- Shopping Bag ( 0 items )
Chapter 1 The Security Industry Is Broken 1
Chapter 2 Security: Nobody Cares! 5
Chapter 3 It's Easier to Get "Owned" Than You Think 9
Chapter 4 It's Good to Be Bad 19
Chapter 5 Test of a Good Security Product: Would I Use It? 25
Chapter 6 Why Microsoft's Free AV Won't Matter 29
Chapter 7 Google Is Evil 33
Chapter 8 Why Most AV Doesn't Work (Well) 41
Chapter 9 Why AV Is Often Slow 49
Chapter 10 Four Minutes to Infection? 55
Chapter 11 Personal Firewall Problems 59
Chapter 12 Call It "Antivirus" 65
Chapter 13 Why Most People Shouldn't Run Intrusion Prevention Systems 71
Chapter 14 Problems with Host Intrusion Prevention 75
Chapter 15 Plenty of Phish in the Sea 79
Chapter 16 The Cult of Schneier 87
Chapter 17 Helping Others Stay Safe on the Internet 91
Chapter 18 Snake Oil: Legitimate Vendors Sell It, Too 95
Chapter 19 Living in Fear? 99
Chapter 20 Is Apple Really More Secure? 105
Chapter 21 Ok, Your Mobile Phone Is Insecure; Should You Care? 109
Chapter 22 Do AV Vendors Write Their Own Viruses? 113
Chapter 23 One Simple Fix for the AV Industry 115
Chapter 24 Open Source Security: A Red Herring 119
Chapter 25 Why SiteAdvisor Was Such a Good Idea 127
Chapter 26 Is There Anything We Can Do About Identity Theft? 129
Chapter 27 Virtualization: Host Security's Silver Bullet? 135
Chapter 28 When Will We Get Rid of All the Security Vulnerabilities? 139
Chapter 29 Application Security on a Budget 145
Chapter 30 "Responsible Disclosure" Isn't Responsible 153
Chapter 31 Are Man-in-the-Middle Attacks a Myth? 163
Chapter 32 An Attack on PKI 167
Chapter 33 HTTPS Sucks; Let's Kill It!171
Chapter 34 CrAP-TCHA and the Usability/Security Tradeoff 175
Chapter 35 No Death for the Password 181
Chapter 36 Spam Is Dead 187
Chapter 37 Improving Authentication 191
Chapter 38 Cloud Insecurity? 197
Chapter 39 What AV Companies Should Be Doing (AV 2.0) 203
Chapter 40 VPNs Usually Decrease Security 213
Chapter 41 Usability and Security 215
Chapter 42 Privacy 217
Chapter 43 Anonymity 219
Chapter 44 Improving Patch Management 221
Chapter 45 An Open Security Industry 223
Chapter 46 Academics 225
Chapter 47 Locksmithing 227
Chapter 48 Critical Infrastructure 229
After reading a brief overview of this book I was really excited to read it. As an information security professional, I was hoping the author would stir up some controversial thoughts and ideas that may have me rethinking the way I am doing things. What I got was a book that was a very good read, but nothing revolutionary. The book is organized into forty-eight topics, each a separate chapter consisting of a few pages each. Each chapter was just long enough to give some details or opinions about a topic without boring the reader with mundane page filler.
Chapter 16: The Cult of Schneier, was a great chapter. Yes, Bruce Schneier is one of the smartest minds in the industry, but he is the first to tell people not to be sheep. The author takes this one step further and declares do not take everything Schneier says as gospel, he is human, and can be wrong. Although I agree with the authors' thoughts that he will get a lot of flack for these comments from the "Cult of Schneier," I thought it was a great way to tell people to think for themselves and think outside the box.
Chapter 24: Open Source Security: A Red Herring was my favorite chapter in this book. It looks at both sides of the open source software vs. closed source software debate. This portion of the book was written in a way to let the reader come to the own conclusion about the debate, and not just rely on the authors' opinion. It was an unbiased view on the pros and cons to both types of software solutions.
Chapter 30: "Responsible Disclosure" isn't Responsible, was another great chapter. Again the author presented many pros and cons to both sides of the debate about public disclosure of vulnerabilities. This was again a chapter that shows the reader how the software industry currently views disclosure and lets the reader decide how they feel about the issue. In my opinion, this is one of the few chapters that will make you think about your stand on the topic and maybe help you choose a position.
All of the anti-virus chapters were very well written, as expected from someone who has worked for one of the largest anti-virus developers. These chapters gave enough insight and detail about how the software works to let a layman understand, but not so much detail that they drowned in information.
In chapter 5 the author talks about the security software he runs, and then common security software that he does not run, including: firewalls and AV. His arguments for not running these items seemed very weak, especially for a guy who works for an anti-virus company. I would have liked more insight into his thought process.
I found one contradiction that stood out, in Chapter 3 the author states that "However, these days, few services are visible by default..." when talking about need of firewalls. In Chapter 5 the author states firewalls are needed because "people typically leave lots of vulnerable services on machines that are directly accessible to a lot of people". Which is it?
Overall this book was a very fast (you could read it on a short flight), but very good read. It may not challenge your perspective as I had previously thought, but it is a good refresher as to why some of us work in the Information Security industry.
Review Written By Wayne M Gipson, CISSP, CISA
Posted September 13, 2010
No text was provided for this review.