If you think computer security has improved in recent years, The Myths of Security will shake you out of your complacency. Longtime security professional John Viega, formerly Chief Security Architect at McAfee, reports on the sorry state of the industry, and offers concrete suggestions for professionals and individuals confronting the issue. Why is security so bad? With many more people online than just a few years ago, there are more attackers -- and they're truly motivated. Attacks are sophisticated, subtle, and harder to detect than ever. But, as Viega notes, few people take the time to understand the situation and protect themselves accordingly. This book tells you:
Why it's easier for bad guys to "own" your computer than you think
Why anti-virus software doesn't work well -- and one simple way to fix it
Whether Apple OS X is more secure than Windows
What Windows needs to do better
How to make strong authentication pervasive
Why patch management is so bad
Whether there's anything you can do about identity theft
Five easy steps for fixing application security, and more
Provocative, insightful, and always controversial, The Myths of Security not only addresses IT professionals who deal with security issues, but also speaks to Mac and PC users who spend time online.
Average Amazon.com® Rating: based on 26 ratings (star value not recoverable from the page)
Good, but not what I expected. - 2009-10-01
After reading a brief overview of this book I was really excited to read it. As an information security professional, I was hoping the author would stir up some controversial thoughts and ideas that may have me rethinking the way I am doing things. What I got was a book that was a very good read, but nothing revolutionary. The book is organized into forty-eight topics, each a separate chapter consisting of a few pages each. Each chapter was just long enough to give some details or opinions about a topic without boring the reader with mundane page filler.
The Likes:
Chapter 16: The Cult of Schneier, was a great chapter. Yes, Bruce Schneier is one of the smartest minds in the industry, but he is the first to tell people not to be sheep. The author takes this one step further and declares: do not take everything Schneier says as gospel; he is human, and can be wrong. Although I agree with the author's thoughts that he will get a lot of flak for these comments from the "Cult of Schneier," I thought it was a great way to tell people to think for themselves and think outside the box.
Chapter 24: Open Source Security: A Red Herring was my favorite chapter in this book. It looks at both sides of the open source software vs. closed source software debate. This portion of the book was written in a way to let the reader come to their own conclusion about the debate, and not just rely on the author's opinion. It was an unbiased view on the pros and cons of both types of software solutions.
Chapter 30: "Responsible Disclosure" isn't Responsible, was another great chapter. Again the author presented many pros and cons to both sides of the debate about public disclosure of vulnerabilities. This was again a chapter that shows the reader how the software industry currently views disclosure and lets the reader decide how they feel about the issue. In my opinion, this is one of the few chapters that will make you think about your stand on the topic and maybe help you choose a position.
All of the anti-virus chapters were very well written, as expected from someone who has worked for one of the largest anti-virus developers. These chapters gave enough insight and detail about how the software works to let a layman understand, but not so much detail that they drowned in information.
The Dislikes:
In chapter 5 the author talks about the security software he runs, and then common security software that he does not run, including firewalls and AV. His arguments for not running these items seemed very weak, especially for a guy who works for an anti-virus company. I would have liked more insight into his thought process.
I found one contradiction that stood out: in Chapter 3 the author states that "However, these days, few services are visible by default..." when talking about the need for firewalls. In Chapter 5 the author states firewalls are needed because "people typically leave lots of vulnerable services on machines that are directly accessible to a lot of people". Which is it?
Overall this book was a very fast read (you could finish it on a short flight), but a very good one. It may not challenge your perspective as I had previously thought, but it is a good refresher as to why some of us work in the Information Security industry.
Review Written By Wayne M Gipson, CISSP, CISA
An early warning of disasters that might happen in the future - 2009-10-26
This is a great book for either a security specialist or a general computer user. For the former the book gives lots of criticism of the awful state of today's security; for the latter the book identifies traps which users are likely to fall into and provides help in avoiding them. The book's biggest achievement is the breadth with which it considers various aspects of security, from anti-virus programs to secure shopping to secure hardware platforms, and identifies possible improvements.
The book consists of many small chapters, but the global picture is easily visible. Based on his experience as a leading industry security expert, the author makes a proposal on how to improve the state of security. This is a call to action for everybody who wants to avoid a global security crisis.
The book starts by mentioning Randy Pausch, a professor who was smashing VCRs because of their bad user interfaces. According to the author, most of what security companies have to offer is worth smashing as well. The author says that security companies are responsible for security being treated as an inevitable evil that would slow down your computer and print out lots of false alarms.
He explains in greater detail how an anti-virus works. The companies spend most of their time analysing virus samples and writing signatures. This is a tedious process and the value of this intellectual property is rather minimal. The author calls for better cooperation among security companies. Each company has its own signature format. On the Web everybody is using XML to facilitate interoperability. Why can't the companies agree on a similar signature format?
The author analyses the opposite method of protection, behavior-based methods. They do not work in the current environment because of false positives. For example, if a program writes garbage to disk it is possible that it decrypts something. Viruses and media players do this alike; their behavior is the same. The author proposes a solution to this problem. In order to decrease the rate of false positives each program needs to get signed. A signature is verified against a repository of good programs. The problem is that users are not cooperating in creating such directories of verified programs. If such directories existed then a behavior-based anti-virus suite would not raise an alarm for any trusted application.
Therefore, the author believes that the solution to our problems is in a collaborative approach to security or an approach that involves a trusted authority. One real example of a successful implementation of this idea is SiteAdvisor, a program that runs as a plugin in Firefox and checks every web site a user visits against a database of good/bad sites. The rating of a web site depends on analysis that security experts performed earlier, but I guess it is possible to use crowd intelligence as well.
Are the companies spending their money wisely? The economics of security is another issue that the author analyses. His conclusion is that the 1 billion dollars that Microsoft spent on improving the security of the Vista operating system was spent wrongly. One reason, the author says, is that security training of developers is not worth spending money on because people will forget everything in a couple of months. Instead, give money to the specialized security audit companies whose employees do security work for a living. Even though their rates are quite high and reach as much as 75 cents per line of code, it would cost less than 1 billion to audit Windows.
Finally, the author challenges the state of security in our society. For example, everybody is very concerned with identity theft. But there are so many interesting documents ending up in your garbage that any potential attacker would rather look into your garbage can than attempt to get into your computer.
The state of the secure Web is also challenged. The author claims that man-in-the-middle attacks are efficient. He says that people are ignoring expired SSL certificates or those issued by a dubious authority. The author calls for mutual authentication, where not only do you know that you are talking to a legitimate web site, but the site knows who it is talking to as well.
The author blames academia for re-inventing things that industry has been using for a while. He calls for better cooperation between industry and academia.
This book reminds me of a security book by Ross Anderson. However, this book is much more critical and focused on identifying the vulnerabilities and proposing how to fix them. Despite its criticism, the book is written with a great wish for a better state of security.
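As an added illustration of the behavior-based idea summarized in the review above (the signed-program repository that suppresses alarms for trusted applications), here is a small Python sketch. It is not code from the book or from the reviewer. The "signature" check is simulated with a SHA-256 digest of the program image, since real code-signing verification is a platform API; the publisher name, entropy threshold, program images and disk-write payloads are all constructed for the example.

```python
"""Added example, not code from the book or the reviewer: a toy behavior-based
detector that gates its alerts on a trusted-program repository.  A real
repository would key on verified code signatures (Authenticode, codesign);
here trust is simulated with a SHA-256 digest of the program image, and all
sample data is constructed."""
import hashlib
import math
from dataclasses import dataclass


def image_digest(image: bytes) -> str:
    """Stand-in for signature verification: identify a program image by its SHA-256."""
    return hashlib.sha256(image).hexdigest()


# Constructed program images and the trusted-program repository (digest -> publisher).
MEDIA_PLAYER_IMAGE = b"constructed: media player 1.0"
DECRYPTOR_IMAGE = b"constructed: unknown dropper"
EDITOR_IMAGE = b"constructed: unknown text editor"

TRUSTED_REPOSITORY = {
    image_digest(MEDIA_PLAYER_IMAGE): "Example Media Co. (assumed publisher)",
}


@dataclass
class ProgramEvent:
    name: str
    image: bytes        # executable bytes as loaded
    disk_writes: list   # payloads the program wrote to disk


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means byte values are uniformly distributed."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


HIGH_ENTROPY_BITS = 7.0   # heuristic threshold (assumption)
MIN_WRITE_BYTES = 256     # tiny writes give no meaningful entropy estimate


def suspicious_behaviors(event: ProgramEvent) -> list:
    """Flag writes that look like ciphertext or freshly decrypted payloads.
    A media player decrypting a stream and a virus unpacking itself both trip this,
    which is exactly the false-positive problem the review describes."""
    findings = []
    for payload in event.disk_writes:
        if len(payload) >= MIN_WRITE_BYTES and shannon_entropy(payload) >= HIGH_ENTROPY_BITS:
            findings.append(f"high-entropy write of {len(payload)} bytes")
    return findings


def is_trusted(event: ProgramEvent) -> bool:
    """Trusted means the loaded image matches an entry in the repository."""
    return image_digest(event.image) in TRUSTED_REPOSITORY


def evaluate(event: ProgramEvent) -> dict:
    """Alert only when suspicious behavior comes from a program outside the repository."""
    behaviors = suspicious_behaviors(event)
    trusted = is_trusted(event)
    if behaviors and not trusted:
        verdict = "alert"
    elif behaviors:
        verdict = "suppressed"   # known-good program; the behavior is expected
    else:
        verdict = "allow"
    return {"program": event.name, "trusted": trusted, "behaviors": behaviors, "verdict": verdict}


# Constructed sample writes: 1 KiB of hash output stands in for decrypted media or a
# decrypted malware payload; repeated plain text stands in for an ordinary document.
HIGH_ENTROPY_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
PLAIN_TEXT_BLOB = b"The quick brown fox jumps over the lazy dog.\n" * 40

SAMPLE_EVENTS = [
    ProgramEvent("media_player", MEDIA_PLAYER_IMAGE, [HIGH_ENTROPY_BLOB]),
    ProgramEvent("unknown_dropper", DECRYPTOR_IMAGE, [HIGH_ENTROPY_BLOB]),
    ProgramEvent("unknown_editor", EDITOR_IMAGE, [PLAIN_TEXT_BLOB]),
]


def run_samples() -> dict:
    """Evaluate every constructed event; returns program name -> verdict."""
    return {ev.name: evaluate(ev)["verdict"] for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

Two points worth noticing when running it. First, the same high-entropy write is suppressed for the media player and alerted on for the unknown dropper, which is the whole value of the repository. Second, a tampered copy of a trusted program has a different digest and so falls out of trust automatically; what the repository cannot tell you is whether a genuinely trusted process has been exploited at runtime, so a real product still needs process-level telemetry beyond this check.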
Very Good; Practical - 2009-10-11
This book is an easy, fun, and somewhat scary read all at the same time. It accomplishes its goal of raising awareness about security issues by presenting material in small chapters that focus on a particular point.
The book is really a collection of short stories, each about a particular topic that is either directly about security or affected by security. The average chapter is probably about 5 pages, with most being between 2 and 7 pages. (230 pages in all, 48 chapters.) I like this approach because it keeps the stories interesting. (If the reader does get bored with a particular topic, it will be over soon anyway.) Also, the chapters are independently written so the reader can skip around at will.
The style used is quite entertaining. There is a slight hint of sarcasm in some areas but it is not overwhelming. The material itself is fairly serious (i.e. identity theft, anti-virus, corporate security, etc.), but the problems are presented in a way that is easy to read. Also, while the problems presented seem generally impossible to solve if one only reads the popular press (the world is coming to an end, turn to page 3 to see why), the book gives practical advice and/or suggestions of what we might do about such problems. There is a fair amount of "warnings" also given.
Overall, what advice is given is practical. For some problems where the author does not have an answer, he says so and points to areas that may be able to help in the future.
The point of the book it seems is to raise awareness of security issues. It does an excellent job of this.
Security professionals will like the book, although I suspect they probably already know much of the material. More importantly, readers whose main profession is not security will be able to easily understand the problems presented. This should provide a fun/scary read but also get people thinking about these issues and their implications for our daily lives.
A very fun read; hard to put down - 2009-11-06
Think about this book as a printed selection of blog posts, some a dozen pages, some half a page. John's essays, all 48 of them, read like a typical blog: fun views on hot subjects, new ideas for the future, dispelled myths, cool technologies, etc. I definitely enjoyed reading the book, even if most of the material was at least somewhat familiar to me.
For starters, this was the first time that I have seen a book written by somebody employed by an antivirus company who would agree that antivirus solutions don't work too well and slow down systems. It was very impressive to read that the author himself does not use an antivirus solution and even didn't use one when he was in charge of building one!
The following are some of my fave chapter highlights. "Security: Nobody Cares" is one of my favorites; it covers why people, on average, don't care about information security.
I also enjoyed his thinking about why Microsoft's antivirus solution would never pick up and never present a threat to the big AV vendors. In his opinion, most people do not trust Microsoft as a security brand. He thinks that customers would always go to a security specialist and not to MS for antivirus tools, even if such a specialist is located in Russia or the Czech Republic. Also, it looks like the 30% success ratio for antivirus solutions is pretty much a commonly accepted number nowadays; it is mentioned in the book more than a few times.
One chapter that made me angry was chapter 7 on Google. He basically makes the insinuation that Google in particular and pay-per-click advertising in general motivate people to hack into systems; a view as illogical as it is silly.
In chapter 26, John has an interesting idea for a Social Security number replacement scheme.
It is quite interesting that in chapter 28 John dispelled the myth that including security early in the application design is cheaper. Compared to ignoring the problem until notice from customers, it is certainly more expensive. He touches most other known security industry "pain points" such as vulnerability disclosure. He proposes to replace "responsible disclosure" with a new scheme that, from my view, looks kinda similar. He also discusses whether disclosing vulnerabilities reduces or increases the risk for consumers (sadly, it seems to increase it).
Closer to the end of the book the chapters get shorter and shorter. For example, chapter 42 ends up being half a page in length. It pretty much states that he would sacrifice some privacy for more functionality and so would most others, which seems to be a very popular view nowadays.
I was very happy to find that he devoted an entire chapter, 2 pages in length, to criticizing academic security research (one of my pet peeves!). He says "lots of academics are reinventing what security industry has been doing for years." He also mentions that there is nowhere near enough data sharing between the security industry, where the problems are, and academic security research, where, supposedly, the brains are.
Other reviewers have pointed out that it is not clear what the audience for the book is. Many of the chapters seemed written for the "curious consumer" while others are clearly intended for security practitioners or even security managers and imply a degree of IT industry savvy.
Finally, I have to say that the multiple mentions of McAfee did not annoy me at all. I fully realize that if somebody employed by the vendor criticizes the very livelihood of that vendor, you must throw your employer a major bone. You absolutely have to mention your employer positively, and he does, in many chapters.
To conclude, I read books on information security for fun. This book was a lot of fun to read even if I did not agree with some of his opinions. It is well-written, has a light style and touches most if not all controversial issues in security; the book also has a lot of fun novel ideas for the future to think about.
Less controversial than I expected - 2009-10-02
I am not a security expert, so I am not in a position to understand how much of the information contained in the book is new; part of it was new and valuable to me. The author is opinionated, but, after all, the book is less controversial than I expected, mostly dominated by pragmatic common sense. The chapters on "Open Source Security" and "Responsible Disclosure" were very interesting to me, even if they show the author's peculiar bias (but we are all biased in one way or another).
The book format is indeed very handy, divided into multiple, short, self-contained chapters. I've read most of it during my lunch breaks.