Beautiful Security

brothke writes "Books that collect chapters from numerous expert authors often fail to do more than be a collection of disjointed ideas. Simply combining expert essays does not always make for an interesting, cohesive read. Beautiful Security: Leading Security Experts Explain How They Think is an exception to that and is definitely worth a read. The book's 16 chapters provide an interesting overview to the current and future states of security, risk and privacy. Each chapter is written by an established expert in the field and each author brings their own unique insights and approach to information security." Keep reading for the rest of Ben's review.

Beautiful Security: Leading Security Experts Explain How They Think
author	Andy Oram and John Viega
pages	300
publisher	O'Reilly Media
rating	9/10
reviewer	Ben Rothke
ISBN	978-0596527488
summary	An eye-opening book that will challenge you

A premise of the book is that most people don't give security much attention until their personal or business systems are attacked or breached. The book notes that criminals often succeed by exercising enormous creativity when devising their attacks. They think outside of the box which the security people built to keep them out. Those who create defenses around digital assets must similarly use creativity when designing an information security solution.

Unfortunately, far too few organizations spend enough time thinking creatively about security. More often than not, it is simply about deploying a firewall and hoping the understaffed security team can deal with the rest of the risks.

The 16 essays, arranged in no particular theme, are meant to show how fascinating information security can be. This is in defense to how security is often perceived, as an endless series of dialogue boxes and warnings, or some other block to keep a user from the web site or device they want to access. Each of the 16 essays is well-written, organized and well-argued. The following 4 chapters are particularly noteworthy.

Chapter 3 is titled Beautiful Security Metrics and details how security metrics can be effectively used, rather than simply being a vehicle for creating random statistics for management. Security metrics are a critical prerequisite for turning IT security into a science, instead of an art. With that, author Elizabeth Nichols notes that the security profession needs to change in ways that emulate the medical professional when it comes to metrics. She notes specifically that security must develop a system of vital signs and generally accepted metrics in the same way in which physicians work. The chapter also provides excellent insights on how to use metrics, in addition to high-level questions that can be used to determine how effective security is within an organization.

Chapter 6 deals with online-advertising and the myriad problems in keeping it honest. Author Benjamin Edelman observed a problem with the online supply chain world, as opposed to brick and mortar (BAM) world, in that BAM companies have long-established procurement departments with robust internal controls, and carefully trained staff who evaluate prospective vendors to confirm legitimacy. In the online world, predominantly around Google AdSense, most advertisers and advertising networks lack any comparable rigor for evaluating their vendors. That has created a significant avenue for online advertising fraud, of which the online advertising is a victim too.

Edelman writes that he has uncovered hundreds of online advertising scams defrauding hundreds of thousands of users, in addition to the merchants themselves. The chapter details many of the deceptive advertisements that he has found, and shows how often web ads that tout something for free are most often far from it.

Chapter 7 is about the PGP and the evolution of the PGP web of trust scheme. The chapter is written by PGP creator Phil Zimmerman, and current PGP CTO Jon Callas. It has been a long while since Zimmerman has written anything authoritative about PGP, so the chapter is a welcome one. Zimmerman and Callas note that while a lot has been written about PGP, much of it contains substantial inaccuracies. The chapter provides invaluable insights into PGP and the history and use of cryptography. It also gives a thorough overview of the original PGP web of trust model, and recent enhancements bring PGP's web of trust up to date.

Chapter 9 is one of the standout chapters in the book. Mark Curphrey writes about the need to get people, processes and technology to work together so that the humans involved in information security can make better decisions. In the chapter, Curphrey deals with topical issues such as cloud computing, social networks, security economics and more. Curphrey notes that when he starts giving a presentation, he does it with the following quotation from Upton Sinclair — "it's difficult to get a man to understand something when his salary depends on him not understanding it." He uses the quote to challenge listeners (and readers in this case) to question the reason why they are being presented the specific ideas, which serves as a reminder of common, subtle biases for thoughts and ideas presented as fact.

