White-Hat Security Arsenal: Tackling the Threats

What book do you recommend to someone in that situation?

Until I got a copy of Avi Rubin's `White Hat+AH4-+AH4- Security Arsenal', I'd probably have suggested that they read Cheswick and Bellovin's `Firewalls and Internet Security', or Spafford and Garfinkel's `Practical Unix and Internet Security'. Now, I think Avi's book has edged into the lead. I believe that, like them, it will come to be seen as a classic; unlike them, it was written recently rather than in the early-to-mid 1990s.

As well as the basic nuts and bolts of things like access control, firewalls, and cryptography, it looks at the+AH4-+AH4- latest viruses and worms (on which surprisingly little has been written since Word viruses took over the lead from DOS viruses several years ago); remote backup services; popular crypto protocols and products such as SSL and Passport; and anonymity services.

It is not so much aimed at the engineer who has to design and build new systems (for that, see my own book `Security Engineering'), but the user or administrator who wants to take commodity products such as web servers, routers and+AH4-+AH4- firewalls, and configure them in an intelligent way. I believe it succeeds in this task; it teaches enough of the underlying cryptography and system science, without getting too bogged down in detail. It also includes a number of case studies that illustrate, motivate, and help the reader develop some feel for the technical aspects of security management.

I expect that this book will do well. It deserves to,+AH4-

Rating:
Summary: The security basics we all need to know
Review: Computer security is only one of many things that everyone knows is critical, but few have time for until the situation requires it. However, like documentation, process and all of the other neglected facets we all struggle to achieve, the only way to do it effectively is to incorporate it into your daily schedule. To do that, it is necessary to know the fundamentals of security, which is the point of this book. The security of a computer system is an ultimate team sport. No matter how talented your security experts, all of their efforts can be defeated by a simple error made by the most junior member of the team. In fact, there is an enormous amount of anecdotal evidence indicating that most security breaches are preventable by utilizing the most simple of rules. However, the very simplicity of those rules tend to numb people to their essential nature, as the typical person is more likely to break a simple rule than a complex one that appears critical. After all, doing this simple thing one time won't hurt will it?
The security principles put forward in this book are all in the basic category, presented in a clear, concise manner that is easy to understand. The topics are:

* Viruses and worms
* Secure data storage
* Secure data transfers
* Protecting a network
* Performing secure e-commerce transactions.

I fall into the category of someone who is concerned about security, knows something about it, wants to know more, but always puts it aside because I quickly grow tired of reading material that comes across as sensational. The one thing that really sold me on this book is the lack of sensationalism, with security problems being presented in a professional, non-technical manner rather than dire predictions of disasters lurking on the flip side of every hard drive.
All of us in computing need to know the basics of security at the very least and even basic users should know more than that. This book is a good place to start and I urge everyone to learn the simple rules. Admonitions like 'don't play with fire' may be simple, but they save more grief than any complex rule set could ever do.

Rating:
Summary: White-Hat Tackles the Real problems head on...
Review: For any IT professional, or any executive management that is supported by or has to manage and collaborate with technology teams, finally a book that addresses "problems" and "solutions" across the tech landscape -- all in one book. The sections deal with how to secure systems across the IT landscape, specifically Threat, Storage, Data Transmission, Network Threats, Privacy & Commerce. Whether you are a non-technical manager needing a primer, or a CTO of a Fortune 500 company, Mr. Rubin lays out the landscape in an accessible format, covering the theory and practice of security. Then he goes farther by helping today's execs and IT professionals accomplish what he does for his hi-tech clients, with actionable strategies and solutions.

Rating:
Summary: Not your average network security book; how and why included
Review: I am a senior engineer for network security operations. I read this book because I try to learn from authors who have demonstrated expertise in the security field. I recommend reading "White Hat Security Arsenal" (WHSA) if you are looking for a bridge between the academic/research security world and the practical, hands-on world. I also recommend it if you want in-depth discussions of the how and why of various security "solutions."

Two aspects of WHSA differentiate it from the competition. First, the author (Avi) shows he keeps tabs on the security research community, and relates important findings to the reader. For example, as an intrusion detector I recognized the author's references to papers on "traceback" problems. For areas I don't monitor closely, like cryptography, Avi explains how certain less publicized protocols and algorithms could benefit users and administrators. Should I want to progress beyond Avi's discussion, I can follow the links and read the papers he cites.

Second, the author delivers content via a "problem-threat-answer" method. He doesn't simply list technologies. For example, in chapter 9 Avi asks "Assume that Alice and Bob have session keys for encryption and authentication. How do they protect their communication?" Avi then describes the threat (essentially an adversary who controls the network between Alice and Bob). He continues with a discussion of alternatives (encryption, authentication, etc.) and concludes with a case study (IPSec). Avi's focus on problems rather than technologies is refreshing.

