computers & security 31 (2012) 251
Book review

Cyber Attacks, E.G. Amoroso

In the early 1990s, Ed Amoroso fashioned a computer security course out of research papers on the topics of the day, such as formal security policy models and then-new theories on how to detect intrusions using behavior anomaly detection. This work culminated in his 1994 volume, Fundamentals of Computer Security Technology, which he followed with Intrusion Detection in 1999. These books still provide solid instruction on how to understand and architect information security solutions in an easy-to-read format.

Today, the technical aspects of how to implement information security features are the least of our worries. Rather, today’s information security problem is that we simply don’t know what security features to implement. The ubiquity of electronic communications and the corresponding threats have changed the landscape from an information security problem to a systems security problem with both cyber and human elements. Corresponding solutions must also be systemic in nature. Amoroso’s current vantage point as the Chief Information Security Officer at AT&T provides him with a firsthand global view of this situation. His latest book, Cyber Attacks, is an insightful collection of essays on practical ways to think about today’s complex and insidious cyber security problems, as well as models for solving them.

There are other books that view security from the point of view of national infrastructure, for example, America the Vulnerable by Brenner and CyberWar by Clarke and Knake. These books tend to be framed around incidents that demonstrate the need to take cyber security seriously, and conclude with calls for action. By contrast, Amoroso’s book is for the already converted. It uses descriptions of cyber attacks to illustrate rather than to motivate. Rather than concluding with general advice for embarking on security solutions, it provides models for analyzing both cyber security problems and solutions throughout the body of the text.

Because of its focus on enterprise-level security, this book will be a valuable job aid for cyber security managers and policy-makers. It will also be informative for less experienced information security practitioners who would like to better understand how their job functions and organizational practices fit into a larger, more global view of enterprise and national security. Amoroso distills cyber security advice into ten intuitively recognizable principles. These are: deception, separation, diversity, commonality, depth, discretion, collection, correlation, awareness, and response. These form the theoretical basis for strategic goals in enterprise security architecture. He debunks prevalent misapplications of these principles, while at the same time elaborating on their core value.

For example, on the topic of depth, Amoroso confronts those who formally model the efficacy of defense layers using mathematical probability, saying, “Trying to accurately quantify this dependency for probabilistic analysis is a waste of time and will not result in any estimate better than an expert guess.” He suggests instead that we openly acknowledge our reliance on subjective reasoning, and subject it to strict scrutiny based on relevant security factors such as use case scenario analysis and simulation.

On the topic of commonality, which he describes as the ubiquitous presence of certain desirable security attributes, Amoroso points out that cyber security best practices are often assumed to be measurable using information assurance auditing standards, but the assumption is false. He further claims that there is minimal overlap between meaningful and measurable security requirements, and that many security best practices are not even auditable. For example, auditors will check for the existence of end-user security education programs, while end-user security education has consistently proven to be of marginal utility and nowhere near as important to manage as end-user security culture.

Amoroso’s advice takes the art out of the debate on whether security is art or science. He brings a high-level, goal-oriented approach to practical situations so that the “right” security decisions appear obvious to the reader. However, no book is a single solution, and this one is no exception. Some readers may be disappointed not to find comprehensive references for further reading. It is apparent that the book surveys a great deal of literature, but there is no bibliography. Readers may also be disappointed that there is no step-by-step guaranteed path to cyber security solutions. The book provides no procedures or checklists. Nevertheless, those who allow Amoroso to influence their view of the security problem at the level he chooses to present it should more easily be able to recognize cyber security solutions.

Jennifer L. Bayuk
Stevens Institute of Technology, School of Systems and Enterprises, Castle Point on Hudson, Hoboken, NJ 07030, United States

doi:10.1016/j.cose.2011.12.008