Customer Reviews

10 Reviews
5 star: (8)
4 star: (2)
3 star: (0)
2 star: (0)
1 star: (0)

22 of 23 people found the following review helpful:
5.0 out of 5 stars Security: Bureaucratic drudgery or exciting career?, June 28, 2009
By Allen Stenger (Alamogordo, NM USA)
This review is from: Beautiful Security: Leading Security Experts Explain How They Think (Paperback)
This collection of essays is a very clearly written introduction to a number of current topics and techniques in computer security. It is not a how-to book, but it includes several case studies and gives you a good idea of what is happening in the field. For the most part the book does not assume prior knowledge in the field, although occasionally a bit of hacker or security jargon is used without being defined.

For me the most interesting chapters were the ones with case studies. In this book you will learn how to steal people's credit card numbers at airports (run a cut-rate WiFi access point), how to scan for malicious websites without getting infected (harder than it looks, and a constant battle of measures and countermeasures), and the true history of Pretty Good Privacy, as told by its inventor, Phil Zimmermann (not as lurid as the versions you have probably heard, but still full of twists and turns). You'll learn the going rates for stolen personal and financial information (not that much, so if you're going to steal it, you need to steal a lot) and how to run your own cyber money-laundering network (which seems to be where most of the money and the risk is). Microsoft plays a prominent role in the book, sometimes as hero, sometimes as chump.

The layout and production of the book are very good, and it has a good index (a glossary would have been nice, too). I have a couple of minor gripes: the book is set in itty-bitty type (I measured it at 8 points on 12 point line spacing); and although the book has two editors, the preface is written in the first person singular (apparently by Oram, but this is not stated).

The book's title, "Beautiful Security", was probably modeled on Oram's previous collection Beautiful Code: Leading Programmers Explain How They Think (Theory in Practice (O'Reilly)), but it doesn't really fit the content of this book. Some of the essays mention beauty in the body or the title, but this is usually a token appearance, or is explained as meaning that security should be built in rather than tacked on. The preface states that the purpose of the book is to convince the reader that security is not bureaucratic drudgery but is an exciting career, and I think the book is successful at this.


2 of 2 people found the following review helpful:
4.0 out of 5 stars Great book to give someone interested in getting in the security field, April 9, 2010
Amazon Verified Purchase
Recently I have been asked by a lot of people how you get into the security field. I used to say a lot of hard work and a lot of luck. My new answer is going to be to read this book and see if you are interested in the field. The book covers a wide variety of subjects across all of information security that are really quite useful. In some of these areas you won't learn a lot if you are in that particular field, but even if you are in security I am sure you will learn a lot. I learned quite a bit from the sections on metrics and software security. This is a great book to have to be able to lend to people with an interest in entering the field.


4 of 5 people found the following review helpful:
5.0 out of 5 stars Beautiful Security is Timely, Important and Readable, July 6, 2009
Beautiful Security is full of pertinent information for all of us. The book is well written, covers topics we need to know about, and is very readable. Start with the first entry by Mudge: his perspective is accurate and revealing and of course he writes well, so enjoy the new insights you gain by reading this book. Highly recommended.


1 of 1 people found the following review helpful:
5.0 out of 5 stars A solid set of case histories and examples of how to build better security measures, August 19, 2009
BEAUTIFUL SECURITY: LEADING SECURITY EXPERTS EXPLAIN HOW THEY THINK provides a collection of essays on digital security and comes from experts who explain how social networking and other popular trends hurt online security efforts, and how to design new networks around these trends. Analysis of criminal attempts and logic patterns offers network security libraries a solid set of case histories and examples of how to build better security measures. Highly recommended.


1 of 1 people found the following review helpful:
5.0 out of 5 stars Well-written with broad coverage of a critical topic, July 17, 2009
Like O'Reilly's Beautiful Teams, this book's a series of essays by industry experts, this time focused on security. The various authors do a great job of covering topics from social engineering to forcing firms to focus on security. The chapters are all well-written, although a few do better jobs of keeping the material interesting and flowing.

You'll find plenty of security-related history in the book. Phil Zimmermann's chapter on PGP's Web of Trust is one example. Peiter Zatko's discussion of his work on L0phtCrack is another. Both stories help expose mindsets which, sadly, haven't changed a whole lot.

Security, as with testing or overall quality, is at its most fundamental roots a culture issue. Not every story focuses on this aspect, but pointing out bad culture is a common theme through many of the chapters. Zatko's discussion of "Learned Helplessness," John McManus's Security by Design, and Jim Routh's Forcing Firms to Focus are all great reads on this line. Many of the stories correctly emphasize that security isn't just about someone hacking code - it's a much broader issue.

As with any good security book, there's plenty of well-done content which will likely scare you into rethinking how you and your company approach security. Beautiful Security can help you identify practices, problems, and mindsets which leave you, your company, or your clients at risk.

Overall it's a very useful, highly readable book on a critical subject.


