Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!



Book Review: Spam Nation

benrothke Re:Why are we afraid of international lawsuits? (82 comments)

I don’t know the laws. But Krebs was explicit that the Washington Post lawyers put the kibosh on many of his stories due to those lawsuit fears. And when they didn’t, it took months of review to finally to get the story out.

about 2 months ago

Book Review: Spam Nation

benrothke Re:So... did he have any tested? (82 comments)

Krebs writes that he had people at The University of Alabama at Birmingham ready to do the testing. But they couldn’t get the necessary sign off, both from the school administration and the FDA.

And even if they did, imagine if CNN got hold of the story. They would plaster the headlines with: University testing illegal Russian drugs for potency.

about 2 months ago

Book Review: Spam Nation

benrothke Re:Clarify this sentence, please? (82 comments)

Agreed, but they still have turned a blind-eye to the foreign illegal pharma. The amount important is not insignificant, and pharma has gone after smaller fish in the past.

about 2 months ago

Book Review: Spam Nation

benrothke Re:So... did he have any tested? (82 comments)

Such tests require sophisticated testing equipment.

Those with the equipment are not going to risk getting their labs shut down for testing illegal drugs.

The book notes that The University of Alabama at Birmingham was ready to do the testing; but the necessary approval from the FDA and university administrations simply could not be obtained.

about 2 months ago

Book Review: Spam Nation

benrothke Re:Clarify this sentence, please? (82 comments)

Big pharma has long portrayed these foreign made pharmaceuticals as dirty and dangerous.

The quandary is that if as John Horton noted that they are indeed indistinguishable from those sold by approved pharmacies; then US pharma is selling a drug at 10x the price.

It would place them in a PR nightmare they could not get out of.

about 2 months ago

Book Review: Spam Nation

benrothke Re:Why are we afraid of international lawsuits? (82 comments)

International lawsuits terrify management. As these lawsuits are distracting, time consuming and extremely expensive.

While libel is extremely hard to prove, no firm wants to be on the receiving end of a subpoena. The Washington Post is somewhat risk adverse, which is why they backed off on the story.

about 2 months ago

Book Review: Bulletproof SSL and TLS

benrothke Re:So is that a yes or a no? (92 comments)

SSL is subject to vulnerabilities, weaknesses and misconfiguration like every other protocol and piece of software.

It’s for the most part all we have until a SSL replacement is found.

With that, you can maximize its usefulness by deploying it correctly, as per the 2nd half of the book.

about 2 months ago

Book Review: Measuring and Managing Information Risk: a FAIR Approach

benrothke Re:Media Coverage of Risk (46 comments)

I guess a better term would have been ‘uninterested’.

The fact that a few people have died to Ebola makes it a novelty.

The fact that 10,000+ people have been killed annually in DUI related offences has jaded the media.

about 3 months ago

Book Review: Measuring and Managing Information Risk: a FAIR Approach

benrothke Re:Media Coverage of Risk (46 comments)

Bruce Schneier has a good essay on this topic - Virginia Tech Lesson: Rare Risks Breed Irrational Responses - https://www.schneier.com/essay...

He sums it up with novelty + dread = overreaction.

Ebola fits that. From a public heath perspective for the US, Ebola is for the most part a non-issue.

about 3 months ago

Book Review: Measuring and Managing Information Risk: a FAIR Approach

benrothke Re:ISBN (46 comments)

Thanks. Will see if the editor can make the change.

about 3 months ago

Book Review: Architecting the Cloud

benrothke Re:Real world example .. (75 comments)

If you start a dialogue with a sales rep at AWS, they have a log of diagrams and detailed technical material they will share.

You can also look around at http://aws.amazon.com/document..., as there is a lot of good technical material there.

about 5 months ago

Book Review: Architecting the Cloud

benrothke Re:The cloud (75 comments)

::::First and foremost, the cloud is not in any way shape or form secure.Any thing you put there is there to share.

It’s as secure as you want to make it.

Many firms that take security seriously use the cloud. :::::Second, it is a buzzword that is used to get gullible suits to think that they can get rid of their IT depatments.

You do have a good point there.

about 5 months ago

Book Review: Architecting the Cloud

benrothke Re:Either (75 comments)

You are correct about my not getting the first sentence right.

With that, don’t let defective sentence stop you from reading a very good book.

about 5 months ago

Book Review: Architecting the Cloud

benrothke Re:More details please... (75 comments)

:::::Will an experienced admin (20+ years *NIX) that's currently using RackSpace (dedicated and cloud) learn anything from this book? It's so hard to tell from this review.

I think so. :::I've been using RackSpace for a few months now and I find that it's not much different than hosting the servers myself except I don't have to deal with things like router/switch configuration and hardware replacements.

From a hosting and sys admin perspective, it is not a radical difference.

But from a cloud application perspective, there is a lot to learn.

about 5 months ago

Book Review: Architecting the Cloud

benrothke Re:Standards Standards Standards (75 comments)

Excellent point.

Lack of standardization is one of the biggest problems facing cloud computing.

It’s inevitable a few standards will eventually emerge. But until then, there’s a lot of uncertainty.

about 5 months ago

Book Review: Architecting the Cloud

benrothke Re:a solution in search of a problem (75 comments)

:::entrust their data to some unknown and unmonitored external entity such as the 'cloud'.

Do you really consider Amazon Web Services unknown and unmonitored?

The granularity of what they can report on shows their monitoring capabilities are quite sophisticated. :::Until that time, safe and productive cloud computing is just a fantasy. It's a solution in search of problem. Avoid it.

I think the facts speak for themselves. There are thousands of examples of safe and productive instances of cloud computing,

But there are also tens of thousands of examples of insecure and unproductive instances of cloud computing,

about 5 months ago

Book Review: Architecting the Cloud

benrothke Re:Sounds like a good read (75 comments)

The book doesn’t deal with acceptable use per se, as much of acceptable use is determined by the specific user of the cloud.

As I wrote about “almost any security regulation or standard can be met in the cloud. As none of the regulations and standard dictates where the data must specifically reside”.

So if you define what the with acceptable use is and build that into your cloud policy and contract, that would be acceptable.

about 5 months ago



Book review: Designing and Building a Security Operations Center

benrothke benrothke writes  |  4 days ago

benrothke (2577567) writes "Title:Designing and Building a Security Operations Center

Author: David Nathans

Pages: 276

Publisher: Syngress

Rating: 8/10

Reviewer: Ben Rothke

ISBN: 978-0128008997

Summary: Good introduction to those looking to build their own security operations center

Many organizations are overwhelmed by the onslaught of security data from disparate systems, platforms and applications. They have numerous point solutions (anti-virus, firewalls, IDS/IPS, ERP, access control, IdM, single sign-on, etc.) that can create millions of daily log messages. In addition to directed attacks becoming more frequent and sophisticated, there are regulatory compliance issues that place increasing burden on security, systems and network administrators.

This creates a large amount of information and log data without a formal mechanism to deal with it. This has led to many organizations creating a security operations center (SOC). A SOC in its most basic form is the centralized team that deals with information security incidents and related issues.

In Designing and Building a Security Operations Center, author David Nathans provides the basics on how that can be done. An effective SOC provides the benefit of speed of response time to a security incident. Be it a DDoS attack or malware which can spread throughout a corporate network in minutes, and potentially knock out the network, every second counts in identifying these attacks and negating them before they can cause additional damage. Having a responsive SOC can make all the difference in how a firms deals with these security issues.

The book notes that the SOC is akin to an enterprise nervous systemthat can gather and normalize vast amounts of log and related data. This can provide continuous prevention, protection and detection by providing response capabilities against threats, remotely exploitable vulnerabilities and real-time incidents on the monitored network.

The books 11 chapters provide a start for anyone considering building out their own SOC. Topics include required infrastructure, organizational structure, staffing and daily operations, to training, metrics, outsourcing and more.

When building a SOC, the choices are for the most part doing it yourself (DIY) or using an outsourced managed security service provider (MSSP). The book focuses primarily on the DIY approach, while chapter 10 briefly details the issues and benefits of using a MSSP. The book provides the pros and cons of each approach. Some firms have a hybrid approach where they perform some SOC activities and outsource others. But the book doesn't details that approach.

The book provides a large amount of details on the many tasks needed to create an internal SOC. The truth is that many firms simply don't have the staff and budget needed to support an internal SOC. They also don't have the budget for an MSSP. With that, Mike Rothman of Securosis noted that these firms are "trapped on the hamster wheel of pain, reacting without sufficient visibility, but without time to invest in gaining that much-needed visibility into threats without diving deep into raw log files".

One important topic the book does not cover is around SIM/SIEM/SEM software. SIEM software can provide a firm with real-time analysis of security alerts generated by network and security hardware, software and other applications.

Many benefits come from an effective SIEM tool being the backbone of the SOC. A SIEM tool consolidates all data and analyzes it intelligently and provides visualization into the environment. But selecting the appropriate SIEM and correctly deploying it is not a trivial endeavor.

Those looking for a good reference on SIEM should read: Security Information and Event Management (SIEM) Implementation, which I reviewed on Slashdot - http://books.slashdot.org/story/11/02/23/1328243/book-review-security-information-and-event-management-implementation. That book does provide an excellent overview of the topic and will be of value to those reading looking for answer around SIEM. Those looking for a solid introduction to the world of SIEM should definitely get a copy.

The book notes that the most important part of a SOC, and often the most overlooked, is that of the SOC analyst. And with that, the book writes how it's important to be cognizant of the fact of SOC analyst burnout. SOC analysts can burnout and it's important for an organization to have a plan to address this, including aspects of training, management opportunities and job rotation.

Building an in-house SOC takes significant planning an attention to detail and the book details a lot of the particulars that are required for an effective SOC design.

The implementation of a SOC will cost a significant amount of money and management will often want to have metrics to let them know what the SOC is doing. The book spends a brief amount of time on SOC metrics; which is a topic that warrants a book in its own right. There are many metrics that can be created to measure SOC efficacy. Effective SOC metrics will measure how quickly incidents are handled by the SOC, and how incident are identified, addressed and handled.

The downside to metrics is that they must be used judiciously. It's important not to measure base performance of a SOC analyst simply on the number of events analyzed or recommendations written. Metrics used in that manner are akin to help desk where analysts are only concerned about getting calls finished, in order to meet their calls completed metrics.

As important as a SOC is, this is surprisingly the first book written on the topic. At under 250 pages, the book provides an introduction to the topic, but is not a comprehensive work on the topic. There are areas in SOC management that the book doesn't cover, such as SOC documentation, creating and using SOC operation run books, and more.

But even with those missing areas, Designing and Building a Security Operations Centeris a good reference to start with. A SOC is a security component most organizations are in dire need of, and the book is a good way to get them started on that effort.

Reviewed by Ben Rothke"

Book review: Spam Nation

benrothke benrothke writes  |  about 2 months ago

benrothke (2577567) writes "Title:Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door

Author: Brian Krebs

Pages: 256

Publisher: Sourcebooks

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1402295614

Summary: Excellent expose on why cybercrime pays and what you can do about it

There are really two stories within Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door. The first is how Brian Krebs uncovered the Russian cybergangs that sent trillions of spam emails for years. As interesting and compelling as that part of the story is; the second storyline is much more surprising and fascinating.

Brian Krebs is one of the premier cybersecurity journalists. From 1995 to 2009, he was a reporter for The Washington Post, where he covered Internet security, technology policy, cybercrime and privacy issues. When Krebs presented the Post with his story about the Russian spammers, rather than run with it, the Post lawyers got in the way and were terrified of being sued for libel by the Russians. Many of the stories Krebs ran took months to get approval and many were rejected. It was the extreme reticence by the Post to deal with the issue that ultimately led Krebs to leave the paper.

Before Krebs wrote this interesting book and did his groundbreaking research, it was clear that there were bad guys abroad spamming American's with countless emails for pharmaceuticals which led to a global spam problem.

Much of the story details the doings of two of the major Russian pharmacy spammer factions, Rx-Promotion and GlavMed. In uncovering the story, Krebs had the good fortune that there was significant animosity between Rx-Promotion and GlavMed, which lead to an internal employee leaking a huge amount of emails and documents. Krebs obtained this treasure trove which he used to get a deep look at every significant aspect of these spam organizations. Hackers loyal to the heads of Rx-Promotion and GlavMed leaked this information to law enforcement officials and Krebs in an attempt to sabotage each other.

Krebs writes that the databases offered an unvarnished look at the hidden but burgeoning demand for cheap prescription drugs; a demand that appears driven in large part by Americans seeking more affordable and discreetly available medications.

