|
||||||||||||||||||
|
||||||||||||||||||
|
||||||||||||||||||
| |||||||||||||||
Frequently Bought Together
Product Details
|
Product Description
Product Description
<>“It is about time that a book like The New School came along. The age of security as pure technology is long past, and modern practitioners need to understand the social and cognitive aspects of security if they are to be successful. Shostack and Stewart teach readers exactly what they need to know--I just wish I could have had it when I first started out.”
--David Mortman, CSO-in-Residence Echelon One, former CSO Siebel Systems
Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography--and why you should, too. And why security breach notices are the best thing to ever happen to information security. It’s about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don’t just answer those questions--they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you’re a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about--and overcoming--your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.
- Better evidence for better decision-making
Why the security data you have doesn’t support effective decision-making--and what to do about it - Beyond security “silos”: getting the job done together
Why it’s so hard to improve security in isolation--and how the entire industry can make it happen and evolve - Amateurs study cryptography; professionals study economics
What IT security leaders can and must learn from other scientific fields - A bigger bang for every buck
How to re-allocate your scarce resources where they’ll do the most good
About the Author
Adam Shostack is part of Microsoft’s Security Development Lifecycle strategy team, where he is responsible for security design analysis techniques. Before Microsoft, Adam was involved in a number of successful start-ups focused on vulnerability scanning, privacy, and program analysis. He helped found the CVE, International Financial Cryptography association, and the Privacy Enhancing Technologies workshop. He has been a technical advisor to companies including Counterpane Internet Security and Debix.
Andrew Stewart is a Vice President at a US-based investment bank. His work on information security topics has been published in journals such as Computers & Security and Information Security Bulletin. His homepage is homepage.mac.com/andrew_j_stewart
Inside This Book
(Learn More)
Tag this product(What's this?)Think of a tag as a keyword or label you consider is strongly related to this product.
Tags will help all customers organize and find favorite items. |
What Other Items Do Customers Buy After Viewing This Item?
Customer Reviews
|
Share your thoughts with other customers:
|
||||||||||||||||||||||
|
Most helpful customer reviews
3 of 3 people found the following review helpful
4.0 out of 5 stars
Recommended reading for information security practitioners,
By
This review is from: The New School of Information Security (Hardcover)
As an information security professional, I enjoyed reading this book. The authors present a somewhat compelling case for a scientific approach to information security that emphasizes decision making based on empirical evidence, public disclosure of breach data as a means of gathering that evidence, and the application of methods and concepts from other disciplines such as economics, psychology, and sociology to information security problems.In the first part of the book, the authors attempt to make the case that information security as a discipline is failing. High profile examples of various forms of computer crime, spam, phishing, malware, data breaches, and identity theft are cited as evidence. While the material makes for interesting reading, it falls somewhat short of making a convincing argument that the bad guys are winning the war on all fronts. I would have liked to see more solid evidence that the current approaches are not working. Has anti-virus technology truly failed to stem the tide of malware? Are there any statistics on that? What about anti-spam measures? Surely, not everything that the security industry has been up to until now has been a waste of time? The current state of the security industry is examined next. Some criticism of the security industry is certainly warranted. The proliferation of questionable products which are more marketing hype than substance is a phenomenon that has parallels in other domains as well. One need only look at the world of high-end audio, where ridiculously expensive snake-oil products are sold to eager buyers who convince themselves that they can hear the difference in sound quality that these products purportedly afford them. However, this observation does not justify the wholesale rejection of all security products on the market and the security practices they facilitate. Just as technology alone cannot solve most real-world security problems, neither can most security failures be blamed on technology alone. Several potential sources of empirical data are evaluated in the third and fourth chapter. Surveys are largely dismissed as flawed. The value of data from trade publications is questioned due to issues of timeliness and relevance to individual organizations. Software vulnerability data is given a little more respect, although the challenge to drawing meaningful conclusions from it remains largely unsolved. Instrumentation on the Internet in the form of honeypots and other security sensors is described as a promising source of evidence. In a similar vein, breach data locked up within the confines of individual organizations