The New School of Information Security and over one million other books are available for Amazon Kindle. Learn more
Have one to sell?
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See this image

The New School of Information Security Hardcover – Apr 5 2008


See all 4 formats and editions Hide other formats and editions
Amazon Price New from Used from
Kindle Edition
"Please retry"
Hardcover
"Please retry"
CDN$ 72.97 CDN$ 0.75

2014 Books Gift Guide
Yes Please, the eagerly anticipated first book from Amy Poehler, the Golden Globe winning star of Parks and Recreation, is featured in our 2014 Books Gift Guide. More gift ideas

Special Offers and Product Promotions

  • Join Amazon Student in Canada


Customers Who Bought This Item Also Bought



Product Details

  • Hardcover: 288 pages
  • Publisher: Addison-Wesley Professional; 1 edition (April 5 2008)
  • Language: English
  • ISBN-10: 0321502787
  • ISBN-13: 978-0321502780
  • Product Dimensions: 15.9 x 2.5 x 23.5 cm
  • Shipping Weight: 590 g
  • Average Customer Review: 4.0 out of 5 stars  See all reviews (1 customer review)
  • Amazon Bestsellers Rank: #701,982 in Books (See Top 100 in Books)
  • See Complete Table of Contents

Product Description

About the Author

Adam Shostack is part of Microsoft’s Security Development Lifecycle strategy team, where he is responsible for security design analysis techniques. Before Microsoft, Adam was involved in a number of successful start-ups focused on vulnerability scanning, privacy, and program analysis. He helped found the CVE, International Financial Cryptography association, and the Privacy Enhancing Technologies workshop. He has been a technical advisor to companies including Counterpane Internet Security and Debix.

 

Andrew Stewart is a Vice President at a US-based investment bank. His work on information security topics has been published in journals such as Computers & Security and Information Security Bulletin. His homepage is homepage.mac.com/andrew_j_stewart

Excerpt. © Reprinted by permission. All rights reserved.

The New School of Information Security

Preface

"I didn't have time to write you a short letter, so I wrote a long one."—Mark Twain

We've taken the time to write a short book, and hope you find it enjoyable and thought-provoking. We aim to reorient security practitioners and those around them to a New School that has been taking shape within information security. This New School is about looking for evidence and analyzing it with approaches from a wide set of disciplines. We'd like to introduce this approach to a wider audience, so we've tried to write so that anyone can understand what we have to say.

This isn't a book about firewalls, cryptography, or any particular security technology. Rather, it's about how technology interacts with the broader world. This perspective has already provided powerful insights into where security succeeds and fails. There are many people investing time and effort in this, and they are doing a good deal of interesting research. We make no attempt to survey that research in the academic sense. We do provide a view of the landscape where the research is ongoing. In the same spirit, we sometimes skim past some important complexities because they distract from the main flow of our argument. We don't expect the resolution of any of those will change our argument substantially. We include endnotes to discuss some of these topics, provide references, and offer side commentary that you might enjoy. Following the lead of books such as Engines of Creation and The Ghost Map, we don't include endnote numbers in the text. We find those numbers distracting, and we hope you won't need them.

Some of the topics we discuss in this book are fast-moving. This isn't a book about the news. Books are a poor place for the news, but we hope that after reading The New School, you'll look at the news differently.

Over the course of writing this book, we've probably written three times more words than you hold in your hands. The book started life as Security Decisions, which would have been a book for managers about managing information security. We were inspired by Joan Magretta's lovely little book What Management Is, which in about 200 pages lays out why people form organizations and hire managers to manage them. But security isn't just about organizations or managers. It's a broad subject that needed a broader book, speaking to a wider range of audiences.

As we've experimented with our text, on occasion removing ideas from it, there are a few fascinating books which influenced us and ended up getting no mention—not even in the endnotes. We've tried to include them all in the bibliography.

In the course of writing this book, we talked to a tremendous number of people. This book is better for their advice, and our mentions are to thank them, not to imply that they are to blame for blemishes that might remain. If we've forgotten anyone, we're sorry.

