Unwrapping the Myths of Security
October 16, 2009
What the Computer Security Industry Doesn't Want You to Know
Review by Steve Hardwick, CISSP
I have worked in the information security business for more than 10 years, and I’ve learned there is one constant throughout – change. Keeping up with the ever-present cat and mouse battle between the hackers and security industry is a full time job. The Myths of Security by John Viega (O'Reilly Media, $29.95) provides a good view of what the security industry faces and why they sometimes fall short in the eyes of many people. So the next time you are hitting your computer with your keyboard in utter frustration, put it down, pick up this book and take a look at why computer security is so hard. You can also learn what doesn’t work to secure computers – and by extension, good security practices. Some of the biggest security weaknesses will surprise you.
This book begins by outlining how easy it is to have a security problem. Early chapters cover the methods of attacking computer systems and how they have evolved. These include simple viruses focused on specific operating systems up to more sophisticated Web-based attacks and social engineering exploits. New attacks are independent on the operating system; rather, they exploit the lack of knowledge of the user. (Despite their sanguine outlook, even Apple users are wide open to these types of attacks.) Chapter 15 has an excellent example of a phishing attack that demonstrates how the bad guy can get key information without ever touching the operating system. According to the Anti-Phishing Working Group, June of 2009 was the second-highest month for number of new phishing sites detected.
The author makes two very crucial points: First, it is no longer just a battle of viruses anymore – any computer user is vulnerable. Second, users will want an antivirus application that can deal with all manner of information security threats — viruses, malware, adware, phishing, cross site scripting and more.
This book provides an excellent view of many basic security elements, then steps into an overview of the good, the bad and the ugly of the tools that are out there. The author is critical of products that look great on the vendor’s Web site, but would bring a network to its knees if used, for example, intrusion prevention systems.
Viega dedicates several chapters to explain in plain language why some of these tools are not suited for personal use or for small companies. Many solid recommendations throughout inform individual users how to better protect themselves from a wide range of security threats. There is deeper detail on some of the more important security tools, but you'll need a good technical understanding for these sections. Chapter 29 “Application Security on a Budget” highlights the type of issues that are important – emphasizing training and simple free solutions vs. multiple expensive high tech solutions such as those intrusion prevention systems and virtualization.
As a former solutions developer, Viega is in an ideal position to give an informative peek over the fence at the challenges the security vendors face. In Chapters 8, 9 and 10, he breaks down the difficulty of vetting the thousands of pieces of data that daily go into our computers. He also explains why product vendors have some difficult choices in meeting end-users’ security as well satisfying the needs of vendor shareholders. This results in some odd methodologies that do not always have the end user’s interest as the highest priority – Chapter 7, “Google is Evil.” Or at worst, as outlined in Chapter 18, even plain old snake oil in a digital wrapper.
Many users do not realize the high cost of development and sheer manpower it takes to combat the threats that are out there. There are many detailed examples throughout the book showing how the business world shapes security products as much as the hackers.
The author does lend his industry experience to give suggestions on how the industry can better attack the problems. However, they may be somewhat controversial – Chapter 39, “What Antivirus Companies should be doing” is a good example. The chapter proposes that the antivirus vendors act as a “safe application” clearinghouse and restrict programs that have not been classified. But this goes against the open culture of the user community, even though Apple is trying this approach with its iPhone applications, with mixed reviews.
On the flip side, some attention is paid to understanding why there are hackers. Hacking has moved from the era of bravado and bragging rights into organized crime, as well as offering people in disadvantaged countries a way to make easy money. (In one recent example, a Russian consortium offered a malware affiliate bounty: infect a Mac, earn 43 cents.) However, the issue of outdated legal infrastructure in many developing countries which enables this, was not highlighted in the book. Those policies are a major hole in the global response to computer crime.
Similarly, it would have been a good balance to include a discussion on what the various governments are trying to do with new laws and regulations to help combat the problem. Conversely, the book did cover some newer threats such as data hostaging – which is becoming more of a threat to industries at large. For example, consider the salesman who will not return his laptop with all the customer information on it until his last commission check is in the bank.
If you are looking for a quick-fix to stop your computer from grinding to a halt every couple of days after your kids have unwittingly loaded the latest and greatest malware, then this is not the book for you. If you want a more in-depth understanding of today's threats, what you can do -- and what, if anything, anyone is trying to do to fix them -- then I would recommend this book.
Steve Hardwick has over 10 years of information security experience. He has worked with different environments from military customers, financial institutions, healthcare organizations and Fortune 1000 companies, as well as conducting security assessments for large and small corporations. He is currently Partner Manager at Mobile Armor Inc. providing cost effective solutions for securing and protecting mobile data.