Overview

If you think computer security has improved in recent years, The Myths of Security will shake you out of your complacency. Longtime security professional John Viega, formerly Chief Security Architect at McAfee, reports on the sorry state of the industry, and offers concrete suggestions for professionals and individuals confronting the issue. Why is security so bad? With many more people online than just a few years ago, there are more attackers -- and they're truly motivated. Attacks are sophisticated, subtle, and harder to detect than ever. But, as Viega notes, few people take the time to understand the situation and protect themselves accordingly. This book tells you:

  • Why it's easier for bad guys to "own" your computer than you think

  • Why anti-virus software doesn't work well -- and one simple way to fix it

  • Whether Apple OS X is more secure than Windows

  • What Windows needs to do better

  • How to make strong authentication pervasive

  • Why patch management is so bad

  • Whether there's anything you can do about identity theft

  • Five easy steps for fixing application security, and more

Provocative, insightful, and always controversial, The Myths of Security not only addresses IT professionals who deal with security issues, but also speaks to Mac and PC users who spend time online.

Subscriber Reviews

Average Rating: 3.25 out of 5, based on 4 ratings

"An early warning of disasters that might happen" - by alexey on 06-NOV-2009
This is a great book for either a security specialist or a general computer user. For the former, the book gives lots of criticism of the awful state of today's security; for the latter, the book identifies traps which users are likely to fall into and provides help in avoiding them. The book's biggest achievement is the breadth with which it considers various aspects of security, from anti-virus programs to secure shopping to secure hardware platforms, and it identifies possible improvements.

The book consists of many small chapters, but the global picture is easily visible. Based on his experience as a leading industry security expert, the author makes a proposal on how to improve the state of security. This is a call to action for everybody who wants to avoid a global security crisis.

The book starts by mentioning Randy Pausch, a professor who was smashing VCRs because of their bad user interfaces. According to the author, most of what security companies have to offer is worth smashing as well. The author says that security companies are responsible for security being treated as an inevitable evil that would slow down your computer and print out lots of false alarms.

He explains in greater detail how anti-virus software works. The companies spend most of their time analysing virus samples and writing signatures. This is a tedious process, and the value of this intellectual property is rather minimal. The author calls for better cooperation among security companies. Each company has its own signature format. On the Web, everybody is using XML to facilitate interoperability. Why can't the companies agree on a similar signature format?

The author analyses an opposite method of protection, behavior-based methods. They do not work in the current environment because of false positives. For example, if a program writes garbage to disk, it is possible that it decrypts something. Viruses and media players do this alike; their behavior is the same. The author proposes a solution to this problem. In order to decrease the rate of false positives, each program needs to get signed. A signature is verified in a repository of good programs. The problem is that users are not cooperating in creating such directories of programs that are verified. If such directories existed, then a behavior-based anti-virus suite would not raise an alarm for any trusted application.

Therefore, the author believes that the solution to our problems is in a collaborative approach to security, or an approach that involves a trusted authority. One real example of a successful implementation of this idea is SiteAdvisor, a program that runs as a plugin in Firefox and checks every web site a user visits against a database of good/bad sites. The rating of a web site depends on analysis that security experts performed earlier, but I guess it is possible to use crowd intelligence as well.

Are the companies spending their money wisely? The economics of security is another issue that the author analyses. His conclusion is that the 1 billion dollars that Microsoft spent on improving the security of the Vista operating system was spent wrongly. One reason is that the author says security training of developers is not worth spending money on, because people will forget everything in a couple of months. Instead, give money to the specialized security audit companies whose employees are doing security work for a living. Even though their rates are quite high and reach as much as 75 cents per line of code, it would cost less than 1 billion to audit Windows.

Finally, the author challenges the state of security in our society. For example, everybody is very concerned with identity theft. But there are so many interesting documents ending up in your garbage that any potential attacker would rather look into your garbage can than attempt to get into your computer.

The state of the secure Web is also challenged. The author claims that man-in-the-middle attacks are efficient. He says that people are ignoring expired SSL certificates or those issued by a dubious authority. The author calls for mutual authentication, where not only do you know that you are talking to a legitimate web site, but the site knows who it is talking to as well.

The author blames academia for re-inventing things that industry has been using for a while. He calls for better cooperation between industry and academia.

This book reminds me of a security book by Ross Anderson. However, this book is much more critical and focused on identifying the vulnerabilities and proposing how to fix them. Despite its criticism, the book is written with a great wish for a better state of security.

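
The allowlist idea the review attributes to the book, written out as a small added example (this is illustrative code, not the book's or the reviewer's): a behavior heuristic flags high-entropy disk writes, which a media player decrypting content and a malware dropper both produce, and a "repository of good programs" suppresses the alert for known-good executables. The entropy threshold, the program names, the executable images and the written payloads are all constructed for the demo, and a SHA-256 digest of the executable stands in for a real code-signing check.

```python
import hashlib
import math
from dataclasses import dataclass

# A write whose bytes carry at least this much entropy (bits per byte) looks
# like encrypted or compressed output. The threshold is an illustrative choice.
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass(frozen=True)
class WriteEvent:
    """One observed disk write: which program wrote, and what it wrote."""
    program: str      # path of the writing process (constructed)
    image: bytes      # bytes of that program's executable (constructed)
    payload: bytes    # bytes written to disk


def looks_like_encrypted_write(event: WriteEvent) -> bool:
    """The behaviour signal on its own; it fires for a media player as well."""
    return shannon_entropy(event.payload) >= HIGH_ENTROPY_BITS


def image_digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Stand-in for the "repository of good programs": known-good executable
# digests mapped to a publisher. A production allowlist would verify a
# code-signing chain (Authenticode, codesign) rather than a bare hash.
PLAYER_IMAGE = b"constructed media player executable v4.2"
TRUSTED_IMAGES = {image_digest(PLAYER_IMAGE): "Example Media Corp"}


def classify(event: WriteEvent, trusted=TRUSTED_IMAGES) -> str:
    """Behaviour heuristic first, then the allowlist decides whether to alert."""
    if not looks_like_encrypted_write(event):
        return "ok:benign-write"
    publisher = trusted.get(image_digest(event.image))
    if publisher is not None:
        return f"ok:trusted-program:{publisher}"
    return "alert:high-entropy-write-by-unknown-program"


# Constructed sample events. bytes(range(256)) carries exactly 8 bits/byte of
# entropy, standing in for decrypted media or ransomware ciphertext alike.
CIPHERTEXT_LIKE = bytes(range(256)) * 4
UNKNOWN_IMAGE = b"constructed unknown binary"
PLAYER_WRITE = WriteEvent("/usr/bin/player", PLAYER_IMAGE, CIPHERTEXT_LIKE)
DROPPER_WRITE = WriteEvent("/tmp/.x/upd.exe", UNKNOWN_IMAGE, CIPHERTEXT_LIKE)
# Same program path, but the binary was altered: its digest no longer matches.
TAMPERED_WRITE = WriteEvent("/usr/bin/player", PLAYER_IMAGE + b"\x90", CIPHERTEXT_LIKE)
# Low-entropy text written by an unknown program never trips the heuristic.
CONFIG_WRITE = WriteEvent("/tmp/.x/upd.exe", UNKNOWN_IMAGE, b"volume=80\nmute=0\n" * 40)


def run_demo() -> dict:
    events = {"player": PLAYER_WRITE, "dropper": DROPPER_WRITE,
              "tampered": TAMPERED_WRITE, "config": CONFIG_WRITE}
    return {name: classify(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:9s} {verdict}")
```

The tampered case is the reason the allowlist is keyed on the executable's identity rather than on its file name or path: a trojaned copy of the player produces the same behaviour but no longer matches the repository entry, so the alert comes back.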