7 of 10 people found the following review helpful:
5.0 out of 5 stars An eye-opening book that will challenge you, July 6, 2009
Books that collect chapters from numerous expert authors often fail to do more than be a collection of disjointed ideas. Simply combining expert essays does not always make for an interesting, cohesive read. Beautiful Security: Leading Security Experts Explain How They Think is an exception to that and is definitely worth a read. The book's 16 chapters provide an interesting overview of the current and future states of security, risk and privacy. Each chapter is written by an established expert in the field, and each author brings their own unique insights and approach to information security.

A premise of the book is that most people don't give security much attention until their personal or business systems are attacked or breached. The book notes that criminals often succeed by exercising enormous creativity when devising their attacks. They think outside of the box which the security people built to keep them out. Those who create defenses around digital assets must similarly use creativity when designing an information security solution.

Unfortunately, far too few organizations spend enough time thinking creatively about security. More often than not, it is simply about deploying a firewall and hoping the understaffed security team can deal with the rest of the risks.

The 16 essays, arranged in no particular theme, are meant to show how fascinating information security can be. This is in defense against how security is often perceived: as an endless series of dialogue boxes and warnings, or some other block to keep a user from the web site or device they want to access. Each of the 16 essays is well-written, organized and well-argued. The following 4 chapters are particularly noteworthy.

Chapter 3 is titled Beautiful Security Metrics and details how security metrics can be effectively used, rather than simply being a vehicle for creating random statistics for management. Security metrics are a critical prerequisite for turning IT security into a science instead of an art. With that, author Elizabeth Nichols notes that the security profession needs to change in ways that emulate the medical profession when it comes to metrics. She notes specifically that security must develop a system of vital signs and generally accepted metrics in the same way in which physicians work. The chapter also provides excellent insights on how to use metrics, in addition to high-level questions that can be used to determine how effective security is within an organization.

Chapter 6 deals with online advertising and the myriad problems in keeping it honest. Author Benjamin Edelman observed a problem with the online supply chain world, as opposed to the brick and mortar (BAM) world, in that BAM companies have long-established procurement departments with robust internal controls and carefully trained staff who evaluate prospective vendors to confirm legitimacy. In the online world, predominantly around Google AdSense, most advertisers and advertising networks lack any comparable rigor for evaluating their vendors. That has created a significant avenue for online advertising fraud, of which online advertising is a victim.

Edelman writes that he has uncovered hundreds of online advertising scams defrauding hundreds of thousands of users, in addition to the merchants themselves. The chapter details many of the deceptive advertisements that he has found, and shows how web ads that tout something as free are most often far from it.

Chapter 7 is about PGP and the evolution of the PGP web of trust scheme. The chapter is written by PGP creator Phil Zimmermann and current PGP CTO Jon Callas. It has been a long while since Zimmermann has written anything authoritative about PGP, so the chapter is a welcome one. Zimmermann and Callas note that while a lot has been written about PGP, much of it contains substantial inaccuracies. The chapter provides invaluable insights into PGP and the history and use of cryptography. It also gives a thorough overview of the original PGP web of trust model and of the recent enhancements that bring PGP's web of trust up to date.

Chapter 9 is one of the standout chapters in the book. Mark Curphey writes about the need to get people, processes and technology to work together so that the humans involved in information security can make better decisions. In the chapter, Curphey deals with topical issues such as cloud computing, social networks, security economics and more. Curphey notes that when he starts giving a presentation, he does it with the following quotation from Upton Sinclair: "it's difficult to get a man to understand something when his salary depends on him not understanding it". He uses the quote to challenge listeners (and readers in this case) to question the reason why they are being presented the specific ideas, which serves as a reminder of common, subtle biases for thoughts and ideas presented as fact.

In its 250 pages, Beautiful Security is both a fascinating and enjoyable read. There are numerous security books that weigh a few pounds and use reams of paper, yet don't have a fraction of the real content that Beautiful Security has. With other chapters from industry luminaries such as Jim Routh, Randy Sabett, Anton Chuvakin and others, Beautiful Security is a required read.

For those that have an interest in information security or those that are frustrated by it, Beautiful Security is an eye-opening book that will challenge you and change the way you think about information security. It is a good book for those who think information security is simply about deploying hardware, and an even better book for those who truly get information security.


4.0 out of 5 stars This is what computer security looks like, May 30, 2011
By Bruno Vernay (Grenoble, France)
I like computer security: it is always entertaining and insightful. This book is no exception. It offers a large panorama on security, as seen from many points of view, since this is a collective work.

Advantages:
- You see the subject from different angles.
- One or two authors may be boring, but the overall content still has value.
- It is more like reading many little books on security.
On the other hand:
- You get many introductions and conclusions that don't add much.
- There is no real continuity nor overall aim or message. It is more a collection of essays arranged and formatted to look like "one story".