Like many, I had thought that much of the pharmaceutical spam it was simply an issue of clueless end-users clicking on spam and getting scammed. This is where the second storyline comes in. Krebs notes that the argument goes that if people simply stopped buying from sites advertised via the spam that floods our inboxes, the problem would for the most part go away. It's not that the spam is a technology issue; it's that the products fill an economic need and void.

Krebs shows that most people who buy from the spammers are not idiots, clueless or crazy. The majority of them are performing rational, if not potentially risky choices based on a number of legitimate motivations. Krebs lists 4 primary motivations as: price and affordability, confidentiality, convenience & recreation or dependence.

Most of the purchasers from the Russian spammers are based in the US, which has the highest prescription drug prices in the world. The price and affordability that the spammers offer is a tremendous lure to these US consumers, many of whom are uninsured or underinsured.

Krebs then addresses the obvious question that this begs: if the spammers are selling huge amounts of bogus pharmaceuticals to unsuspecting Americans, why doesn't the extremely powerful and well-to-do pharmaceutical industry do something about it. Krebs writes that the pharmaceutical industry is in fact keenly aware of the issue but scared to do anything about it. Should the reality be that the unauthorized pharmaceuticals are effective, then the pharmaceutical industry would be placed in a quandary. They have therefore decided to take a passive approach and do nothing.

The book quotes John Horton, founder and president of LegitScript, a verification and monitoring service for online pharmacies. Horton observed that only 1% of online pharmacies are legitimate. But worse than that, he believes that the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing, is that they are worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.

So while the Russian spammers may be annoying for many, they have found an economic incentive that is driving many people to become repeat customers.

As to the efficacy of these pharmaceuticals being shipped from India, Turkey and other countries, it would seem pretty straightforward to perform laboratory tests. Yet the university labs that could perform these tests have found their hands-tied. In order to test the pharmaceuticals, they would have to order them, which is likely an illegal act. Also, the vast amount of factories making these pharmaceuticals makes it difficult to get a consistent set of findings.

As to getting paid for the products, Krebs writes how the thing the spammers relied on most was the ability to process credit card payments. What they feared the most were chargebacks; which is when the merchant has to forcibly refund the customer. If the chargeback rate goes over a certain threshold, then the vendor is forced to pay higher fees to the credit card company or many find their merchant agreement cancelled. The spammers were therefore extremely receptive to customer complaints and would do anything to make a basic refund than a chargeback. This was yet another economic incentive that motivated the spammers.

As to the main storyline, the book does a great job of detailing how the spam operations worked and how powerful they became. The spammers became so powerful, that even with all the work firms like Blue Security Inc. did, and organizations such as Spamhaus tried to do, they were almost impossible to stop.

Krebs writes how spammers now have moved into new areas such as scareware and ransomware. The victims are told to pay the ransom by purchasing a prepaid debit card and then to send the attackers the card number to they can redeem it for cash.

The book concludes with Krebs's 3 Rules for Online Safetynamely: if you didn't go looking for it, don't install it; if you installed it, update it and if you no longer need it, remove it.

The scammers and online attackers are inherent forces in the world of e-commerce and it's foolhardy to think any technology or regulation can make them go away. Spam Nationdoes a great job of telling an important aspect of the story, and what small things you can do to make a large difference, such that you won't fall victim to these scammers. At just under 250 pages, Spam Nationis a quick read and a most important one at that.

Reviewed by Ben Rothke"

Book review: Bulletproof SSL and TLS

benrothke benrothke writes  |  about 2 months ago

benrothke (2577567) writes "Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications

Author: Ivan Ristic

Pages: 530

Publisher: Feisty Duck

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1907117046

Summary: Tremendous guide on how to correctly deploy TLS by one of the top experts in the field

If SSL is the emperor's new clothes, then Ivan Ristic in Bulletproof SSL and TLShas shown that perhaps the emperor isnt wearing anything at all. There is a perception that if a web site is SSL secured, then it's indeed secure. Read a few pages in this important book, and the SSL = securitymyth is dispelled.

For the first 8 of the 16 chapters, Ristic, one of the greatest practical SSL./TLS experts around, spends 230 pages showing countless weaknesses, vulnerabilities, attacks and other SSL weaknesses. He then spends the next 8 chapters showing how SSL can, if done correctly, be deployed to provide adequate security.

Ristic is the author of the SSL Labs web site; a site dedicated to everything SSL, including extensive documents and tools.

One would think that it's impossible to write an interesting book about a security protocol. But for those who use SSL or just want to understand what it's all about, the book is not only quite practical, but a very interesting read.

The book provides a good balance of overview, protocol details, summary of vulnerabilities and weaknesses, and a large chunk of practical deployment guidance.

The first three chapters provide an excellent overview to SSL, TLS, PKI and cryptography. While chapter 2 may be a bit dry, the introduction is thorough and comprehensive.

Chapter 4 is particularly interesting in that the author notes that while the cryptography behind SSL and PKI is fundamentally secure, there is an inherent flaw in how PKI operates, in that any CA (certificate authority) is able to issue a certificate for any name without have to seek approval from the domain name owner. This trust dependency creates numerous attack vectors that can be exploited.

The chapter details a number of significant incidents that arose from this flaw, from the 2001 code signing certificate mistake; where Verisign mistakenly issued Class 3 code signing certificates to someone claiming to be a Microsoft employee, to the Flame malware, which was signed with a bogus certificate that was seemingly signed by Microsoft, to a number of other issues.

In chapter 5, the book details a number of HTTP and browser issues, and related TLS threats. Attacks such as sidejacking, cookie stealing, cookie manipulation and more are detailed.

The author wisely notes that cookies suffer from two main problems: that they were poorly designed to being with, allowing behavior that encourages security weaknesses, and that they are not in sync with the main security mechanisms browsers use today, namely same-origin policy (SOP).

The chapter also details a significant TLS weakness in that that certificate warnings generated often leaves the clueless user to make the correct decision on how to proceed.

Ristic writes that if you receive an alert about an invalid TLS certificate, the right thing to do is immediately abandon the connection attempt. But the browser won't do that. Browser vendors decided not to enforce TLS connection security; rather they push the problem down to the user in the form of a certificate warning.

The problem is that when a user gets a certificate warning error, they simply don't know what to do to determine how big of an issue it really is, and will invariably choose to override the warning, and proceed to the website.

The challenge the user face is that these certificate warning errors are pervasive. In 2010, Ristic scanned about 119 million domain names (.com, .net and .org) searching for TLS enables sites. He found that over 22 million or 19% of the sites hosted in roughly 2 million IP addresses. But only about 720,000 had certificates whose names matches the intended hostname.

The chapter also details that the biggest problem with security indicators, similar to the certificate warnings, is that most users don't pay attention to them and possible don't even notice them.

As valuable as the first half of the book is, its significance really comes alive starting in chapter 8 on deployment issues. The level of security TLS offers only works when it is deployed correctly, and the book details how to do that. Given that OpenSSL, which is the most widely used SSL/TLS library, is notorious for being poorly documented and difficult to use, the deployment challenges are a significant endeavor.

Another issue with TLS, is that it can create performance issues and chapter 9 provides a lot of insight on performance optimization. The author quotes research from Google that SSL/TLS on their email systems account for less than 1% of the CPU load, less than 10kb of memory per connection, and less than 2% of the network overheard. The author writes that his goal is to enable the reader to get as close as possible to Google's performance numbers.

SSL/TLS has a reputation for being slow, but that is more a remnant of years ago when CPU's were much slower. With better CPU's and the optimization techniques the book shows, there is no reason not to use TLS.

For those that want an initial look, the table of contents, preface, and chapter 1 are available here. Once you get a taste of what this book has to offer, you will want to read the entire book.

As noted earlier, OpenSSL is poorly documented. InBulletproof SSL and TLS, Ivan Ristic has done the opposite: he has written the most readable and insightful book about SSL/TLS to date. TLS is not so difficult to deploy, but incredibly easy to deploy incorrectly. Anyone who is serious about ensuring that their SSL/TLS deployment is effective should certainly read this book.

Reviewed by Ben Rothke"

Book review: Countdown to Zero Day: Stuxnet and the Launch of the World's First

benrothke benrothke writes  |  about 3 months ago

benrothke (2577567) writes "Countdown to Zero Day: Stuxnet and the Launch of the Worlds First Digital Weapon

Author: Kim Zetter

Pages: 448

Publisher: Crown

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0770436179

Summary: Outstanding narrative about Stuxnet — how it was developed, quarantined and debugged

A word to describe the book Takedown: The Pursuit and Capture of Americas Most Wanted Computer Outlaw was hyperbole. While the general storyline from the 1996 book was accurate, filler was written that created the legend of Kevin Mitnick. This in turn makes the book a near work of historical fiction.

Much has changed in nearly 20 years and Countdown to Zero Day: Stuxnet and the Launch of the Worlds First Digital Weaponhas certainly upped the ante for accurate computer security journalism.

The book is a fascinating read and author Kim Zetters attention to detail and accuracy is superb. In the inside cover of the book, Kevin Mitnick describes this as an ambitious, comprehensive and engrossing book. The irony is not lost in that Mitnick was dogged by misrepresentations in Markoff's book.

For those that want to know the basics about Stuxnet, its Wikipediaentry will suffice. For a deeper look, the book take a detailed look at how the Stuxnet worm of 2010 came to be, how it was written, discovered and deciphered, and what it means for the future and provides nearly everything known to date about Stuxnet.

The need to create Stuxnet was the understanding that a nuclear Iran was dangerous to the world. The book notes that it just wasn't the US and Israel that wanted a nuclear free Iran; Egypt and Saudi Arabia were highly concerned about the dangers a nuclear Iran would bring to the region.

What is eminently clear is that Iran chronically lied about their nuclear intentions and actions (chapter 17 notes that former United Kingdom Prime Minister Gordon Brown told the international community that they had to do something over Iran's serial deception of many years) and that the United Nations International Atomic Energy Agency (IAEA) is powerless to do anything, save for monitoring and writing reports.

Just last week, President Obama said a big gap remains in international nuclear negotiations with Iran and he questioned whether talks would succeed. He further said "are we going to be able to close this final gap so that (Iran) can reenter the international community, sanctions can be slowly reduced and we have verifiable, lock tight assurances that they cant develop a nuclear weapon, theres still a big gap. We may not be able to get there". It's that backdrop to which Stuxnet was written.

While some may debate if Stuxnet was indeed the worlds first digital weapon, it's undeniable that it is the first piece of known malware that could be considered a cyber-weapon. Stuxnet was unlike any other previous malware. Rather than just hijacking targeted computers or stealing information from them, it created physical destruction on centrifuges the software controlled.

At just over 400 pages, the book is a bit wordy at times, but Zetter does a wonderful job of keeping the book extremely readable and the narrative enthralling. Writing about debugging virus code, Siemens industrial programmable logic controllers (PLC) and Step7 software (which was what Stuxnet was attacking) could easily be mind-numbingly boring, save for Zetter's ability to make it a compelling read.

While a good part of the book details the research Symantec, Kaspersky Lab and others did to debug Stuxnet, the book doesn't have and software code, which makes it readable for the non-programmer. The book is technical and Zetter gets into the elementary details of how Stuxnet operated; from reverse engineering, digital certificates and certificate authorities, cryptographic hashing and much more. The non-technical reader certainly won't be overwhelmed, but at the same time might not be able to appreciate what went into designing and making Stuxnet work.

As noted earlier, the book is extremely well researched and all significant claims are referenced. The book is heavily footnoted, which makes the book much more readable than the use of endnotes. Aside from the minor error of mistakenly calling Kurt Gödel a cryptographer on page 295, he was a logician; Zetter's painstaking attention to detail is to be commended.

Whoever wrote Stuxnet counted on the Iranians not having the skills to uncover or decipher the malicious attacks on their own. But as Zetter writes, they also didn't anticipate the crowdsourced wisdom of the hive — courtesy of the global cybersecurity community that would handle the detection and analysis for them. That detection and analysis spanned continents and numerous countries.

The book concludes with chapter 19 — Digital Pandora — which departs from the details of Stuxnet and gets into the bigger picture of what cyber-warfare means and its intended and unintended consequences. There are no simple answers here and the stakes are huge.

The chapter quotes Marcus Ranum who is outspoken on the topic of cyber-warfare. At the 2014 MISTI Infosec World Conference, Ranum gave a talk on Cyberwar: Putting Civilian Infrastructure on the Front Lines, Again. Be it the topic or Marcus just being Marcus, a third of the participants left within the first 15 minutes. But they should have stayed, as Ranum, agree with him or not, provided some riveting insights on the topic.