In its 250 pages, Beautiful Security is both a fascinating an enjoyable read. There are numerous security books that weigh a few pounds and use reams of paper which don't have a fraction of the real content that Beautiful Security has. With other chapters from industry luminaries such as Jim Routh, Randy Sabett, Anton Chuvakin and others, Beautiful Security is a required read.

For those that have an interest in information security or those that are frustrated by it, Beautiful Security is an eye-opening book that will challenge you, and change the way you think about information security. It is a good book for those whose who think information security is simply about deploying hardware, and an even better book for those who truly get information security.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Beautiful Security: Leading Security Experts Explain How They Think from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Re:

[mcgrew]

I was about to get modded "redundant" because I almost posted the exact same comment. I wish people would understand what a phrase meant before trying to use it constructively, because if you don't understand a word or phrase, you will miscommunicate.

"Thinking outside the box" means thinking beyond marketing -- thinking about how the customer will use the product once the box is in the landfill.

The use of the phrase in the summary is a great example of not having a clue.

Re:Thinking outside the box

[theheadlessrabbit]

I wish people would understand what a phrase meant before trying to use it constructively..."Thinking outside the box" means thinking beyond marketing -- thinking about how the customer will use the product once the box is in the landfill. The use of the phrase in the summary is a great example of not having a clue.

the phrase "think outside the box" may have meant that at one time, but its meaning has evolved since then. Now, when people say 'think outside the box' they mean "take an unconventional approach to problem solving". 'The box' is no longer referring to 'a box' that a product comes in. 'The box' is a metaphor for 'the class room', 'the board room', or 'the established paradigm'

words change meaning with time. this is not a bad thing.

Re:

[stevied]

AFAIK, the meaning of "box" in that expression is much more general, see:

http://en.wikipedia.org/wiki/Thinking_outside_the_box [wikipedia.org]

Re:

[cinderblock]

This is why I always think outside the dodecahedron. :-p

Now that you have seen the trick, you can use it everywhere too!

Additional recommended reading

[betterunixthanunix]

Security Engineering: A Guide to Building Distributed Systems by Ross Anderson. It is actually an enjoyable textbook to read, and Anderson provides many insights into security that are easy to overlook, miss, or are highly counter-intuitive.

Re:

[karlconnors]

Make sure you read the second, updated edition.

Even better than the first edition.

Re:

[betterunixthanunix]

I agree, although the first addition is free (in all sense of the term) on Anderson's website.

Re:

[betterunixthanunix]

s/addition/edition/

Re:

[unfasten]

For those interested: http://www.cl.cam.ac.uk/~rja14/book.html [cam.ac.uk]
And a link straight to the book: http://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf [cam.ac.uk]

Quote from the author:

My goal in making the first edition freely available five years after publication was twofold. First, I wanted to reach the widest possible audience, especially among poor students. Second, I am a pragmatic libertarian on free culture and free software issues; I think that many publishers (especially of music and software) are too defensive of copyright. (My colleague David MacKay found that putting his book on coding theory online actually helped its sales. Book publishers are getting the message faster than the music or software folks.) I expect to put the whole second edition online too in a few years.

I have a hard copy of this, and while I've only read a select few chapters I have to say I enjoy the book. Definitely recommended to anyone who has a interest in any kind of security, be it information security or anything all the way upto securing a nuclear missile.

Thnx

[hurting now]

While these essays are probably available in some form or another on the web, I'll be in for one of these books. Thank you for the review.

As an Information Security professional, I look for books and other easy to read documentation that I can recommend to management and others who indicate an interest in (or need a push in the right direction) info security. Most of the time, if I e-mail them a link or story, it gets blown off. If I can put a document (screw paper saving) in their hands or a book wi

Re:

[Coldmoon]

The essays are exclusive to this book

Could be a good read

[gubers33]

O'Reilly Media usually puts out pretty good books in the field of Information Sciences and I would be interested in reading the wireless networking chapter by Jim Stickley. I see an issue with the review, however an issue that makes me think the reviewer is incompetent. "Unfortunately, far too few organizations spend enough time thinking creatively about security. More often than not, it is simply about deploying a firewall and hoping the understaffed security team can deal with the rest of the risks." I

Re:Could be a good read

[mungtor]

I don't think he was implying that security professionals are incapable of creativity. In most organizations security is considered an inconvenience, a budget drain, and an afterthought. Very rarely is an IT team staffed appropriately to allow the time and flexibility for anybody to try to think creatively about security. Even if they had the time, convincing people to spend money to prevent attacks that haven't happened yet is more difficult than it should be.

