Amazon.com: Time Based Security (9780962870040): Winn Schwartau: Books


Time Based Security [Paperback]

Winn Schwartau (Author)
Average customer rating: 3.6 out of 5 stars (5 customer reviews)




Editorial Reviews

Review

"Mr. Schwartau offers an intriguing process to information systems security which must be seriously considered when developing, baselining, and/or testing the protection mechanisms of today's systems. He explains why fortress mentality and the old ways of security have not worked and provides an alternative, which is an integration of new ideas and the tested ideas such as risk management. His Time-Based Security Model can be nicely integrated as the "other side of the coin" to complement the penetration testing in a more systematic and cost-effective process." -- Dr. Gerald L. Kovacich, CFE, CPP, CISSP, President, Information Security Management Associates

"Stimulating" -- Dorothy Denning, Professor, Computer Science, Georgetown University

"This book is really right!" -- Dr. Fred Cohen, Principal Member Technical Staff, Sandia National Laboratories; Inventor of Computer Viruses

"Time Based Security is brilliant. Revolutionary thinking! Time Based Security is to computer security as gunpowder was to warfare. For the first time, those who would defend critical infrastructures and priceless intellectual property have a manual for defeating their attackers, and doing so in a cost-effective fashion. The heart of this book is about the relationship between detection time, sunk costs, and sufficient security--this is essential reading." -- Robert D. Steele, President, OSS Inc.

"Time Based Security presents a simple, common sense approach that virtually anyone can use to apply to information assets." -- Lloyd F. Reese, CPP, CISSP, Program Manager

About the Author

Winn Schwartau, one of the country's leading experts on information security, infrastructure protection and electronic privacy is often referred to as "the civilian architect of information warfare." He coined the term "Electronic Pearl Harbor" and was the Project Lead of the Manhattan Cyber Project Information Warfare and Electronic Civil Defense Team. Today, in addition to extensive lecturing, consulting and writing, Schwartau is host of the daily Radio Show, "On the Line" by New Media Entertainment.

President, Interpact, Inc. and The Security Experts, Inc.; COO, Infowar.Com, Ltd.

  • Founder & Co-Sponsor: InfowarCon Conferences on Security, IW and infrastructure assurance, 1994-1999, Brussels, Belgium; London; and US
  • Member, New York Institute of Technology Criminal Justice Advisory Board
  • Publisher and Founder, Security Insider Report
  • Security Columnist: PlanetIT, CMP Publications
  • Member, Board of Directors, Tritheum Technologies (company sold 11/98)
  • Editorial Board Advisor, Network Security (Elsevier), U.K.
  • Member, Board of Directors, HomeCom, Inc., Atlanta, GA (1996-1997)
  • Editorial Columnist and Security Features Contributing Editor, Network World
  • Member, Board of Advisors, IBIT, International Banking Information Technology, Liechtenstein
  • Member, Editorial Board of Advisors, InfoSecurity News (1990-1997)
  • Technologist Advisor, National Computer Security Association (1990-1997)
  • Contributing Editor, Internet World (1994-1996)
  • Security Technologist to the International Security Systems Symposium Seminars
  • Commentary Editor and Columnist: "Security Insider," Security Technology News, Phillips Publications
  • Member, Editorial Board of Advisors, Crisis Magazine (1988-1994)
  • Former Architectural Security Consultant to Hughes STX on enterprise security network architectures, design and implementation

Mr. Schwartau is a popular and entertaining keynote speaker and interactive seminar leader who always keeps his audiences awake with thought provoking insights and commentary.

Mr. Schwartau may be reached at Interpact, Inc., 11511 Pine St., Seminole, FL. 34642. 727.393.6600, fax 727-393-6361, E-Mail: winn@infowar.com


Product Details

  • Paperback: 192 pages
  • Publisher: Interpact Pr (February 1, 1999)
  • Language: English
  • ISBN-10: 0962870048
  • ISBN-13: 978-0962870040
  • Product Dimensions: 8.7 x 5.9 x 0.5 inches
  • Shipping Weight: 10.4 ounces
  • Average Customer Review: 3.6 out of 5 stars (5 customer reviews)
  • Amazon Best Sellers Rank: #1,009,229 in Books

 

Customer Reviews

Most Helpful Customer Reviews

12 of 12 people found the following review helpful:
5.0 out of 5 stars A must have for anyone interested in information security!, November 5, 1999
It has been said that "form follows function" and in the computer sciences we have had the freedom of sloppy engineering for way too long. It is joked that if builders built buildings the way programmers wrote programs, the first woodpecker to come along would destroy civilization. I know that it is for this reason that we have so many problems "securing" anything in the info-sec fields: form is not following function...

This book is the only book on my shelf I recommend *everyone* (interested in security) read. It is ground breaking because it starts from scratch and looks at the function and follows with what the form should be. I think this book is a decade ahead of its time, and that only when every programmer, consultant, system architect, and info-sec employee has read this book and the information has become ingrained as common sense will security be truly possible in any meaningful way.

Most importantly it gives useful information on how to apply this information right now, a decade before we have good competition in the security product market place that will solve this kind of problem. If you plan on doing any kind of intrusion detection, the information in this book must be at your finger tips... It is the only way to measure how well solutions deliver, and to create meaningful metrics for measuring information security solutions.

The book has a certain prose about it that keeps on building on the previous idea, and hence seems to be repeating itself; however, it is a short book that everyone from CEO to "in the trench guy" can read. Keep reading and thinking about what is being presented to you, however, and I think you will find, as I did, that the book is way ahead of its time and you will soon be building a secure infrastructure for your business that you can measure and justify.



2 of 3 people found the following review helpful:
3.0 out of 5 stars As a book, not so great; as a concept, exceptional, January 19, 2008
Time Based Security (TBS) was largely written 10 years ago. The author gave me a copy about 3 years ago at a security conference. What's remarkable about the concept of TBS is that it was as relevant 10 years ago as it is today. The "risk avoidance" idea and "fortress mentality" described in TBS are as prevalent in this decade as they were in the 1990s, and they continue to fail us. TBS, as an alternative approach, is a powerful way to estimate the security posture of an asset. However, TBS the book is not the best way to make this argument (hence the three star rating). I would like to see TBS (published in 1999, but including older material) rewritten as a tenth anniversary edition and released in digital format, perhaps as a digital Short Cut.

To start, the foreword by Bob Ayers is almost as helpful as the rest of the book. I understand now why he claimed to manage "the performance of over 20,000 infrastructure and application penetration tests" in Chris McNab's Network Security Assessment; in TBS he says his Vulnerability Analysis and Assistant Program had "attacked well over 18,000 DoD computers." His findings from those tests revealed overwhelming success in penetrating systems, undetected, and barely reported when detected. Bob advocated transitioning from a risk avoidance strategy in DoD to one of protection-detection-response (PDR), because "it was impossible, either technically or fiscally, to build and operate a large DoD-wide 'secure' computing environment and that no security safeguards could resist a dedicated penetration attempt by an adversary who had an unlimited amount of time to attack...[T]he only true metric of the security of a system was the 'time' it took a dedicated attacker to break the security mechanisms" (p vi).

Turning to Winn's text, I found it filled with accurate judgments concerning security -- especially interesting since they were made 10 years ago. "Unfortunately, management sees information security as an unmeasurable bottom-line drain on profits, or an 'insurance policy' against which actuarials are slim and hard numbers are more folklore than statistically defensible. Or, management sees security as an unnecessary evil or burden that interferes with getting the job done. Too many security professionals and security product vendors view security as a technical problem, thereby demanding a technical solution" (p 9). Winn continues on p 26: "As a species, we humans are not smart enough to build a computer security system that is impenetrable... [I]f we were smart enough to build an impenetrable security system, it wouldn't be very useful or functional. If we were smart enough to build a computer security system that met these goals, we couldn't afford it."

Winn presents TBS as his way to measure security: "The amount of time offered by the Protection device or system (P) must be greater than the amount of time it takes to detect the attack (D) plus the amount of time it takes to react to the detection (R)... If the amount of protection time you provide is greater than the sum of D and R, then your system can be considered secure" (p 34). This really resonated with me: "[T]he choice of a good protection system is not the first thing you need to think about when designing a security network environment. It's the efficacy of the detection and reaction processes that really matters" (p 36). Where "there are no detection or reaction mechanisms... P must be absurdly high... to have any effectiveness" (p 43). "Conventional protective information security is very difficult. And so, we assume for many TBS applications that P=0" (p 44).

To support his TBS concept, Winn recommends developing Reaction Matrices to list attacks, detection and response mechanisms, and estimated times for P, D, and R. Winn suggests using gaming (i.e., exercises) to show management and operators how TBS works and to assess if their estimates are realistic. Winn promotes network auditing (essentially data collection) as a means to improve detection and response, since making fast yet accurate decisions requires high-fidelity data.

These are all excellent and powerful ideas, but their lackluster presentation in TBS is probably enough to turn many people away from them. Previous reviews describe some of the problems with TBS as a book. I subtracted one star for overall presentation and delivery, and a second star for ineffective communication. Some conceptual problems need to be addressed, such as this: since P usually fails, we need to reduce D and R. However, if D and R can be reduced to the point where they are incredibly fast, why can't D and R be converted into P? After all, protection requires identifying an attack and stopping it -- i.e., detection and reaction. The answer probably involves recognizing that detecting and reacting to the attack itself is often very difficult, but identifying the attack consequences is more likely.

Still, I think it's time for TBS to make a comeback in a lean, focused format for 2009. Too many people still live in a fortress where P is the most important aspect of security. P is nowhere close to being 100% effective, yet D and R continue to be neglected.


3.0 out of 5 stars Some good ideas but a lot of gaps, November 18, 2006
Amazon Verified Purchase
The premise of Time Based Security is simple: a system is never truly secure. Someone will break in. So what do we do? The idea is that preventing people from breaking in is only one part of securing a system. The other parts are detection and reaction. If we can know someone broke in, we can hopefully limit the damage. This is an idea that is used in practice: if a firewall company detects (detection) a new virus (protection breach), it will react by updating the signature file (reaction). This idea is powerful. Many books on security and many developers focus on protection: do a threat analysis, identify vulnerabilities and fix them. There is often little thought given to detection and reaction. I hope this book can change that perception.

There are, however, at least two important aspects of time based security that are not dealt with properly in the book. The first one is the consequence of a breach, however short it may be. Is time really a good measure of the effects of a breach? Maybe the attacker was there for only a few seconds, but if he installed a Trojan horse the only safe thing to do is to flatten the machine. It is unclear to me that time is an appropriate measure. In that case much of the time-based theory is suspect. The second issue is feedback. The reason why time-based security works in the firewall case above is because the reaction directly impacts protection: the protection becomes more and more efficient as more and more viruses are discovered. If reaction does not impact protection, then it is useless: as soon as it stops, the attacker can break in again! This aspect is ignored in the book. The feedback loop is a crucial aspect of time-based security. It is surprising it is not mentioned.

The book is OK. It is a quick read and contains some useful information. Many of the best ideas are also covered in other security books, such as Secrets and Lies. I would not bother with this book if you have already read about time-based security in these other books.
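The P > D + R rule quoted in the second review above, and the feedback-loop objection raised in the third review (a reaction that raises P), worked through as an added Python example. This is not code from the book or from any reviewer; the reaction-matrix rows and every timing in it are constructed sample values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ReactionMatrixRow:
    """One row of a TBS reaction matrix: an attack with estimated P, D and R in seconds."""
    attack: str
    p: float  # time the protection mechanism holds the attacker off
    d: float  # time to detect the attack
    r: float  # time to react once it is detected


def exposure(row: ReactionMatrixRow) -> float:
    """Exposure window E = D + R - P; a positive E is time the attacker has unopposed."""
    return row.d + row.r - row.p


def is_secure(row: ReactionMatrixRow) -> bool:
    """Schwartau's test: the system is secure against this attack when P > D + R."""
    return row.p > row.d + row.r


def evaluate(matrix):
    """Map each attack to (exposure, verdict); the exposure is what to shrink first."""
    return {row.attack: (exposure(row), is_secure(row)) for row in matrix}


def weakest_row(matrix) -> ReactionMatrixRow:
    """The attack with the largest exposure window is where D or R most needs work."""
    return max(matrix, key=exposure)


def feed_back(row: ReactionMatrixRow, added_p: float) -> ReactionMatrixRow:
    """The feedback loop the third review asks for: a reaction that also raises P
    (a rule or signature added after detection), so the next attempt meets more protection."""
    return replace(row, p=row.p + added_p)


# Constructed sample matrix. P=0 on the first row follows the book's 'assume P=0' default
# for controls whose protective value cannot be stated honestly.
SAMPLE_MATRIX = [
    ReactionMatrixRow("password guessing at the remote-access portal", p=0, d=300, r=900),
    ReactionMatrixRow("known-signature malware on a workstation", p=3600, d=60, r=600),
    ReactionMatrixRow("unauthorized configuration change on a router", p=1800, d=120, r=2400),
]

if __name__ == "__main__":
    for attack, (e, ok) in evaluate(SAMPLE_MATRIX).items():
        print(f"{attack}: exposure={e:+.0f}s secure={ok}")
    worst = weakest_row(SAMPLE_MATRIX)
    # A reaction that also hardens protection (a lockout rule) closes the window next time.
    print("weakest:", worst.attack, "-> secure after feedback:", is_secure(feed_back(worst, 1500)))
```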

Inside This Book

First Sentence: "Computer security has finally, at long last, become mainstream."