The book leave with two unresolved questions; who did it, and how did it get into the Nantanz enrichment facility.

It is thought the US with some assistance from Israel created Stuxnet; but Zetter also writes that Germany and Great Britain may have done the work or at least provided assistance.

It's also unknown how Stuxnet got into the air-gapped facility. It was designed to spread via an infected USB flash drive. It's thought that since they couldn't get into the facility, what needed to be done was to infect computers belonging to a few outside firms that sold devices that would in turn be connected to the facility. The book identified a few of these companies, but it's still unclear if they were the ones, or the perpetrators somehow had someone on the inside.

As to zero day in the title, what was unique about Stuxnet is that it contained 5 zero day exploits. Zero day is also relevant in that Zetter describes the black and gray markets of firms that discover zero-day vulnerabilities who in turn sell them to law enforcement and intelligence agencies.

Creating Stuxnet was a huge challenge that took scores of programmers from a nation state many months to create. Writing a highly readable and engrossing book about the obscure software vulnerabilities that it exploited was also a challenge, albeit one that few authors could do efficaciously. InCountdown to Zero Day: Stuxnet and the Launch of the Worlds First Digital Weapon, Kim Zetter has written one of the best computer security narratives; a book you will likely find quite hard to put down.

Reviewed by Ben Rothke"

Book review: Measuring and Managing Information Risk: A FAIR Approach

benrothke benrothke writes  |  about 3 months ago

benrothke (2577567) writes "Measuring and Managing Information Risk: A FAIR Approach

Author: Jack Freund and Jack Jones

Pages: 408

Publisher: Butterworth-Heinemann

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0124078147

Summary: Superb overview to the powerful FAIR risk management methodology

It's hard to go a day without some sort of data about information security and risk. Researches from firms like Gartner are accepted without question; even though they can get their results from untrusted and unvetted sources.

The current panic around Ebola shows how people are ill-informed about risk. While distressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like.

When it comes to information security, is not that much better. With myriad statistics, surveys, data breach reports, cost of data breach: global analyses and the like, there is an overabundance of data, and an under abundance of meaningful data.

In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have written a magnificent book that will change the way (for the better) you think about and deal with IT risk.

The book details the factor analysis of information risk(FAIR) methodology, which is a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity.

An Open Group standard, FAIR is a methodology and a highly effective quantitative analysis tool.

The power of FAIR is immense: it enables the risk practitioner to make well-informed decisions based on meaningful measurements. While that seems obvious, in practicality, it is a challenging endeavor.

FAIR is invaluable in that it helps the risk professional understand the language that the corporate board and senior executives speak. Understanding that and communicating in their language can make it much easier for information security to be perceived as a valued asset, as opposed to using Chicken Little statistics.

FAIR takes the risk professional out of the realm of the dealing with risk via the checklist; which only serves to produce meaningless measurements, into the world of quantitative, defendable results.

For those that are looking for a tool to create pretty executive summary charts with lots of colors, FAIR will sorely disappoint them. For those that are looking for a method to understand how to calculate qualitative risk to support a formal enterprise risk management program, they won't find a better guide than this book.

The book is an incredibly good reference that will force you to look again at how you view risk management.

Jones writes in the preface that the book is not about checklists and formulas, but about critical thinking.

The authors note that information security and operational risk has operated for far too long as an art, with not enough science. This is the gap that FAIR attempts to fill.

The authors write that risk decision making quality boils down to the quality of information decision makers are operating from, and the decision makers themselves. The book does a remarkable job of showing how a person can become a much better decision maker.

A subtle but important point the book makes early on is that many risk professionals confuse risk possibilities with risk probabilities. The FAIR method forces you to focus on probabilities and not to obsess with Ebola like possibilities. Such a quantitative analysis approach is what makes FAIR so beneficial.

The book spends a few chapters on going through FAIR risk ontology and terminology. Inconsistent and poorly defined terminology is one of the most significant challenges the information security and operational risk profession faces. Having a consistent set of logical terms and definitions that make up the FAIR framework significantly improves the quality of risk relations communications within an organization.

The value of having a consistent set of logical terms and definitions is significant. For example, the book notes that many people use the term threat. In the context of risk analysis, it might not be a real threat if there is no resulting loss. In that case, it would be considered a vulnerability event.

The challenge of FAIR is acclimating to its dialect. But once done, it creates an extremely powerful methodology for risk communication and management. And therein lays its power. Setting up a common framework for risk management becomes and invaluable tool to present risk ideas. In addition, it makes the findings much more objective and defendable.

In chapter 5, the authors address the biggest objections to quantitative risk management that it can't be measured or is simply unknowable. They agree that risk can't be measured at the micro level, but it canbe effectively measured to the degree to reduce management's uncertainly about risk.

They also importantly note that risk is a forward-looking statement about what may or come to pass in the future. With that, perfect accuracy is impossible; but effective quantitative risk management is very possible.

The power of FAIR is that is helps add clarity to ambiguous risk situations by giving you the tools to add data points to a situation that is purported to be unknowable.

Chapter 8 is an extremely enlightening chapter in that it provides 11 risk analysis examples. The examples do a great job of reinforcing the key FAIR concepts and methods.

In chapter 10, the authors write that the hardest part of learning FAIR is having to overcome bad habits. For most people, FAIR represents a recalibration of your mental model about what risk is and how it works. The chapter deals with common mistakes and stumbling blocks when performing a FAIR analysis. The 5 high-level categories of mistakes the chapter notes are: checking results, scoping, data, variable confusion and vulnerability analysis.

FAIR is a powerful methodology that can revolutionize risk management. The challenge is that it takes a village to make such a change. Management may be reticent to invest in what is perceived as yet another risk management framework.

But once you start using the language of FAIR and validate your findings, astute management will likely catch on. Over time, FAIR can indeed be a risk management game changer.

The book is flawless in its execution and description of the subject. The only critique is that in that the author's should have been a bit more transparent in the text when (especially in chapter 8) mentioning the FAIR software, in that it is their firm that makes the software.

For those that are willing to put in the time to understanding FAIR, this book it will make their jobs much easier. It will help them earn the trust of senior management, and make them much better risk management professionals in the process.

Reviewed by Ben Rothke"

Book review: Architecting the Cloud

benrothke benrothke writes  |  about 5 months ago

benrothke (2577567) writes "Architecting the Cloud: Design Decisions for Cloud Computing Service Models (SaaS, PaaS, and IaaS

Author: Michael Kavis

Pages: 224

Publisher: Wiley

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1118617618

Summary: Extremely honest and enlightening book on how to effectively use the cloud

Most books about cloud computing are either extremely high-level quasi-marketing tomes about the myriad benefits of the cloud without any understanding of how to practically implement the technology under discussion. The other type of cloud books are highly technical references guides, that provide technical details, but for a limited audience.

In Architecting the Cloud: Design Decisions for Cloud Computing Service Models, author Michael Kavis has written perhaps the most honest book about the cloud. Make no doubt about it; Kavis is a huge fan of the cloud. But more importantly, he knows what the limits of the cloud are, and how cloud computing is not a panacea. That type of candor makes this book an invaluable guide to anyone looking to understand how to effective deploy cloud technologies.

The book is an excellent balance of the almost boundless potential of cloud computing, mixed with a high amount of caution that the potential of the cloud can only be manifest with effective requirements and formal security architecture.

The full title of the book is: Architecting the Cloud: Design Decisions for Cloud Computing Service Models: SaaS, PaaS, and IaaS. One of the mistakes of using the cloud is that far too many decision makers rush in, without understanding the significant differences (and they are significant) between the 3 main cloud service models.

The book crams a lot in under 200 pages in the following 16 chapters:

1 Why Cloud, Why Now?

2 Cloud Service Models

3 Cloud Computing Worst Practices

4 It Starts with Architecture

5 Choosing the Right Cloud Service Model

6 The Key to the Cloud: RESTful Services

7 Auditing in the Cloud

8 Data Considerations in the Cloud

9 Security Design in the Cloud

10 Creating a Centralized Logging Strategy

11 SLA Management

12 Monitoring Strategies

13 Disaster Recovery Planning

14 Leveraging a DevOps Culture to Deliver Software Faster and More Reliably

15 Assessing the Organizational Impact of the Cloud Model

16 Final Thoughts

In chapter 1, he provides a number of enthusiastic cloud success stories to set the stage. He shows how a firm was able to build a solution entirely on the public cloud with a limited budget. He also showcases Netflix, whose infrastructure is built on Amazon Web Services (AWS).

Chapter 3 is titled cloud computing worst practicesand the book would be worth purchasing for this chapter alone. The author has a number of cloud horror stories and shows the reader how they can avoid failure when moving to the cloud. While many cloud success stories showcase applications developed specifically for the cloud, the chapter details the significant challenges of migrating existing and legacy applications to the cloud. Such migrations are not easy endeavors, which he makes very clear.

In the chapter, Kavis details one of the biggest misguided perceptions of cloud computing, in that it will greatly reduce the cost of doing business. That is true for some cloud initiatives, but definitely not all, as some cloud marketing people may have you believe.

Perhaps the most important message of the chapter is that not every problem is one that needs to be solved by cloud computing. He cites a few examples where not going with a cloud solution was actually cheaper in the long run.

The book does a very good job of delineating the differences between the various types of cloud architectures and service models. He notes that one reason for leveraging IaaS over PaaS, is that when a PaaS provider has an outage, the customer can only wait for the provider to fix the issue and get the services back online. With IaaS, the customer can architect for failure and build redundant services across multiple physical or virtual data centers.

For many CIO's, the security fears of the cloud means that they will immediately write-off any consideration of cloud computing. In chapter 9, the author notes that almost any security regulation or standard can be met in the cloud. As none of the regulations and standard dictate where the data must specifically reside.

The book notes that for security to work in the cloud, firm's needs to apply 3 key strategies for managing security in cloud-based applications, namely centralization, standardization and automation.

In chapter 10, the book deals with creating a centralized logging strategy. Given that logging is a critical component of any cloud-based application; logging is one of the areas that many firms don't adequate address in their move to the cloud. The book provides a number of approaches to use to create an effective logging strategy.

The only issue I have with the book is that while the author is a big fan of Representational state transfer (REST), many firms have struggled to obtain the benefits he describes. RESTful is an abstraction of the architecture of the web; namely an architectural style consisting of a coordinated set of architectural constraints applied to components, connectors and data elements, within a distributed hypermedia system. REST ignores the details of component implementation and protocol syntax in order to focus on the roles of components, the constraints upon their interaction with other components, and their interpretation of significant data elements.

I think the author places too much reliance on RESTful web services and doesn't detail the challenges in making it work properly.RESTful is not always the right choice even though it is all the rage in some cloud design circle.

While the book is part of the Wiley CIO Series, cloud architects, software and security engineers, technical managers and anyone with an interest in the cloud will find this an extremely valuable resource.

Ironically, for those that are looking for ammunition why the cloud is a terrible idea, they will find plenty of evidence for it in the book. But the reasons are predominantly that those that have failed in the cloud, didn't know why they were there in the first place, or were clueless on how to use the cloud.

For those that want to do the cloud right, the book provides a vendor neutral approach and gives the reader an extremely strong foundation on which to build their cloud architecture.

The book lists the key challenges that you will face in the migration to the cloud, and details how most of those challenges can be overcome. The author is sincere when he notes areas where the cloud won't work.

For those that want an effective roadmap to get to the cloud, and one that provides essential information on the topic, Architecting the Cloud: Design Decisions for Cloud Computing Service Modelsis a book that will certainly meet their needs.

Reviewed by Ben Rothke"

Book review: Social Engineering in IT Security Tools, Tactics, and Techniques

benrothke benrothke writes  |  about 5 months ago

benrothke (2577567) writes "Title: Social Engineering in IT Security Tools, Tactics, and Techniques

Author: Sharon Conheady

Pages: 272

Publisher: McGraw-Hill Osborne Media

Rating: 8/10

Reviewer: Ben Rothke

ISBN: 978-0071818469

Summary: Great resource on which to build a social engineering testing program

When I got a copy of Social Engineering in IT Security Tools, Tactics, and Techniquesby Sharon Conheady, my first thought was that it likely could not have much that Christopher Hadnagy didn't already detail in the definitive text on the topic: Social Engineering: The Art of Human Hacking. Obviously Hadnagy thought differently, as he wrote the forward to the book; which he found to be a valuable resource.