Simson Garfinkel and Bruce Schneier both helped with the proposal, without which we'd never have made it here. We'd both like to thank Andy Steingruebl, Jean Camp, Michael Howard, Chris Walsh, Michael Farnum, Steve Lipner, and Cat Okita for detailed commentary on the first-draft text. But for their feedback, the book would be less clear and full of more awkward constructs. Against the advice of reviewers, we've chosen to use classic examples of problems. One reviewer went so far as to call them "shopworn." There is a small audience for whom that's true, but a larger one might be exposed to these ideas for the first time. We've stuck with the classics because they are classic for a reason: they work. Jon Pincus introduced us to the work of Scott Page. We'd like to apologize to Dan Geer for reasons that are either obvious or irrelevant. Lorrie Cranor provided timely and much appreciated help in the academic literature around security and usability. Justin Mason helped correct some of the sections on spam. Steven Landsburg helped us with some economic questions.

We'd also like to thank the entire community contributing to the Workshop on Economics and Information Security for their work in showing how to apply another science in broad and deep ways to the challenges that face us all in security.

It's tempting in a first book to thank everyone you've ever worked with. This is doubly the case when the book is about the approaches we bring to the world. Our coworkers, managers, and the people we have worked with have taught us each tremendous amounts, and those lessons have been distilled into this book.

Adam would like to thank (in roughly chronological order) cypherpunks Eric Hughes, Steve Bellovin, Ian Goldberg, and others too numerous to name, for fascinating discussions over the years, Ron Kikinis, coworkers at Fidelity, Netect (Marc Camm, David Chaloner, Scott Blake, and Paul Blondin), Zero-Knowledge Systems (Austin and Hamnett Hill, Adam Back, Stefan Brands, and the entire Evil Genius team), my partners at Reflective, and the Security Engineering and Community team at Microsoft, especially Eric Bidstrup and Steve Lipner. In addition, everyone who I've written papers with for publication has taught me a lot: Michael J. Freedman, Joan Feigenbaum, Tomas Sander, Bruce Schneier, Ian Goldberg, Austin Hill, Crispin Cowan, and Steve Beattie. Lastly, I would like to thank my co-bloggers at the Emergent Chaos Jazz Combo blog, for regularly surprising me and occasionally even playing in tune, as well as the readers who've commented and challenged us.

Andrew would like to thank Neil Todd and Phil Venables for their help and guidance at the beginning of my career. I would also like to thank Jerry Brady, Rob Webb, Mike Ackerman, George Sherman, and Brent Potter. Please note that my mentioning these people does not mean that they endorse (or even agree with) the ideas in this book.

Finally, we'd both like to acknowledge Jessica Goldstein, who took a chance on the book; Romny French; our copy editor, Gayle Johnson, and our project editor, Anne Goebel.



Inside This Book (Learn More)
Browse Sample Pages
Front Cover | Table of Contents | Excerpt | Index
Search inside this book:

Customer Reviews

4.0 out of 5 stars
5 star
0
4 star
1
3 star
0
2 star
0
1 star
0
See the customer review
Share your thoughts with other customers

Most helpful customer reviews

3 of 3 people found the following review helpful By Jacob Gajek on June 13 2008
Format: Hardcover
As an information security professional, I enjoyed reading this book. The authors present a somewhat compelling case for a scientific approach to information security that emphasizes decision making based on empirical evidence, public disclosure of breach data as a means of gathering that evidence, and the application of methods and concepts from other disciplines such as economics, psychology, and sociology to information security problems.

In the first part of the book, the authors attempt to make the case that information security as a discipline is failing. High profile examples of various forms of computer crime, spam, phishing, malware, data breaches, and identity theft are cited as evidence. While the material makes for interesting reading, it falls somewhat short of making a convincing argument that the bad guys are winning the war on all fronts. I would have liked to see more solid evidence that the current approaches are not working. Has anti-virus technology truly failed to stem the tide of malware? Are there any statistics on that? What about anti-spam measures? Surely, not everything that the security industry has been up to until now has been a waste of time?

The current state of the security industry is examined next. Some criticism of the security industry is certainly warranted. The proliferation of questionable products which are more marketing hype than substance is a phenomenon that has parallels in other domains as well. One need only look at the world of high-end audio, where ridiculously expensive snake-oil products are sold to eager buyers who convince themselves that they can hear the difference in sound quality that these products purportedly afford them.
Read more ›
Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again.

