August 20, 2008
The New School of Information Security
Authors: Adam Shostack, Andrew Stewart
Publisher: Addison-Wesley Professional
Category: Book

List Price: $29.99
Buy New: $17.76
You Save: $12.23 (41%)
Buy New/Used from $17.76

Avg. Customer Rating: 4.5 out of 5 stars(11 reviews)
Sales Rank: 43044

Media: Hardcover
Edition: 1
Number Of Items: 1
Pages: 288
Shipping Weight (lbs): 1.3
Dimensions (in): 9 x 6.1 x 1.3

ISBN: 0321502787
Dewey Decimal Number: 658.478
EAN: 9780321502780
ASIN: 0321502787

Publication Date: April 5, 2008
Availability: Usually ships in 1-2 business days

Editorial Reviews:

Product Description
“It is about time that a book like The New School came along. The age of security as pure technology is long past, and modern practitioners need to understand the social and cognitive aspects of security if they are to be successful. Shostack and Stewart teach readers exactly what they need to know--I just wish I could have had it when I first started out.”

--David Mortman, CSO-in-Residence Echelon One, former CSO Siebel Systems

Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography--and why you should, too. And why security breach notices are the best thing to ever happen to information security. It’s about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don’t just answer those questions--they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you’re a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about--and overcoming--your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.

  • Better evidence for better decision-making
    Why the security data you have doesn’t support effective decision-making--and what to do about it
  • Beyond security “silos”: getting the job done together
    Why it’s so hard to improve security in isolation--and how the entire industry can make it happen and evolve
  • Amateurs study cryptography; professionals study economics
    What IT security leaders can and must learn from other scientific fields
  • A bigger bang for every buck
    How to re-allocate your scarce resources where they’ll do the most good



Customer Reviews:

4 out of 5 stars Should read if ...   August 13, 2008
  1 out of 1 found this review helpful

Nutshell review - This book should be read if you are in any kind of management position related to information security. It presents some thought-provoking ideas to help you think about information security in a different way from the norm.


4 out of 5 stars Not much "new school" in The New School of Information Security   August 2, 2008
  0 out of 1 found this review helpful

The previous reviews have adequately discussed the contents of The New School of Information Security (The New School). This is a short review within a discussion of what a "new school" of information security should do.

The New School eloquently outlines the evolution of information security from its roots, to a big picture snap of where it is at today, warts and all. It is economic of words, but not of concepts. The New School is a field summation accessible to non-technical readers, while at the same time attempting to act as a kind of a clarion call for security professionals. The authors do a pretty good job of this balancing act; they have created a map that tells the security industry, "You are here" in narrative terms. The problem with this map is that it has gaps in it and its information is sketchy in parts. The authors tell us in The New School why this map lacks clarity and then suggest ways to improve it.

While I was thinking about "The New School", Richard Bejtlich submitted a review where he says the authors "…don't do much to provide actionable next steps." I agree that there is not much "new school" in The New School. Personally I was hoping that the words "new school" in the title meant that it described a path to innovation or new ways to achieve information security. While there are a few mentions of being open to new perspectives, The New School mostly recommends improved empirical methodologies to make status quo technologies and models work better.

I also smiled at the irony of Mr. Bejtlich's review where he says: "Maybe [information security] dysfunction should be empirically demonstrated before foundations for a "New School" are deployed?" One of Richard's so-called Three Wise Men of Security is Marcus Ranum, who has probably written more about the dysfunctional side of information security, and monies wasted, than anyone else. (More later)

Even the term "information security" is a bit cloudy. The majority of persons equate the term with network security, which is information security only in the broadest sense. Although there is a growing consensus in the industry that it must refocus on information-centric security, there is no real discussion of this necessary change in direction in The New School.

Why do security pundits often say and write that information security has hit a wall, and that we no longer see innovation in information security? Guy Kawasaki wrote in his "Art of Innovation" spiel, "Those on the first curve are unable to comprehend, let alone embrace, the second curve." If this is really the case, which persons on the "first" curve will ever be in a position to come up with, or recognize new innovations?

When one tries to solve a problem, one intuitively starts with what one already knows, based on related experiences. From a philosophical point of view then, one might have to unlearn, or be able to put down, what one already knows, to be able to think out-of-the-box.