While there is overlap between the two books; Hadnagy's book takes a somewhat more aggressive tool-based approach, while Conheady take a somewhat more passive, purely social approach to the topic. There are many more software tools in Hadnagy; while Conheady doesn't reference software tools until nearly half-way through the book.

This book provides an extensive introduction to the topic and details how social engineering has evolved through the centuries. Conheady writes how the overall tactics and goals have stayed the same; while the tools and techniques have been modified to suit the times.

The following are the chapters in the book:

1. Social Engineerings Evolution

2. The Ethical and Legal Aspects of Social Engineering

3. Practical Social Engineering and Why it Works

4. Planning Your Social Engineering Test

5. Reconnaissance & Information Gathering

6. Scenario Creation & Testing

7. Executing Your Social Engineering Test

8. Reporting

9. The Social Engineering Arsenal & Tools of the Trade

10. Defense Against Social Engineering Attacks

11. Tomorrows Social Engineering Attacks

Coming in at about 250 pages, the book finds a good balance between high-level details and actionable tactical things to execute on. Without getting bogged down in filler.

Since the social engineering tools and techniques only get better, the advantage Conheady's book has it that it details a lot that has changed in the 4 years since Hadnagy's book came out.

In chapter 1, she writes about mumble attacks, which are telephone-based social engineering attacks that are targeted at call center agents. The social engineer will pose as a speech-impaired customer or as a person calling on behalf of the speech-impaired customer. The goal of this method is to make the victims; in this case call center agents feel awkward or embarrassed and release the desired information. Given the pressure in which most call center agents are under; this is a simple yet highly effective attack.

Like Hadnagy, this also has a detailed social engineering test methodology. Conheady details a methodology with 5 stages: planning and target identification, research and reconnaissance, scenario creation, attack execution and exit, and reporting. She notes that one does not have to be a slave to the methodology, and it can be modified depending on the project.

Social engineering can often operate on the limit of what is legal and ethical. The author goes to great lengths to write what the ethical and legal obligations are for the tester.

The book is filled with lots of practical advice as Conheady is seasoned and experienced in the topic. From advice to dealing with bathrooms as a holding location, gaining laptop connectivity and more; she writes of the many small details that can make the difference between a successful social engineering test and a failed one.

The book also details many areas where the job of the social engineer is made easy based on poor security practices at the location. Chapter 7 details how many locations have access codes on doors often don't do much to keep social engineers out. Many doors have 4-character codes, and she writes that she has seen keypads where the combination numbers have been so worn down that you can spot them straightaway.

As noted earlier, the book focuses more on the human techniques of social engineering than on software tools. She does not ignore that tools and in chapter 9 provides a list of some of the more popular tools to use, including Maltego, Cree.py and others. She also has lists of other tools to use such as recording devices, bugging devices, phone tools and more.

With all those, she still notes that the cell phone is the single most useful item you can bring with you on a social engineering test. She writes that some of the many uses a cell phone has is to discourage challengers, fake a call to look busy, use the camera and more.

While most of the book is about how to execute a social engineering test, chapter 10 details how you can defend against social engineering. She notes that it is notoriously difficult to defend against social engineering because it targets the weakest link in the security chain: the end-user. She astutely notes that a firm can't simply roll out a patch and immunize its staff against the latest social engineering attack. Even though there are vendors who make it seem like you can.

The chapter also lists a number of indicators that a firm may be experiencing a social engineering attack.

Hadnagy's book is still the gold-standard on the topic. But Social Engineering in IT Security Tools, Tactics, and Techniquescertainly will give it a run for the money.

Hadnagy's approach to social engineering is quite broad and aggressive. Conheady takes more of a kinder, gentler approach to the topic.

For those that are looking for an effective guide on which to build their social engineering testing program on, this certainly provides all of the core areas and nearly everything they need to know about the fundamentals of the topic.

Reviewed by Ben Rothke"

Book review: Introduction to Cyber-Warfare: A Multidisciplinary Approach

benrothke benrothke writes  |  about 6 months ago

benrothke (2577567) writes "Introduction to Cyber-Warfare: A Multidisciplinary Approach

Author: Paulo Shakarian, Jana Shakarian and Andrew Ruef

Pages: 336

Publisher: Syngress

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0124078147

Summary: Outstanding overview and guide to cyberwarfare

Cyberwarfare is a controversial topic. At the 2014 Infosec World Conference, Marcus Ranum gave a talk on Cyberwar: Putting Civilian Infrastructure on the Front Lines, Again.

Whether it was the topic or just Marcus being Marcus, about a third of the participants left within the first 15 minutes. They should have stayed, as Ranum, agree with him or not, provided some riveting insights on the topic.

While a somewhat broad term, in Wikipedia, cyberwarfare (often called information warfare)is definedas politically motivated hacking to conduct sabotage and espionage. It is a form of information warfare sometimes seen as analogous to conventional warfare.

The authors define cyber war as an extension of policy by actions taken in cyber space by state or nonstate actors that either constitute a serious threat to a nation's security or are conducted in response to a perceived threat against a nation's security.

As to a book on the topic, for most readers, cyberwarfare is something that they may be victims of, but will rarely be an actively part of.

In Introduction to Cyber-Warfare: A Multidisciplinary Approach, authors Paulo Shakarian, Jana Shakarian and Andrew Ruef provide an excellent overview of the topic. The book takes a holistic, or as they call it multidisciplinary, approach to the topic. It looks at the information security aspect of cyberwarfare, as well the military, sociological and other aspects of the topic.

The book is divided into 3 parts and 13 densely packed and extremely well-researched and footnoted chapters, namely:

Part I: Cyber Attack

Chapter 2: Political Cyber Attack Comes of Age in 2007

Chapter 3: How Cyber Attacks Augmented Russian Military Operations

Chapter 4: When Who Tells the Best Story Wins: Cyber and Information Operations in the Middle East

Chapter 5: Limiting Free Speech on the Internet: Cyber Attack Against Internal Dissidents in Iran and Russia

Chapter 6: Cyber Attacks by Nonstate Hacking Groups: The Case of Anonymous and Its Affiliates

Part II: Cyber Espionage and Exploitation

Chapter 7: Enter the Dragon: Why Cyber Espionage Against Militaries, Dissidents, and Nondefense Corporations Is a Key

Component of Chinese Cyber Strategy

Chapter 8: Duqu, Flame, Gauss, the Next Generation of Cyber Exploitation

Chapter 9: Losing Trust in Your Friends: Social Network Exploitation

Chapter 10: How Iraqi Insurgents Watched U.S. Predator Video—Information Theft on the Tactical Battlefield

Part III: Cyber Operations for Infrastructure Attack

Chapter 11: Cyber Warfare Against Industry

Chapter 12: Can Cyber Warfare Leave a Nation in the Dark? Cyber Attacks Against Electrical Infrastructure

Chapter 13: Attacking Iranian Nuclear Facilities: Stuxnet

The book provides numerous case studies of the largest cyberwarfare events to date. Issues around China and their use of cyberwarfare constitute a part of the book. Chapter 7 details the Chinese cyber strategy and shows how the Chinese cyber doctrine and mindset is radically different from that of those in the west.

The book compares the board games of chess (a Western game) and Go (a Chinese game) and how the outcomes and strategies of the games are manifest in each doctrine.

The chapter also shows how the Chinese government outlawed hacking, while at the same time the military identified the best and most talented hackers in China, and integrated them into Chinese security firms, consulting organizations, academia and the military.

One of the more fascinating case studies details the cyber war against the corporate world from China. The book provides a number of examples and details the methodologies they used, in addition to providing evidence of how the Chinese were involved.

For an adversary, one of the means of getting information is via social networks. This is often used in parallel by those launching some sort of cyberwarfare attack. LinkedIn is one of the favorite tools for such an effort. The authors write of the dangers of transitive trust; where user A trusts user B, and user B trusts user C. Via a transitive trust, user A will then trust user C based simply on the fact that user B does. This was most manifest in the Robin Sageexercise.

This was where Thomas Ryan created a fictitious information security professional names Robin Sage. He used her fake identity and profile to make friends with others in the information security world, both commercial, federal and military and he was able to fool even seasoned security professionals. Joan Goodchild wrote a good overview of the experiment here.

In chapter 10, the book details how Iraqi insurgents viewed Predator drones video feeds. Woody Allen said that eighty percent of success is just showing up. In this case, all the insurgents had to do was download the feed, as it was being transmitted unencrypted. Very little cyberwarfare required.

When the drone was being designed, the designers used security by obscurity in their decision not to encrypt the video feed. They felt that since the Predator video feeds were being transmitted on frequencies that were not publically known, no access control, encryption or other security mechanisms would be needed.

The downside is that once the precise frequency was determined by the insurgency, in the case of the Predator drone, the Ku-band, the use of the SkyGrabber satellite internet downloader made it possible for them to effortless view the video feeds.

The only negative about the book is a minor one. It has over 100 pictures and illustrations. Each one states: for the color version of this figure, the reader is referred to the online version of the book. Having that after every picture is a bit annoying. Also, the book never says where you can find the online version of the book.

How good is this book? In his review of it, Krypt3ia said it best when he wrote: I would love to start a kickstarter and get this book into the hands of each and every moron in Congress and the House. The reality is that this book should indeed be read by everyone in Washington, as they are making decisions on the topic, without truly understanding it.

For most readers, this will be the book that tells them everyone they need to know that their congressman should know. Most people will never be involved with any sort of warfare, and most corporate information security professional will not get involved with cyberwarfare. Nonetheless, Introduction to Cyber-Warfare: A Multidisciplinary Approachis a fascinating read about a most important subject.

Reviewed by Ben Rothke"

Book review: Data-Driven Security: Analysis, Visualization and Dashboards

benrothke benrothke writes  |  about 7 months ago

benrothke (2577567) writes "Data-Driven Security: Analysis, Visualization and Dashboards

Author: Jay Jacobs and Bob Rudis

Pages: 352

Publisher: Wiley

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1118793725

Summary: Superb book for effective use of data for information security

There is a not so fine line between data dashboards and other information displays that provide pretty but otherwise useless and unactionable information; and those that provide effective answers to key questions. Data-Driven Security: Analysis, Visualization and Dashboardsis all about the later.

In this extremely valuable book, authors Jay Jacobs and Bob Rudis show you how to find security patterns in your data logs and extract enough information from it to create effective information security countermeasures. By using data correctly and truly understanding what that data means, the authors show how you can achieve much greater levels of security.

The book is meant for a serious reader who is willing to put in the time and effort to learn the programming necessary (mainly in Python and R) to truly understand what information exists deep in the recesses of their logs. As to R, it is a GNU project and a free software programming language and software environment for statistical computing and graphics. The R language is widely used among statisticians and data miners for developing statistical software and data analysis. For analysis the level of which Jacobs and Rudis prescribe, R is a godsend.

The following are the 12 densely packed chapters in the book:

1 : The Journey to Data-Driven Security

2 : Building Your Analytics Toolbox: A Primer on Using R and Python for Security Analysis

3 : Learning the "Hello World" of Security Data Analysis

4 : Performing Exploratory Security Data Analysis

5 : From Maps to Regression

6 : Visualizing Security Data

7 : Learning from Security Breaches

8 : Breaking Up with Your Relational Database

9 : Demystifying Machine Learning

10 : Designing Effective Security Dashboards

11 : Building Interactive Security Visualizations

12 : Moving Toward Data-Driven Security

After completing the book, the reader will have the ability to know which questions to ask to gain security insights, and use that data to ensure the overall security of their data and networks. Getting to that level is not a trivial at all a trivial task; even if there are vendors who can promise to do that.

For many people performing data analysis, the dependable Excel spreadsheet is their basic choice for data manipulation. The book calls the spreadsheet a gateway tool between a text editor and programming. The book notes that spreadsheets work as long as the data is not too large or complex. The book quotes a 2013 report to shareholders from J.P. Morgan in which parts of their 2012 $6 billion in losses was due in part to problems with their Excel spreadsheets.

The authors suggest using Excel as a temporary solution for quick one-shot tasks. For those that have repeating analytical tasks or models that are used repeatedly, it's best to move to some type of structured programming language, specifically those that the book suggest and for provides significant amounts of code examples; all of which are available on the companion website here.

The goal of all data extraction is to use data analysis to answer real questions. A large part of the book focuses on how to ask the right question. In chapter 1, the authors write that every good data analysis project begins with setting a goal and creating one or more research questions. Without a well-formed question guiding the analysis, you may wasting time and energy seeking convenient answers in the data, or worse, you may end up answering a question that nobody was asking in the first place.