would constitute a veritable goldmine if shared freely, and this is expanded upon in the following chapter. The authors conclude with the observation that while objective evidence is very difficult to come by, the search for it must become the central focus for the "new school". The fifth chapter is an interesting illustration of the explanatory power that a multi-disciplinary approach can bring to the problems of information security. Economic theory is used to elucidate the reasons for the proliferation of insecure software, the resistance to adoption of many security technologies and the failure to stop spam. Concepts from psychology are applied to the problems of patching software vulnerabilities and the management of security risks. The sociological problem of gender bias and lack of ethnic diversity within the computer security community is explored in terms of its exclusionary effect on new insights and fresh ways of thinking about information security. Information security spending is analyzed in chapter six. Several emerging business drivers, such as creating customer trust and the benefits of security capabilities on IT operations efficiency, are described and may be of interest to readers faced with the challenge of selling security within their own organizations. Traditional approaches to security spending are discussed and sometimes rightfully criticized. An interesting recommendation is made: based on a study by Gordon and Loeb at the University of Maryland, the optimal amount to spend on the protection of an asset is 37% of the expected loss. Psychological factors influencing spending decisions are examined. The cost-effectiveness of employee security awareness and training is questioned, as is the return on investment from the development of a comprehensive security policy framework. This chapter is likely to be the most controversial one in the eyes of many security practitioners who are not technologists. If I have been somewhat skeptical of the early parts of the book, I wholeheartedly agree with the overall message in the final two chapters. It is certainly worthwhile to explore new directions in information security, and a scientific, multi-disciplinary approach holds much promise for the future. The "new school" mind-set can only be a positive influence on the industry and I would not hesitate to recommend this book to anyone in the information security profession.
Share your thoughts with other customers: Create your own review
Most Helpful Customer Reviews on Amazon.com (beta) Amazon.com:
4.0 out of 5 stars (20 customer reviews) 23 of 27 people found the following review helpful
4.0 out of 5 stars
Amateurs Study Cryptography; Professionals Study Economics,
By James Harper - Published on Amazon.com
This review is from: The New School of Information Security (Hardcover)
What a delightful chapter title in Adam Shostack's and Andrew Stewart's new book, The New School of Information Security. They have produced a readable, compact tour of the information security field as it stands today - or perhaps as it lies in its crib. What we know intuitively the authors bring forward thoughtfully in their analysis of the information security industry: it is struggling to keep up with the defects in online communication, data storage, and business processes.Shostack and Stewart helpfully review the stable of plagues on computing, communication, and remote commerce: spam, phishing, viruses, identity theft, and such. Likewise, they introduce the cast of characters in the security field, all of whom seem to be feeling along in the dark together. Why are the lights off? Lack of data, they argue. Most information security decisions are taken in the absence of good information. The authors perceptively describe the substitutes for good information, like following trends, clinging to established brands, or chasing after studies produced by or for security vendors. The authors revel in the breach data that has been made available to them thanks to disclosure laws like California's SB 1386. A purist must quibble with mandated disclosure when common law can drive consumer protection more elegantly. But good data is good data, and the happenstance of its availability in the breach area is welcome. In the most delightful chapter in the book (I've used it as the title of this review), Shostack and Stewart go through the some of the most interesting problems in information security. Technical problems are what they are. Economics, sociology, psychology, and the like are the disciplines that will actually frame the solutions for information security problems. In subsequent chapters, Shostack and Stewart examine security spending and advocate for the "New School" approach to security. I would summarize theirs as a call for rigor, which is lacking today. It's ironic that the world of information lacks for data about its own workings, and thus lacks sound decision-making methods, but there you go. The book is a little heavy on "New School" talk. If the name doesn't stick, Shostack and Stewart risk looking like they failed to start a trend. But it's a trend that must take hold if information security is going to be a sound discipline and industry. I'm better aware for reading The New School of Information Security that info sec is very much in its infancy. The nurturing Shostack and Stewart recommend will help it grow. 22 of 26 people found the following review helpful
5.0 out of 5 stars
Book review I wrote for ITToolbox,
By Monkey "Monkey Moniker" - Published on Amazon.com
Amazon Verified Purchase(What's this?)