Unfortunately, The New School makes a case for Kawasaki's assertion by demonstrating that its authors, like most others in the information security field, are planted squarely on the first curve. Why does this matter? In the same article, Kawasaki also writes that those on the first curve are aiming for improvements of 10-15% in status quo technologies (usually to gain market advantage), while true innovators strive for 10-15 TIMES improvements in end performance. That seems to imply a lot of empirical measurement and metric development ahead of us for an optimistic 15% increase in performance!

The authors allude to the fact that many security products address symptoms of the problem, instead of the problem itself. Shouldn't a genuine "new school" address the historic omission of security from information systems design that gives rise to the information systems security problems we are experiencing in today's networked world? How can an industry that has a dysfunctional premise (an inherent design flaw) as its foundation not be dysfunctional? Are we attempting to build skyscrapers on a foundation of sand? Read Marcus Ranum for enjoyable rants on the futility of this.

This is the quandary for information security. Why should ANY resources be devoted to improving flawed technology models? Yet, it may be beyond the realm of possibilities for anyone fully entrenched on their current path to change course to a path of innovation.

Perhaps a more accurate title for the book might have been "Reforming the Old School." In saying this I do not intend to be mean-spirited, for I think the authors have done a service for the industry by challenging concepts such as "best practices", and The New School is worthy of a read. The real goal of a "new school" should be real innovation. Innovation must address the real problem so that we may jump to the next curve and obtain leaps in protection of data, rather than settling for marginal gains by inching further along the first curve.

Without such consideration, The New School is not strong enough to be a turning point for the industry, as some people might think, but it is good enough to act as a catalyst for better use of the status quo. Besides improved empirical methodologies though, we also need some real out-of-the-box thinkers and innovators. They are the ones that will be able to write the curriculum for a future "new school" of information security.



4 out of 5 stars A wake-up call for some, but not many answers   July 27, 2008
  3 out of 7 found this review helpful

If you don't "get" Allan Schiffman's 2004 phrase "amateurs study cryptography; professionals study economics," if you don't know who Prof. Ross Anderson is, and if you think anti-virus and a firewall are required simply because they are "best practices," you need to read The New School of Information Security (TNSOIS). If you already recognize why I highlight these issues, you will not find much beyond an explanation of these central tenets in TNSOIS.

Authors Adam Shostack and Andrew Stewart do a good job summarizing the problems with the worldview held by many in the digital security industry. While they fairly effectively demolish current mindsets, they don't do much to provide actionable next steps. For example, the book jacket teases us with statements like "Why the security data you have doesn't support effective decision-making -- and what to do about it" and "How to re-allocate your scarce resources where they'll do the most good." I read that most of what the industry does is broken, but not much beyond general ideas like these from the end of Ch 6: "When considering spending on a security product, a useful first question to ask is whether the core capabilities that the product would provide are already available within the organization's IT structure... Another framing question to consider is whether the security functionality you want will be delivered at some point in the future within the infrastructure that the organization already owns or expects to own" (pp 126-7). This isn't very "new school" to me, i.e., don't buy what you already have or expect to have soon.

Similarly, the "Call to Action" in Ch 8 boils down to "Gather Good Data," "Analyze Good Data," and "Seek New Perspectives," but aside from breach data, we aren't given much else to follow. Sections like this make me think TNSOIS could have been more of a pamphlet than a book, but I shouldn't take for granted that many people don't think like the authors.

I thought it ironic that a book praising the importance of evidence would place all of the references as endnotes at the back of the book. I laughed when I read on p x "we don't include endnote numbers in the text. We find those numbers distracting, and we hope you won't need them." Accurate documentation is the heart of good research, so a second edition or future works should put proper footnotes on each page. Readers usually ignore endnotes because it's a hassle to flip back and forth. When is the reader to know an endnote even exists, if the text has been stripped of endnote numbers?

We do need more security books that teach "how to think," instead of "how to configure a firewall." I wonder if books like "Cyber Security: Economic Strategies and Public Policy Alternatives" by Gallaher, Link, and Rowe might provide a stronger empirical rationale for the ideas we read in TNSOIS. I'd like to leave the authors with one thought. The back jacket asks "Why is information security so dysfunctional? Are you wasting the money you spend on security?" I don't see real data (of the kind I'd expect the authors would demand elsewhere) justifying the "dysfunction" aspect, although my "gut" sympathizes with this assessment. That doesn't satisfy an evidence-based approach, however. Maybe dysfunction should be empirically demonstrated before foundations for a "New School" are deployed?



