If you think computer security has improved in recent years, The Myths of Security will shake you out of your complacency. Longtime security professional John Viega, formerly Chief Security Architect at McAfee, reports on the sorry state of the industry, and offers concrete suggestions for professionals and individuals confronting the issue.
Why is security so bad? With many more people online than just a few years ago, there are more attackers -- and they're truly motivated. Attacks are sophisticated, subtle, and harder to detect than ever. But, as Viega notes, few people take the time to understand the situation and protect themselves accordingly. This book tells you:
Why it's easier for bad guys to "own" your computer than you think
Why anti-virus software doesn't work well -- and one simple way to fix it
Whether Apple OS X is more secure than Windows
What Windows needs to do better
How to make strong authentication pervasive
Why patch management is so bad
Whether there's anything you can do about identity theft
Five easy steps for fixing application security, and more
Provocative, insightful, and always controversial, The Myths of Security not only addresses IT professionals who deal with security issues, but also speaks to Mac and PC users who spend time online.
Chapter 1 The Security Industry Is Broken
Chapter 2 Security: Nobody Cares!
Chapter 3 It's Easier to Get "0wned" Than You Think
Chapter 4 It's Good to Be Bad
Chapter 5 Test of a Good Security Product: Would I Use It?
Chapter 6 Why Microsoft's Free AV Won't Matter
Chapter 7 Google Is Evil
Chapter 8 Why Most AV Doesn't Work (Well)
Chapter 9 Why AV Is Often Slow
Chapter 10 Four Minutes to Infection?
Chapter 11 Personal Firewall Problems
Chapter 12 Call It "Antivirus"
Chapter 13 Why Most People Shouldn't Run Intrusion Prevention Systems
Chapter 14 Problems with Host Intrusion Prevention
Chapter 15 Plenty of Phish in the Sea
Chapter 16 The Cult of Schneier
Chapter 17 Helping Others Stay Safe on the Internet
Chapter 18 Snake Oil: Legitimate Vendors Sell It, Too
Chapter 19 Living in Fear?
Chapter 20 Is Apple Really More Secure?
Chapter 21 OK, Your Mobile Phone Is Insecure; Should You Care?
Chapter 22 Do AV Vendors Write Their Own Viruses?
Chapter 23 One Simple Fix for the AV Industry
Chapter 24 Open Source Security: A Red Herring
Chapter 25 Why SiteAdvisor Was Such a Good Idea
Chapter 26 Is There Anything We Can Do About Identity Theft?
John Viega, the founder and CEO of Stonewall Software, is a well-known security expert and the coauthor of Building Secure Software (Addison-Wesley) and Network Security with OpenSSL (O'Reilly). John is responsible for numerous software security tools and is the original author of Mailman, the GNU mailing list manager. He holds a B.A. and M.S. in computer science from the University of Virginia. Mr. Viega is also an adjunct professor of Computer Science at Virginia Tech (Blacksburg) and is a senior policy researcher at the Cyberspace Policy Institute. He serves on the technical advisory board for the Open Web Applications Security Project. He also founded a Washington, D.C.-area security interest group that conducts monthly lectures presented by leading experts in the field. He is the author or coauthor of nearly 80 technical publications, including numerous refereed research papers and trade articles.
Comments about O'Reilly Media The Myths of Security:
This book is a nice introduction to what computer systems security is and means. It explains the various aspects of security and digs into the minds of the "bad guys" to explain the challenges security professionals face.
One nice thing about this book is that it's an easy read, almost entertaining. Each chapter covers an independent topic and is short. You can almost consider each chapter a short story. Hence, if one isn't interested in one particular subject, she can easily skip it or browse through it quickly.
This book is mainly informational, so don't really expect anything practical out of it (technically speaking). As I mentioned in the title, it is essentially food for thought.
10/13/2011 | Rating: 1.0 | Self-opinionated book without real facts
By joblack, from Berlin, Germany. About Me: Sys Admin
Pros: (none listed)
Cons: Self-opinionated; Too many errors
Best Uses: (none listed)
The book begins by praising John Viega's career start at McAfee (vibe: he 'saved' the company and gave it the right direction).
The chapters are full of his own opinions without real scientific background.
The apex of opinions can be found in Chapters 23 and 24, where he claims opinions like "if you don't have anything to hide, what's the deal...". He argues that most people don't care about privacy and anonymity, so it shouldn't be a high priority for you.
11/1/2009 | Rating: 4.0 | Security Industry - The Broken Model
By Praveen Karunakaran, from Chennai, India. About Me: Designer
Pros: Easy to understand; Helpful examples; Well-written
Cons: Not comprehensive enough
Best Uses: Intermediate; Novice
Most security products give you a false sense of security. But John Viega shows you the broken picture of the security industry and explains why the security products/technologies really can't provide you the same level of security they are designed to provide.