WHSA has a few shortcomings. A good portion of the book (chapters 4-9) centers on cryptography. Users who can decipher function notations like "a^y mod p" and so on will be comfortable, but others may cringe. I also felt a mismatch existed between the explanation of threats (mainly viruses in chapter 3) and the material that followed. While Avi's discussion of historically important malicious code (Morris worm, Melissa virus, etc.) was useful, it seems to reinforce the uninformed manager's opinion that malicious code is the ultimate threat to computer security. (DDoS was briefly a concern, but viruses impacting end users gets the most air time.)

Overall, WHSA is a good book for security professionals looking to answer the how and why questions. Avi gives insights on such topics as PGP vs. S/MIME, the drawbacks of Microsoft Passport, and why long-term secret keys should be used to create short-term session keys. Readers are guided by his problem-threat-solution framework, and have an opportunity to learn of some of the best academic work available. Given that all of the material is framed with case studies (how to use SSL in a web browser, how to perform back-ups, and so on), most readers will find WHSA valuable.

Rating:
Summary: Not your average network security book; how and why included
Review: I am a senior engineer for network security operations. I read this book because I try to learn from authors who have demonstrated expertise in the security field. I recommend reading "White Hat Security Arsenal" (WHSA) if you are looking for a bridge between the academic/research security world and the practical, hands-on world. I also recommend it if you want in-depth discussions of the how and why of various security "solutions."

Two aspects of WHSA differentiate it from the competition. First, the author (Avi) shows he keeps tabs on the security research community, and relates important findings to the reader. For example, as an intrusion detector I recognized the author's references to papers on "traceback" problems. For areas I don't monitor closely, like cryptography, Avi explains how certain less publicized protocols and algorithms could benefit users and administrators. Should I want to progress beyond Avi's discussion, I can follow the links and read the papers he cites.

Second, the author delivers content via a "problem-threat-answer" method. He doesn't simply list technologies. For example, in chapter 9 Avi asks "Assume that Alice and Bob have session keys for encryption and authentication. How do they protect their communication?" Avi then describes the threat (essentially an adversary who controls the network between Alice and Bob). He continues with a discussion of alternatives (encryption, authentication, etc.) and concludes with a case study (IPSec). Avi's focus on problems rather than technologies is refreshing.

WHSA has a few shortcomings. A good portion of the book (chapters 4-9) centers on cryptography. Users who can decipher function notations like "a^y mod p" and so on will be comfortable, but others may cringe. I also felt a mismatch existed between the explanation of threats (mainly viruses in chapter 3) and the material that followed. While Avi's discussion of historically important malicious code (Morris worm, Melissa virus, etc.) was useful, it seems to reinforce the uninformed manager's opinion that malicious code is the ultimate threat to computer security. (DDoS was briefly a concern, but viruses impacting end users gets the most air time.)

Overall, WHSA is a good book for security professionals looking to answer the how and why questions. Avi gives insights on such topics as PGP vs. S/MIME, the drawbacks of Microsoft Passport, and why long-term secret keys should be used to create short-term session keys. Readers are guided by his problem-threat-solution framework, and have an opportunity to learn of some of the best academic work available. Given that all of the material is framed with case studies (how to use SSL in a web browser, how to perform back-ups, and so on), most readers will find WHSA valuable.

Rating:
Summary: Incomplete and dated
Review: I bought this book along with many others a while back. I am a network security consultant. I wanted to broaden my skills a bit and make sure my knowledge was up to par with others in the field.

I found this book very incomplete and dated. Most of the information was relevant about 5 years ago. Since then tatics and technologies have changed rather significantly.

For example, the book does not even mention intrusion detection systems. This is a staple technology of the security community and any hacker worth his weight would focus a great deal of energy on circumnavigating or overloading these devices.

Also, the book treats firewalls as the "end all be all" of network security. Which simply is not the case. Firewalls are important, but certainly not the only security product you implement.

Pass this book by and go for much better books such as Hackers Challenge or Know Your Enemy by the Honeynet team.

Rating:
Summary: Security for the Real World
Review: I have known Avi Rubin for many years now, and whenever he writes something it's almost always worth reading. As an early reviewer of the manuscript, I knew that the IT community, charged with actually implementing security as opposed to simply studying it, was in for a real treat. While most security books (including my two books "Java Security" and "Securing Java") focus on technologies and require readers to internalize many concepts in order to get something useful out of them, the "White-Hat Security Arsenal" keeps its eye on the ball. It is directly focused on solving real security problems that IT professonals have to contend with every day. For example, Avi's book has answers that explain:
How to secure data.
The threats on the Internet, and what can you do about them.
Why malicious code is an issue, and how to deal with it.

