Oliver Day said
John and I don't see eye to eye on everything. In particular his thoughts of how vulnerability disclosure work. But this book deals with this and many other topics in a quick vernacular style which should make it accessible to security pros and everyone else. As an industry insider he has deep knowledge of how things work and it shows in the different stories throughout the book.
While there is no unifying theme throughout this text it is great to read in short bursts. He didn't try to add a lot of fluff to the chapters just to fill out the pages like a lot of other books tend to do. If you are thinking about entering or moving up in the security industry this is a great place to get a foothold on how the security industry's leaders think.
Ben Rothke said
The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is an interesting and thought-provoking book. Ultimately, the state of information security can be summed up in the book's final three sentences, in which John Viega writes that 'real, timely improvement is possible, but it requires people to care a lot more [about security] than they do. I'm not sure that's going to happen anytime soon. But I hope it does.'
The reality is that while security evangelists such as Viega write valuable books such as this, it is for the most part falling on deaf ears. Most people don't understand computer security and its risks, and therefore places themselves and the systems they are working in danger. Malware finds computers to load on, often in part to users who are oblivious to the many threats.
Much of the book is made up of Viega's often contrarian views of the security industry. With so much hype abound, many of the often skeptical views he writes about, show what many may perceive are information security truths, are indeed security myths.
From the title of the book, one might think that there is indeed a conspiracy in the computer security industry to keep users dumb and insecure. But as the author notes in chapter 45 -- An Open Security Industry, the various players in the computer security industry all work in their own fiefdoms. This is especially true when it comes to anti-virus, with each vendor to a degree reinventing the anti-virus wheel. The chapter shows how sharing amongst these companies is heavily needed. With that, the book's title of What the Computer Security Industry Doesn't Want You to Know is clearly meant to be provocative, but not true-life.
The book is made up of 48 chapters, on various so called myths. Most of the chapter are 2-3 pages in length and tackle each of these myths. The range of topics covers the entire security industry, with topics spanning from various security technologies, issues, risks, and people.
While not every chapter is a myth per se, many are. Perhaps the most evocative of the security myth is chapters 10 -- Four Minutes to Infection and chapter 22 -- Do Antivirus Vendors Write their own Viruses?. But the bulk of the book is not about myths per se, rather an overview of the state of information security, and why it is in such a state.
In chapter 16, The Cult of Schneier [full disclosure -- Bruce Schneier and I work for the same company], Viega takes Schneier to task for the fact that many people are using his book Applied Cryptography, even though it has not been updated in over a decade. It is not fair to blame him for that. While Viega admits that he holds Schneier in high esteem, the chapter reads like the author is somehow jealous of Schneier's security rock star status.
Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice that it is important to do their homework on security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem though is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.
Perhaps the best chapter in the book, and the one to likely get the most comments, is chapter 24 -- Open Source Security: A Red Herring. Viega takes on Eric Raymond's theory of open source security that "given enough eyeballs, all bugs are shallow." Viega notes that a large challenge with security and open source is that a lot of the things that make for secure systems are not well defined. Viega closes with the argument that one can argue open versus closed source forever, but there isn't strong evidence to suggest that it is the right question to be asking in the first place.
Overall, The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is good introduction to information security. While well-written and though provoking, the book may be too conceptual and unstructured for an average end-user, and too basic for many experienced information security professionals. But for those that are interested, the book covers the entire gamut of the information security, and the reader, either security pro or novice, comes out much better informed.
While the author makes it clear he works for McAfee, and at times takes the company to task; the book references McAfee far too many times. At times the book seems like it is an advertisement for the company.
Viega does give interesting and often entertaining overviews of what we often take for granted. Some of the books arguments are debatable, but many more are a refreshing look at the dynamic information security industry. Viega has sat down and written his observations of what it going on. They are worth perusing, and the book is definitely worth reading.
James Holmes said
This is a wonderfully contrarian view to much of the information we are fed regarding security. Viega brings a much-needed skeptical view to many of the things we as consumers and workers in the IT industry are fed. He skewers everything from antivirus to identity theft and takes a lot of effort to lay out his propositions around how bad guys are driven by money.
I got a bit weary of the not-quite-shilling for McAffee, the company Viega works for, and there were a couple technical howlers (a server-side application which required 200 servers simply "because it was written in Java"). Those irritants aside, it really is a great read which, whether you agree with his points or not, should make you re-evaluate how you look at security.
Books which make you think are always a Good Thing.
R. Pompon said
Several security bloggers recommended this book, so I picked up. It's a very fast read, not only because of the short chapters but also the anemic content. As a veteran with a decade in infosec and a couple decades in IT, the whole thing struck me as an amuse bouche of obviousness. Basically, I read a short essay, nodded my head "uh huh, uh huh" and then it turned the page and it was the end of the chapter. Basically I learned very little new, except that SiteAdvisor was cool (the author's service) and that was that. I think I blew through the whole thing in about an hour. Of course, if you're not working in security and are curious about what's really going on, then this is worth checking out. It summarizes a lot of arguments and suppositions, basically saving a dozen or so hours of trolling security blogs to pick up the same issues.
Richard Bejtlich said
Let me start by saying I usually like John Viega's books. I rated Building Secure Software 5 stars back in 2005 and 19 Deadly Sins of Software Security 4 stars in 2006. However, I must not be the target audience for this book, and I can't imagine who really would be. The book mainly addresses consumer concerns and largely avoids the enterprise. However, if most consumers think "antivirus" when they think "security," why would they bother reading The Myths of Security (TMOS)?
TMOS is strongest when Viega talks about the antivirus (or antimalware, or endpoint protection, or whatever host-centric security mechanism you choose) industry. I didn't find anything to be particularly "myth-shattering," however. I have to agree with two of the previous reviewers. Many of the "chapters" in this book could be blog posts. The longer chapters could be longer blog posts. The lack of a unifying theme really puts TMOS at a disadvantage compared to well-crafted books. I was not a huge fan of The New School of Information Security or Geekonomics (both 4 stars), but those two titles are better than TMOS.
If you want to read books that will really help you think properly about digital security, the two must-reads are still Secrets and Lies by Bruce Schneier and Security Engineering, 2nd Ed by Ross Anderson. I would avoid Bruce's sequel, Beyond Fear -- it's ok, but he muddles a few concepts. (Heresy, I know!) I haven't read Schneier on Security, but I imagine it is good given the overall quality of his blog postings.
If you want to shatter some serious myths, spend time writing a book on the "80% myth," which is stated in a variety of ways by anyone who is trying to demonstrate that insider threats are the worst problem facing digital security. If you're going to pretend to debunk open source security, why not back it up with some numbers? Studies have been published recently, and original research and results would be welcome. How about demonstrating that user awareness training wastes money, because enough marks fall prey anyway? I'd also like to see research showing that frequent password changes are worse for security, not better. Wrap all of that in a coherent manner with substantial chapters and you have a real TMOS book.
Comments