Being pulled away from a firewall deployment because one of the many Finance printers is out of toner is a lot more common than one would think.

Re:

[yhetti]

You're forgetting another critical thing....a lot of security is Cover Your Ass work, and nothing more. If you think too creatively, it means you've moved outside the scope of "best practices." Best Practices are what will Cover Your Ass when something goes wrong and you end up in court because 10k credit card numbers are in the open. Judges and managers don't want to hear that you found a totally awesome way to secure SQL server transactions by using fiberchannel instead of regular ethernet. They just

Re:

[karlconnors]

>>>>The problem is not the lack of time spent on creativity, it is a lack of creativity from schooling.

Semantics no?
Decent review, and reviewers observations seems correct.

Re:

[morgan_greywolf]

The problem is not the lack of time spent on creativity, it is a lack of creativity from schooling. Most attackers find creative ways to get into systems because they taught themselves. they only have an objective and no process they have to follow. Many security professionals learned process of coding and of doing things and think they need to follow it. The professionals need to think like the attackers, in order to defend against them. It is like using a tiger team to test your network, they can fix your network the best cause they are thinking of ways to break into it first.

You hit the nail right on the head! It's like a war where one side is using traditional war tactics, and the other side are guerilla freedom fighters. The tendency of a large military organization is to see the war as a problem of engineering and management, whereas the guerilla freedom fighters are willing to do whatever it takes out think and thwart their enemy, and part of guerilla mindset is, "even though we're outmanned and outequipped, we can still win if we sit here and think of ways to beat our en

Re:

[DiegoBravo]

A beautiful but missing chapter would be titled "Why security standards and certifications are mostly useless (even counterproductive.)".

Re:

[NES HQ]

You could really argue this point either way and the truth, like most things, lies somewhere in the middle. The argument is [obviously] subjective since there are no real metrics to base 'how effective' someone is. Instead these opinions are, in my experience, formed based on experiences. I run into a fair number of folks who think that certs are useless because they ran across someone who was heavily certified and their company/client was breached or they were flat our incompetent. On the other hand I've r

Re:

[DiegoBravo]

The main drawback I see in current certifications and even full "security careers" is that they see the subject as a tool for approving audits. So the "professionals" end doing a lot of paperwork that helps the organization to comply with some kind of standards, but technically remains totally insecure. Sadly, that's my experience from the big companies I had opportunity to work into.

Re:

[NES HQ]

I would definitely, definitely agree with that statement.

How could we possibly be at fault for this problem? We hired a [Insert security cert here]-certified professional so I can't fathom how this could be our fault.

Re:

[karlconnors]

The problem is that people see certs as an end-all, when they really are the beginning.

Certifications are great, but one should use them as a stepping stone, not a retiring stone.

Andy Oram also edited...

[tcopeland]

...the book Beautiful Code [amazon.com] which was a collection of essays about, well, beautiful code. The chapter "Another Level of Indirection" by Diomidis Spinellis was one of my favorites. There were some misses in there, but overall definitely worth a look.

Another thing - all the author royalties for Beautiful Code were donated to Amnesty International. Not sure if Beautiful Security is the same way, but, neat idea.

Re:

[SilentGhost]

Neat idea that needs to be advertised! Not every one enjoys being tricked into support of charities. I, for one, think that Beautiful Code was very poorly edited/organised and written. The only real ideas about beautiful code were Matsumoto's. And they certainly don't warrant either spending money on a book, nor supporting AI.

Re:

[Danse]

Neat idea that needs to be advertised! Not every one enjoys being tricked into support of charities.