Avi did an excellent job bringing the right problems to the forefront, and the solutions demonstrate his great expertise and experience. Building secure systems (and especially software...see my new book "Building Secure Software") is the best pro-active solution to security, but as long as we're stuck in the real world, there are plenty of other things to focus on! Avi's book complements "Building Secure Software" wonderfully.

Buy this book.

Rating:
Summary: Excellent problem solving book
Review: I have read many security books, but this one is unique. The thing that I really like about it is the way the author tackles problems (pun from the book cover - football theme) rather than just going through cryptography and network security. Some of the problems that are dealt with are exactly the ones I encounter in my job, and I found this book to be a great way to learn about them. The author is obviously a real expert, and the writing style is informal but precise. It's almost like being in the room with a good instructor. I give this book the highest recommendation, and I have already loaned my copy to colleagues.

Rating:
Summary: Foundation Material for Network Threat & Exposure Analysis
Review: If you are responsible for network security then you are at war with anonymous enemies who are probably attempting at this moment to find any holes in your security perimeter. In The Art of War, Sun Tzu advised, "Know yourself and know your enemy. You will be safe in every battle." This book adds a modern dimension to The Art of War. Think of it as a network security report that discusses your enemy's strengths and tactics.

Part I of this book succinctly covers the basics of risk identification and some of the more common sources of risks. It covers some of the more famous viruses and worms using a 5-part format for each of the ten examples that I particularly liked: (1) What it hit and what it did, (2) how and why it worked, (3) the consequences, (4) how we recovered and (5) lessons learned. Yes, the incidents are old, but the same pattern keeps resurfacing. The "How and why it worked" part of each discussion was particularly interesting, and is the cornerstone of why the author's format provides a wealth of information from which a model emerges. The five-part structure is an excellent template for maintaining profiles of threats as they are reported by CERT CC or your preferred source of security incident information.

The remainder of the book covers (Part II) storing data securely. The chapter on secure backup is particularly good, (PART III) secure data transfers. Contains a treasure trove of information on cryptographic vulnerabilities and how to mitigate or avoid the associate risks, (Part IV) protecting against network threats. Chapters in this part give some excellent defensive strategies, and (Part V) commerce and privacy. The credit card discussion is must reading for anyone who makes or accepts credit card payments over the web; the discussion on privacy is also must reading).

This book will provide you with intelligence on your enemy. You may never know who that enemy is, but understanding their strengths, weapons, and tactics will give you a fighting chance. The reality is you need to be connected to do business, which means you will always be on the defensive, "White Hat Security Arsenal" will help you build a strong defense.

Five stars for filling a void in the network security body of knowledge.

Rating:
Summary: Good overview of information security
Review: On the cover of White-Hat Security Arsenal: Tackling the Threats is a huge football player who represents a hacker. On the hacker's uniform are the names of various computer tools and vulnerabilities, such as Ping of Death. Lined up opposite the hacker is a group of eight much smaller information security professionals. This picture effectively displays the nature of information security today: a lone powerful hacker attempting to break through the (often weak) overmatched defensive line of information security.

But author Aviel D. Rubin does not rely on cute illustrations alone. A noted security educator and researcher, Rubin collects his experiences in the information security arena in this book and provides an excellent field guide to the fundamentals of securing computer systems against attack. Rubin gives a solid overview of each security problem; he then provides advice and refers the reader to additional resources for deeper analysis and understanding, all in easy-to-read prose. While Rubin has a Ph.D., his writing style is decidedly unacademic, and he never talks down to the reader.

Most of the chapters begin by giving the reader a real-world introduction to the problem at hand. Rubin then elaborates on the various technologies and solutions involved. Most chapters also include a case study, which helps to make these esoteric security concepts more understandable.

Rubin also succeeds in putting the plethora of risks and vulnerabilities into perspective. Knowing which ones to worry about (and to worry less about) is critical to the proper ranking and handling of information security issues.

Among the issues addressed are viruses and worms, physical security, firewalls, cryptography, denial of service attacks, and privacy. The reader comes out of the detailed discussion of these issues with a broad understanding of the elements involved within information systems security.

In this case, one can judge a book by its cover. Readers looking for practical, hard-hitting answers about information security will find White-Hat Security Arsenal:Tackling the Threats an excellent resource to tackle.