Beautiful Security

29 04 2009

Just a quick post to let you know Beautiful Security from O’Reilly is now available at Amazon as well as directly from O’Reilly. Chapter Five – Beautiful Trade: Rethinking Ecommerce, is my personal favorite, but I may be a little biased :-).

All author proceeds will be donated to charity, so buy an extra copy for the kids!

/shameless self-promo





Beautiful Writing

23 01 2009

UPDATE: A decent round of commentary going on about this on the PCI Answers blog. I’ve added my two cents within the comments. You can read through the discussion here.

I have been lurking in a lot of the usual places lately, listening to and reading all the commentary about payment security thanks to the Heartland Payment Systems incident. I’m not going to comment on the incident here; there are already plenty of people offering up their opinions.

What do I want to mention about all this chatter? You are having the wrong debate! So many people in security are talking about what this means for PCI. Is PCI effective? Was there an issue with the assessment? To this I say “it doesn’t matter”. None of this is the root cause.

Jeremiah Grossman has a really good post on aligning incentives here. This is getting much closer to the real issues in payment security. Want to know more? Well this is where my shameless and disgusting self promotion comes in. 🙂

I have had the privilege of participating in writing a new book for O’Reilly, Beautiful Security. For those of you not familiar with the series, this is a follow-up to Beautiful Code and Beautiful Architecture. It’s a compilation where each author contributes a single chapter on a security topic, mine being securing ecommerce transactions. Below is the product description as found on Amazon:

Product Description
In this thought-provoking anthology, today’s security experts describe bold and extraordinary methods used to secure computer systems in the face of ever-increasing threats. Beautiful Security features a collection of essays and insightful analyses by leaders such as Ben Edelman, Grant Geyer, John McManus, and a dozen others who have found unusual solutions for writing secure code, designing secure applications, addressing modern challenges such as wireless security and Internet vulnerabilities, and much more.

Among the book’s wide-ranging topics, you’ll learn how new and more aggressive security measures work — and where they will lead us. Topics include:

  • Rewiring the expectations and assumptions of organizations regarding security
  • Security as a design requirement
  • Evolution and new projects in Web of Trust
  • Legal sanctions to enforce security precautions
  • An encryption/hash system for protecting user data
  • The criminal economy for stolen information
  • Detecting attacks through context

Go beyond the headlines, hype, and hearsay. With Beautiful Security, you’ll delve into the techniques, technology, ethics, and laws at the center of the biggest revolution in the history of network security. It’s a useful and far-reaching discussion you can’t afford to miss.

Special thanks to Mark Curphey and John Viega for involving me in this project. Lots of other authors much smarter than I, such as Anton Chuvakin, Mudge, and others, contributed chapters. All author proceeds are being donated to charity (IETF), another fantastic reason to pick up a copy!

Let’s stop arguing about how to build a better band-aid. It’s time to start talking more about addressing the root cause issues, and spend less time on the religious churn and debate around specific compliance requirements.





White List vs. Black List

17 06 2008

Jeremiah Grossman posted an entry on his blog yesterday about why most WAFs are not currently implemented in blocking mode. To steal from Jeremiah, who borrows from Dan Geer:

“When you know nothing, permit-all is the only option. When you know something, default-permit is what you can and should do. When you know everything, default-deny becomes possible, and only then.”

I think both Jeremiah and Dr. Dan are right on with their analysis. In fact, I would take this a step further and say this is ultimately how developers end up deciding whether to use a black list or white list approach when doing things like input validation. If you cannot fully document and articulate EVERYTHING about your site(s), it becomes impossible to create a valid white list. Knowing and understanding the majority of your site allows you to create a fairly effective black list, and of course, if you know nothing about your site you must allow all and pray.
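To make the three tiers concrete, here is an added example (mine, not from Jeremiah’s or Dan Geer’s posts) that validates a single form field under each policy. The field is a hypothetical “username” whose documented spec (3 to 16 lowercase letters, digits or underscores) is an assumption for illustration; the sample inputs are constructed. The point it shows is the one above: a black list only rejects the shapes its author thought of, while a white list derived from the documented spec rejects everything else by default.

```python
import re

# Constructed example: one field, three validation policies, one per tier of
# knowledge about the input. The username spec is an assumption for illustration.

# Tier 1: know nothing -> permit-all is the only option.
def permit_all(value: str) -> bool:
    return True

# Tier 2: know something -> default-permit, with a black list of the characters
# the author happens to have thought of. Anything not on the list gets through.
DENY_CHARS = frozenset("'\";<>")

def deny_list_valid(value: str) -> bool:
    return not any(ch in DENY_CHARS for ch in value)

# Tier 3: know everything -> default-deny, with a white list derived from the
# documented spec of the field. Anything not matching the spec is rejected.
USERNAME = re.compile(r"[a-z0-9_]{3,16}")

def allow_list_valid(value: str) -> bool:
    return USERNAME.fullmatch(value) is not None

# Constructed inputs: one legitimate username, three shapes the black list was
# never told about, and one it was.
SAMPLES = {
    "alice_01": "legitimate",
    "alice\x00": "embedded NUL",
    "Ålice": "non-ASCII letter",
    "a" * 40: "over-length",
    "bob'": "quote (on the black list)",
}

def compare(samples=SAMPLES):
    """Return {input: (permit_all, deny_list, allow_list)} for each sample."""
    return {s: (permit_all(s), deny_list_valid(s), allow_list_valid(s)) for s in samples}

if __name__ == "__main__":
    for s, (p, d, a) in compare().items():
        print(f"{SAMPLES[s]:<28} permit-all={p!s:<5} "
              f"black-list={d!s:<5} white-list={a}")
```

Running it shows the black list passing four of the five samples (only the quoted one is caught) while the white list passes exactly the legitimate username. The practical takeaway is the one in the quote: you can only write the white list once the field is fully specified, and until then a black list is the honest middle ground, not a substitute.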

To read a much more in-depth explanation of how this plays out in security, check out Dr. Dan Geer’s book. He delves into one of this blog’s favorite topics, the economics of information security and the trade-offs associated with it. Happy Reading!






Luminary Economics?

14 12 2007

There is a good interview with Bruce Schneier over at the Freakonomics blog. I am just getting through it, but here are a couple of Q&A excerpts that I tend to get a lot and completely agree with the answer given:

“Q: So seriously, do you shop on Amazon, or anywhere else online for that matter?

A: Of course. I shop online all the time; it’s far easier than going to a store, or even calling a mail-order phone number, if I know exactly what I want. What you’re really asking me is about the security. No one steals credit card numbers one-by-one, by eavesdropping on the Internet connection. They’re all stolen in blocks of a million by hacking the back-end database. It doesn’t matter if you bought something over the Internet, by phone, by mail, or in person — you’re equally vulnerable.”

I cannot stress this enough! It doesn’t matter whether your purchases are online or offline; in reality they’re all online. All of our transactions go through computer systems, are stored in large databases and are transmitted over networks. Look at the large security breaches in the news: many of them involve ‘offline’ purchases.

“Q: What was the one defining moment in your life that you knew you wanted to dedicate your life to computer security and cryptography?

A: I don’t know. Security is primarily a way of looking at the world, and I’ve always looked at the world that way. As a child, I always noticed security systems — in retail stores, in banks, in office buildings — and how to defeat them. I remember accompanying my mother to the voting booth, and noticing ways to break the security. So it’s less of a defining moment and more of a slow process.”

Security is a way of thinking. When interviewing candidates for information security roles, one of the things I look for beyond learned skills is how they think about problems. Specifically, a ‘security person’ thinks of different ways to break things. They think of ways to deconstruct the system and make it perform actions it was never intended to perform.






WEIS Call for Papers – 2008

1 11 2007

The Workshop on the Economics of Information Security just opened up its call for papers for 2008. This year it will be held at Dartmouth College in New Hampshire.

I have written about this workshop in the past (here, here and here). The amount of quality content that comes out of this is incredible. As most readers of this blog know, information security is much greater than a technical issue. This workshop addresses many of those problems including the economic incentives of security and privacy, the various trade-offs individuals and groups must make to achieve a level of security, addressing negative externalities, the psychology of security and more.

If you have an interest in the driving factors of what makes many of our systems more or less secure, I would highly recommend this workshop. Last year’s workshop generated a tremendous amount of buzz about WabiSabiLabi, the online marketplace for selling and purchasing vulnerabilities.

I would recommend reading Economics of Information Security as a great primer / introduction to the topics related to the workshop. You can find a link to it on the bookshelf of this site. It contains several papers that came directly from the workshop. This is a great way to dig yourself out of some of the day-to-day technical details and start thinking about some of the broader decision factors around security and privacy. While many of the papers come from academia, the information is a great way for those leading security programs in the private sector to understand the decision criteria that ultimately will fund or not fund their initiatives.







Recent Readings (and listenings)

6 08 2007

I recently finished two books (OK, one of them was audio), The Long Tail: Why the Future of Business is Selling More by Chris Anderson and Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks by Michal Zalewski. While they are very different, they were both good reads and very appropriate topics for this blog. I would recommend both to regular readers here.

Ever since I finished The Long Tail a couple of weeks ago, I had been meaning to post on it and what it means to information security. Well, while I was busy with other things, a couple of people went and did just that. Over the weekend Mark Curphey wrote a 2-part post which sums up the book and how it relates to our field at a high level. Part 1 is here and Part 2 is here. I encourage you to read his posts if you have an interest in the economics of information security.

Another area that came to mind while reading this book (sorry, listening to this book) was the ever-present topic these days of compliance. Organizations today have a number of regulations and laws that they must comply with in a given industry or geographic region. Some of these requirements make economic sense for the business; others are there to control the negative externalities of security. After reading (argh! LISTENING to) The Long Tail, I spent some time wondering how a set of tools, processes, etc. could make compliance economically sound and a choice organizations would make regardless of outside requirements (laws, regulations, etc.).

I would like to challenge readers of this post to come up with some new ideas that would take requirements that traditionally go against the rules of risk management and make them more sound for YOUR organization. The key here is that every organization is different. What may make economic sense within mine makes little to no sense in yours. That’s what makes the “one size fits all” approach of several regulations difficult on most companies today.

Have an idea? Post it here in a comment or send me an email!







Happy Reading

10 11 2006

Well, I finally got around to creating a blog and this is my first entry. I will primarily use this location to post and document some of my random thoughts around information security and the economics surrounding this topic. I, of course, reserve the right to veer off topic from time to time.

I was recently speaking to a former associate of mine who tends to keep tabs on my reading habits. I thought this is as good a place as any to create my personal bookshelf of recently read and currently reading books. If you have additional recommendations related to these topics I would love to hear them.