How is it really any of your business what the authors/publishers do with the money they make? If they want to make it public, fine, but they're certainly not remotely obligated to. Do you demand to know what the charities a car dealer gives to before you buy a car from them? What about the other companies or individuals you purchase things from?

Re:

[Tony-A]

When a book or charitable affair is advertised as being for a charitable purpose, then it is my business to know what the arrangement is. And there is a big difference between profits and proceeds.
If a car dealer provides a car that is raffled off to some charity, it does matter if that charity is the car dealer's own pocket.

One reason for that kind of arrangement is that it avoids messy arguments about who gets what percentage of the profits/proceeds -- as in who gets more than whom.

Re:

[Danse]

However much they want to advertise it is certainly up to them. Not you. Apparently it wasn't advertised enough for you to know about it. It's not even comparable to raffling off a car. They're selling the book, not raffling them off. There's no deception here.

Re:

[Coldmoon]

All royalties are donated to the Internet Engineering Task Force (IETF)

Re:

[night_flyer]

if the tables were turned and Apple was the "big dog" it would be the OS being hacked, not Windows. suggesting another OS is nothing more than security via obscurity cause hackers will go where they can do the most damage, Windows has the biggest market share, so they get the most hits... BeOS doesn't have any viruses either...

Re:

[cromar]

While the parent is obviously wrong (not even trojans can work on OS X, wow!), I wonder if what you say isn't just a small bit biased too. I mean, I honestly do wonder. Obviously, OS X or Linux would have plenty of security problems, but I bet they would be less dangerous or meaningful than the vulnerabilities in Windows. I haven't been following that debate for a while, but IIRC OS X has had far fewer remote code execution exploits than Windows has... Anyway, maybe you or someone else will prove me wron

Re:

[Polumna]

I am puzzled and intrigued by your statements. In order to further my understanding of the world, could you please check all that apply:

[ ] I am a troll.
[ ] I am a humor writer.
[ ] I do not understand the nature of security as it effects all computers and networks, and not only the laptop my mother bought me.
[ ] I believe that a virtually 100% secure operating system requires security updates. (If so, for what?)
[ ] I do not know what "argumentum ad ignorantiam" means.
[ ] I believe that Apple is staf

Re:

[mcgrew]

I do not know what "argumentum ad ignorantiam" means.

The only reason to use Latin is to be a show-off. The phrase "argument through ignorance" should suffice. It's been my observation that the use of jargon, dead languages, and foreign languages do NOT enhanse communication, and their only purpose is to show the audience how "smart" you are.

Any time anyone does this, I get suspicious of their knowledge and/or credentials: what does he have to hide? I suspect that Mr. AC most likely does NOT understand secur

Re:

[DrgnDancer]

Well in this case the reason for using Latin is probably "Because that's the proper name of the rhetorical device in question". For whatever reason, logical errors and rhetorical devices are mostly known by Latin names. If your primary exposure to rhetoric and logical fallacies was through a class in college (generally the case when people can give proper names to these devices), that's probably how you learned them. Though I know perfectly well that "Reductum ad Absurdum" means "reduction to absurdity",

Re:

[mcgrew]

Heh, I've been out of college for decades. I barely rememered it form my logic class, and had to hit wikipedia to be sure.

Re:

[Polumna]

For the record, there were other reasons to use Latin. First, it's what I remembered first. Second, undoubtedly resulting in the first, my girlfriend is taking an introduction to logic class this summer, and I've been perusing my old text book for nostalgia and interest. Last, I am an obnoxious linguistic prescriptivist and "argument through ignorance" doesn't (to my mind) cover the full breadth of the Latin term, eg. argument from personal incredulity or argument by lack of imagination.

Also, I'm kind of

Re:

[karlconnors]

That is absolute nonsense.

With zero empirical evidence.

I read that as...

[Anonymous Coward]

"A Beautiful Secretary."

Imagine my disappointment.

Re:

[tsalmark]

Do a Google search for "A Beautiful Secretary", you will not be disappointed.