The value of the book is that it shows the reader how to focus on context and purpose of the data analysis by setting the research question appropriately; rather than simply parsing large amounts of data. It's ultimately irrelevant if you can use Hadoop to process petabytes of data if you don't know what you are looking for.

Visualization is a large part of what this book is about, and in chapter 6 — Visualizing Security Data, the book notes that the most efficient path to human understanding is via the visual sense. It goes on to details the many advantages data visualization has, and the key to making it work.

As important as visualization is, describing the data is equally important. In chapter 7, the book introduces the VERIS(Vocabulary for Event Recording and Incident Sharing) framework. VERIS is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS helps organizations collect useful incident-related information and to share that information, anonymously and responsibly with others.

The book shows how you can use dashboards for effective data visualization. But the authors warn that a dashboard is notan art show. They caution that given the graphical nature of dashboards, it's easy to fall into the trap of making them look like pieces of modern or fringe art; when they are far more akin to architectural and industrial diagrams that require more controlled, deliberate and constrained design.

As to dashboards the authors do not like, they consider the Cyber Security Situational Awarenessto be glitzy but not informative. Personally, I thought the dashboard has a lot of good information.

The book uses the definition of dashboardaccording to Stephen Few, in that it's a "visual display of the most important information needed to achieve one or more objectives that has been consolidated in a single computer screen so it can be monitored at a glance". The book enables the reader to create dashboards like that.

Data-Driven Security: Analysis, Visualization and Dashboardsis a superb book written by two experts who provide significant amounts of valuable information in every chapter. For those that are willing to put the time and effort into the serious amount of work that the book requires, they will find it a vital resource that will certainly help them achieve much higher levels of security.

Reviewed by Ben Rothke"

Book review: Security without Obscurity

benrothke benrothke writes  |  about 8 months ago

benrothke (2577567) writes ": Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity

Author: J.J. Stapleton

Pages: 355

Publisher: Auerbach Publications

Rating: 8/10

Reviewer: Ben Rothke

ISBN: 978-1466592148

Summary: Great guide to enterprise authentication from an expert

Having worked at the same consulting firm and also on a project with author J.J. Stapleton (yes, that was full disclosure); I knew he was a really smart guy. In Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity, Stapleton shows how broad his security knowledge is to the world.

When it comes to the world of encryption and cryptography, Stapleton has had his hand in a lot of different cryptographic pies. He has been part of cryptographic accreditation committees for many different standard bodies across the globe.

The premise of the author and the need for the book is that the traditional information security CIA triad (confidentiality, integrity, availability) has led to the situation where authentication has to a large part gotten short shrift. This is a significant issue since much of information security is built around the need for strong and effective authentication. Without effective authentication, networks and data are at direct risk for compromise.

The topic itself is not exactly compelling (that is, unless you like to read standards such as ANSI X9.42-2003: Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, ISO/IEC 9798-1:2010: Information technology — Security techniques — Entity authentication,etc.), so the book is more of a detailed technical reference. Those looking for a highly technical overview, interoperability guidance, and overall reference will find the book most rewarding.

For those who don't have a general background on the topic; it may be a book too deep and technical for those looking for something more in line of a CISSP preparation guide.

For those that want to know the deep underpinnings of how encryption algorithms work; they can simply read the RFC's and standards themselves. What the book brings to the table are details about how to effectively implement the standards and algorithms in the enterprise; be it in applications, policies; or the specific procedures to meet compliance and standards requirements. And that is where Stapleton's many decades of experience provide significant and inestimable value.

There are many reasons why authentication systems fail and many times it is due to interoperability issues. Stapleton details how to ensure to minimize those faults in order to achieve seamless authentication across multiple technologies and operating systems.

The 7 chapters cover a dense amount of information around the 3 core topics. The book is for the reader with a solid technical background. While it may be listed as an exploratory text, it is not like a For Dummies title.

As per its title, it covers confidentiality, authentication and integrity; in addition to other fundamental topics of non-repudiation, privacy and key management.

One of the ways Stapleton brings his broad experience to the book is in the many areas where he compares different types of cryptosystems, technologies and algorithms. This enables the reader to understand what the appropriate type of authentication is most beneficial for the specific requirement.

For example, in chapter 7, the book provides a really good comparison and summary of different cryptographic modules, including how they are linked to various standards from NIST, NSA, ANSI and ISO. It does the same for a comparison of cryptographic key strengths against various algorithms.

An interesting observation the book makes when discussing the DES encryption algorithm, is that all of the talk of the NSA placing backdoors in it are essentially false. To date, no known flaws have been found against DES, and that after being around for over 30 years, the only attack against DES is an exhaustive key attack. This type of attack is where an adversary has to try each of the possible 72 quadrillion key (256permutations – as the key is 56 bits long) until the right key is discovered.

That means that the backdoor rumors of the NSA shortening the length of the substitution ciphers (AKA s-boxes), was not to weaken it necessarily. Rather it was meant to block DES against specific types of cryptanalytic attacks.

While the book is tactical; the author does bring in one bit of trivia when he writes that the ISO, often known as the International Organization for Standardization, does not in truth realty stand for that. He notes that the organizations clearly states on its web pagethat because International Organization for Standardizationwould have different acronyms in different languages (IOS in English, OIN in French for Organisation internationale de normalization, etc.); its founders decided to give it the short form ISO. ISO is derived from the Greek isos, meaning equal. Whatever the country, whatever the language, the short form of the name is always ISO.

While that is indeed ultimately a trivial issue, I have seen certification exams where they ask what that acronym stands for. Perhaps a lot of CISSP's need to have their credentials revoked.

While Stapleton modifies the CIA triad, the book is not one of a security curmudgeon, rather of a security doyen. For anyone looking for an authoritative text on how to fully implement cross-platform security and authentication across the enterprise, this is a valuable reference to get that job done.

Reviewed by Ben Rothke"

Book review: Hacking Point of Sale:

benrothke benrothke writes  |  about 8 months ago

benrothke (2577567) writes "Title:Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions

Author: Slava Gomzin

Pages: 312

Publisher: Wiley

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1118810118

Summary: Superb book on POS, PCI and payment security

The only negative thing to say about Hacking Point of Sale: Payment Application Secrets, Threats, and Solutionsis its title. A cursory look at it may lead the reader that this is a book for a script kiddie, when it is in fact a necessary read for anyone involved with payment systems. The book provides a wealth of information that is completely pragmatic and actionable. The problem is, as the book notes in many places, that one is constantly patching a system that is inherently flawed and broken.

Often after a major information security breach incidents, a public official (always in front of cameras and with many serious looking people standing in the wings) will go on TV and say something akin to "we have to make sure this never happens again".

Last year, Target was the major victim. This month, it's eBay. But after hundreds of millions of records breached, it's not that anyone is saying it won't happen again. Rather, it's inevitable it will happen many more times.

There are a number of good books on PCI, but this is the first one that looks at the entire spectrum of credit card processing. Author Slava Gomzin is a security and payments technologist at HP and as evident in the book, he lives and breathes payment technology and his expert knowledge is manifest in every chapter. His technical expertise is certain to make the reader much better informed and understand the myriad issues involved.

The book provides an excellent overview to the workings of payment systems and Gomzin is not shy about showing how insecure many payment systems are. Its 9 chapters provide a good combination of deep technical and general detail.

The reader comes out with a very good overview of how payment systems work and what the various parts of it are. For many people, this may be the first time they are made aware of entities such as processors, acquirers and gateways.

An interesting point the book raises is that it has been observed there are less breaches in Europe since they use EMV (also known as chip and pin) instead of insecure magnetic-stripe cards which are used in the US. This leads to a perception that EMV is by default much stronger. But the book notes that EMV was never designed to secure the cardholder data after the point of sale. The recent breaches at Target and Neiman Marcus were such that cardholder data was pilfered after it was in the system.

Another major weakness with EMV is it doesnt provide added security to web and online transactions. When a customer goes to a site and makes a transaction with an EMV card, it is fundamentally the same as if they would have used a magnetic stripe card. What many people don't realize also is that EMV is not some new technology. It's been around for a while. What it did was reduce the amount of fraud for physical use amongst European merchants. But the unintended consequence was that it simply moved the fraud online, where EMV is powerless.

As noted, the book provides the details and vulnerabilities of every aspect of the life of a payment card, including physical security. In chapter 4, he notes that there are numerous features that are supposedto distinguish between a genuine payment card from a counterfeited one. These include logo, embossed primary account number (PAN), card verification values and ultraviolet (UV) marks. Each one of them has their own set of limits. For the supposed security of UV marks, these are relatively easily replicated by a regular inkjet printer with UV ink.

In fact, Gomzin writes that all payment cards as they are in use today are insecure by design due to the fact that there are multiple physical security features that don't provide adequate protection from theft, and that the sensitive cardholder data information is encoded on a magnetic strip in clear text.

Gomzin has numerous PCI certifications and with all that, doesn't see PCI as the boon to payment card security as many do. He astutely observes that PCI places a somewhat myopic approach that data at rest is all that matters. Given that PCI doesn't require payment software vendors or users to encrypt application configuration data, which is usually stored in plaintext and opened to uncontrolled modification; this can allow payment application to be compromised through misconfiguration.

Even with PCI, Gomzin shows that credit card numbers are rather predictable in that their number space is in truth rather small, even though they may be 15-19 digits in length. This is due to the fact that PCI allows the first 6 and last 4 digits to be exposed in plaintext, so it's only 6 digits that need to be guessed. This enables a relatively easy brute force attack, and even easier if rainbow tables are used.

The Target breach was attributed to memory scraping and the book notes that as devastating an attack memory scraping is, there are no existing reliable security mechanisms that would prevent memory scraping.

The appendix includes a POS vulnerability rank calculator which can provide a quick and dirty risk assessment of the POS and associated payments application and hardware. The 20 questions in the calculator can't replace a formal assessment. But the initial results would likely mimic what that formal assessment would enumerate.

So what will it take to fix the mess that POS and payment systems are in now? The book notes that the system has to be completely overhauled for POS security to truly work. He notes that point-to-point encryption is one of the best ways to do that. What is stopping that is the huge costs involved in redoing the payment infrastructure. But until then, breaches will be daily news.

Hacking Point of Saleis an invaluable resource that it highly relevant to a wide audience. Be it those in compliance, information security, development, research or in your payment security group. If you are involved with payment systems, this is a necessary book.

When an expert like Slava Gomzin writes, his words should be listened to. He knows that payment breaches are inevitable. But he also shows you how to potentially avoid that tidal wave of inevitability.

Reviewed by Ben Rothke"

Book review: Designing with the Mind in Mind

benrothke benrothke writes  |  about 9 months ago

benrothke (2577567) writes "Designing with the Mind in Mind, a Simple Guide to Understanding User Interface Design Guidelines

Author: Jeff Johnson

Pages: 240

Publisher: Morgan Kaufmann

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0124079144

Summary: Excellent reference on the integration of user interface design and the min

Neurologists and brain scientists are in agreement that in truth, we know very little about how the brain works. With that, in the just released second edition of Designing with the Mind in Mind, a Simple Guide to Understanding User Interface Design Guidelines, author Jeff Johnson provides a fascinating introduction on the fundamentals of perceptual and cognitive psychology for effective user interface (UI) design and creation. UI is a facet of human–computer interaction (HCI), of which HCI involves the study, planning, design and uses of the interaction between people and the computers and devices they are using.

Johnson heads up a consulting firm that specialized in evaluating and designing UI and brings significant experience to every chapter. He writes that following user-interface design guidelines is not as straightforward as something like following a cooking recipe; even though people often compare the two. Design rules often describe goals rather than actions, as they are purposefully very general to make them broadly applicable. The downside to that is that it means that their exact meaning and applicability to specific design situations is open to interpretation.

With that, the book provides an exceptional foundation on how to ensure effective usability is successfully implemented. The book spends a long time detailing how users make decisions and choices.

What's really good about the book is that Johnson provides ample details about the topic, but doesn't reduce it to so just a set of rules or mind-numbing (and thusly unreadable) checklists. His synopsis of the topics provides the reader with a broad understanding of the topic and what they need to do in order to ensure effective UI design is executed.

While the focus in the book is heaving on general and cognitive psychology, the book is written for the reader who is a novice in the area, and stays quite practical, without getting in the vague theoretical areas.