5 out of 5 stars It is High Time for the New School   July 2, 2008
  5 out of 5 found this review helpful

The New School of Information Security is one of the most timely and radical books on computer and information security that I've ever read. Adam Shostack and Andrew Stewart help to stimulate a significant paradigm shift that has been brewing in the infosec sphere for some time. With solid evidence and well-grounded arguments, Shostack and Stewart advocate for a new, and much needed, approach to information security: the New School.

Chapter 1 begins with a quick look at some prominent problems in the information security landscape today. By looking at spam, malware, identity theft, and computer breaches the authors provide a rough sketch of the current infosec landscape. Given the apparent failure of current approaches to security in the face of these threats the authors rhetorically pose the question of simply starting over and building a new approach from scratch before providing the opening sketch of their New School. The authors advocate the need for a new approach to computer security, the New School. The New School is described as quantifiable, "putting our ideas and beliefs through tests designed to draw out their flaws and limitations." This concept of metrics and empiricism is a common thread throughout the book.

Chapter 2 describes the "scene," or the state of the computer security industry today. By applying some elementary game theory the authors sketch out some of the dilemmas facing information security today. Then they delve into some of the historic origins of modern computer security. They point out that much of the computer security "conventional wisdom" has grown out of the military's needs for computer security and how that foundation isn't necessarily the best. They also explore the influence of hackers and crackers on the evolution of the industry. Finally they explore the relationship of capitalism and money to the field, including the driving factors of making money and how these have shaped the development of security today. The authors point out that while many good things have come from these various influences, they have also produced some unfortunate side effects that don't necessarily have to be taken for granted. The chapter goes on to examine the economy of the security industry, including the idea of "best practices" (which the authors very roundly decry) as well as turnkey solutions. The authors also point out the difficulty in measuring security products given the lack of objective test data produced in the sector. The chapter concludes with the thought that "without proper use of objective data to test our ideas, we can't tell if we are mistaken or misguided in our judgement." They provide further evidence that the industry as a whole isn't often guided by any sort of quantifiable data (thus removing the 'science' from computer science) and that all too often "conventional wisdom" is misguided and sometimes blatantly wrong because it lacks a solid empirical foundation.

Chapter 3 looks at some of the underpinnings of gathering solid scientific evidence with which to test the ideas of the New School. Without good evidence, they point out, it is nearly impossible to make accurate decisions. The authors point out the problems with much of the evidence used to support common claims in computer security, including surveys, and show the bias present in much of the survey data used to justify security decision making. The chapter goes on to lament the lack of an objective trade press in the industry and then delves into the vulnerability discovery lifecycle that drives much of computer security. The authors examine how vulnerabilities are discovered, how vendors often ignore flaws in their products in their rush to market, and the fact that there are sometimes problems with using vulnerability reports as solid metrics for security. The chapter then goes on to examine how data about security can be collected, either by hobbyists or individuals. Ultimately, the authors lament the fact that much of the data collected about security isn't shared with the community and thus it becomes nearly impossible to make better decisions. The lack of objective, available data makes it extremely difficult for us to draw reliable conclusions based on trends or quantify the current state of security.

Chapter 4 looks at security breaches and specifically argues for the benefits of breach notification as one of the best ways to produce quantifiable metrics in security. The authors point out that breach notification rarely has long-term consequences to a company's stock price or customer loyalty, and the benefit of breach data would be invaluable to researchers. The authors argue that breach notification is a key component to the outlook of the New School. In joining the New School, organizations have to learn "to focus on observation and objective measurement." They argue that only by doing so can we move information security from an art to a science. They say that while "it is true that computer security consists of a fog of moving parts...complex problems do get solved. Investigators bring a broad set of analytic techniques ranging from explanatory psychology...to complex economic models." At this point in the book the authors begin to introduce another key component of the New School, that is the need for integration of other fields of study into computer security. The authors argue that by utilizing approaches and theories developed in the fields of psychology, economics, sociology, and other academic areas our understanding of information security can be broadened and greatly enhanced. They always come back to ideas of empiricism, however, stating that "the core aspect of scientific research - the ability to gather objective data against which to test hypotheses - has been largely missing from information security." The authors emphasize that not only does data need to be collected, it must also be shared in order to aid in our understanding of the data.

