To many practitioners, information security is a form of risk management. Since it is impossible to protect a complex system against all conceivable security threats, an approach based on the assessment of risk is employed to distinguish between the threats that are worth worrying about and those that aren’t. But what exactly does the concept of risk represent? How does one measure (never mind control) risk? This is an age-old problem mankind has been struggling with for centuries.
Against the Gods: The Remarkable Story of Risk is a historical overview of the advances made in the struggle to measure and control uncertainty. While the author’s viewpoint is primarily from the perspective of risk to investments made on the stock market, the lessons learned are of value to security professionals as well. Contrasted with the sophisticated methods employed by financial institutions controlling their exposure to the unpredictable ups and downs of the global economy, the risk management methods currently available to security managers seem crude and laughable in comparison. If we are to make any headway in the battle against identity theft, data breaches, malware, and all the other information security woes that currently plague us, we need better risk management tools, so that our limited security budgets can be spent more effectively.
I’ve posted a review of Understanding UNIX/LINUX Programming: A Guide to Theory and Practice by Bruce Molay on Amazon. While not a security topic per se, a solid grounding in systems programming is a prerequisite for vulnerability researchers and other technically oriented security professionals. Arguably, there is no better introduction to the subject than this book.
The news today is reporting that the City of San Francisco's computer systems have been hijacked by a rogue network engineer. The highly paid employee of the city's technology department had been exhibiting increasingly erratic behavior, which culminated in his locking out all other administrative access to the systems and refusing to divulge the password. The 43-year-old had been hired in spite of a felony record for aggravated robbery 25 years prior.
Two thoughts come to mind. First, the glaringly obvious: Knowingly hiring an individual with a criminal history for such a sensitive position was probably not a good idea. Second, it is essential to ensure that people in trusted positions are worthy of that trust. If ethics and work-life balance take a back seat to technical competence in a prospective job applicant’s value system, wise employers look elsewhere.
My Amazon review of Andrew Jaquith’s Security Metrics: Replacing Fear, Uncertainty, and Doubt has been posted. I wasn’t as enthusiastic about it as many others, and in my review, I explain why. Nevertheless, I found the thorough discussion of security metrics useful enough to give the book three stars. Managers charged with running an effective information security program should check it out.
Verizon Business Security Solutions has released a study of breach data from more than 500 forensic investigations conducted by their incident response team.
This is exciting because it represents an opportunity to examine trends from an objective data source instead of relying on the usual biased surveys and vendor-influenced trade publications. A fine example of the “new school” approach to information security.
I’ve just posted a review of Timothy P. Layton’s Information Security Awareness: The Psychology Behind the Technology on Amazon. There is a worthwhile premise within, but the book misses the mark by failing to build on it in any meaningful manner. You won’t miss much if you read the “Coles Notes” version of this one.
The government of India wants to monitor messages sent over the BlackBerry wireless network, because terrorists could be using these handheld devices to coordinate attacks. They are demanding that Canadian vendor Research In Motion hand over “master decryption keys” (which are very unlikely to exist) or lower the encryption level from 256 bits to 40 bits, presumably so that the Indian government can recover the keys by brute force: a 40-bit key space holds roughly a trillion keys and can be searched exhaustively on commodity hardware, whereas 256 bits is far beyond any conceivable search. What I don’t understand is, wouldn’t the terrorists use PGP to encrypt their e-mails anyway? Terrorist or not, who in their right mind would depend on a foreign vendor for something like this?
One of the more interesting information security books I have read recently is The New School of Information Security by Adam Shostack and Andrew Stewart. You can read my four star Amazon review of the book. It is a quick, enjoyable read and definitely recommended.
I read a lot. And I mean A LOT. At any point in time, I have dozens of technical books, white papers, journals, blogs, and news articles competing for my attention. Of course, I rarely get to them all, but I try to pick up at least one nugget of useful information from each reading session.
My father once told me that one should strive to know everything about one thing and something about everything. Words to live by, although neither part is achievable in any significant measure (well, I guess you COULD become an all-knowing expert in something trivial, but that wouldn’t be satisfying).
The field of information security appeals to me precisely because it is so well suited to the pursuit of this ideal. It is a subject area of incredible depth and breadth. Take cryptography, for example. The art and science of secret writing has a rich history dating back all the way to the ancient Egyptians and Babylonians. The Greeks and the Romans used simple transposition and substitution techniques for military communications: the Spartan scytale wrapped a strip of text around a rod of a particular diameter, and the Caesar cipher replaced each letter with the one a fixed number of places down the alphabet. Medieval cryptographers developed ever more sophisticated methods of encryption, yet each one eventually yielded to the ingenuity and sheer persistence of medieval cryptanalysts, who learned to exploit the letter-frequency statistics of the underlying language. Later came the age of machine cryptography, with the German Enigma being the most famous example. Some of the earliest programmable electronic computers, the Colossus machines at Bletchley Park, were built specifically to aid in the cryptanalysis of machine ciphers (the German Lorenz teleprinter cipher), and the electromechanical Bombe was built to attack Enigma. The digital information age ushered in an era of computer cryptography, rendering manual and machine encryption obsolete.
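To make the classical examples concrete, here is an added illustration that is not part of the original post: a Caesar shift (substitution) and a scytale (transposition) applied to a constructed sample message, followed by the two attacks that defeat them. The shift cipher falls to letter-frequency statistics (a chi-squared comparison against English letter frequencies), while the scytale keeps the plaintext's letter counts intact, so frequency analysis reports "already English" and the rod size has to be found by scoring candidate decryptions for common English trigrams instead. The sample text, the trigram list and the rod-size limit are my own assumptions for the demonstration.

```python
"""Classical substitution and transposition ciphers, and why each one falls.

Added example; the sample message below is constructed for this demonstration.
"""
from collections import Counter

# Approximate relative frequencies (percent) of letters in English text.
ENGLISH_FREQ = {
    'a': 8.167, 'b': 1.492, 'c': 2.782, 'd': 4.253, 'e': 12.702, 'f': 2.228,
    'g': 2.015, 'h': 6.094, 'i': 6.966, 'j': 0.153, 'k': 0.772, 'l': 4.025,
    'm': 2.406, 'n': 6.749, 'o': 7.507, 'p': 1.929, 'q': 0.095, 'r': 5.987,
    's': 6.327, 't': 9.056, 'u': 2.758, 'v': 0.978, 'w': 2.360, 'x': 0.150,
    'y': 1.974, 'z': 0.074,
}

# Common English trigrams (assumed list) used to rank transposition candidates.
COMMON_TRIGRAMS = ("the", "and", "ing", "ent", "ion", "her",
                   "for", "tha", "nth", "int", "ere", "tio")

# Constructed sample message (about 180 letters, enough for the statistics to bite).
SAMPLE = ("the senate has ordered the legion to march north at first light and "
          "secure the bridge over the river before the enemy can gather their "
          "forces the supply wagons will follow one day behind with grain and "
          "water for the men")


def normalize(text: str) -> str:
    """Keep only letters, lowercased, as a classical scribe would have written them."""
    return ''.join(ch for ch in text.lower() if 'a' <= ch <= 'z')


def caesar_shift(text: str, shift: int) -> str:
    """Caesar substitution: replace each letter with the one `shift` places later.

    A negative shift decrypts (Python's % keeps the result in 0..25)."""
    return ''.join(chr((ord(ch) - 97 + shift) % 26 + 97) for ch in normalize(text))


def scytale_encrypt(text: str, rod: int) -> str:
    """Scytale transposition: write the text in rows of `rod` letters, read it off by columns."""
    plain = normalize(text)
    return ''.join(plain[i::rod] for i in range(rod))


def scytale_decrypt(cipher: str, rod: int) -> str:
    """Undo the scytale: split the ciphertext back into `rod` columns and re-interleave them."""
    length = len(cipher)
    columns, pos = [], 0
    for i in range(rod):
        size = (length - i + rod - 1) // rod   # number of letters at positions i, i+rod, ...
        columns.append(cipher[pos:pos + size])
        pos += size
    rows = max(len(col) for col in columns)
    return ''.join(col[r] for r in range(rows) for col in columns if r < len(col))


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and English: lower is more English-like."""
    counts = Counter(text)
    n = len(text)
    total = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = pct * n / 100
        total += (counts[letter] - expected) ** 2 / expected
    return total


def break_caesar(cipher: str) -> int:
    """Recover the shift by trying all 26 and keeping the most English-looking decryption.

    Applied to a transposition ciphertext this returns 0: the letter counts never changed."""
    return min(range(26), key=lambda s: chi_squared(caesar_shift(cipher, -s)))


def break_scytale(cipher: str, max_rod: int = 12) -> int:
    """Recover the rod size: frequency statistics are useless here, so rank candidate
    rod sizes by how many common English trigrams their decryption contains."""
    def trigram_hits(candidate: str) -> int:
        return sum(candidate.count(t) for t in COMMON_TRIGRAMS)
    return max(range(2, max_rod + 1), key=lambda rod: trigram_hits(scytale_decrypt(cipher, rod)))


if __name__ == "__main__":
    shifted = caesar_shift(SAMPLE, 7)
    print("caesar ciphertext :", shifted[:40], "...")
    print("recovered shift   :", break_caesar(shifted))
    wrapped = scytale_encrypt(SAMPLE, 7)
    print("scytale ciphertext:", wrapped[:40], "...")
    print("best caesar shift for scytale text:", break_caesar(wrapped), "(i.e. not a substitution)")
    print("recovered rod size:", break_scytale(wrapped))
```

The two attacks illustrate the general lesson of the paragraph above: a substitution cipher preserves the position of each letter but changes its identity, so the language's letter statistics leak straight through the ciphertext, while a transposition preserves each letter's identity but scrambles its position, so the attacker has to look at structure between letters (trigrams here) rather than counts of single letters.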
One could write volumes on the history, theory, practice and applications of cryptography, yet it is only one small aspect of the much broader field of information security. Should you ever attain utter and complete enlightenment in all things cryptographic, your immense intellect would not want for additional pursuits. Authentication and access control. Physical security. Network and telecommunications security. Application and database security. Digital forensics and incident response. Malware research. Each represents a rich area of specialization and in-depth study.
Sadly, life is too short to get to them all.