Monday, August 25, 2008

Book Review: The New School of Information Security

The New School of Information Security
Adam Shostack & Andrew Stewart
2008 Pearson Education Inc, ISBN: 0-321-50278-7
160 pages plus 51 pages of end notes.

The New School of Information Security is a call to action for information security professionals to change the way that we think about information security. For many of us, our approach to information security is dominated by principles such as defense in depth and separation of duties. While this book does not discount those principles, it urges security professionals to start looking to other sciences to help answer questions such as “How much defense in depth is appropriate?” The book employs principles from economics, psychology, and sociology to help explain some of the problems that the information security industry faces. Much of the information in this book is interesting and thought provoking, but you’ll find that I frequently criticize it for being short on details.

One criticism that I’ve seen in other reviews, and that I believe is accurate, is that the information in this book could have been presented in a pamphlet. I think that it is safe to say that 85% of the meat of this book is in chapter 4. The other chapters simply reinforce the beliefs presented in chapter 4. I also hate the way the endnotes are presented in the book. When the authors make a bold claim, they do not put a number after the sentence so you can easily find their source. Instead you have to flip to the back of the book, find the chapter that you’re reading, then read through all of the quotes until you find the one that you want. My biggest criticism of the book is that it doesn’t really tell me what I should do right now to improve the state of information security. The book tells me to think lofty thoughts, but in the meantime my users still give their password to every phisher that writes to them. I think that the book is very interesting, and I think that it is a view into the future of our craft, but don’t expect to come away knowing what your next steps are.

Chapter Description
Chapter 1 is largely an overview of the security state of the Internet. Nothing in this chapter will be particularly educational for a seasoned information security professional, but I don’t believe that the author meant for it to be. This chapter is largely useful for setting the tone of the next two chapters.

Chapter 2 examines the way that we currently respond to the problems presented in chapter 1. It examines the faults of the information security industry and the motivations of all the players: vendors, analysts, hackers, crackers, etc. While this information is interesting, I don’t believe that it is always accurate. For example, on page 31 the authors mention that the CISSP certification “…employs a syllabus that it refers to as ‘the common body of knowledge.’ It amounts to a statement by the certification body of what a security professional should think about. Because of what is left out, it is also an implicit statement about what should not be thought about.” I do not believe that the intent of the CBK is to serve as a compendium of all the relevant knowledge in the information security field. Rather, I believe that the CBK is a collection of the knowledge that (ISC)2 believes all security professionals should know. I believe that the CBK allows that one could specialize in any of the ten domains and gather more detailed information beyond what is present in the CBK. The chapter rightly mentions that most of our problems can be solved by doing a few things really well, but it is short on examples. The industry, however, has focused on selling us products to fix problems in other products. We aren’t trying to solve problems at their root, and we often use fear and groupthink to decide which actions to take.

Chapter 3 talks about the sources of information that are used to create the groupthink and fear discussed in chapter 2. Evidence comes in the form of surveys, vulnerabilities, trade press, and companies, each of which has major flaws (such as sampling bias in the case of surveys). The authors are particularly hard on statistics, especially those well-known statistics that everyone can cite but nobody can prove. For example, everyone knows that in our lifetime we are going to swallow a number of spiders while we are sleeping, but nobody can point to a single scientific study where a researcher has watched people sleeping and counted the number of spiders that entered their mouths. In the book the authors point to the “well-known fact” that 50 to 70 percent of breaches are caused by insiders.

Chapter 4 mainly focuses on breach notification and how that information, if shared properly, can be of tremendous value to the security profession. The chapter introduces the concept of the Prisoner’s Dilemma from economics: a situation where two people acting in their own self-interest bring about an outcome that is worse for both of them. The authors present evidence that in the security industry, the practice of withholding breach information is acting in our own self-interest and deprives the community of valuable information that can be used to create scientifically tested findings. They talk about the reasons why companies avoid sharing this information and what scientists could do if a large body of this information were available. Another interesting idea that the authors point out is the concept of semi-strong efficiency in the stock market, although they do not use that particular term. Semi-strong efficiency is the belief that the current stock price of a company reflects all of the publicly known information about the company. The authors use this theory and some event analysis of the stock market to support their belief that releasing breach information does not result in significant customer flight.

In chapter 5 the authors introduce other concepts from economics, psychology, and sociology that should be considered when evaluating security problems: ideas like the Nash equilibrium, free-rider problems, externalities, risk homeostasis, and agency problems. I found this information to be interesting, but the authors didn’t do a great job of tying these concepts to information security. An example of an externality would be that people who do not patch their computers do not get more spam than the people who do patch. The authors didn’t point that out, instead talking about the pollution generated by SUVs. Externality: people who drive SUVs do not suffer more smog than people who bike to work, even though they are a larger contributing factor.

Chapter 6 is all about spending: what we spend money on, what we should spend money on, why we spend money, and how much money we should be spending. This is the first chapter to suggest that we should incorporate concepts like net present value into our security spending. The chapter challenges some of the core beliefs of the information security profession, but it is often light on details.

Chapter 7 describes what life will be like in the security field when we’ve all started sharing data and using scientific studies to prove or disprove the effectiveness of our practices. Essentially, life will not be perfect, but it will be better and our industry will be more respected by upper management.

Chapter 8, the last chapter, is a call to action for the information security field to start thinking differently. The authors invite us to start sharing our breach data and using scientific thinking to guide our decision making process. This chapter is pretty short.

1 comment:

JimMoore said...

I haven't read it, but I think I will (or maybe I will wait for the pamphlet).

I have a hard time explaining to management why results aren't instantaneous, and with no cost (they don't think that about anything else), or explaining why real costs of security solutions are often several x the invoice costs (when you include policy development, user education, systems admin education, etc).

But the thing that you mention that I don't see often is security people who are business people as well as computer scientists. Part of the reason that I had to do some of that is because I am an old fart. But today, we have some sensitive logging going up to a security server. The logging has views associated with it. The CISSP in charge wrote a note that all views would be under change control. I log to the server as well, and I have special investigative views that change with the investigation. I suggested that he was right in putting production views into the logs of data coming from hundreds or thousands of machines under configuration management, but investigations are a one-off, and the documentation would begin to outweigh the utility. He said that change control reduces risk. Defense in depth, with no context. Then he suggested that I use a standalone analysis utility that is not as powerful if I didn't want to comply with change control. That didn't make sense for when I was logging for virtual machines. I encounter this frequently, usually with CISSPs that have about 20 years less experience than I do.

Hopefully the New School will help people to see the big picture again.