It's a wonderful book for anyone who is concerned about security.
10/11/2009 | Rating: 5.0 | Very Entertaining; Practical
By jdruin, from Kentucky. About Me: Designer, Developer, Educator
Pros: Accurate; Easy to understand; Well-written
Cons: (none listed)
Best Uses: Expert; Intermediate; Novice; Student
This book is an easy, fun, and somewhat scary read all at the same time. It accomplishes its goal of raising awareness about security issues by presenting material in small chapters that focus on a particular point.
The book is really a collection of short stories, each about a particular topic that is either directly about security or affected by security. The average chapter is probably about 5 pages, with most being between 2 and 7 pages (230 pages in all, 48 chapters). I like this approach because it keeps the stories interesting. (If the reader does get bored with a particular topic, it will be over soon anyway.) Also, the chapters are independently written, so the reader can skip around at will.
The style used is quite entertaining. There is a slight hint of sarcasm in some areas, but it is not overwhelming. The material itself is fairly serious (i.e., identity theft, anti-virus, corporate security, etc.), but the problems are presented in a way that is easy to read. Also, while the problems presented seem generally impossible to solve if one only reads the popular press (the world is coming to an end; turn to page 3 to see why), the book gives practical advice and/or suggestions of what we might do about such problems. There is a fair amount of "warnings" also given.
Overall, what advice is given is practical. For some problems where the author does not have an answer, he says so and points to areas that may be able to help in the future.
The point of the book it seems is to raise awareness of security issues. It does an excellent job of this.
Security professionals will like the book, although I suspect they probably already know much of the material. More importantly, readers whose main profession is not security will be able to easily understand the problems presented. This should provide a fun/scary read but also get people thinking about these issues and their implications for our daily lives.
10/1/2009 | Rating: 4.0 | Good, but not what I expected
(1 of 1 customers found this review helpful)
By Wayne M. Gipson, CISSP, CISA, from West Point, UT. About Me: Security Engineer, Sys Admin
Pros: Accurate; Concise; Easy to understand; Well-written
Cons: Too basic
Best Uses: Intermediate; Novice; Student
The Myths of Security, by John Viega
After reading a brief overview of this book I was really excited to read it. As an information security professional, I was hoping the author would stir up some controversial thoughts and ideas that might have me rethinking the way I am doing things. What I got was a book that was a very good read, but nothing revolutionary. The book is organized into forty-eight topics, each a separate chapter of a few pages. Each chapter was just long enough to give some details or opinions about a topic without boring the reader with mundane page filler.
The Likes:
Chapter 16: The Cult of Schneier was a great chapter. Yes, Bruce Schneier is one of the smartest minds in the industry, but he is the first to tell people not to be sheep. The author takes this one step further and declares: do not take everything Schneier says as gospel; he is human and can be wrong. Although I agree with the author's thought that he will get a lot of flak for these comments from the "Cult of Schneier," I thought it was a great way to tell people to think for themselves and think outside the box.
Chapter 24: Open Source Security: A Red Herring was my favorite chapter in this book. It looks at both sides of the open source software vs. closed source software debate. This portion of the book was written in a way that lets the reader come to their own conclusion about the debate, and not just rely on the author's opinion. It was an unbiased view of the pros and cons of both types of software solutions.
Chapter 30: "Responsible Disclosure" isn't Responsible, was another great chapter. Again the author presented many pros and cons to both sides of the debate about public disclosure of vulnerabilities. This was again a chapter that shows the reader how the software industry currently views disclosure and lets the reader decide how they feel about the issue. In my opinion, this is one of the few chapters that will make you think about your stand on the topic and maybe help you choose a position.
All of the anti-virus chapters were very well written, as expected from someone who has worked for one of the largest anti-virus developers. These chapters gave enough insight and detail about how the software works to let a layman understand, but not so much detail that they drowned in information.
The Dislikes:
In Chapter 5 the author talks about the security software he runs, and then common security software that he does not run, including firewalls and AV. His arguments for not running these items seemed very weak, especially for a guy who works for an anti-virus company. I would have liked more insight into his thought process.
I found one contradiction that stood out: in Chapter 3 the author states that "However, these days, few services are visible by default..." when talking about the need for firewalls. In Chapter 5 the author states firewalls are needed because "people typically leave lots of vulnerable services on machines that are directly accessible to a lot of people". Which is it?
Overall this book was a very fast (you could read it on a short flight), but very good read. It may not challenge your perspective as I had previously thought, but it is a good refresher as to why some of us work in the Information Security industry.