5 Reviews
12 of 12 people found the following review helpful:
5.0 out of 5 stars
A must have for anyone interested in information security!,
By
This review is from: Time Based Security (Paperback)
It has been said that "form follows function" and in the computer sciences we have had the freedom of sloppy engineering for way too long. It is joked that if builders built buildings the way programmers wrote programs the first woodpecker to come along would destroy civilization. I know that it is for this reason that we have so many problems "securing" anything in the info-sec fields, form is not following function... This book is the only book on my shelf I recommend *everyone* (interested in security) read. It is ground breaking because it starts from scratch and looks at the function and follows with what the form should be. I think this book is a decade ahead of its time and that until every programmer, consultant, system architect, and info-sec employee read this book and the information becomes ingrained as common sense will security be truly possible in any meaningful way. Most importantly it gives useful information on how to apply this information right now, a decade before we have good competition in the security product market place that will solve this kind of problem. If you plan on doing any kind of intrusion detection, the information in this book must be at your fingertips... It is the only way to measure how well solutions deliver, and to create meaningful metrics for measuring information security solutions. The book has a certain prose about it that keeps on building on the previous idea, and hence seems to be repeating itself, however it is a short book that everyone from CEO to "in the trench guy" can read. Keep reading and thinking about what is being presented to you however and I think you will find as I did that the book is way ahead of its time and you will soon be building a secure infrastructure for your business that you can measure, and justify.
2 of 3 people found the following review helpful:
3.0 out of 5 stars
As a book, not so great; as a concept, exceptional,
By
This review is from: Time Based Security (Paperback)
Time Based Security (TBS) was largely written 10 years ago. The author gave me a copy about 3 years ago at a security conference. What's remarkable about the concept of TBS is that it was as relevant 10 years ago as it is today. The "risk avoidance" idea and "fortress mentality" described in TBS are as prevalent in this decade as they were in the 1990s, and they continue to fail us. TBS, as an alternative approach, is a powerful way to estimate the security posture of an asset. However, TBS the book is not the best way to make this argument (hence the three star rating). I would like to see TBS (published in 1999, but including older material) rewritten as a tenth anniversary edition and released in digital format, perhaps as a digital Short Cut.
To start, the foreword by Bob Ayers is almost as helpful as the rest of the book. I understand now why he claimed to manage "the performance of over 20,000 infrastructure and application penetration tests" in Chris McNab's Network Security Assessment; in TBS he says his Vulnerability Analysis and Assistant Program had "attacked well over 18,000 DoD computers." His findings from those tests revealed overwhelming success in penetrating systems, undetected, and barely reported when detected. Bob advocated transitioning from a risk avoidance strategy in DoD to one of protection-detection-response (PDR), because "it was impossible, either technically or fiscally, to build and operate a large DoD-wide 'secure' computing environment and that no security safeguards could resist a dedicated penetration attempt by an adversary who had an unlimited amount of time to attack...[T]he only true metric of the security of a system was the 'time' it took a dedicated attacker to break the security mechanisms" (p vi). Turning to Winn's text, I found it filled with accurate judgments concerning security -- especially interesting since they were made 10 years ago. "Unfortunately, management sees information security as an unmeasurable bottom-line drain on profits, or an 'insurance policy' against which actuarials are slim and hard numbers are more folklore than statistically defensible. Or, management sees security as an unnecessary evil or burden that interferes with getting the job done. Too many security professionals and security product vendors view security as a technical problem, thereby demanding a technical solution" (p 9). Winn continues on p 26: "As a species, we humans are not smart enough to build a computer security system that is impenetrable... [I]f we were smart enough to build an impenetrable security system, it wouldn't be very useful or functional. If we were smart enough to build a computer security system that met these goals, we couldn't afford it." 
Winn presents TBS as his way to measure security: "The amount of time offered by the Protection device or system (P) must be greater than the amount of time it takes to detect the attack (D) plus the amount of time it takes to react to the detection (R)... If the amount of protection time you provide is greater than the sum of D and R, then your system can be considered secure" (p 34). This really resonated with me: "[T]he choice of a good protection system is not the first thing you need to think about when designing a security network environment. It's the efficacy of the detection and reaction processes that really matters" (p 36). Where "there are no detection or reaction mechanisms... P must be absurdly high... to have any effectiveness" (p 43). "Conventional protective information security is very difficult. And so, we assume for many TBS applications that P=0" (p 44). To support his TBS concept, Winn recommends developing Reaction Matrices to list attacks, detection and response mechanisms, and estimated times for P, D, and R. Winn suggests using gaming (i.e., exercises) to show management and operators how TBS works and to assess if their estimates are realistic. Winn promotes network auditing (essentially data collection) as a means to improve detection and response, since making fast yet accurate decisions requires high-fidelity data. These are all excellent and powerful ideas, but their lackluster presentation in TBS is probably enough to turn many people away from them. Previous reviews describe some of the problems with TBS as a book. I subtracted one star for overall presentation and delivery, and a second star for ineffective communication. Some conceptual problems need to be addressed, such as this: since P usually fails, we need to reduce D and R. However, if D and R can be reduced to the point where they are incredibly fast, why can't D and R be converted into P? 
After all, protection requires identifying an attack and stopping it -- i.e., detection and reaction. The answer probably involves recognizing that detecting and reacting to the attack itself is often very difficult, but identifying the attack consequences is more likely. Still, I think it's time for TBS to make a comeback in a lean, focused format for 2009. Too many people still live in a fortress where P is the most important aspect of security. P is nowhere close to being 100% effective, yet D and R continue to be neglected.
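The P > D + R test and the Reaction Matrix described in the review above, worked through as an added example (it is not from the book or the reviewer). The attack rows and times are constructed, and exposure is taken as D + R - P, an assumption the page does not state.

```python
import math
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class Row:
    attack: str
    p: float            # protection time in minutes (estimate)
    d: Optional[float]  # detection time; None = no detection mechanism
    r: Optional[float]  # reaction time; None = no reaction mechanism

def is_secure(row: Row) -> bool:
    """Quoted criterion: P must be strictly greater than D + R."""
    if row.d is None or row.r is None:
        return False  # without D or R no finite P is enough
    return row.p > row.d + row.r

def exposure(row: Row) -> float:
    """Minutes the attacker has after protection fails (assumed D + R - P)."""
    if row.d is None or row.r is None:
        return math.inf
    return max(0.0, row.d + row.r - row.p)

def worst_first(matrix: List[Row]) -> List[Row]:
    """Order the matrix so the largest exposure is reviewed first."""
    return sorted(matrix, key=exposure, reverse=True)

def assume_no_protection(matrix: List[Row]) -> List[Row]:
    """Re-evaluate under the P = 0 assumption: exposure becomes D + R."""
    return [replace(row, p=0.0) for row in matrix]

# Constructed sample matrix; every value is an illustrative estimate.
MATRIX = [
    Row("phished credentials", p=0, d=240, r=60),
    Row("web application injection", p=30, d=5, r=10),
    Row("insider bulk file copy", p=15, d=None, r=20),
    Row("VPN password guessing", p=20, d=10, r=10),
]

if __name__ == "__main__":
    for row in worst_first(MATRIX):
        print(f"{row.attack:28} secure={is_secure(row)!s:5} "
              f"exposure={exposure(row)} min")
```

The last row shows the boundary case: P equals D + R, so exposure is zero but the strict criterion is still not met.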
3.0 out of 5 stars
Some good ideas but a lot of gaps,
Amazon Verified Purchase
This review is from: Time Based Security (Paperback)
The premise of Time Based Security is simple: a system is never truly secure. Someone will break in. So what do we do? The idea is that preventing people from breaking in is only one part of securing a system. The other parts are detection and reaction. If we can know someone broke in, we can hopefully limit the damages. This is an idea that is used in practice: if a firewall company detects (detection) a new virus (protection breach), it will react by updating the signature file (reaction). This idea is powerful. Many books on security and many developers focus on protection: do a threat analysis, identify vulnerabilities and fix them. There is often little thought given to detection and reaction. I hope this book can change that perception.
There are however at least two important aspects of time based security that are not dealt with properly in the book. The first one is the consequence of a breach, however short it may be. Is time really a good measure of the effects of a breach? Maybe the attacker was there for only a few seconds, but if he installed a Trojan horse the only safe thing to do is to flatten the machine. It is unclear to me that time is an appropriate measure. In that case much of the time-based theory is suspect. The second issue is feedback. The reason why time-based security works in the firewall case above is because the reaction directly impacts protection: the protection becomes more and more efficient as more and more viruses are discovered. If reaction does not impact protection, then it is useless: as soon as it stops the attacker can break in again! This aspect is ignored in the book. The feedback loop is a crucial aspect of time-based security. It is surprising it is not mentioned. The book is OK. It is a quick read and contains some useful information. Many of the best ideas are also covered in other security books, such as Secrets and Lies. I would not bother with this book if you have already read about time-based security in these other books.
2 of 4 people found the following review helpful:
2.0 out of 5 stars
Very Sloppy Work,
By ITguy (USA)
This review is from: Time Based Security (Paperback)
This is perhaps the worst-written IT book I've seen.
First, there are the basic mechanics of writing a book. The book was self-published by the author's own company, and it shows. There are typos, wording mistakes, crudely done tables, inconsistent use of certain mathematical symbols, and graphics that look like they were done by someone who likes to dabble with Microsoft Office. In at least one case, a variable changes names within the same equation. He insists on referring to chapters/sections as "chaplets" instead (real meaning of the word: a wreath worn on the head). Then there's the question of organization. There's no index. Information is hard to find. Four key concepts in the book are Protection, Detection, Response, and Exposure, yet there are no headings, bold face or other mechanisms for helping you find where each is first introduced and explained. The chapter titles often go for a charming or humorous effect, without being informative about what the chapter covers. In most chapters, there are no subheadings or other organizational aids to help you find things. Let's talk about his writing style. The author seems as fascinated by himself as he is by his subject. The book is peppered with reminders that (as his presumably self-written bio says) he's "a popular and entertaining keynote speaker and interactive seminar leader." The stories are mostly not illuminating, just self-aggrandizing. He consistently misses one of the most important elements of informative writing: getting to the point. His chapters often natter on about unrelated matters that are more distracting fluff than cogent illustrations. You have to skim back and forth over the text to find the informative bits. As to the security topic itself, there are some good ideas buried in there. The author's entire focus, however, is on one narrow element of the security situation: stopping an attack. 
There's much more to risk management and incident response than that, yet the author seems to think he's revolutionized network security by looking for ways to measure this one facet of the problem. I give it two stars instead of one only because there are some good items buried in all the fluff.
0 of 1 people found the following review helpful:
5.0 out of 5 stars
One of the few classics in its field,
By
This review is from: Time Based Security (Paperback)
OK, I admit it! This is another book that should be read alongside Donn Parker and Commander Smith! Excellent and thought provoking. I loved it! The only bad things you could say about it are Winn's use of storytelling (even if I found it enjoyable and effective), and the shoddy printmanship of the book (unclear pictures and bad illustrations, but that may be Winn's doing again). Regardless of all complaints you may have against it, it needs to be read and understood, as well as being integrated into the curriculum of CISSP and equivalent certifications.
Time Based Security by Winn Schwartau (Paperback - February 1, 1999)