The book provides scores of examples of how people relate to an interface, and how to design accordingly. One of many fascinating examples is when the author details the notion of attentional blink. After we see or hear something, either in real-life or on a monitor, for a very brief amount of time following the recognition, between .15 and .45 of a second; we are nearly deaf and blind to other visual stimuli, even though our eyes and ears stay functional. Researchers call this attentional blinkand it is thought to be caused by the brain's perceptual and attentional mechanism being briefly fully occupied with processing the first recognition.

What this means for a UI designer is that attentional blink can cause the user to miss information or events if things appear in rapid succession. The book then goes on to describe techniques in which to create an effective UI to deal with the effects of attentional blink. And he does this for scores of other similar issues.

Another fascinating example is around visual hierarchy, which lets people focus on the relevant information. The book notes that one of the most important goals in arranging information presentations is to provide a visual hierarchy, an arrangement that breaks the information into distinct sections, labels each section prominently, and presents the sections and subsections as a hierarchy.

The book details the myriad areas which are crucial for an effective interface. Chapters 4 and 5 provide significant detail about the importance of color for effective visual representation.

As the title suggests, the book takes a deep approach to the neuroscience and psychology in UI design. Other chapters include topics on human vision, sound, task, cognition, memory and more.

As to memory, chapter details issues around the working memory of a user. He gives numerous examples of error boxes and help screens that work and are epic failures, and how to do it right. The classic example he provides is a 4-step Windows XP wireless error message. If the user were to follow the directions, the instructions would close after step 1.

Each chapter provides numerous implications of proper and improper design, and provides the needed recommendations. While the topics may sound dry, Johnson writes in an engaging and often humorous style.

The book clearly and empirically shows how effective UI design makes all the difference on how users interact with an application or web site. The book will certainly be an important reference to software designers, web designers, web application designers and those interested in HCI, and usability.

For the designers that can't understand why their users are frustrated, they can understand why here. For designers that really want to know what is going on in their users minds, one is hard pressed to find a better reference than this.

As the subtitle of the book is Simple Guide to Understanding User Interface Design Guidelines, the book is an invaluable resource for those serious about effective UI design.

Reviewed by Ben Rothke"

Book review

benrothke benrothke writes  |  about 10 months ago

benrothke (2577567) writes "Title: How I Discovered World War IIs Greatest Spy and Other Stories of Intelligence and Code

Author: David Kahn

Pages: 469

Publisher: Auerbach Publications

Rating: 8/10

Reviewer: Ben Rothke

ISBN: 978-1466561991

Summary: Very good collection of a large number of excellent articles from David Kahn

When it comes to documenting the history of cryptography, David Kahn is singularly one of the finest, if not the finest writers in that domain. For anyone with an interest in the topic, Kahn's works are read in detail and anticipated.

His first book was written almost 50 years ago: The Codebreakers – The Story of Secret Writing; which was a comprehensive overview on the history of cryptography. Other titles of his include Seizing the Enigma: The Race to Break the German U-Boats Codes, 1939-1943. The Codebreakers was so good and so groundbreaking, that some in the US intelligence community wanted the book banned. They did not bear a grudge, as Kahn became an NSA scholar-in-residence in the mid 1990's.

With such a pedigree, many were looking forward, including myself, to his latest book "How I Discovered World War IIs Greatest Spy and Other Stories of Intelligence and Code". While the entire book is fascinating, it is somewhat disingenuous, in that there is no new material in it. Many of the articles are decades old, and some go back to the late 1970's. From the book description and cover, one would get the impression that this is an all new work. But it is not until ones reads the preface, that it is detailed that the book is simple an assemblage of collected articles.

For those that are long-time fans of Kahn, there is nothing new in the book. For those that want a wide-ranging overview of intelligence, espionage and codebreaking, the book does provide that.

The book gets its title from a 2007 article in which Kahn tracked down whom he felt was the greatest spy of World War 2. That was none other than Hans-Thilo Schmidt, who sold information about the Enigma cipher machine to the French. That information made its way to Marian Rejewski of Poland, which lead to the ability of the Polish military to read many Enigma-enciphered communications.

An interesting question Kahn deals with is the old conspiracy theory that President Franklin Roosevelt and many in is administration knew about the impending attack on Pearl Harbor. He writes that the theory is flawed for numerous reasons. Kahn notes that the attack on Pearl Harbor succeeded because of Japan's total secrecy about the attack. Even the Japanese ambassador's in Washington, D.C., whose messages the US was reading were never told of the attack.

Chapter 4 from 1984 is particularly interesting which deals with how the US viewed Germany and Japan in 1941. Kahn writes that part of the reason the US did not anticipate a Japanese attack was due to racist attitudes. The book notes that many Americans viewed the Japanese as a bucktoothed and bespectacled nation.

Chapter 10 Why Germany's intelligence failed in World War II, is one of the most interesting chapters in the book. It is from Kahn's 1978 book "Hitlers Spies: German Military Intelligence In World War II".

In the Allies vs. the Axis, the Allies were far from perfect. Battles at Norway, Arnhem and the Bulge were met with huge losses. But overall, the Allies enjoyed significant success in their intelligence, much of it due to their superiority in verbal intelligence because of their far better code-breaking. Kahn writes that the Germans in contrast, were glaringly inferior.

Kahn writes that there were five basic factors that led to the failure of the Germans, namely: unjustified arrogance, which caused them to lose touch with reality; aggression, which led to a neglect of intelligence; a power struggle within the officer corps, which made many generals hostile to intelligence; the authority structure of the Nazi state, which gravely impaired its intelligence, and anti-Semitism, which deprived German intelligence of many brains.

The Germans negative attitude towards intelligence went all the way back to World War I, when in 1914 the German Army was so certain of success that many units left their intelligence officers behind. Jump to 1941 and Hitler invaded Russia with no real intelligence preparation. This arrogance, which broke Germany's contact with reality, also prevented intelligence from seeking to resume that contact.

Other interesting stories in the book include how the US spied on the Vatican in WW2, the great spy capers between the US and Soviets, and more.

For those that want a broad overview of the recent history of cryptography, spying and military intelligence, How I Discovered World War IIs Greatest Spy and Other Stories of Intelligence and Code, is an enjoyable, albeit somewhat disjointed summary of the topic.

The best part of the book is its broad scope. With topics from Edward Bell and his Zimmermann Telegram memoranda, cryptology and the origins of spread spectrum, to Nothing Sacred: The Allied Solution of Vatican Codes in World War II and a historical theory of intelligence, the book provides a macro view of the subject. The down side is that this comes at the cost of the 30 chapters being from almost as many different books and articles, over the course of almost 40 years.

For those that are avid readers of David Kahn, of which there are many, this title will not be anything new. For those that have read some of Kahn's other works and are looking for more, How I Discovered World War IIs Greatest Spywill be an enjoyable read.

Reviewed by Ben Rothke"

Book review: Threat Modeling: Designing for Security

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "Title: Threat Modeling: Designing for Security

Author: Adam Shostack

Pages: 624

Publisher: Wiley

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1118809990

Summary: Invaluable guide to create a formal threat modeling program

Full disclosure: The author of this book and I are friends.

When it comes to measuring and communicating threats, perhaps the most ineffective example in recent memory was the Homeland Security Advisory System; which was a color-coded terrorism threat advisory scale.

The system was rushed into use and its output of colors was not clear or intuitive. What exactly was the difference between levels such as high, guarded and elevated? From a threat perspective, which color was more severe — yellow or orange? Former DHS chairman Janet Napolitano even admitted that the color-coded system presented "little practical information" to the public

While the DHS has never really provided meaningful threat levels, in Threat Modeling: Designing for Security, author Adam Shostack has done a remarkable job in detailing an approach that is both achievable and functional. More importantly, he details a system where organizations can obtain meaningful and actionable information, rather than vague color charts.

Rather than letting clueless Washington bureaucrats define threats, the book details a formal system in which you can understand and particularize the unique threats your organizations faces.

In the introduction, Shostack sums up his approach in four questions:

1. What are you building?

2. What can go wrong with it once it's built?

3. What should you do about those things that can go wrong?

4. Did you do a decent job of analysis?

The remaining 600 densely packed pages provide the formal framework needed to get meaningful answers to those questions. The book sets a structure in which to model threats, be it in software, applications, systems, software or services, such as cloud computing.

While the term threat modelingmay seem overly complex, the book notes that anyone can learn to threat model. Threat modeling is simply using models to find security problems. The book notes that using a model means abstracting away a lot of the details to provide a look at the bigger picture, rather than the specific item, or piece of software code.

An important point the book makes is that there is more than one way to model threats. People often place too much emphasis on the specifics of how to model, rather than focusing on what provides them the most benefit. Ultimately, the best model for your organization is the one that helps you determine what the main threats are. Finally, the point is not just to find the threats; the key is to address them and fix them.

The beauty of the book is that it focuses on gaining empirical data around threats for your organization. Rather than simply taking an approach based on Gartner, USA Today or industry best practices.

While the author states a few times that threat modeling is not necessarily a complex endeavor, it nonetheless does take time. He writes that threat modeling requires involvement from many players from different departments in an organization to provide meaningful input. Without broad input, the threat model will be lacking, and the output will be incomplete.

For those organizations that are willing to put the time and effort into threat modeling, the benefits will be remarkable. At the outset, they will have confidence that they understand the threats their organization is facing, likely spend less on hardware and software, and will be better protected.

Chapter 18 quotes programmer Henry Spencer who observed that "those who do not understand Unix are condemned to reinvent it, poorly". Shostack writes that the same applies to threat modeling. The point he is making is that there are ways to fail at threat modeling. The first is simply not trying. The chapter then goes on into other approaches which can get in the way of an effective threat modeling program.

Why should you threat model for your IT and other technology environments? It should be self-evident from an architecture perspective. When an architect is designing an edifice, they first must understand their environment and requirements. A residence for a couple in Manhattan will be entirely different from the design for a residence for a family in Wyoming. But far too many IT architects take a monolithic approach to threats and that's precisely the point the book is attempting to obviate.

As noted, threat modeling is not overly complex. But even if it was indeed complex, it is far too important not to be done. The message of the book is that organizations need to stop chasing vague threats and industry notions of what threats are, and customize things so they deal with their threats.

For those that still think the topic is complex, the book references Elevation of Privilege(EoP), an easy way to get started threat modeling. EoP is a card game that developers, architects or security teams can play to easily understand the rudiments of threat modeling.

Risk modeling is so important that it must be seen as an essential part of a formal and mature information security program. Having firewalls, IDS, DLP and myriad other infosec appliances can be deceptive in thinking they provide protection. But if they are deployed in an organization that has not defined the threats these devices are expected to address, they only serve the purpose of giving an aura of infosec protection, and not real protection itself.

Amazon has over 800 Disney World guide books. Anyone who is going to invest their time and money to spend a few days at Disney World knows they have to do their research in order to get the most out of their visit.

There are only a handful of books on this topic and Threat Modeling: Designing for Securityis perhaps the finest of them. No tourist would be so naïve to go to Disney World uninformed. And conversely, no one should go into the IT world without adequate threat information.

Threat modeling provides compelling benefits in the ability to make better information security decisions, better focus on often limited resources, all while designing a model to protect against current and future threats.

For those serious about the topic, Threat Modeling: Designing for Securitywill be one of the most rewarding information security books they could hope for.

Reviewed by Ben Rothke."

Book review: The Art of the Data Center

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "The Art of the Data Center: A Look Inside the Worlds Most Innovative and Compelling Computing Environments

Author: Douglas Alger

Pages: 368

Publisher: Prentice Hall

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1587142963

Summary: Some of the smartest guys in the data center share their build and design advice

At first glance, The Art of the Data Center: A Look Inside the Worlds Most Innovative and Compelling Computing Environmentsappears like a standard coffee table book with some great visuals and photos of various data centers throughout the world. Once you get a few pages into the book, you see it is indeed not a light-read coffee table book, rather a insightful book where some of the brightest minds in the industry share their insights on data center design and construction.

The book takes a holistic view of how world-class data centers are designed and built. Many of the designers were able to start with a greenfield approach without any constraints; while others were limited by physical restrictions.

Some of the firms profiled in the book are Citi, Digital Realty Trust (who run the world's largest data center in Chicago), eBay, Facebook, IBM, Intel and Yahoo!.

One of the interesting things about hearing 18 different viewpoints, both from the US and Europe-based firms, is that it shows there is not just one way to build a data center. Fundamental data center components such as raised floors are reconsidered in some of the data centers in the book. From UPS, to cooling systems and more, Alger details how the nuances of various data centers have influenced their design.