Some essays are really insightful:
- "Psychological security trap" is certainly something that you want to be aware of! How developers may think that security isn't a real requirement. It is somehow also the point in "Security by design" and "Forcing firms to focus", but with an emphasis on project management and process.
- Security Metrics is also interesting. It resurfaces in many other essays, mostly to warn about the wrong usage of metrics or the usage of wrong metrics.
- The evolution of PGP is nice. It shows how far they have gone with PKI. Now it really looks like a good solution. But as with the Semantic Web, I would say that it is still waiting for wide adoption to be useful.
- "Oh no, here come the lawyers" should have been developed even more. This is where I feel I lack the most insight.
- Incident detection: This is well known today, but always good to repeat. This is concrete stuff, and where we can expect improvement soon.
- "Doing real work without real data" exposes a nice idea. Worth implementing if it fits your use case. There are good references to balance the pros and cons.
- Casting spells also exposes a vendor solution. It uses a combination of techniques (virtualization, signature + AI) to secure the user's workstation. Again, it may fit some use cases.
- Log handling is also certainly a crucial part of the puzzle.
- ... other essays expose security breaches, Honeyclient, adventures in wireless land ...

The essays target an average reader. They don't require any knowledge of programming, cryptography or network protocols. Still, it will certainly help to have some culture in software development. The book raises awareness of many different aspects related to security.

At first, I really liked the introduction in the book: the idea that too often security is seen from the point of view of the failures, like watching a car race only waiting to see car crashes. The promise here was to focus on how a good design is as beautiful and enjoyable as a car crash. Well, the content shows that it isn't that easy. I guess that it would have been a book on protocol design and application architecture, subjects much harder to enjoy. Still, the intent was good.
To conclude, I would say that this book is what computer security looks like after all: there is no coherent story. But if you have to write your own security story, you will be better off knowing 16 different essays than a single one.


5.0 out of 5 stars A Resilient Text, July 15, 2009
Beautiful Security goes well beyond the confines of traditional security books that dive into technical minutiae and bore you to tears. Yes, there is technical jargon to be seen throughout, but the real hook of this collection of ideas and best practices is the thinking and logic the various contributors gracefully convey through the pages within. A section that spoke about an issue on my desk at the moment was Improving Perspective with Host Logging, specifically the section regarding building a more resilient detection model.


4 of 8 people found the following review helpful:
5.0 out of 5 stars Security is more than hacking, June 2, 2009
By Gary McGraw (Dulles, VA United States)
As I say on the back cover:

This collection of thoughtful essays catapults the reader well beyond deceptively shiny security FUD (the drum major of the bug parade) toward the more subtle beauty of building security in. Security is an essential emergent property for all modern systems, something that most people implicitly expect and few people explicitly receive. This book demonstrates the yin and the yang of security, and the fundamental creative tension between the spectacularly destructive and the brilliantly constructive. Read. Learn. Emulate.

Gary McGraw, Ph.D.
CTO, Cigital
Author of Software Security (and nine other books)


4 of 9 people found the following review helpful:
5.0 out of 5 stars Awesome: fun to read AND thought provoking, June 2, 2009
"Beautiful Security" from O'Reilly, which I just finished reading, is truly an awesome book.

Now, I will probably have a high opinion of my own chapter ("Beautiful Log Handling") since it took some work (eh... and one complete rewrite) to create (this is why people LOVE O'Reilly books!!). However, I am just about as excited about the rest of the chapters in the book.

Here are my favorite chapters:

Psychological Security Traps by Mudge: awesome chapter with some fun ideas. Must read.

Beautiful Security Metrics by Betsy Nichols: if you are "a metrician", there won't be anything new (apart from her interesting medical research analogy); otherwise, a MUST read!

The Underground Economy of Security Breaches: not a bad, even if a bit dated, review of underground economics.

Beautiful Trade: Rethinking E-Commerce Security by Ed Bellis: this is one of the 2 chapters that I like more than my own (and that is coming from a fairly egotistic person ;-)); this has lots of visionary ideas on payment security.

Securing Online Advertising: Rustlers and Sheriffs in the New Wild West by Ben Edelman: this one is a fascinating read about attacks by and on online advertising. Definitely both enjoyable and insightful.

Open Source Honeyclient: Proactive Detection of Client-Side Exploits: a good read for those not familiar with "client honeypots" or "honeyclients".

Tomorrow's Security Cogs and Levers by Mark Curphey: this chapter exudes pure awesomeness and is the best in the book; I have read it three times already and plan to read it a few more. Sorry that it sounds cliché, but this chapter definitely stimulates new, beautiful ways of "thinking security"!!

Security by Design by John McManus: a very good chapter that mixes NASA, security and software design. Read it and learn from it.

Forcing Firms to Focus: Is Secure Software in Your Future? by Jim Routh: great chapter that describes one company's battle for securing software (first its own, and then 3rd party).

Oh No, Here Come the Infosecurity Lawyers: way too much ROI and ROSI to my taste; also has ALE horror. Killed all the fun for me.

Beautiful Log Handling by Anton Chuvakin: eh...make your own opinion here :-)

Incident Detection: Finding the Other 68% by Grant Geyer: good old data correlation of IDS alerts, logs and other information is covered in this well-written chapter.

Overall, this was BY FAR the most insightful and enjoyable security book that I've read in a long time!
