My blog this week is a review of a book I recently read, which purportedly was going to tell the reader “What the computer security industry doesn’t want you to know.”
The Myths of Security
By John Viega,
Published by O’Reilly Media Inc.
Printed June 2009
This self-proclaimed exposé about secrets closely guarded by the security industry fails to tell the reader much of anything new, except the details of John Viega's history of working with McAfee – twice.
The word "Myths" in the title implies, at least to me, long-believed truths about to be proved otherwise. These revelations never occur in the 48 chapters, unless you consider repeating common knowledge in the security industry to be a new revelation.
A central revelation is that AV vendors have a difficult time keeping up with new malware. Several chapters are dedicated to why AV tools are not effective, why they consume large amounts of computer resources, and the author's idea that AV industry members should collaborate by sharing their knowledge of zero-day malware. He further suggests they create "CIST", the Consortium for Interoperability with Security Technology.
These ideas of collaboration sound viable from a technical perspective, but hardly realistic in a competitive, capitalistic environment that favours the strongest vendors. However, the author's suggestions are not revelations of secrets.
Viega goes on to compare the workings of AV with firewalls and with IDS. While these analogies are clever, they are hardly central to the book’s premise of revelation.
I was left scratching my head as the author claims that many AV products have a low degree of usefulness, without providing any statistical, verifiable evidence to prove his point. It is unsubstantiated opinion and, in my opinion, overly negative.
Which brings me to the next point: the author's many references of praise for McAfee. After 20, I lost count of the references to McAfee, liberally spread throughout the book. This affection and praise for one vendor and twice-previous employer certainly challenges the impartiality of the author's revelations.
It seems the author has liberally substituted hyperbole for fact. For instance, the chapter entitled "Google is Evil" says Google's AdWords creates a conflict of interest between impartiality and profit. Hardly a surprise. The chapter "VPNs Usually Decrease Security" states the obvious: a compromised VPN client workstation is indeed a threat to the host network.
Similarly, the chapter "The Security Industry is Broken" really says that security vendors of products and services are not 100% perfect. No further comment is necessary here.
It is not clear to me for whom the book is intended. It cannot be for security practitioners with certifications such as CISSP or CISM. In an effort to minimize technical terms, Viega uses a wordy description to avoid the word "hashing" (which is mentioned only in a footnote below the text).
End users who are not technology-savvy might find the book verbose. The few good security recommendations are summarized in a few pages; they are recommendations commonly stated in any end-user policy worth reading.
Time reading this book would be better spent elsewhere.
PS I feel guilty writing such a negative article, especially since it is far easier to criticize than to create. So please take my comments with a grain of salt.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Computer Security, Information Security, IT Security, Security Industry, The Myths of Security