Information Security Reading List

Like information security in the real world, most (all?) information security books are about tactics, but what we also need is to understand where we are and where we are going. To do that, it's important to read other fields and understand their ideas. Here is a brief reading list to explore some concepts that are useful, but relatively unexplored in information security.

1. The Dhandho Investor by Mohnish Pabrai. I posted on how much I enjoyed this book in the past, and James McGovern did as well. The key thing here for us infosec types is to decouple risk and uncertainty and focus more on the former. I have often said that I have learned more about security from reading Buffett and Munger than from anything in the information security literature. Pabrai is a fellow traveler on the Buffett/Munger trail.

2. The World is Flat by Thomas Friedman - ubiquitous, but the best take on why this work matters comes from Chris Ceppi, who said to me that he thinks this book does a better job of explaining federated identity than any technical work. I agree.

3. The Pentagon's New Map and Blueprint for Action by Thomas Barnett - these two books are absolutely critical to understanding 21st century security: how to think horizontally about security, deliver decentralized security services, and enable resiliency for the system as a whole. Barnett gives us a 21st century security builder model. It is the best work I have seen on the overlap of economic models and security models.

4. Brave New War by John Robb - as I mentioned in my review, Robb is the black hat to Barnett's white hat. But when he does get prescriptive about dealing with the asymmetric threat problem that globalization has unleashed on us, the action items are all around survivability and resilience.

5. The Starfish and the Spider by Ori Brafman and Rod Beckstrom - again a focus on decentralization, mapping services and skills, and identifying and enabling catalysts through trusted networks. Spiders die, starfish regenerate - think about that next time you are designing access control. Interestingly enough, Rod Beckstrom is now the cyber security czar, and I am very hopeful to see some good things come out of this appointment. It's very interesting to think about OWASP as a starfish organization. Totally decentralized, I believe one employee, a major global impact - the single best source for software security (not just web app security). OWASP is a living testament to the positive power and impact that starfish organizations can have.

One thing these all have in common is decoupling and decentralization. In the field, people often automatically associate security with centralization, but this is often the wrong approach. Many times the most cost-effective, proportional approach is to take a decentralized path; these books give some ideas on how to do that.

Update: Chapter 5 of The New School of Information Security by Adam Shostack and Andrew Stewart is about this same issue of learning from other fields. I will have a review of this book soon; they go into quite a lot of detail about what information security can glean from economics, psychology and other disciplines, and I particularly like their last sentence in that chapter:

Lessons from other sciences allow us to observe the world, ask why, and receive an answer.

Chicken Soup for the CISO's Soul

Andrew Jaquith's book Security Metrics: Replacing Fear, Uncertainty and Doubt is all killer, no filler. Jaquith provides new directions in a field, information security, that sorely needs them. In a sea of infosec books this one stands out: a fresh approach to an important yet misunderstood topic, a focus on how to communicate (which is a key to success), and the use of numbers to amplify the decision support process.

Simply put, Security Metrics is a cookbook of ideas, and you can pick up any chapter, read it, and get actionable ideas on how to improve decision making in your security organization. The book begins by neatly encapsulating the flailing efforts seen in many enterprise infosec groups, which Jaquith dubs the "Hamster Wheel of Pain", aka ignorance is bliss. Set against this all too common problem statement are security metrics, which Jaquith proposes as the way to measure whether your security is actually getting better.

There is of course more than one way to approach security measurement. Jaquith looks at two camps: Measurers and Modelers. Measurers look at empirical data, correlation, essential practices, economic spending, and before-and-after views. Modelers are more concerned with risk equations, loss expectancy, attack surfaces, and "why" questions. Most of the book is focused on the measurer's approach, so we don't get to see a grand overarching model. On the plus side, we do get lots of metrics recipes that can be plugged into and used in a real world infosec program.

Probably the best chapter for the uninitiated is Chapter 2, "Defining a Good Security Metric", which summarizes the rules for a good security metric: consistently measured, cheap to gather, expressed as a cardinal number, and expressed using at least one unit of measure. The chapter is equally useful in describing what metrics are not, explicitly excluding infosec sacred cows such as ISO 17799 audit checklists and Annual Loss Expectancy. If you are going to send a message to the rest of the herd, you have to be prepared to shoot some of the lead buffalo. Thank you, Mr. Jaquith.
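To make the four rules concrete, here is a small example I have added to this review (it is my own illustration, not one of Jaquith's recipes). It computes two remediation metrics from a handful of constructed scanner records and contrasts them with the kind of subjective "High/Medium" rating the rules exclude. The host names, dates and SLA thresholds are made up.

```python
"""Two Jaquith-style metrics computed from constructed remediation records.

Added illustration for this review: the records are made up and the metric
definitions are my own simplification, not recipes from the book.
"""
from datetime import date
from statistics import mean

# Constructed sample: one row per (host, vulnerability) from a scanner feed.
# patched=None means the finding is still open on the measurement date.
RECORDS = [
    {"host": "web01", "severity": "critical", "found": date(2008, 3, 1),  "patched": date(2008, 3, 9)},
    {"host": "web02", "severity": "critical", "found": date(2008, 3, 1),  "patched": date(2008, 4, 15)},
    {"host": "db01",  "severity": "critical", "found": date(2008, 3, 10), "patched": None},
    {"host": "app01", "severity": "high",     "found": date(2008, 3, 5),  "patched": date(2008, 3, 20)},
    {"host": "app02", "severity": "high",     "found": date(2008, 3, 5),  "patched": date(2008, 3, 12)},
    {"host": "ws03",  "severity": "low",      "found": date(2008, 2, 20), "patched": date(2008, 3, 30)},
]
AS_OF = date(2008, 4, 30)   # constructed measurement date


def days_to_patch(rec, as_of=AS_OF):
    """Remediation latency in days; open findings are counted up to the measurement date."""
    end = rec["patched"] or as_of
    return (end - rec["found"]).days


def mean_time_to_patch(records, severity=None, as_of=AS_OF):
    """Mean remediation latency in days, optionally for one severity band.

    Consistently measured (same rule for every row), cheap to gather (derived from
    data the scanner already produces), a cardinal number, and it carries a unit: days.
    """
    rows = [r for r in records if severity is None or r["severity"] == severity]
    return round(mean(days_to_patch(r, as_of) for r in rows), 1)


def pct_within_sla(records, severity, sla_days, as_of=AS_OF):
    """Percentage of findings of one severity remediated within sla_days.

    A percentage rather than a raw count, so two business units of different size
    can be put side by side.
    """
    rows = [r for r in records if r["severity"] == severity]
    met = sum(1 for r in rows
              if r["patched"] is not None and days_to_patch(r, as_of) <= sla_days)
    return round(100.0 * met / len(rows), 1)


def subjective_rating(records):
    """What the rules exclude: a label with no unit, no cardinal value and no
    repeatable procedure. Two analysts could legitimately disagree about it, and
    'High' this quarter cannot be compared with 'High' last quarter.
    """
    open_critical = any(r["severity"] == "critical" and r["patched"] is None for r in records)
    return "High" if open_critical else "Medium"


if __name__ == "__main__":
    print("mean time to patch, all findings:", mean_time_to_patch(RECORDS), "days")
    print("mean time to patch, critical:", mean_time_to_patch(RECORDS, "critical"), "days")
    print("critical patched within 30 days:", pct_within_sla(RECORDS, "critical", 30), "%")
    print("subjective rating (not a metric):", subjective_rating(RECORDS))
```

Note that the open critical finding on db01 is counted up to the measurement date rather than dropped; silently excluding open findings is the easiest way to make a latency metric look better than it is.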

Chapters 3 and 4 are where the cookbook comes together, with a large number of detailed metrics recipes for measuring aspects of network security, host security, application security and so on. This is the "take this back to your desk and start working on it" part. Chapter 5 presents a good overview of measurement analysis techniques so that you can better understand what you just gathered. Useful again, because we are now in the realm of using numbers to understand security instead of mere axiom.

The last part of the book is very important for enterprise infosec because it deals with scorecards and visualization; my partner Pat Christiansen likes to say that architecture is 50% technical ability and 50% communication. These chapters provide some Tufte-esque approaches to communicating the findings to different types of security stakeholders, with ideas for facilitating communication up, down, and across the organization.

This is really a good book for anyone in IT to demystify the FUD-laden world of IT security. If you work in security it is a must read. If you manage a security group, I recommend buying a copy for everyone on your staff, waiting 2-4 weeks, and then coming back and asking where the heck all the decision support metrics are.

Book Review: Brave New War

John Robb's Brave New War provides an excellent summary of the major security issues that militaries, governments and businesses have to deal with. Robb explores the asymmetries in information, technology, intelligence, and agility that can give a small, disgruntled band of people certain advantages over very large and powerful systems. His excellent blog is rife with these examples.

Due to a number of technological factors, small groups of people can bring very powerful weapons to bear on large systems. In our hypermedia age, Robb's so-called Global Guerrillas can learn from each other in an open source way; Robb gives the example of the Iraq IED marketplace, where IED entrepreneurs learn how to improve techniques from each other.

There are many parallels between the above and computer security. In computer security, enterprises have to defend thousands of machines and connections. An attacker need only find one exploit. It is very likely that the attacker knows far more about the security vulnerabilities in your operating system, app server, web server, and database than the person who is administering them. This is an information asymmetry that can be (and is) exploited. In the computer security world we typically think of things in white hat and black hat terms. I tend to think of Robb as the physical world's uber black hat and Thomas Barnett as the white hat (heck, he even advocates for a SysAdmin approach).

Sadly, another parallel is investment in security. While the US military fights guerrillas, the Pentagon invests in more battleships and submarines. While enterprise IT connects millions of customers and partners throughout its systems, IT security buys firewalls and network security gear. This is not just fighting the last war, this is fighting in the last century.

The last part of the book, "Rethinking Security", was the most interesting for me. Robb points out that you cannot really expect to deal with all the threats. Attacks evolve. As Pete Lindstrom says, there are three reasons for this:

1. Intelligent adversary
2. Intelligent adversary
3. Intelligent adversary

So instead of the naive "patch and pray" approach, Robb advocates survivability as the centerpiece of a 21st century approach to security. This was quite a nice surprise to find at the end of an already enjoyable book. One of my favorite people to work with, Howard Lipson, has been beating the drum for computer security to deal with survivability for a while. Howard's three R's of survivability are:

Resistance - the ability of a system to repel attacks

Recognition - the ability to recognize attacks and the extent of the damage

Recovery - the ability to restore essential services during an attack, and recover full services after the attack

Of course, as I blogged yesterday, the Anasazi were pretty good at this stuff a few hundred years ago. I wonder when computer scientists will catch up.

Book Review: Secure Coding

When clients are starting down the road to software security and ask me what book is the best starting place, I recommend "Secure Coding: Principles and Practices" by Mark Graff and Ken van Wyk.

The hardest thing about software security is that in most organizations no one person or group really owns it. So you have this dichotomy where software people don't really have the requisite security knowledge, and security people don't really understand all the details of software development. It is difficult to navigate the terrain between these domains in a way that is specific enough to be understandable and actionable, without overwhelming the reader from one background or the other. This is what makes Secure Coding such a great starting point.

Chapter 1 hits a number of important software security issues and, most importantly for software developers, provides an intro to thinking about software design from the attacker's point of view. The authors also hit an extremely important point on composition, quoting an expert bridge player: "No one made any mistakes. Only the result was ridiculous." The fact that most OO and distributed systems are built on composition is a major issue in security, because security mechanisms and protocols are generally not composable.
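The bridge quote is worth making concrete. The example below is one I have added to this review (it is not from the book): a percent-decoding step and a path-traversal check are each correct in isolation, but chained in the wrong order they wave an encoded `..` straight through, and nobody wrote a buggy line. The web root, request paths and function names are made up for the illustration.

```python
"""Composition failure: two correct pieces, a ridiculous result.

Added illustration for this review, not from Graff and van Wyk. The web root
and request paths are constructed.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/static"   # constructed document root


def has_traversal(path):
    """Correct on its own: true if any path segment is '..'."""
    return ".." in path.split("/")


def decode(path):
    """Correct on its own: the percent-decoding every web server performs."""
    return unquote(path)


def resolve(path):
    """Join the request path under WEB_ROOT, collapsing '.' and '..' the way the OS would."""
    return posixpath.normpath(WEB_ROOT + "/" + path.lstrip("/"))


def serve_check_then_decode(request_path):
    """The ridiculous composition: check the raw string, then decode for the filesystem.

    Returns the filesystem path that would be opened, or None if rejected.
    Neither component is wrong; the ORDER lets '%2e%2e' bypass the check.
    """
    if has_traversal(request_path):
        return None
    return resolve(decode(request_path))


def serve_decode_then_check(request_path):
    """Canonicalize first, check the canonical form, and then enforce the root on the
    resolved path as a second, independent line of defence (double-encoded or otherwise
    odd input that survives one decode cannot escape WEB_ROOT either)."""
    decoded = decode(request_path)
    if has_traversal(decoded):
        return None
    target = resolve(decoded)
    if not (target == WEB_ROOT or target.startswith(WEB_ROOT + "/")):
        return None
    return target


if __name__ == "__main__":
    for req in ["img/logo%20small.png", "../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{req!r:45} check-then-decode -> {serve_check_then_decode(req)}")
        print(f"{'':45} decode-then-check -> {serve_decode_then_check(req)}")
```

The general lesson matches the chapter's point: a security check is only meaningful against the representation that will actually be acted upon, so canonicalize before you validate, and never rely on one check alone when another layer can enforce the same invariant.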

Chapters 2 and 3 examine security architecture and design; this is generally where the most egregious issues come into play. As with the majority of the book, there are actionable steps laid out to help you incorporate the secure coding principles the authors describe. The authors also strike a good balance between what to do and what not to do. Too many security books only address the latter.

Chapters 4, 5, and 6 look at the remainder of the development lifecycle, defining practical ways to integrate security into software implementation, testing, and operations. What is most valuable in the authors' approach is that a top-down methodology is not required on the part of the enterprise to begin down the software security path. The authors do describe some top-down techniques, but each and every phase described in the book contains numerous actions that enterprises can adopt at little to no cost. For example, the implementation chapter looks at peer reviews and checklists for secure coding, and the operations chapter looks at specific ways to implement security event logging. There is effectively a very low barrier to entry for organizations to deploy any number of the concepts described in this book.

This book does not contain the nth layer of every major security design decision you need to make, but it is a great place to begin the journey. Quoting Martin Fowler: "comprehensiveness is the enemy of comprehensibility."

Book Review - Digital Identity by Phil Windley

Ever noticed how many of the most useful books are really short? Kernighan and Ritchie on C programming and Kent Beck on Extreme Programming come to mind. Well, now we have a short, to the point, and similarly useful book on identity: Phil Windley's "Digital Identity". Increased integration, security concerns, distributed computing, SOA and Web Services, privacy issues, crimeware/malware, and compliance all conspire to make identity a mission critical element in software architecture. Many of the key concerns get conflated and confused amidst the buzzwords and arcane terminology used by the identerati. What is needed is conceptual clarity about the key elements in identity management architecture, and how they relate to each other as well as to the software platform and its users.

Windley's book delivers the needed clarity, breaking down identity management architecture (IMA) into Process Architecture ("how your business accomplishes identity related tasks and how they should be accomplished in the future."), Data Architecture ("The data architecture is a model of the identity data in your organization"), and Technical Reference Architecture ("how the IMA communicates implementation guidance to system architects"). None of these architectural elements is a vendor-specific solution, so architecture work is required to design the correct approach for your organization. Windley describes two important parts of an IMA: Policies ("crucial in creating identity infrastructures that work for the simple reason that it's impossible to create technical solutions to every problem.") and the Interoperability Framework ("list of standards that your organization has chosen to support and use."). The supporting website contains useful policy templates for a wide variety of identity policy domains.

The early chapters deal with setting a consistent terminology for identity data and processes. Chapter 5 defines an identity lifecycle, including two helpful in-the-trenches observations: 1) that identity maintenance is one of the most costly areas, and 2) that deprovisioning is just as important as provisioning. Chapter 6 talks about cryptosystems, message digests, hashing, and related infrastructure (such as PKI); the part I found most useful is that Windley shows which solutions deliver particular properties such as confidentiality, integrity, and non-repudiation.
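Windley's mapping of mechanism to property is the kind of thing that sticks better with a demonstration, so here is one I have added to this review (it is not from the book). It uses only the Python standard library to show the boundary between a bare digest, which detects accidental corruption but not a deliberate change, and an HMAC, which adds authenticity for holders of the shared key but still cannot give non-repudiation, because the verifier holds the same key and can forge a tag. The key and message are constructed.

```python
"""Which mechanism delivers which property: digest vs HMAC.

Added illustration for this review, not from Windley's book. The shared key
and the order message are constructed.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-shared-secret"          # held by BOTH sender and receiver
ORDER = b"transfer 100.00 from acct 1234 to acct 9876"


def digest(msg):
    """Integrity against accident only: anyone can recompute it."""
    return hashlib.sha256(msg).hexdigest()


def tag(msg, key):
    """HMAC: integrity plus authenticity for whoever holds `key`."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_tag(msg, t, key):
    # compare_digest is constant-time; a plain == leaks timing information
    return hmac.compare_digest(tag(msg, key), t)


def _attacker_rewrite(msg):
    # The on-path attacker's edit: change the amount.
    return msg.replace(b"100.00", b"999.00")


def accepted_after_tamper_digest(msg):
    """Sender ships (msg, digest). Attacker rewrites msg AND recomputes the digest.
    Returns True if the receiver accepts: a digest alone cannot distinguish this."""
    new_msg = _attacker_rewrite(msg)
    new_digest = digest(new_msg)                # no key needed
    return digest(new_msg) == new_digest        # receiver's check passes


def accepted_after_tamper_hmac(msg):
    """Sender ships (msg, tag). Attacker rewrites msg but lacks SHARED_KEY, so the
    best they can do is replay the old tag. Returns True if the receiver accepts."""
    original_tag = tag(msg, SHARED_KEY)
    new_msg = _attacker_rewrite(msg)
    return verify_tag(new_msg, original_tag, SHARED_KEY)


def receiver_can_forge(msg):
    """Why an HMAC gives no non-repudiation: the receiver also holds SHARED_KEY, so a
    tag they present to a third party as 'from the sender' proves nothing. Returns
    True if the receiver's own forged tag verifies exactly like the sender's would."""
    forged = tag(msg, SHARED_KEY)               # computed by the receiver, not the sender
    return verify_tag(msg, forged, SHARED_KEY)


if __name__ == "__main__":
    print("digest: tampered order accepted?", accepted_after_tamper_digest(ORDER))   # True
    print("HMAC:   tampered order accepted?", accepted_after_tamper_hmac(ORDER))     # False
    print("HMAC:   receiver can forge tag?  ", receiver_can_forge(ORDER))            # True
```

Non-repudiation needs a key the verifier does not have, which is the point at which asymmetric signatures and the PKI Windley covers in the same chapter enter the picture; neither hashing nor a MAC gets you there.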

Chapter 8 has a refreshing discussion of access control and the principle of least privilege in the real world. Many security policies blithely state (and restate) the principle of least privilege, but when it is assumed to be in place and isn't, the assumption itself becomes the problem. This chapter also has a good RBAC discussion. Chapter 9 draws important distinctions between directory services and relational databases, and gives prescriptive guidance on where each is appropriate. Chapter 9 also introduces the notions of metadirectories and virtual directories. Again, Windley maps these concepts directly to the specific issues they solve, making the book a very handy design partner for identity management architects.
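Two of the in-the-trenches points above, deprovisioning from Chapter 5 and least privilege assumed but not in place from Chapter 8, are both things you can check rather than assert. The example below is one I have added to this review (not from the book): it reconciles a constructed account store against a constructed HR feed and a set of RBAC role definitions, listing orphaned accounts and permissions granted beyond the owner's role, and shows how deriving access from the role rather than from direct grants closes both gaps. All names, roles and permission strings are made up.

```python
"""Identity lifecycle checks: orphaned accounts and excess entitlements.

Added illustration for this review, not from Windley's book. The HR feed,
account store and role definitions are constructed.
"""

# Constructed HR feed: employee id -> (role, employment status)
HR = {
    "e100": ("developer", "active"),
    "e101": ("dba", "active"),
    "e102": ("developer", "terminated"),
}

# Constructed account store: account -> owner employee id and directly granted permissions
ACCOUNTS = {
    "alice":         {"owner": "e100", "perms": {"repo:read", "repo:write"}},
    "bob":           {"owner": "e101", "perms": {"db:read", "db:write", "db:admin", "repo:write"}},
    "carol":         {"owner": "e102", "perms": {"repo:read", "repo:write"}},
    "svc_old_batch": {"owner": None,   "perms": {"db:admin"}},
}

# RBAC role definitions: the most a holder of the role should ever have
ROLE_PERMS = {
    "developer": {"repo:read", "repo:write"},
    "dba":       {"db:read", "db:write", "db:admin"},
}


def _active_role(owner, hr):
    """Role of an active employee, or None if unknown or no longer employed."""
    if owner in hr and hr[owner][1] == "active":
        return hr[owner][0]
    return None


def orphaned_accounts(accounts, hr):
    """Deprovisioning that never happened: accounts whose owner is missing from HR
    or is no longer active. Every one of these still authenticates."""
    return sorted(a for a, rec in accounts.items() if _active_role(rec["owner"], hr) is None)


def excess_permissions(accounts, hr, role_perms):
    """Least privilege assumed but not in place: for each active owner, the directly
    granted permissions that exceed their role's set."""
    out = {}
    for a, rec in accounts.items():
        role = _active_role(rec["owner"], hr)
        if role is None:
            continue                      # reported by orphaned_accounts instead
        extra = rec["perms"] - role_perms.get(role, set())
        if extra:
            out[a] = sorted(extra)
    return out


def rbac_allows(account, perm, accounts=ACCOUNTS, hr=HR, role_perms=ROLE_PERMS):
    """Access decision derived from the owner's role, ignoring direct grants.

    Deprovisioning becomes a status change in HR, and a stray direct grant such as
    bob's repo:write carries no weight."""
    rec = accounts.get(account)
    if rec is None:
        return False
    role = _active_role(rec["owner"], hr)
    return role is not None and perm in role_perms.get(role, set())


if __name__ == "__main__":
    print("orphaned accounts:", orphaned_accounts(ACCOUNTS, HR))
    print("excess permissions:", excess_permissions(ACCOUNTS, HR, ROLE_PERMS))
    print("bob repo:write via RBAC:", rbac_allows("bob", "repo:write"))
    print("carol repo:read via RBAC:", rbac_allows("carol", "repo:read"))
```

Run against a real directory export and HR feed, the two report functions are the metric Windley's cost observation calls for: how much identity maintenance is actually outstanding, expressed as a count of accounts rather than a policy sentence.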

Chapter 11 correlates standards to the identity lifecycle. SPML is geared towards provisioning, propagating, and deprovisioning; SAML is geared towards using identity; and XACML is geared towards maintaining identity (I am not sure why XACML is not included under using identity, though). The power and challenges of SAML and XACML are well defined, though some additional examples would be helpful. For traditional information security people who need to understand how these important XML-based technologies work in decentralized SOA and Web Services systems, this chapter will be very helpful.

Chapter 12, on federating identity, is my favorite. "Mirage of centralized efficiency...Centralized digital identity systems do not scale. Identity relationships are inherently web-like in structure while centralized technologies like directories are hierarchical." Windley also points out the lack of privacy support in SAML (which is why Dick Hardt calls federation Identity 1.5). The latter chapters show example identity data architectures, a technical reference architecture, and other elements. In sum, this book is extremely useful at the conceptual level for identity architects to think, plan and act strategically, and it offers real-world, in-the-trenches advice on how to execute tactically.

Practical SOA Book

"Understanding SOA with Web Services" by Eric Newcomer and Greg Lomow is one of the main books I recommend to clients on SOA and Web Services. Several parts of the book stand out from what I have seen in the rest of the field, including the section on Advanced Messaging and Transactions. The work is particularly strong on the "why are we here and how did we get here" question, tracing how Web Services evolved from technologies like MQ, transaction systems, and mainframes, and describing where Web Services have advantages and disadvantages over those technologies in a non-religious way. In Chapter 3, for example, MQ, CORBA, and XML Web Services are compared across a set of criteria including service contracts, data management, registration and discovery, security, interaction patterns, communication, and QoS. These objective analyses are some of the most valuable resources in the book, because when looking at Web Services integration they help the architect see where the strengths and weaknesses lie.

The only nit is that the section on security, while good by normal programming book standards, would benefit from more emphasis on the gaps in the standards. For example, input validation and security exception handling, which are facts of life in distributed security but are not dealt with by the standards, are not covered.

This book describes what gaps SOA/Web Services address and why, where the technology is going, and what you can do about it today. Very valuable.

All About Early 21st Century Risk

John Quarterman's book Risk Management Solutions for Sarbanes-Oxley Section 404 IT Compliance is unique, as far as I know, as a very timely analysis of technical issues and their impact on risk management. The combined forces of technology, increased integration, business reliance on networks and systems, and market, legal and regulatory pressures set the context for this book.

Chapter 1 looks at three laws for the value of scaling networks: Sarnoff's, Metcalfe's and Reed's. Valuing assets is a precursor to any risk management activity. Chapter 2 looks at the differences between traditional risks and Internet-style risks. There is an important distinction between perils and anomalies. Perils are defined as bugs and vulnerabilities. Anomalies are defined as the problems that arise once a vulnerability is exercised. There is also a section on monoculture, which compares computing monoculture to boll weevils and other physical world monoculture risks.

Chapter 3 describes high level strategies like redundancy and backups for dealing with risks. These are high level, not detailed operational planning, but they are useful for directors to plan which actions manage which risks. Federation is mentioned as having a positive impact on higher assurance integration between service providers and consumers. Another theme is the positive and negative aspects of decentralization; Quarterman concludes it is largely a positive development, and a decade and a half into the web, that looks like a safe assumption.

For a book with Sarbanes in its title, there is not a ton of information on compliance. This is not a big problem for me, since I, like this book, view compliance as a subset of risk management. Chapters 4-8 look at the implications of risk for various business sizes and verticals.

Chapter 6 examines some physical world controls that work fine in the real world but are insufficient in the digital world, such as 4-digit PINs for ATMs. This chapter also covers various types of insurance schemes, such as catastrophe (cat) bonds.

Chapter 7 compares Frederick Winslow Taylor (command and control) to John Boyd (smart nodes) and concludes: Taylor wrong, Boyd right. Speed and autonomy are more valuable in a networked world. It is often said that the important stuff is not exciting; risk management may not be a thrill a minute for everyone, but this book shows why risk management is important to businesses.

Chapter 8 contains a history of technologies, but does not address SOA, Web Services, Web 2.0 et al. in the context of the 5th Wave. Chapter 9 deals with a recurring theme of differentiating between risk inside the perimeter and outside the perimeter and the disparate strategies available for each. Chapter 10 describes some key differences between SOX (looking for blacklist items) and Basel II (culture change). Boyd's OODA loop is revisited in the context of self-healing networks. There is a section on the modern military's reliance on the web, which reminded me of a story I heard from Thomas Barnett about how soldiers in Iraq were going into chat rooms to teach each other about counterinsurgency. The officers instructed them to stop because Al Qaeda would listen in; the soldiers' response: "Al Qaeda already knows this. We are the ones with the knowledge gap." Now the training manuals are being updated.

My favorite part of the book is Cliff Forts versus Coordinated Mesas, which details the ancient Anasazi Protect-Detect-Respond strategy.

Chapter 11 distinguishes between first party loss and third party loss. Chapter 12 contains a set of actionable items for companies wanting to improve their risk management.

Overall, a useful window into the current risks and risk management opportunities in the early 21st century.

Beautiful Evidence

Yes! Adam reported that Edward Tufte's fourth book is in the queue. Tufte's books were a revelation for me when my father-in-law first showed them to me after taking his class about 10 years ago. Tufte's class was one of the best $300 I ever spent, and I highly recommend the class, which is held in a variety of locations. In the class, Tufte described:

The Grand Principles of Information Display

First Grand Principle: Enforce Wise Visual Comparisons: always ask "Compared with What?"

Second Grand Principle: Show Causality.

Third Grand Principle: Use Multivariate Data

Fourth Grand Principle: Completely Integrate Word, Number and Image.

Fifth Grand Principle: Quality, Relevance and Integrity of the Content. If your numbers are boring you have the wrong numbers. Design won't help, it is too late.

Sixth Grand Principle: Information for Comparison Should be Put Side by Side. Stack in space, not time.

Seventh Grand Principle: Use Small Multiples.

Eighth Grand Principle: Don't Dequantify. Good design is clear thinking, made visible.

When we think about dealing with vast amounts of security data in a large enterprise and mining it for information for a variety of audiences (developers, security, risk management, executives, management, and so on), SEM, SIM, and *IDS vendors would do well to keep these principles front and center.