Chapter 5 begins to draw upon outside fields of academia to enhance the New School. This chapter begins by introducing several economic models and explaining how they influence information security. While economic approaches to security are nothing new (risk mitigation, calculations of value and exposure equaling risk, etc.) the New School argues that "because computers are inevitably employed within a larger world, information security as a discipline must embrace lessons from a far wider field." The authors argue that economic models don't only have to be applied at a macro level to computer security, but can also be applied to more compartmentalized security problems (such as getting users to select good passwords). They also examine the success potential of certain security products based on economic analysis. The chapter goes on to discuss how lessons from psychology can be incorporated into our security decision making and to help us understand computer security more fully. Finally the chapter draws on lessons from sociology and shows how they too can inform our understanding of security.

Chapter 6 focuses on spending. The chapter is devoted to examining how organizations spend their money on information security and why. Like the earlier chapters, this one applies the New School approach to attempt to analyze spending habits and challenges much of the foundational logic that supports common security spending plans. The chapter draws on lessons from economics and psychology to examine the patterns of spending and suggests some ways in which we can improve our spending on security. Ultimately the authors argue that we understand the factors that should influence spending and focus our efforts on the most quantifiably effective expenditures of money.

Chapter 7, or Life in the New School, discusses many of the challenges facing the New School. These range from the lack of quality data to the dearth of a standardized security vocabulary. This chapter mainly points out the challenges that lie ahead and the many ways that a new approach can help overcome them.

Chapter 8 is a blanket call to join the New School along with instructions for how to begin. The authors argue that New School proponents should collect good data, analyze that data and seek new perspectives. They point out that the New School draws from a diverse body of academic knowledge and advocates synthesizing work from other academic areas into the New School approach. Ultimately the New School challenges us to change how we think about information security. Not only should we question the "conventional wisdom" we take for granted, but we should also seek out new hypotheses and ways to test them in order to expand our understanding of computer security as a whole.

The book is an easy read and makes quite an impression. Shostack and Stewart lead the charge towards a more empirical approach to computer security. The field has matured enough that we should begin treating it seriously, and in order to do so we need to be able to speak authoritatively about issues. The voodoo of conventional wisdom is no longer good enough when making recommendations as experts. We need to be able to point to solid evidence to justify security strategies and implementations. We also need to be able to look at quantifiable data when evaluating new products and tools. Ultimately I see the field moving in this direction and I give kudos to Shostack and Stewart for issuing this clarion call to an industry that will hopefully take their message to heart.



5 out of 5 stars Kicking Down Institutional Walls   June 16, 2008
  7 out of 7 found this review helpful

By: Jeffrey W. Bennett, ISP, Author of: ISP Certification-The Industrial Security Professional Exam Manual and Under the Lontar Palm

This book commands attention! The authors bring to light current security practices, methods and decision analysis and their many shortcomings. The authors' thesis: to provide a sound argument toward a more modern and effective way of implementing security practices. The ideas are easy to apply, but contrary to what is taught by security seminars and vendors selling security products.

While security seminars and education efforts teach cataclysmic results of security breaches, "New School" demonstrates the need for collecting data to assess the threat in a scientific manner. Shostack and Stewart champion going back to raw data to identify the threats and then develop programs to address those threats.

Aside from evidence related to loss, espionage or other threats, risk managers cannot effectively apply security measures. The authors indicate that breach data exists, but the holders are reluctant to share. However, the authors do a good job of proving that companies who publicly admitted failure recovered quickly from any scandal or fallout from information or data breaches.

The authors knock down the traditional walls of security training institutions. They preach good solid evidence behind decision making; otherwise security managers cannot effectively determine whether or not the lack of threat is a result of new security measures or just plain luck.

The book is easy to read and implement in all areas of security. The physical security, loss prevention, DoD contractor, and many others in and out of the security profession can adapt the principles to their business units.




Powered by: Dknc, inc. and Amazon.com