades. I barely remembered it from my logic class, and had to hit Wikipedia to be sure.
good book review
Hey, thank you for that rework. I loathe these "tl;dr" ultra-long low-density /. "summaries". If I want to read a book, I go and read the original book. ^^
We should follow what I heard is seen as good style in Japan: to keep your statements as short and precise as possible. Or, in other words, to talk efficiently and compactly.
I prefer reading the same sentence thrice to reading three sentences.
Any sufficiently advanced intelligence is indistinguishable from stupidity.