Most Helpful Customer Reviews on Amazon.com (beta)

Amazon.com: 22 reviews
23 of 27 people found the following review helpful
Book review I wrote for ITToolbox April 24 2008
By Monkey - Published on Amazon.com
Format: Hardcover Verified Purchase
If you want to read a book that will have an influence on your information security career, or if you just want to read something that points out that we do need to do information security differently, then you need to go pick up a copy of "The new school of information security" by Adam Shostack and Andrew Stewart.

The book reads like this blog, everything from Noam Epple and the "Security Absurdity" with the response article Noam Eppel Follow up to Security Absurdity and Security Absurdity - Is information security "Broken". All the way through some of the latest hacks from Two weeks, two security breaches in web 2.0 applications to Tom's excellent article on Even Oracle is not without security problems. There are some short sharp jabs in the side for information security people and managers that think they are safe behind their firewalls.

If anything is going to serve as the cup of coffee after Noam Epple's wake up call, it has to be this book. Which means you have to go buy it to get where we are going as an industry.

The New School of Information Security asks a lot of questions, that as a security community we need to answer. Everything from the value of the CISSP (is it just showing you can take a test, or does it really imply that the person knows something?), in a debate here that even people in the industry who love what we do can not answer. The idea of the CISSP is good, but the book speaks heresy, reliance on the CISSP is dangerous, dangerous to a company, it narrows the confines of the box when information security people need to be everywhere helping out.

The book also talks about issues within the company as simple as the firewall, to how programmers got around firewall blocks by routing programs over port 80, to the untrusted and trusted insider, to the fundamental bedrock of how we make decisions, the flawed and often meaningless statistics that come from research labs.

The whole industry is broken, and while we bask in our unregulated age, HIPAA, SOX, and other rules like PCI are just the shot across the bow on regulation, and more will be coming.

Programmers do not get it, neither do security folks. From requesting a 6 million dollar solution for a 30 minute test, to saying "no" to watching businesses move their IT requirements to Amazon EC2 or AWS, to dumping the traditional attitude - we are a group of people in trouble, and we need to read this book.

We need to shake up our communities, and the way that we work, not smarter, not harder, but working within the confines of realistic information security for the company that we are in. Best practices are just that, generic, you must tailor them for the risks that you have in your industry. To rely on Best Practices, NIST 800, ITIL, and other standards is to court disaster because no one is taking the specifics or unique issues of your particular industry.

They also talk about security appliances, vendors, trusted sites that have the branding truste and hacker safe, with some interesting comments on how those systems and certifications provide a false sense of security not just to the people running the site, but to the customers who visit them as well.

Much to ponder, some of it has shown up with the writers here at ITtoolbox as well, which is very nice, we have been talking about these very same issues for the last 2 years if you read this site. The book is a nice digest of what has been here, and available to folks who visit here or read via syndication or RSS.

Otherwise, we really will not need a "security industry" per say, we will just get rolled up into something else, and loose our unique and distinct culture.
24 of 29 people found the following review helpful
Amateurs Study Cryptography; Professionals Study Economics April 28 2008
By James Harper - Published on Amazon.com
Format: Hardcover
What a delightful chapter title in Adam Shostack's and Andrew Stewart's new book, The New School of Information Security. They have produced a readable, compact tour of the information security field as it stands today - or perhaps as it lies in its crib. What we know intuitively the authors bring forward thoughtfully in their analysis of the information security industry: it is struggling to keep up with the defects in online communication, data storage, and business processes.

Shostack and Stewart helpfully review the stable of plagues on computing, communication, and remote commerce: spam, phishing, viruses, identity theft, and such. Likewise, they introduce the cast of characters in the security field, all of whom seem to be feeling along in the dark together.

Why are the lights off? Lack of data, they argue. Most information security decisions are taken in the absence of good information. The authors perceptively describe the substitutes for good information, like following trends, clinging to established brands, or chasing after studies produced by or for security vendors.

