tssci security

Implications of The New School

Recently, I finished reading "The New School of Information Security" by Adam Shostack and Andrew Stewart. It's only about 200 pages, so it's certainly worth your time to pick up and read. Some people will compare it to "Security Metrics" by Andrew Jaquith (or many others), but I think this book is unique.

Into the first chapter, I was dismayed and rather disappointed. At first it appeared as if the book would largely be a repeat of some Shostack and Geer presentations I've already seen in the past. The introduction looked like a sample of Dan Geer's testimony to Congress, Addressing the Nation's Cybersecurity Challenges: Reducing Vulnerabilities Requires Strategic Investment and Immediate Action. This put me off the whole book, since I've already read that paper.

Additionally, the authors immediately begin the book with how they are going to write it -- how they don't reference anything in great detail, but that the endnotes should suffice. This also put me off a bit... that is -- until I got to the endnotes! Certainly from the beginning to the end of the book I was also kept in a state of constant interest thanks to the excellent writing. Even if you have read all of their past work, this book is certainly worth a read or two or three, maybe even quarterly.

Searching for answers

Since the authors seemed to dump on all security technology products and solutions, I began to get defensive in my mind about how to address my own technology suggestions around the information security space. While I wasn't completely surprised that the authors did not hold the exact same views that I do -- I was hoping that they would have spoken to software assurance, security in the SDLC, and other practices that I tout.

No such luck; the authors provided very few answers in general. This is probably a preferred message because it makes the book timeless in a way. "Security changes over time", right?

Some positive answers that were most clear to me from reading the text came across as, "process over products", and "economics over technology". For process, the authors seemed to suggest one reoccurring theme about the three most important IT controls that can aid decision-making:

I'm obviously fine with the above in theory. However, in practice -- these are often required by the ITIL, COBIT, ISO27k, and NIST standards that the book seems to want to throw out the door. Not only that, but the focus seemed to me as completely attached to IT/Operations and having nothing to do with development.

After further digging into the endnotes and references, it became more apparent what the authors were suggesting. The authors were trying to say that most of ITIL, COBIT, et al -- is completely worthless. Studies such as Visible Ops (which appears to be ready for a second title according to the Visible Ops blog), have more clearly demonstrated that a few choice controls are higher-performing and more efficient than a large majority of the controls listed in those audit frameworks. Now, this concept is very believable.

For statistics, popular cybercrime surveys such as the annual report produced by the Computer Security Institute were thrown out the proverbial window by the authors, but they were able to point to newer data, such as the IT Controls Performance Study as well as the DOJ/DHS National Computer Security Survey (available sometime soon -- 2008 according to the website).

Answers in the breach data

One thing I learned from the book is the importance of breach data to further our understanding of future answers. I tend to concentrate on software development requirements, software engineering design, and raw source code as metrics and patterns. However, the authors bring up some excellent points about breach data.

Breach data is important to get out in the open, and I've mentioned a few sources on our blog before. One project that I wasn't familiar with was the New York State freedom of information laws that Chris Walsh posted about last year. I've seen some of CWalsh's other work and I've spoken with him, and I had no idea he worked on such an interesting project. This is certainly a project you might not want to miss out on.

Answers in Economics models and Social Psychology theories

This might seem too academic for most security professionals. However, these same security professionals are usually armchair experts themselves. I find these recommendations the most fascinating and relevant. I hope the rest of the industry will give these ideas the chance that they deserve.

Quoted several times throughout the book is a paper by Gordon and Loeb, on The Economics of Information Security Investment (it's only 22 pages long). The authors consider this a must-read, and tend to summarize this paper as "only spend up to 37% of the value of an asset in order to protect that asset". I enjoyed this recommendation, as well as the authors' disdain for ROI / ROSI and ALE. However, while I think their strategy will work for the long term (and once we have more data), my short-term recommendation continues to be a bit contrary to this.

In Building a security plan, I discussed (towards the end) how using the voice of the customer to drive your spending decisions seemed about as appropriate as any other strategy. I would have appreciated some discussion around customer support, and maybe this is a topic that the authors will bring up in the future.

The authors also discussed psychology (many of the topics appear to be centered around Social Psychology at the root of the problems, IMO) and explored a few concepts. One of the more prominent psychology topics was Security & Usability, which I'm sure there are varying levels of opinion about.

After speaking with Marcin -- I was pointed towards an excellent blog post on psychology needs for security teams. Not only is the topic of Security & Usability discussed, but it also offers a very interesting look into the future.

I see a bright future in the New School, and would put this book as a "first-read" for anyone who needs to be initiated on the subject of information security / assurance.

Posted by dre on Monday, March 17, 2008 in Books, Privacy and Security.