It is an unfortunate reality that many expensive data center builds and expansions fail.The book profiles those that have succeeded, and it is hoped the reader will take the advice to heart in their build and design.

The book is written in an interview style, where Alger asked the designers various question on how their came to their design, the rationale behind it, what their strategy was, what constraints they ran into, and more

The book highlights a broad range of data centers; from those built into a century old church in Spain, a former Swedish underground military bunker renovated into a modern data center with artificial daylight, manmade waterfalls and submarine engines providing standby power, to those powered by all solar energy.

Many of the data centers that he showcases are designed in order to be LEED (Leadership in Energy and Environmental Design) and Energy Star certified. LEED is a rating systems for the design, construction, operation and maintenance of green buildings, homes and neighborhoods, created by the US Green Building Council (USGBC). It should be noted that as of now, the USGBC hasn't set specific criteria for data center LEED certification.

An important point about LEED made in the book is that for those designers that are thinking about LEED certification, it mustbe done in the design stage and not as an addendum. Obtaining LEED certification must start at design and end with a formal certification after project completion. It was noted that consulting with a qualified LEED professional or consulting firm at the start of the planning process is a must.

While this is not a coffee table book, it does make good use of photos to highlight the nuances and layouts of the various data centers. There are many pictures that show the various types of equipment in use.

As noted, the book showcases many different aspects and often counterintuitive notions of data center design. One of the most significant is ACT, Inc., a nonprofit that runs the ACT test – a college admissions and placement test taken by more than 1.3 million high school graduates every year, who decided to runs their active and backup data centers in Iowa City, Iowa just 5 miles apart. The book details the designer's rationale behind that. Similar case studies are detailed in the book.

One of the major methods in the book used to reduce power consumption and cost is via the use of virtualization, which many of the data centers have used and optimized.

One topic lacking in the book is that Alger did not ask detailed questions around the physical security of the buildings. Why power, UPS, flooring and the like are critical to the efficacy of a data center; physical security components such as mantraps, access control systems, bollards, surveillance and the like are necessary to ensure all of the previous design items are not placed at risk.

One of the questions he asked every designer is if they could go back and design the data center all over again, what; if anything would they do different. Surprisingly, everyone one of them said that they put a lot of planning in and there was nothing major they would change. Most of the designers did though say each data center had small items though could have been revisited to make the center better. Bu most agreed that many of them are so minor in some respects, that it would not be meaningful to go through them.

An interesting point the data venter architect at Syracuse University stated is that one of the things they did in constructing their data center was to not necessarily be driven by rules of thumb or best practices. Rather they looked at their own requirements and how they could best optimize everything that they could in the design of the facility.

One common metric used throughout the book is power usage effectiveness (PUE). It is a measure of how efficiently a computer data center uses energy; specifically, how much energy is used by the computing equipment, as opposed to cooling and other data center overhead. The lower the number, closest to 1.0, the more of its power is used for computing.

Poor data center planning leads to poor use of valuable capital, can significantly increase operational expense and obviate any computation gains. Many organizations get overwhelmed on the design and focus far too much on speed and power, without taking a larger holistic view of their data center needs.

For those looking for guidance on how to design a world-class data center, The Art of the Data Center: A Look Inside the Worlds Most Innovative and Compelling Computing Environmentsshould be the place you start.

Reviewed by Ben Rothke."

Book review: The Digital Crown

benrothke benrothke writes  |  1 year,19 days

benrothke (2577567) writes "Title: The Digital Crown: Winning at Content on the Web

Author: Ahava Leibtag

Pages: 358 pages

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0124076747

Summary: Invaluable resource and reference for building an effective web content strategy

With Adobe Flash, it's possible to quickly get a pretty web site up and running; something that many firms do. But if there is no content behind the flashy web page, it's unlikely anyone will return.

In The Digital Crown: Winning at Content on the Web, author Ahava Leibtag does a fantastic job on showing how to ensure that your web site has what it takes to get visitors to return to the website, namely great content.

Make no mistake, creating good content for a large organization is a massive job. But for those organizations that are serious about doing it right, the book provides the extensive details all of the steps required to create content that will bring customers back to your web site.

Leibtag writes in the introduction that the reason so many websites and other digital strategy projects fail is because the people managing them don't focus on what really matters. They begin changing things for the sake of change and to simply update, without first asking why. They also forget to ask what the updates will accomplish. What this does is create a focus on the wrong priorities. Leibtag notes that the obvious priority is content.

So what is this thing called content? The book defines it as all of the information assets of your company that you want to share with the world.

The book is based around 7 rules, which form the foundation of an effective and comprehensive content strategy, namely:

1. Start with Your Audience

2. Involve Stakeholders Early and Often

3. Keep it Iterative

4. Create Multidisciplinary Content Teams

5. Make Governance Central

6. Workflow that Works

7. Invest in Professionals and Trust Them

Chapter 1 (freely available here) takes a high-level look at where branding and content meet, and details the need for a strategic content initiative.

An interesting point the book makes in chapter 2 which is pervasive throughout the book is to avoid using the term users. Rather refer to them as customers. Leibtag feels that the term users as part of a content strategy, makes them far too removed and abstract. Dealing with them as customers makes them real people and changes the dynamics of the content project. Of course, this transition has to be authentic. Simply performing a find/replace of user/customer in your documentation is not what the author intended; nor will such an approach work.

The book is heavy on understanding requirements and has hundreds of questions that need to be asked before creating content. The book is well worth it for that content alone.

It also stresses the importance of getting all stakeholders involved in the content creation process. As part of the requirements gathering process, the book details 3 roadmap steps which much be done in order to facilitate an effective strategy.

The book notes that content is much more than web pages. Content includes various formats, platforms and channels. An effective strategy must take allof these into account. The book notes that there are hundreds of possible formats for content. While it is impossible to deal with every possible option; an organization must know what they are in order to ensure they are creating content that is appropriate for their customers.

By the time you hit page 100, it becomes quite clear that content is something that Leibtag is both passionate about and has extensive experience with. An important point she makes is that it is crucial not for focus on design right away in the project, as it eats up way too much time. The key is to focus the majority of your efforts on the content.

The dilemma that the book notes is that during the requirements gathering process, far too many organizations are imagining a gorgeous web site with all kinds of bells and whistles, beautiful colors and pictures. That in turn moves them to spend (i.e., waste) a tremendous amount of time on design; which leads them to neglect contact creation and migration.

The book details multichannel publishing, which is the ability to publish your content on any device and any channel. This is a significant detail, as customers will be accessing your site from desktops with huge screens and bandwidth to mobile devices with smaller screens and often limited bandwidth. This requires you to adapt and change your content publishing process. This is clearly not a trivial endeavor. But doing it right, which the book shows how to do, will payoff in the long run.

Another mistake firms make is that they often think content can be done by just a few people. The book notes that it is an imperative to create multidisciplinary content teams, since web content will touch every part of the organization, and needs their respective input.

One of the multidisciplinary content teams that must be involved is governance. The book notes that governance standards help you set a consistent customer experience across all channels. By following them, you can avoid replicating content, muddying your main messages and confusing your customers. Governance is also critical in setting internal organizational controls.

Leibtag lays out what needs to be done in extreme detail. She makes it quite clear that there are no quick fixes that can be done to create good content. Creating an effective content marketing strategy and architecture is complex, expensive and challenging. But for most organizations, it is also absolutely necessary for them in order to compete.

The author is the head of a content strategy and content marketing consultancy firm. Like all good consultants, they focus on getting answers to the questions clients often don't even know to ask. With that, the book has myriad questions and requirements that you must answer before you embark on getting your content online.

The book also provides numerous case studies of sites that understand the importance of content and designed their site accordingly. After reading the book, the way you look at web sites will be entirely different. You will likely find the sites you intuitively return to coincidentally happened to be those very sites that have done it right and have the content you want.

My only critique of the book is that the author quotes herself and references other articles she wrote far too often. While these articles have valid content, this can come across as somewhat overly promotional. Aside from that, the book is about as good as anything could get on the topic.

For firms that are serious about content and looking for an authoritative reference on how to build out their content and do it right, The Digital Crown: Winning at Content on the Web is certain to be an invaluable resource.

Reviewed by Ben Rothke."

Book review: Digital Archaeology: The Art and Science of Digital Forensics

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "Title: Digital Archaeology: The Art and Science of Digital Forensics

Author: Michael Graves

Pages: 600

Publisher: Addison-Wesley Professional

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0321803900

Summary: Excellent introductory text to digital forensics

The book Digital Archaeology: The Art and Science of Digital Forensicsstarts as yet another text on the topic of digital forensics. But by the time you get to chapter 3, you can truly appreciate how much knowledge author Michael Graves imparts.

Archaeology is definedas the study of human activity in the past, primarily through the recovery and analysis of the material culture and environmental data that they have left behind, which includes artifacts, architecture, biofacts and cultural landscapes.

The author uses archeology and its associated metaphors as a pervasive theme throughout the book. While most archeology projects require shovels and pickaxes; digital archeology requires an entirely different set of tools and technologies. The materials are not in the ground, rather on hard drives, SD cards, smartphones and other types of digital media.

In the preface, Graves writes that in performing an investigation that explores the use of computers or digital data, the investigator is embarking on an archaeological expedition. In order to extract useful artifacts, information when dealing with our topic at hand; the investigator must be exceedingly careful in how he approaches the site. The similarities between a digital investigation and an archaeological excavation are much closer than you might imagine. Data, like physical artifacts, gets dropped into the oddest places. The effects of time and environment are just as damaging, if not more so, to digital artifacts as they are physical mementos.

The book shows you precisely how to extract those artifacts effectively. And in a little over 500 pages, the books 21 chapters, provides a comprehensive overview of every area relevant to digital forensics. The author brings his experience to every page and rather than being a dry reference, Graves writes an interesting reference guide for the reader who is serious about becoming proficient in the topic.

Rather than provide dry overview of the topics and associated hardware and software tools. The books take a real-world approach and provides a detailed narrative of real-world scenarios.

An important point Graves makes is that a digital investigator who does not understand the basic technology behind the systems they are investigating is going to be at a distinct disadvantage. Understanding the technology assists in the investigative process and ensures that the evidence can be held up in court.

The need to a proficiency in digital forensics is manifest in the recent attack against Target stores. After an aggressive attack, the store called in external digital forensics consultants to help them make sense of what happened.

The book starts with an anatomy of a digital investigation, including the basic model an investigator should use to ensure an effective investigation. While the author is not a lawyer; the book details all of the laws, standards, constitutional issues and regulations that an investigator needs to be cognizant of.

The author notes that Warren Kruse and Jay Heiser wrote in Computer Forensics: Incident Response Essentialsthat the basic computer investigation model was a four-part model with the following steps: assess, acquire, analyze and report. Graves breaks those into more detailed and granular level levels that represent processes that occur within each step. These steps are: identification and assessment, collection and acquisition, preservation, examination, analysis and reporting.

Chapter 2 has a section on the constitutional implications of forensic investigation, of which is the topic is also pervasive throughout the book.

As noted, a significant portion of the book is dedicated to the legal aspects around digital investigations. Graves spends a lot of time on these needed issues such as search warrants and subpoenas, basic elements of obtaining a warrant, the plain view doctrine, admissibility of evidence, keeping evidence authentic, defining the scope of the search, and when the Constitution doesn't apply.

The only chapter that was deficient was chapter 13 – Excavating a Cloud. Graves writes that the rapid emergence of cloud computing has added a number of new challenges for the digital investigator. The chapter does a good job of detailing the basic implications of cloud forensics. But it unfortunately does not dig any deeper, and does not provide the same amount of extensive tool listings as do other chapters.

Each chapter closes with a review of the topic and various exercises. Those wanting to see a sample chapter can do so here.

For those looking for an introductory text on the topics of digital forensics, Digital Archaeology: The Art and Science of Digital Forensicsis an excellent read. Its comprehensive overview of the entire topic combined with the authors excellent writing skills and experience, make the book a worthwhile reference.

Reviewer: Ben Rothke"

Book review: Digital Outcasts

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "Untitled documentTitle: Digital Outcasts: Moving Technology Forward without Leaving People Behind

Author: Kel Smith

Pages: 288

Publisher: Morgan Kaufmann

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0124047051

Summary: Manifesto for technology accessibility for all

Many of us have experimented what it means to be disabled, by sitting in a wheelchair for a few minutes or putting a blindfold over our eyes. In Digital Outcasts: Moving Technology Forward without Leaving People Behind, author Kel Smith details the innumerable obstacles disabled people have to deal with in their attempts to use computers and the Internet.