The authors revel in the breach data that has been made available to them thanks to disclosure laws like California's SB 1386. A purist must quibble with mandated disclosure when common law can drive consumer protection more elegantly. But good data is good data, and the happenstance of its availability in the breach area is welcome.

In the most delightful chapter in the book (I've used it as the title of this review), Shostack and Stewart go through the some of the most interesting problems in information security. Technical problems are what they are. Economics, sociology, psychology, and the like are the disciplines that will actually frame the solutions for information security problems.

In subsequent chapters, Shostack and Stewart examine security spending and advocate for the "New School" approach to security. I would summarize theirs as a call for rigor, which is lacking today. It's ironic that the world of information lacks for data about its own workings, and thus lacks sound decision-making methods, but there you go.

The book is a little heavy on "New School" talk. If the name doesn't stick, Shostack and Stewart risk looking like they failed to start a trend. But it's a trend that must take hold if information security is going to be a sound discipline and industry. I'm better aware for reading The New School of Information Security that info sec is very much in its infancy. The nurturing Shostack and Stewart recommend will help it grow.
16 of 19 people found the following review helpful
A Must-Read Book on a Proper IT Outlook May 14 2008
By Robert J. Sama - Published on Amazon.com
Format: Hardcover Verified Purchase
The New School's thesis is straightforward: publish data and use that data to approach IT security questions with a more scientific mindset, utilizing other academic disciplines such as economics and psychology to aid in solving problems.

The book would be a great primer for an MBA course on IT systems and organizational behavior. I suspect that so much of what causes secrecy around breaches in business organizations are the overblown fears of MBAs of customers fleeing. Shostack and Stewart do a good job calming those fears, and showing how disclosure really helps all parties move toward better security.

The book is a quick read, and it's more of a philosophical treatise than a how-to manual. For that reason I think it would be beneficial for anyone in IT or an organization's management to read it, as the book speaks to both parties.

I should disclose that I've known Adam Shostack for years, I do not know Andrew Stewart.
12 of 14 people found the following review helpful
It is High Time for the New School July 2 2008
By Justin C. Klein Keane - Published on Amazon.com
Format: Hardcover Verified Purchase
The New School of Information Security is one of the most timely and radical books on computer and information security that I've ever read. Adam Shostack and Andrew Stewart help to stimulate a significant paradigm shift that has been brewing in the infosec sphere for some time. With solid evidence and well grounded arguments Shostack and Stewart advocate for a new, and much needed, approach to information security: the New School.

Chapter 1 begins with a quick look at some prominent problems in the information security landscape today. By looking at spam, malware, identity theft, and computer breaches the authors provide a rough sketch of the current infosec landscape. Given the apparent failure of current approaches to security in the face of these threats the authors rhetorically pose the question of simply starting over and building a new approach from scratch before providing the opening sketch of their New School. The authors advocate the need for a new approach to computer security, the New School. The New School is described as quantifiable, "putting our ideas and beliefs through tests designed to draw out their flaws and limitations." This concept of metrics and empiricism is a common thread throughout the book.

Chapter 2 describes the "scene," or the state of the computer security industry today. By applying some elementary game theory the authors sketch out some of the dilemmas facing information security today. Then they delve into some of the historic origins of modern computer security. They point out that much of the computer security "conventional wisdom" has grown out of the military's needs for computer security and how that foundation isn't necessarily the best. They also explore the influence of hackers and crackers on the evolution of the industry. Finally they explore the relationship of capitalism and money to the field, including the driving factors of making money and how these have shaped the development of security today. The authors point out that while many good things have come from these various influences, they have also produced some unfortunate side effects that don't necessarily have to be taken for granted. The chapter goes on to examine the economy of the security industry, including the idea of "best practices" (which the authors very roundly decry) as well as turnkey solutions. The authors also point out the difficulty in measuring security products given the lack of objective test data produced in the sector. The chapter concludes with the though that "without proper use of objective data to test our ideas, we can't tell if we are mistaken or misguided in our judgement." They provide further evidence that the industry as a whole isn't often guided by any sort of quantifiable data (thus removing the 'science' from computer science) and that all too often "conventional wisdom" is misguided and sometimes blatantly wrong because it lacks a solid empirical foundation.