Grammar Nazi Me

[cromar]

This is all meant in the best spirit of camaraderie. To summarize is not the purpose of a book review. The purpose is to explain to the reader why they should (or should not) read the book. Furthermore, chapter summaries are almost always redundant. Write concisely. Good opening. Informative. Understandable. Few spelling or grammar mistakes, though they were fairly noticeable and detracted from the tone of the piece.

Compare to the following reworking of your review. Basically, you have a short paragraph of content:

Books that collect chapters from expert authors often fail to do more than present disjointed ideas. "Beautiful Security: Leading Security Experts Explain How They Think" is an exception: the book provides an interesting overview of security, risk and privacy and is comprised of 16 essays, each showing how fascinating information security can be. Each of the essays is written by an established security expert and is organized and well-argued. With chapters from industry luminaries such as Mark Cuphrey, Jim Routh, Randy Sabett, Anton Chuvakin and others, "Beautiful Security" is required reading. The book highlights the importance of security metrics, with author Elizabeth Nichols explaining why the security profession should change to more emulate the medical profession in that a system of vital signs and accepted metrics should be adopted. Author Benjamin Edelman reports a problem with the online supply chain, in that it does not have long-established practices to confirm legitimacy of vendors. This has created an avenue for fraud. He has uncovered hundreds of online advertising scams defrauding hundreds of thousands of users, in addition to the merchants themselves, and provides details of these scams. In a welcome and long absent authoritative appearance by PGP creator Phil Zimmerman, as well as current PGP CTO Jon Callas, the pair highlight substantial inaccuracies in other writing on PGP, and provide insight into the history and use of cryptography, the PGP web of trust model, and recent enhancements to that model. The book details the need to get people, processes and technology to work together to make better security decisions. It also details emerging security topics relating to cloud computing, social networks, and the economics of security. For those that have an interest in information security, or those that are frustrated by it, "Beautiful Security" will be an entertaining yet challenging read.

A better review would briefly explain why these ideas are important, giving the separate highlighted ideas their own paragraph or two. A good rule of thumb is to explain an idea rather than only present it; the explanation presents the idea in context so the reader will not only know what is in the book but know why they may want to read it.

Cheers and good luck!

Re:

[maxume]

You called the longest (by quite a bit) paragraph in your post a short paragraph.

Re:

[cromar]

Considering it's over two thirds shorter than the entire original review, I don't particularly see your point...

Re:

[DrgnDancer]

In this case I think chapter summaries, or more properly "chapter reviews", are appropriate. The book is a collection of essays; each of which, in theory, stands on its own as well as being part of the collection. By reviewing a few standout pieces the reviewer gives us an idea of particularly strong or weak blocks within the overall work. Had the book been a simple textbook or cohesive narrative, or had the reviewer merely summarized the chapters in question, I would agree with your criticism. As it is

Re:

[cromar]

To summarize is to report what's in a chapter or book. To review is to explain what's in a chapter or book. There's nothing wrong with talking about individual chapters, but a list like "Chapter 1 talks about this. Chapter 3 talks about this." is what tables of contents are for.

Re:

[karlconnors]

Isn't it a stylistic issue?
Some people do standard book reviews, chapter 1, chapter 2,chapter x.....
Others write a more macro-approach to the book.
Is one better?
Matter of opinion.

Re:

[cromar]

Anyone can tell you what's in a book. A good reviewer will explain why you may want to read it, which requires going deeper than saying "Chapter 1 explains this. Chapter 3 explains this. Etc." It's a stylistic issue whether one wants to mention individual chapters, sure, but it is usually unnecessary and doesn't add much to the review. A good review needs to put the information presented in context. Saying "Chapter X explains Y. This is important because of Z." gives both an explanation and the conte

Re:

[karlconnors]

It is style you refer to.

What are the errors you claim to have found?

Re:

[cromar]

Oh leave me alone. I think I'm being pretty clear :) Style is the way you write - the words you use, sentence structure, etc. Good writing does more than simply tell you something, and it is entirely separate from style. Good writing puts information in context, targets its audience, and is more than an extended table of contents.