The book observes that while 1 in 7 people in the world have some sort of disability, (including the fact that 1 in every 10 U.S. children has been diagnosed with ADHD), software and hardware product designers, content providers and the companies who support these teams often approach accessibility as an add-on, not as a core component. Adding accessibility functionality to support disabled people is often seen as a lowest common denominator feature. With the companies unaware of the universal benefit their solution could potentially bring to a wider audience.

One of the many examples of this which the book provides is how sidewalk ramps are often an easier access method to streets; not just for those in wheelchairs, but for those simply walking and desiring an easier method.

In the book, Smith details how digital outcastsoften rely on technology for everyday things that we take for granted. The problem is that poorly designed products create an abyss for these outcasts, who number in the hundreds of millions.

So just what is this digital outcast? Smith notes that the term was first introduced by Gareth White of the University of Sussex to describe people who are left behind the innovation curve with respect to new advances in technology. The term is also relevant to today's Internet user who can't perform a simple function such as making an e-commerce purchase or checking their financial statement; due to inaccessibility of the content, platform or device. These outcasts represent large swaths of forgotten populations.

In the first chapter, Smith makes the chilling observation that all of us, at some point or another, will find that our capabilities have diminished. Today's disabled users are not outliers of the able-bodied population – they are a prototype of what our future looks like.

The book provides a detailed overview of how people with disabilities use technology. More importantly, it shows that creating effective user interfaces for those with disabilities is beneficial for all users.

It showcases numerous application and case studies, including how iPad apps have been used for cognitive therapy, video games to help many types of illnesses and more.

An important point the book makes is that there are no easy answers or silver-bullet solutions. There are no quick add-ons which a firm can use to quickly make their user interfaces outcast compliant. Rather it takes a concerted effort from senior management to make accessibility work.

A key point Smith makes many times is that students with disabilities are left behind. There are many students who fail in antiquated educational systems since the administration can't restructure their curricula around a child's individual talents or aptitudes. He writes that students with disabilities get stigmatized into special educationprograms, some of which are very good, but can be socially ostracizing.

Throughout the book, Smith quotes many studies and significant amounts of data that shows the power of how software can make significantly positive impacts on the lives of those with disabilities. In chapter 7, he writes that at the Center for BrainHealth at The University of Texas, they used virtual worlds and avatars to help autistic children. That form of therapy has proven to be successful and that 4 or 5 sessions using that technology, is worth 2 or 3 years of real world training.

As detailed in many parts of the book, many doctors say the best high-tech treatments are in fact the ones you can download from an app store.

As the end of the book, Smith writes that for accessibility to work, it has to be an enterprise initiative. He provides 8 strategic steps to doing that, including creating an accessibility task force (and engaging them from the very beginning of the project), knowing the legal landscape (and not to be driven solely by law), to designing mobile applications to be run universally, and more.

Smith sadly writes at the end of the book that while Apple has been at the forefront of accessibility, in 2012, despite having no legal mandate, Apple removed the Speak for Yourself (SFY) application; which was an extremely popular and helpful augmentative and alternative communication app. It seems that SFY is now once again available in the App Store, but with legal maneuvering what it is, that could change at any moment.

While the accessibility of technology is getting better every year, there are still many challenges to ahead. Digital Outcasts: Moving Technology Forward without Leaving People Behind articulately and passionately details the groundwork, itemizes what needs to be done, and implores the reader to do something to ensure this trend continues.

This book is an important read for everyone. As there are two types of people, those that are currently digital outcasts, and those that will be sometime in the future.

The book closes with a most accurate observation: digital outcasts are not a biological model for a future we should fear, they are an inspiration for what we can all become.

Reviewer: Ben Rothke"

Book review: Testing Cloud Services: How to Test SaaS, PaaS & IaaS

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "}

Testing Cloud Services: How to Test SaaS, PaaS & IaaS

Authors: Kees Blokland, Jeroen Mengerink, Martin Pol

Pages: 184

Publisher: Rocky Nook

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1-937538-38-5

Summary: Brings to light the imperative of testing cloud services before deployment

David Mitchell Smith wrote in the Gartner report Hype Cycle for Cloud Computinglast year — that while clearly maturing and beyond the peak of inflated expectations, cloud computing continues to be one of the most hyped subjects in IT. The report is far from perfect, but it is accurate in the sense that while cloud computing is indeed ready for prime time, the hype with it ensures that too many firms will be using it with too much hype, and not enough reality and detailed requirements.

While there have been many books written about the various aspects of cloud computing, Testing Cloud Services: How to Test SaaS, PaaS & IaaSis the first that enables the reader to successfully make the transition from hype to actuality from a testing and scalability perspective.

The book is an incredibly effective and valuable guide that details the risks that arise when deploying cloud solutions. More importantly, it provides details on how to test cloud services, to ensure that the proposed cloud service will work as described.

At 160 pages, the book is a great start to the topic. The 6 chapters detail a paradigm that cloud architects, managers and designers can use to ensure the success of their proposed cloud deployments.

The first two chapters are a very brief introduction to cloud computing. In chapter 3, the authors detail the role of the test manager. They write that the book is meant to give substance to the broadening role of the test manager within cloud computing. They encourage firms to make sure the test manager is involved in all stages of cloud computing; from selection to implementation. In fact, they write that it is only a matter of time until this service will be available in the cloud, in the form of TaaS – Testing as a Service.

Besides the great content, the book is valuable since it has many checklists and questions to ask. One of the reasons cloud hype is so overly pervasive, is that the customers believe what the marketing people say, without asking enough questions. It would have been an added benefit if these questions and checklists would be made available in softcopy to the reader.

In chapter 4, the book details performance risks. As to performance, an important aspect of selecting the correct cloud provider is scalability of the service. This then requires a cloud specific test to determine if the scaling capacity (also known as elasticity) of the provider will work efficiently and effectively in practice.

An extremely important point the authors make is that when choosing a cloud service, many firms don't immediately think of having a test environment, because the supplier will themselves test the service. The absence of a test environment is a serious risk.

About 2/3 of the book is in chapter 5 – Test Measures. The chapter mostly details the test measures for SaaS, but also does address IaaS and PaaS testing. The chapter spends a lot of time on the importance of performance testing.

An important point detailed in the chapter is that of testing elasticity and manual scalability. This is an important topic since testing elasticity is a new aspect of performances testing. The objectives of elasticity tests are to determine if the performance of the service meets the requirements across the load spectrum and if the capacity is able to effective scale. The chapter details various load tests to perform.

In the section on guarantees and SLAs, the authors make numerous excellent points, especially in reference to cloud providers that may guarantee very high availabilities, but often hide behind contract language. They provide a number of good points to consider in regards to continuity guarantees, including determining what is meant exactly by up- and down-time; for example, is regular maintenance considered downtime or not.

Another key topic detailed is testing migration. The authors write that when an organization is going to use a service for an existing business process, a migration process is necessary. This includes the processes of going into the cloud, and backing the service out of the cloud.

With all of the good aspects to this book, a significant deficiency in it is that it lacks any mention of specific software testing tools to use. Many times the authors write that "there are many tools, both open source and commercial, that can" but fail to name a single tool. The reader is left gasping at a straw knowing of the need to perform tests, but clueless as to what the best tools to use are. Given the authors expertise in the topic, that lacking is significant.

The only other lacking in the book is in section 5.3 on testing security, the authors fail to mention any of the valuable resources on the topic from the Cloud Security Alliance. Specifically the Cloud Controls Matrix(CCM) and Consensus Assessments Initiative(CAI) questionnaire.

With that, Testing Cloud Services: How to Test SaaS, PaaS & IaaSshould be on the required reading list of everyone tasked with cloud computing. This is the first book to deal with the critical aspect of testing as it related to cloud computing. The ease of moving to the cloud obscures the hard reality of making a cloud solution work. This book details the hard, cold realities of turning the potential of cloud computing, in the reality of a working solution.

Had the designers of the Obamacare website taken into consideration the key elements of this book, it is certain that the debacle that ensued would have been minimize and the administration would not have had to send out a cry for help. The Obamacare website will turn into the poster child of how to not to create a cloud solution. Had they read Testing Cloud Services: How to Test SaaS, PaaS & IaaS, things would have been vastly different.

Reviewer: Ben Rothke"

Book review: Secret History: The Story of Cryptology

benrothke benrothke writes  |  about a year ago

benrothke (2577567) writes "Secret History: The Story of Cryptology

Author: Craig P. Bauer

Pages: 620

Publisher: CRC Press

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1466561861

Summary: Excellent comprehensive and decipherable text on the history of cryptography

Narrating a compelling and interesting story about cryptography is not an easy endeavor. Many authors have tried and failed miserably; attempting to create better anecdotes about the adventure of Alice and Bob. David Kahn probably did the best job of it when wrote The Codebreakers: The story of secret writingin 1967 and set the gold standard on the information security narrative. Kahn's book was so provocative and groundbreaking that the US Government originally censored many parts of it.

While Secret History: The Story of Cryptologyis not as groundbreaking, it also has no government censorship. With that, the book is fascinating read that provides a combination of cryptographic history and the underlying mathematics behind it.

As a preface; the book has cryptologyin its title, which is for the most part synonymous with cryptography. Since cryptography is more commonly used, I'll use it in this review.

Kahn himself wrote that he felt this book is by far the clearest and most comprehensive of the books dealing with the modern era of cryptography including classic ciphers and some of the important historical ones such as Enigma and Purple; but also newer systems such as AES and public-key cryptography.

The book claims that the mathematics detailed in it are accessible requiring minimal mathematical prerequisites. But the reality is that is does require at least a college level understanding, including algebra, calculus and more.

As an aside, nearly every book on encryption and cryptography that claims no advanced mathematical knowledge is needed doesn't meet that claim. With that, Bauer does a good job of separating the two narratives in the book (cryptography and history), so one who is not comfortable with the high-level math can easily parse through those sections.

Bauer brings an extensive pedigree to the book, as he is a former scholar-in-residence at the NSA Center for Cryptologic History. While Bauer has a Ph.D. in mathematics, that does not take away from his ability as an excellent story teller. And let's face it; telling the story of cryptography in a compelling and readable manner is not an easy task.

The 20 chapters in the book follow a chronological development of encryption and cryptography; from Roman times to current times. Each chapter has a set of exercises that can be accessed here. Besides being extremely well-researched, each chapter has numerous items for further reading and research.

Chapters 1-9 are focused on classical cryptology, with topics ranging from the Caesar cipher, Biblical cryptology, to a history of the Vigenère cipher, the ciphers of WW1 and WW2 and more.

In chapter 8 World War II: The Enigma of Germany, Bauer does a great job of detailing how the Enigma machine worked, including details regarding the cryptanalysis of the device, both in its rotor wirings and how recovering its daily keys ultimately lead to is being broken. The chapter also asked the question: what if Enigma had never been broken,and provides a provocative answer to that.

Chapter 8 opens with the famous quote from Ben Franklin that "three may keep a secret if two of them are dead". He notes that the best counterexample to that is of the 10,000 people that were involved in the project to break the Enigma. They all were able to maintain their silence about the project for decades; which clearly shows that large groups can indeed keep a secret. Bauer notes that it is often a reaction to conspiracy theories that large groups of people could never keep a secret for so long.

Chapter 9 provides a fascinating account of the Navajo code talkers. These were a group of Navajo Indians who were specially recruited during World War II by the Marines to serve in their communications units. Since the Navajo language was unknown to the Axis powers; it ensured that all communications were kept completely secret.

While part 1 is quite interesting; part 2, chapters 10-20 focuses on modern cryptology and is even more fascinating. Bauer does a fantastic job of encapsulating the last 60 years of cryptography, and covers everything from the origins of the NSA, the development of DES and AES, public key cryptography and much more.

The book was printed in March 2013 just before the NSA PRISM surveillance program became public knowledge. If there is any significant mistake in the book, it is in chapter 11 where Bauer writes that "everything I've seen and heard at the NSA has convinced me that the respect for the Constitution is a key component of the culture there".

Aside from the incorrect observation about how the NSA treats the Constitution, the book does an excellent job of integrating both the history of cryptography and the mathematical element. For those that aren't interested in to the mathematics, there is plenty of narrative in the book to keep them reading.

For those looking for a comprehensive and decipherable text on the history of cryptography, this is one of the best on the topic in many years.

Kahn's book laid the groundwork that made a book like this possible and Secret History: The Story of Cryptology is a worthy follow-up to that legendary text.

Reviewed by Ben Rothke



benrothke has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?