This review is from: The New School of Information Security (Hardcover)
If you want to read a book that will have an influence on your information security career, or if you just want to read something that points out that we do need to do information security differently, then you need to go pick up a copy of "The new school of information security" by Adam Shostack and Andrew Stewart.The book reads like this blog, everything from Noam Epple and the "Security Absurdity" with the response article Noam Eppel Follow up to Security Absurdity and Security Absurdity - Is information security "Broken". All the way through some of the latest hacks from Two weeks, two security breaches in web 2.0 applications to Tom's excellent article on Even Oracle is not without security problems. There are some short sharp jabs in the side for information security people and managers that think they are safe behind their firewalls. If anything is going to serve as the cup of coffee after Noam Epple's wake up call, it has to be this book. Which means you have to go buy it to get where we are going as an industry. The New School of Information Security asks a lot of questions, that as a security community we need to answer. Everything from the value of the CISSP (is it just showing you can take a test, or does it really imply that the person knows something?), in a debate here that even people in the industry who love what we do can not answer. The idea of the CISSP is good, but the book speaks heresy, reliance on the CISSP is dangerous, dangerous to a company, it narrows the confines of the box when information security people need to be everywhere helping out. The book also talks about issues within the company as simple as the firewall, to how programmers got around firewall blocks by routing programs over port 80, to the untrusted and trusted insider, to the fundamental bedrock of how we make decisions, the flawed and often meaningless statistics that come from research labs. The whole industry is broken, and while we bask in our unregulated age, HIPAA, SOX, and other rules like PCI are just the shot across the bow on regulation, and more will be coming. Programmers do not get it, neither do security folks. From requesting a 6 million dollar solution for a 30 minute test, to saying "no" to watching businesses move their IT requirements to Amazon EC2 or AWS, to dumping the traditional attitude - we are a group of people in trouble, and we need to read this book. We need to shake up our communities, and the way that we work, not smarter, not harder, but working within the confines of realistic information security for the company that we are in. Best practices are just that, generic, you must tailor them for the risks that you have in your industry. To rely on Best Practices, NIST 800, ITIL, and other standards is to court disaster because no one is taking the specifics or unique issues of your particular industry. They also talk about security appliances, vendors, trusted sites that have the branding truste and hacker safe, with some interesting comments on how those systems and certifications provide a false sense of security not just to the people running the site, but to the customers who visit them as well. Much to ponder, some of it has shown up with the writers here at ITtoolbox as well, which is very nice, we have been talking about these very same issues for the last 2 years if you read this site. The book is a nice digest of what has been here, and available to folks who visit here or read via syndication or RSS. Otherwise, we really will not need a "security industry" per say, we will just get rolled up into something else, and loose our unique and distinct culture. 17 of 20 people found the following review helpful
5.0 out of 5 stars
A Must-Read Book on a Proper IT Outlook,
By Robert J. Sama - Published on Amazon.com
Amazon Verified Purchase(What's this?)
This review is from: The New School of Information Security (Hardcover)
The New School's thesis is straightforward: publish data and use that data to approach IT security questions with a more scientific mindset, utilizing other academic disciplines such as economics and psychology to aid in solving problems.The book would be a great primer for an MBA course on IT systems and organizational behavior. I suspect that so much of what causes secrecy around breaches in business organizations are the overblown fears of MBAs of customers fleeing. Shostack and Stewart do a good job calming those fears, and showing how disclosure really helps all parties move toward better security. The book is a quick read, and it's more of a philosophical treatise than a how-to manual. For that reason I think it would be beneficial for anyone in IT or an organization's management to read it, as the book speaks to both parties. I should disclose that I've known Adam Shostack for years, I do not know Andrew Stewart. |
|
Listmania!
Look for similar items by category
- Books > Business & Investing > Industries & Professions > E-commerce
- Books > Computers & Internet > Business & Culture > Privacy
- Books > Computers & Internet > Certification Central > Exams > Security+
- Books > Computers & Internet > Computer Science > Software Engineering > Information Systems
- Books > Computers & Internet > Home Computing > Internet
- Books > Computers & Internet > Networking > Network Security
- Books > Computers & Internet > Web Development > Security & Encryption > Encryption
- Books > New & Used Textbooks > Computer Science & Information Systems
Look for similar items by subject
Feedback
Would you like to update product info or give feedback on images?
|