Chapter 3 looks at some of the underpinnings of gathering solid scientific evidence with which to test the ideas of the New School. Without good evidence, they point out, it is nearly impossible to make accurate decisions. The authors point out the problems with much of the evidence used to support common claims in computer security, including surveys, and show the bias present in much of the survey data used to justify security decision making. The chapter goes on to lament the lack of an objective trade press in the industry and then delves into the vulnerability discovery lifecycle that drives much of computer security. The authors examine how vulnerabilities are discovered, how vendors often ignore flaws in their products in their rush to market, and the fact that there are sometimes problems with using vulnerability reports as solid metrics for security. The chapter then goes on to examine how data about security can be collected, either by hobbyists or individuals. Ultimately, the authors lament the fact that much of the data collected about security isn't shared with the community and thus it becomes nearly impossible to make better decisions. The lack of objective, available data makes it extremely difficult for us to draw reliable conclusions based on trends or quantify the current state of security.

Chapter 4 looks at security breaches and specifically argues for the benefits of breach notification as one of the best ways to produce quantifiable metrics in security. The authors point out that breach notification rarely has long term consequences to a companies stock price or customer loyalty and the benefit of breach data would be invaluable to researchers. The authors argue that breach notification is a key component to the outlook of the New School. In joining the New School organizations have to learn "to focus on observation and objective measurement." They argue that only by doing so can we move information security from an art to a science. They say that while "it is true that computer security consists of a fog of moving parts...complex problems do get solved. Investigators bring a broad set of analytic techniques ranging from explanatory psychology...to complex economic models." At this point in the book the authors begin to introduce another key component of the New School, that is the need for integration of other fields of study into computer security. The authors argue that by utilizing approaches and theories developed in the fields of psychology, economics, sociology, and other academic areas our understanding of information security can be broadened and greatly enhanced. They always come back to ideas of empiricism, however, stating that "the core aspect of scientific research - the ability to gather objective data against which to test hypotheses - has been largely missing from information security." The authors emphasize that not only does data need to be collected, it must also be shared in order to aid in our understanding of the data.

Chapter 5 begins to draw upon outside fields of academia to enhance the New School. This chapter begins by introducing several economic models and explaining how they influence information security. While economic approaches to security are nothing new (risk mitigation, calculations of value and exposure equaling risk, etc.) the New School argues that "because computers are inevitably employed within a larger world, information security as a discipline must embrace lessons from a far wider field." The authors argue that economic models don't only have to be applied at a macro level to computer security, but can also be applied to more compartmentalized security problems (such as getting users to select good passwords). They also examine the success potential of certain security products based on economic analysis. The chapter goes on to discuss how lessons from psychology can be incorporated into our security decision making and to help us understand computer security more fully. Finally the chapter draws on lessons from sociology and shows how they too can inform our understanding of security.

Chapter 6 focuses on spending. The chapter is devoted to examining how organizations spend their money on information security and why. Like the earlier chapters, this one applies the New School approach to attempt to analyze spending habits and challenges many of the foundational logic that supports common security spending plans. The chapter draws on lessons from economics and psychology to examine the patterns of spending and suggests some ways in which we can improve our spending on security. Ultimately the authors argue that we understand the factors that should influence spending and focus our efforts on the most quantifiably effective expenditures of money.

Chapter 7, or Life in the New School, discusses many of the challenges facing the New School. These range from the lack of quality data to the dearth of a standardized security vocabulary. This chapter mainly points out the challenges that lie ahead and the many ways that a new approach can help overcome them.

Chapter 8 is a blanket call to join the New School along with instructions for how to begin. The authors argue that New School proponents should collect good data, analyze that data and seek new perspectives. They point out that the New School draws from a diverse body of academic knowledge and advocates synthesizing work from other academic area into the New School approach. Ultimately the New School challenges us to change how we think about information security. Not only should we question the "conventional wisdom" we take for granted, but we should also seek out new hypothesis and ways to test them in order to expand our understanding of computer security as a whole.

