
Time Based Security (Paperback)

~ Winn Schwartau (Author) "Computer security has finally, at long last, become mainstream..."
Key Phrases: next chaplet, reaction matrices, electronic assets, Time Based Security, Information Warfare, Reaction Matrix

Customers Who Bought This Item Also Bought

  • The New School of Information Security, by Adam Shostack. 4.4 out of 5 stars (15), $19.79
  • Information Warfare: Second Edition, by Winn Schwartau
  • Security Metrics: Replacing Fear, Uncertainty, and Doubt, by Andrew Jaquith. 4.6 out of 5 stars (20), $31.49
  • Malware Forensics: Investigating and Analyzing Malicious Code, by Cameron H. Malin. 4.9 out of 5 stars (11), $62.95
  • Beyond Fear: Thinking Sensibly About Security in an Uncertain World, by Bruce Schneier. 4.4 out of 5 stars (47), $19.50

Editorial Reviews

Review

"Mr. Schwartau offers an intriguing process to information systems security which must be seriously considered when developing, baselining, and/or testing the protection mechanisms of today's systems. He explains why fortress mentality and the old ways of security have not worked and provides an alternative, which is an integration of new ideas and the tested ideas such as risk management. His Time-Based Security Model can be nicely integrated as the "other side of the coin" to complement the penetration testing in a more systematic and cost-effective process." -- Dr. Gerald L. Kovacich, CFE, CPP, CISSP, President, Information Security Management Associates

"Stimulating" -- Dorothy Denning, Professor, Computer Science, Georgetown University

"This book is really right!" -- Dr. Fred Cohen, Principal Member Technical Staff, Sandia National Laboratories; Inventor of Computer Viruses

"Time Based Security is brilliant. Revolutionary thinking! Time Based Security is to computer security as gunpowder was to warfare. For the first time, those who would defend critical infrastructures and priceless intellectual property have a manual for defeating their attackers, and doing so in a cost-effective fashion. The heart of this book is about the relationship between detection time, sunk costs, and sufficient security--this is essential reading." -- Robert D. Steele, President, OSS Inc.

"Time Based Security presents a simple, common sense approach that virtually anyone can use to apply to information assets." -- Lloyd F. Reese, CPP, CISSP, Program Manager


About the Author

Winn Schwartau, one of the country's leading experts on information security, infrastructure protection and electronic privacy, is often referred to as "the civilian architect of information warfare." He coined the term "Electronic Pearl Harbor" and was the Project Lead of the Manhattan Cyber Project Information Warfare and Electronic Civil Defense Team. Today, in addition to extensive lecturing, consulting and writing, Schwartau is host of the daily Radio Show, "On the Line" by New Media Entertainment.

President of Interpact, Inc. & The Security Experts, Inc COO, Infowar.Com, Ltd.

- Founder & Co-Sponsor: InfowarCon Conferences on Security, IW and infrastructure assurance, 1994-1999 Brussels, Belgium, London, and US.
- Member, New York Institute of Technology Criminal Justice Advisory Board
- Publisher and Founder, Security Insider Report
- Security Columnist: PlanetIT, CMP Publications
- Member, Board of Directors, Tritheum Technologies, (company sold 11/98)
- Editorial Board Advisor, Network Security (Elsevier), U.K.
- Member, Board of Directors, HomeCom, Inc. Atlanta, GA (1996-1997)
- Editorial Columnist and Security Features Contributing Editor, Network World
- Member, Board of Advisors, IBIT, International Banking Information Technology, Liechtenstein
- Member, Editorial Board of Advisors, InfoSecurity News. 1990-1997
- Technologist Advisor, National Computer Security Association (1990-1997)
- Contributing Editor, Internet World (1994-1996)
- Security Technologist to the International Security Systems Symposium Seminars.
- Commentary Editor and Columnist: "Security Insider," Security Technology News, Phillips Publications.
- Member, Editorial Board of Advisors, Crisis Magazine. (1988-1994)
- Former Architectural Security Consultant to Hughes STX on Enterprise security network architectures, design and implementation.

Mr. Schwartau is a popular and entertaining keynote speaker and interactive seminar leader who always keeps his audiences awake with thought provoking insights and commentary.

Mr. Schwartau may be reached at Interpact, Inc., 11511 Pine St., Seminole, FL. 34642. 727.393.6600, fax 727-393-6361, E-Mail: winn@infowar.com


Product Details

  • Paperback: 192 pages
  • Publisher: Interpact Pr (February 1, 1999)
  • Language: English
  • ISBN-10: 0962870048
  • ISBN-13: 978-0962870040
  • Product Dimensions: 8.7 x 5.9 x 0.5 inches
  • Shipping Weight: 10.4 ounces
  • Average Customer Review: 3.8 out of 5 stars (6 customer reviews)
  • Amazon.com Sales Rank: #1,196,337 in Books


Customer Reviews

6 Reviews
5 star: (3)
4 star: (0)
3 star: (2)
2 star: (1)
1 star: (0)

Most Helpful Customer Reviews

 
12 of 12 people found the following review helpful:
5.0 out of 5 stars A must have for anyone interested in information security!, November 5, 1999
By Dennis Groves (Scottsdale, AZ)
It has been said that "form follows function" and in the computer sciences we have had the freedom of sloppy engineering for way too long. It is joked that if builders built buildings the way programmers wrote programs the first woodpecker to come along would destroy civilization. I know that it is for this reason that we have so many problems "securing" anything in the info-sec fields, form is not following function...

This book is the only book on my shelf I recommend *everyone* (interested in security) read. It is ground breaking because it starts from scratch and looks at the function and follows with what the form should be. I think this book is a decade ahead of its time and that not until every programmer, consultant, system architect, and info-sec employee reads this book and the information becomes ingrained as common sense will security be truly possible in any meaningful way.