Re:

[karlconnors]

>>>>Oh leave me alone.

you made the claim,I called you on it; now I have to leave you alone? Please play fair.

Re:

[cromar]

You challenge me, I explain myself, you dismiss my explanation and make your previous claim over. Not exactly a discussion!

Re:

[karlconnors]

I felt you did not explain yourself.

I am still waiting for the specific 'errors'.

Re:

[karlconnors]

>>>Few spelling or grammar mistakes, though they were fairly noticeable and detracted from the tone of the piece.

Beside a missing space, could not find any of the glaring spelling or grammar mistakes. Can you point them out?

Re:

[cromar]

Like I said, there weren't too many errors. IIRC, there were some missing letters in a few words (an/and) and some awkward grammar. Nothing major, but it tripped me up reading it anyway. I think I'm done proofing this text though!

Re:

[karlconnors]

You 'claimed' there are errors, but now suddenly can't find them?

They be thare mate! :)

Re:

[cromar]

Well, I wouldn't say I critique everything, AC, I always put in a good word when I see a well written review... I'm trying to help people write better. So sue me! And if I find a book to review, then god dammit maybe I will submit something (:

Re:

[cromar]

For the record, Ben Rothke's book [amazon.com] (the one mentioned in the article) looks like it's well written for reading the preview. I'm not trying to dog on anyone. I really just want to see better book reviews on Slashdot.

Re:

[karlconnors]

>>>I really just want to see better book reviews on Slashdot.

One could argue that is an oxymoron.

This is /., not the NY Times book reviews.

Re:

[cromar]

Obviously.

Re:

[karlconnors]

Sorry...obviously what?

Re:

[cromar]

Obviously this isn't the New York Times. I've devoted enough time to this. If you can't find the grammatical and spelling errors yourself, I suggest picking up a copy of Hodge's Harbrace Handbook [amazon.com] or checking it out from your local library.

Re:

[karlconnors]

Rather than a cat and mouse game here, can't you give me but two of the grammatical errors?

Please! Please!!!

You sez he made errers, but u refuze to tellus what they be.

Re:

[cromar]

It's pretty easy to see that you don't actually care what they are.

Re:

[karlconnors]

I DO CARE!!!

That is why I am making my sixth request of you to please tell me.

Re:

[cromar]

First paragraph: "each author brings their own unique insights" should be "each author brings his or her own unique insights."

Fourth paragraph: "in defense to how security is often perceived" should be "in defense against how security is often perceived."

Sixth paragraph: "online-advertising" should be "online advertising."

Eighth paragraph: "Chapter 7 is about the PGP" should be "Chapter 7 is about PGP." In "web of trust model, and recent enhancements bring PGP's web of trust up to date" the comma should be

Re:

[karlconnors]

At last.... thanks.

>>>First paragraph: "each author brings their own unique insights" should be "each author brings his or her own unique insights."

that is being picky.

>>>Fourth paragraph: "in defense to how security is often perceived" should be "in defense against how security is often perceived."

also picky.

>>>>Sixth paragraph: "online-advertising" should be "online advertising."

Picky

>>>Eighth paragraph: "Chapter 7 is about the PGP" should be "Chapter 7 is about PGP.

Re:

[cromar]

It's kind of funny because you are being picky about me saying there were a few spelling and grammar errors :) That wasn't my main point at all. Anyway, I guess you are alright. I had you on my foes list for a minute there XD

Re:

[karlconnors]

All is forgiven!

Thank you!

[Hurricane78]

Hey, thank you for that rework. I loathe these "tl;dr" ultra-long low-density /. "summaries". If I want to read a book, I go and read the original book. ^^

We should follow what I heard is seen as good style in Japan: To keep your statements as short and precise as possible. Or, in other words,to talk efficiently and compact.

I prefer reading the same sentence thrice to reading three sentences.

Must be just me

[FreakyGreenLeaky]

Maybe I'm too much of a man, or maybe I'm sex starved 'coz I'm married (if you're married, you know what I mean), but the title Beautiful Security made me think of something else [hubpages.com] entirely.

Coretan Imtihan

[imtihan]

good book review