The book is an easy read and make quite an impression. Shostack and Stewart lead the charge towards a more empirical approach to computer security. The field has matured enough that we should begin treating it seriously, and in order to do so we need to be able to speak authoritatively about issues. The voodoo of conventional wisdom is no longer good enough when making recommendations as experts. We need to be able to point to solid evidence to justify security strategies and implementations. We also need to be able to look at quantifiable data when evaluating new products and tools. Ultimately I see the field moving in this direction and I give kudos to Shostack and Steward for issuing this clarion call to an industry that will hopefully take their message to heart.
8 of 10 people found the following review helpful
Recommended reading for information security practitioners June 13 2008
By Jacob Gajek - Published on Amazon.com
Format: Hardcover
As an information security professional, I enjoyed reading this book. The authors present a somewhat compelling case for a scientific approach to information security that emphasizes decision making based on empirical evidence, public disclosure of breach data as a means of gathering that evidence, and the application of methods and concepts from other disciplines such as economics, psychology, and sociology to information security problems.

In the first part of the book, the authors attempt to make the case that information security as a discipline is failing. High profile examples of various forms of computer crime, spam, phishing, malware, data breaches, and identity theft are cited as evidence. While the material makes for interesting reading, it falls somewhat short of making a convincing argument that the bad guys are winning the war on all fronts. I would have liked to see more solid evidence that the current approaches are not working. Has anti-virus technology truly failed to stem the tide of malware? Are there any statistics on that? What about anti-spam measures? Surely, not everything that the security industry has been up to until now has been a waste of time?

The current state of the security industry is examined next. Some criticism of the security industry is certainly warranted. The proliferation of questionable products which are more marketing hype than substance is a phenomenon that has parallels in other domains as well. One need only look at the world of high-end audio, where ridiculously expensive snake-oil products are sold to eager buyers who convince themselves that they can hear the difference in sound quality that these products purportedly afford them. However, this observation does not justify the wholesale rejection of all security products on the market and the security practices they facilitate. Just as technology alone cannot solve most real-world security problems, neither can most security failures be blamed on technology alone.

Several potential sources of empirical data are evaluated in the third and fourth chapter. Surveys are largely dismissed as flawed. The value of data from trade publications is questioned due to issues of timeliness and relevance to individual organizations. Software vulnerability data is given a little more respect, although the challenge to drawing meaningful conclusions from it remains largely unsolved. Instrumentation on the Internet in the form of honeypots and other security sensors is described as a promising source of evidence. In a similar vein, breach data locked up within the confines of individual organizations would constitute a veritable goldmine if shared freely, and this is expanded upon in the following chapter. The authors conclude with the observation that while objective evidence is very difficult to come by, the search for it must become the central focus for the "new school".

The fifth chapter is an interesting illustration of the explanatory power that a multi-disciplinary approach can bring to the problems of information security. Economic theory is used to elucidate the reasons for the proliferation of insecure software, the resistance to adoption of many security technologies and the failure to stop spam. Concepts from psychology are applied to the problems of patching software vulnerabilities and the management of security risks. The sociological problem of gender bias and lack of ethnic diversity within the computer security community is explored in terms of its exclusionary effect on new insights and fresh ways of thinking about information security.

Information security spending is analyzed in chapter six. Several emerging business drivers, such as creating customer trust and the benefits of security capabilities on IT operations efficiency, are described and may be of interest to readers faced with the challenge of selling security within their own organizations. Traditional approaches to security spending are discussed and sometimes rightfully criticized. An interesting recommendation is made: based on a study by Gordon and Loeb at the University of Maryland, the optimal amount to spend on the protection of an asset is 37% of the expected loss. Psychological factors influencing spending decisions are examined. The cost-effectiveness of employee security awareness and training is questioned, as is the return on investment from the development of a comprehensive security policy framework. This chapter is likely to be the most controversial one in the eyes of many security practitioners who are not technologists.

If I have been somewhat skeptical of the early parts of the book, I wholeheartedly agree with the overall message in the final two chapters. It is certainly worthwhile to explore new directions in information security, and a scientific, multi-disciplinary approach holds much promise for the future. The "new school" mind-set can only be a positive influence on the industry and I would not hesitate to recommend this book to anyone in the information security profession.


Feedback