Security Engineering – by Wiley – Security is not just FUD – IMHO

Posted: September 2, 2013 in technical
Tags: , , , , , , , , , ,

Wiley – they are some of my favourite publishing houses, alongside Springer, Academic Press and Prentice Hall. Latest book I’ve read from Wiley is actually an old one. Somehow, it has slipped my reading list.

It is Security Engineering: A Guide to Building Dependable Distributed Systems

Mr. Ross J. Anderson has a nice profile on University of Cambridge website and advertises the second edition of his Security Engineering book almost 3 years ago.

The structure of the book follows like this:

Part I
1. What is security engineering?
2. Usability and psychology
3. Protocols
4. Access control
5. Cryptography
6. Distributed systems
7. Economics


Part II
8. Multilevel security
9. Multilateral security
10. Banking and bookkeeping
11. Physical protection
12. Monitoring and metering
13. Nuclear command and control
14. Security printing and seals
15. Biometrics
16. Physical tamper resistance
17. Emission security
18. API attacks
19. Electronic and information warfare
20. Telecom system security
21. Network attack and defense
22. Copyright and DRM
23. The bleeding edge
Part III
24. Terror, justice and freedom
25. Managing the development of security systems
26. System evaluation and assurance
27. Conclusions

The very first impression I got while reading this book was: “Why on Earth have I not read this in preparation for my CISSP exam? My life would have been so much easier!”

But: let’s have another chocolate and get over the first moment of frustration 🙂

I must confess I only read the following chapters in sufficient detail to be able to say a couple of words about them:

Part I
1. What is security engineering?
3. Protocols
4. Access control
5. Cryptography
Part II
8. Multilevel security
9. Multilateral security
10. Banking and bookkeeping
12. Monitoring and metering
16. Physical tamper resistance
18. API attacks
20. Telecom system security
21. Network attack and defense
Part III
26. System evaluation and assurance
27. Conclusions

I will not start writing about each of them. Overall, I appreciated the following things about the book:

1. Strong technical content (what I surprise that I liked that! ), to-the-point, well-reasoned and well-exemplified observations about what is wrong with security design, implementation, configuration, as well as management, maintenance and people in companies, as well as research institutes.

2. Very nice examples about lesser-known parts of security (such as hardware tampering resistance, telco and banking worlds). People imagine that if it’s hardware, then it’s safe – wrong. People imagine banking security is about putting more hardware stuff and leveraging risk to specialised risk institutions, while the bank admins play Solitaire – wrong again. I won’t even start on telcos, where most of the people focus on “making it work” reliably – what we call the “availability” part of the Security Triangle (CIA: Confidentiality, Integrity, Availability), and think security is a fancy invention of people without occupation, to gain some easy money by creating panic – wrong wrong wrong.

When I was an engineer I used to complain about engineering jobs getting to India (aspect which engineers still rightfully complain about). If I am to quote Mr. Tyson, I would say this happens because of the law of economics: if they can do it the same or similarly well, for a significantly lower price, then the jobs get there. Fair enough, I would say. And, unless there is a specific privacy law prohibiting some data or knowledge transfer to countries outside US, or EU…etc., then these jobs, data and knowledge get there. I won’t comment about how well the job is done – I believe it varies from case to case. Nevertheless, my point is: what is the added value of an activity? If you are good engineer, then you want to still have your job in EU, because you VALUE more than a lot of people in an under-developed country. The value the company gets for keeping you and paying you good money is that your work is of high-quality and it overall raises the value of the company.

I believe the same goes with security. What is really the VALUE of security? If we think it’s all about creating panic that, somehow, someday, a bad guy will hack into your network…then I say you’ve only got a part of the picture. If you just buy a very good router, it does not mean you have an efficient communication in your network. If you have a security team and people tell you everyday how many hackers can produce damages, then you don’t add value to the company, you just mitigate a risk.

I should not say this, but I don’t like the risk-driven approach in security. Whether it’s a near-future risk, or an “imagined” (some-day risk) in the future, I think this is just the approach security specialists need to take, in order to “get the money” for security.

I see SECURITY standing in the same boat with QUALITY. Sure you can pay 100 people from an under-developed country to create OSPF rules. Yes. But I would pay one guy to do it properly, even if it costs twice as much as the above 100. Sure you can say all security developments are driven by risk and FUD. But I do it because of the same reason why some companies decide to hire that ONE guy to do it properly. Not because 100 others cannot write OSPF rules. But because one company decides to do it properly. And by PROPERLY I mean a good look into Security as a measure of QUALITY of the network and company, and NOT as a measure of mitigating a risk.

I liked how Mr. Anderson gave his examples of hacks and showed his ideas and best practices of improving security. But what I liked most was the unspoken words I’ve read between the lines. This book seemed (to me) to address Security as a measure of Quality, as a measure of doing things the right way, the professional way, in a network or company or organisation, and not merely as “fix this, because if you get hacked, then that’s the amount of money you can lose”. Sure, I don’t say this argument is not valid. But I think we can do more. And I think Security is MORE than FUD.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s