Most importantly it gives useful information on how to apply this information right now, a decade before we have good competition in the security product market place that will solve this kind of problem. If you plan on doing any kind of intrusion detection, the information in this book must be at your finger tips... It is the only way to measure how well solutions deliver, and to create meaningful metrics for measuring information security solutions.

The book has a certain prose about it that keeps on building on the previous idea, and hence seems to be repeating itself, however it is a short book that everyone from CEO to "in the trench guy" can read. Keep reading and thinking about what is being presented to you however and I think you will find as I did that the book is way ahead of its time and you will soon be building a secure infrastructure for your business that you can measure, and justify.




 
2 of 3 people found the following review helpful:
3.0 out of 5 stars As a book, not so great; as a concept, exceptional, January 19, 2008
Time Based Security (TBS) was largely written 10 years ago. The author gave me a copy about 3 years ago at a security conference. What's remarkable about the concept of TBS is that it was as relevant 10 years ago as it is today. The "risk avoidance" idea and "fortress mentality" described in TBS are as prevalent in this decade as they were in the 1990s, and they continue to fail us. TBS, as an alternative approach, is a powerful way to estimate the security posture of an asset. However, TBS the book is not the best way to make this argument (hence the three star rating). I would like to see TBS (published in 1999, but including older material) rewritten as a tenth anniversary edition and released in digital format, perhaps as a digital Short Cut.

To start, the foreword by Bob Ayers is almost as helpful as the rest of the book. I understand now why he claimed to manage "the performance of over 20,000 infrastructure and application penetration tests" in Chris McNab's Network Security Assessment; in TBS he says his Vulnerability Analysis and Assistant Program had "attacked well over 18,000 DoD computers." His findings from those tests revealed overwhelming success in penetrating systems, undetected, and barely reported when detected. Bob advocated transitioning from a risk avoidance strategy in DoD to one of protection-detection-response (PDR), because "it was impossible, either technically or fiscally, to build and operate a large DoD-wide 'secure' computing environment and that no security safeguards could resist a dedicated penetration attempt by an adversary who had an unlimited amount of time to attack...[T]he only true metric of the security of a system was the 'time' it took a dedicated attacker to break the security mechanisms" (p vi).

Turning to Winn's text, I found it filled with accurate judgments concerning security -- especially interesting since they were made 10 years ago. "Unfortunately, management sees information security as an unmeasurable bottom-line drain on profits, or an 'insurance policy' against which actuarials are slim and hard numbers are more folklore than statistically defensible. Or, management sees security as an unnecessary evil or burden that interferes with getting the job done. Too many security professionals and security product vendors view security as a technical problem, thereby demanding a technical solution" (p 9). Winn continues on p 26: "As a species, we humans are not smart enough to build a computer security system that is impenetrable... [I]f we were smart enough to build an impenetrable security system, it wouldn't be very useful or functional. If we were smart enough to build a computer security system that met these goals, we couldn't afford it."

Winn presents TBS as his way to measure security: "The amount of time offered by the Protection device or system (P) must be greater than the amount of time it takes to detect the attack (D) plus the amount of time it takes to react to the detection (R)... If the amount of protection time you provide is greater than the sum of D and R, then your system can be considered secure" (p 34). This really resonated with me: "[T]he choice of a good protection system is not the first thing you need to think about when designing a security network environment. It's the efficacy of the detection and reaction processes that really matters" (p 36). Where "there are no detection or reaction mechanisms... P must be absurdly high... to have any effectiveness" (p 43). "Conventional protective information security is very difficult. And so, we assume for many TBS applications that P=0" (p 44).

To support his TBS concept, Winn recommends developing Reaction Matrices to list attacks, detection and response mechanisms, and estimated times for P, D, and R. Winn suggests using gaming (i.e., exercises) to show management and operators how TBS works and to assess if their estimates are realistic. Winn promotes network auditing (essentially data collection) as a means to improve detection and response, since making fast yet accurate decisions requires high-fidelity data.

These are all excellent and powerful ideas, but their lackluster presentation in TBS is probably enough to turn many people away from them. Previous reviews describe some of the problems with TBS as a book. I subtracted one star for overall presentation and delivery, and a second star for ineffective communication. Some conceptual problems need to be addressed, such as this: since P usually fails, we need to reduce D and R. However, if D and R can be reduced to the point where they are incredibly fast, why can't D and R be converted into P? After all, protection requires identifying an attack and stopping it -- i.e., detection and reaction. The answer probably involves recognizing that detecting and reacting to the attack itself is often very difficult, but identifying the attack consequences is more likely.

Still, I think it's time for TBS to make a comeback in a lean, focused format for 2009. Too many people still live in a fortress where P is the most important aspect of security. P is nowhere close to being 100% effective, yet D and R continue to be neglected.



 
5.0 out of 5 stars Excellent, June 14, 2008
Amazon Verified Purchase
Nutshell review - The book describes the application of information security in terms of time; protection time, detection time, response time. This is a must read for infosec professionals.


Most Recent Customer Reviews

2.0 out of 5 stars Very Sloppy Work
This is perhaps the worst-written IT book I've seen.

First, there are the basic mechanics of writing a book.
Published on January 11, 2007 by ITguy

3.0 out of 5 stars Some good ideas but a lot of gaps
The premise of Time Based Security is simple: a system is never truly secure. Someone will break in. So what do we do?
Published on November 18, 2006 by a reader

5.0 out of 5 stars One of the few classics in its field
OK, I admit it! This is another book that should be read alongside Donn Parker and Commander Smith! Excellent and thought provoking. I loved it!
Published on August 30, 2003 by Roland Buresund
