Beautiful Security - Leading Security Experts Explain How They Think

Read more

Although most people don't give security much attention until their personal or business systems are attacked, this thought-provoking anthology demonstrates that digital security is not only worth thinking about, it's also a fascinating topic. Criminals succeed by exercising enormous creativity, and those defending against them must do the same.

Beautiful Security explores this challenging subject with insightful essays and analysis on topics that include:

The underground economy for personal information: how it works, the relationships among criminals, and some of the new ways they pounce on their prey
How social networking, cloud computing, and other popular trends help or hurt our online security
How metrics, requirements gathering, design, and law can take security to a higher level
The real, little-publicized history of PGP

This book includes contributions from:

Peiter "Mudge" Zatko
Jim Stickley
Elizabeth Nichols
Chenxi Wang
Ed Bellis
Ben Edelman
Phil Zimmermann and Jon Callas
Kathy Wang
Mark Curphey
John McManus
James Routh
Randy V. Sabett
Anton Chuvakin
Grant Geyer and Brian Dunphy
Peter Wayner
Michael Wood and Fernando Francisco

All royalties will be donated to the Internet Engineering Task Force (IETF).

List of contents

Preface;
Why Security Is Beautiful;
Audience for This Book;
Donation;
Organization of the Material;
Conventions Used in This Book;
Using Code Examples;
Safari® Books Online;
How to Contact Us;
Chapter 1: Psychological Security Traps;
1.1 Learned Helplessness and Naïveté;
1.2 Confirmation Traps;
1.3 Functional Fixation;
1.4 Summary;
Chapter 2: Wireless Networking: Fertile Ground for Social Engineering;
2.1 Easy Money;
2.2 Wireless Gone Wild;
2.3 Still, Wireless Is the Future;
Chapter 3: Beautiful Security Metrics;
3.1 Security Metrics by Analogy: Health;
3.2 Security Metrics by Example;
3.3 Summary;
Chapter 4: The Underground Economy of Security Breaches;
4.1 The Makeup and Infrastructure of the Cyber Underground;
4.2 The Payoff;
4.3 How Can We Combat This Growing Underground Economy?;
4.4 Summary;
Chapter 5: Beautiful Trade: Rethinking E-Commerce Security;
5.1 Deconstructing Commerce;
5.2 Weak Amelioration Attempts;
5.3 E-Commerce Redone: A New Security Model;
5.4 The New Model;
Chapter 6: Securing Online Advertising: Rustlers and Sheriffs in the New Wild West;
6.1 Attacks on Users;
6.2 Advertisers As Victims;
6.3 Creating Accountability in Online Advertising;
Chapter 7: The Evolution of PGP's Web of Trust;
7.1 PGP and OpenPGP;
7.2 Trust, Validity, and Authority;
7.3 PGP and Crypto History;
7.4 Enhancements to the Original Web of Trust Model;
7.5 Interesting Areas for Further Research;
7.6 References;
Chapter 8: Open Source Honeyclient: Proactive Detection of Client-Side Exploits;
8.1 Enter Honeyclients;
8.2 Introducing the World's First Open Source Honeyclient;
8.3 Second-Generation Honeyclients;
8.4 Honeyclient Operational Results;
8.5 Analysis of Exploits;
8.6 Limitations of the Current Honeyclient Implementation;
8.7 Related Work;
8.8 The Future of Honeyclients;
Chapter 9: Tomorrow's Security Cogs and Levers;
9.1 Cloud Computing and Web Services: The Single Machine Is Here;
9.2 Connecting People, Process, and Technology: The Potential for Business Process Management;
9.3 Social Networking: When People Start Communicating, Big Things Change;
9.4 Information Security Economics: Supercrunching and the New Rules of the Grid;
9.5 Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All;
9.6 Conclusion;
9.7 Acknowledgments;
Chapter 10: Security by Design;
10.1 Metrics with No Meaning;
10.2 Time to Market or Time to Quality?;
10.3 How a Disciplined System Development Lifecycle Can Help;
10.4 Conclusion: Beautiful Security Is an Attribute of Beautiful Systems;
Chapter 11: Forcing Firms to Focus: Is Secure Software in Your Future?;
11.1 Implicit Requirements Can Still Be Powerful;
11.2 How One Firm Came to Demand Secure Software;
11.3 Enforcing Security in Off-the-Shelf Software;
11.4 Analysis: How to Make the World's Software More Secure;
Chapter 12: Oh No, Here Come the Infosecurity Lawyers!;
12.1 Culture;
12.2 Balance;
12.3 Communication;
12.4 Doing the Right Thing;
Chapter 13: Beautiful Log Handling;
13.1 Logs in Security Laws and Standards;
13.2 Focus on Logs;
13.3 When Logs Are Invaluable;
13.4 Challenges with Logs;
13.5 Case Study: Behind a Trashed Server;
13.6 Future Logging;
13.7 Conclusions;
Chapter 14: Incident Detection: Finding the Other 68%;
14.1 A Common Starting Point;
14.2 Improving Detection with Context;
14.3 Improving Perspective with Host Logging;
14.4 Summary;
Chapter 15: Doing Real Work Without Real Data;
15.1 How Data Translucency Works;
15.2 A Real-Life Example;
15.3 Personal Data Stored As a Convenience;
15.4 Trade-offs;
15.5 Going Deeper;
15.6 References;
Chapter 16: Casting Spells: PC Security Theater;
16.1 Growing Attacks, Defenses in Retreat;
16.2 The Illusion Revealed;
16.3 Better Practices for Desktop Security;
16.4 Conclusion;
Contributors;
Colophon;

About the author

John Viega, the founder and CEO of Stonewall Software, is a well-known security expert and the coauthor of Building Secure Software (Addison-Wesley) and Network Security with OpenSSL (O'Reilly). John is responsible for numerous software security tools and is the original author of Mailman, the GNU mailing list manager. He holds a B.A. and M.S. in computer science from the University of Virginia. John is also an adjunct professor of Computer Science at Virginia Tech (Blacksburg) and is a senior policy researcher at the Cyberspace Policy Institute. He serves on the technical advisory boardfor the Open Web Applications Security Project. He also founded a Washington, D.C.-area security interest group that conducts monthly lectures presented by leading experts in the field. He is the author or coauthor of nearly 80 technical publications, including numerous refereed research papers and trade articles.

Summary

An anthology that describes methods used to secure computer systems in the face of threats. It covers topics that include: rewiring the expectations and assumptions of organizations regarding security; security as a design requirement; evolution and new projects in Web of Trust; and, legal sanctions to enforce security precautions.