Cipher Book Review, Issue E130

Thinking Security: Stopping Next Year's Hackers
by Steven Bellovin

Addison-Wesley 2016.
ISBN ISBN 978-0-13-427754-7 . 

Reviewed by  Richard Austin   01/19/2016 

"I know security is important but what should I be doing?", "Is there really anything to security beyond complying with X?", "It seems like the security budget keeps going up year after year but what am I getting for that investment?" are some questions we've all encountered. They're very good questions but good answers are elusive. Bellovin asserts that the fundamental problem is that word "security" and a generally flawed understanding of what it is and what achieving it might imply. He pithily summarizes the problem as (p. xi): "we're protecting the wrong things, and we're hurting productivity in the process" when we should instead "protect the right things, and make it easy for employees to do the right thing."

The intended audience for the book is not hard-core security professionals or researchers, but system administrators, architects, IT managers, etc., who understand the basics of security but haven't yet taken the step of questioning and understanding the "Why?". Though a large population of educated practitioners is critical to the success of our security programs, there is a dearth of introductory books targeting this population.

Answering the "Why?" takes the reader on a four-step journey: "Defining the problem", "Technologies", "Secure Operations" and finally "The Future".

"Defining the problem" takes a broad view of "security", what it is and how one actually goes about doing it. In a brief sidebar titled "Cyberwar?" (p. 29), Bellovin deftly abolishes the popular hype of "Cyberwar" (military operations exclusively in the cyber domain) in favor of what Dr. Chris Demchak calls "cybered-warfare" (i.e., modern military operations will likely include a cyber component as a matter of course). I am indebted to him for the term "Targetier", introduced on p. 36 to refer to someone who mounts a targeted attack (as he notes, the etymology is questionable but, as in security, language and usage do change over time).

"Technologies" tours the common technologies found in the security aresenal such as anti-virus, firewalls, etc. Notable is Bellovin's discussion of extrusion detection in the chapter on firewalls and IDS. Chapter 6 on "Cryptography and VPNs" is a masterful overview of what crypto can and cannot do as well as what goes into using it correctly.

"Secure Operations" delves into how technologies are used together in solving the security problem. In addition to a solid overview of the usual suspects, Bellovin includes the often overlooked topics of "Keeping Software Up to Date" and "People" (where the poor usability of most of our security measures gets a well-deserved shellacking).

The final section, "The Future", opens with four case studies (including one on the IoT) where the reader is guided in applying what they've learned thus far and concludes with a commentary that examines what is involved in "Doing Security Properly".

This is a charming book for those who have some grasp of the basics of security and are ready to explore the topic further. Bellovin's lively and engaging writing style will draw the reader into an in-depth exploration of the topics under the guidance of a master who has realized that the measure of a true master is not in displaying his knowledge but in sharing it. Experts might consider keeping several copies for sharing.

It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin fearlessly samples the latest offerings of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org