Author: John Viega
Publisher: O'Reilly Media (http://oreilly.com)
Published: June 2009
Print ISBN 13: 978-0-596-52302-2
Print ISBN 10: 0-596-52302-5
eBook ISBN 13: 978-0-596-80413-8
eBook ISBN 10: 0-596-80413-X
Print format: Soft cover, 264 pages
Note: The three different eBook file formats available are Mobi, PDF, ePub. Explanations of those formats, and the devices that they can be used on, are provided on the book publisher's site.
Prices:
Print: $29.99
eBook: $23.99
Print and eBook: $32.99
The Myths of Internet Security Explained
Unless you have a special interest in Internet security or work in that field every day, it is unlikely that you can stay up to date with all the latest developments in the area, simply because you are so busy staying on top of your own professional IT commitments. It is vital, though, that you know how to protect yourself when you are online, and that is where the book "The Myths of Security" can be of enormous help. Subtitled "What the Computer Security Industry Doesn't Want You to Know", it brings together in one place a comprehensive picture of the current state of Internet security. The book's author, John Viega, promises that by reading his book "you'll get some insight into what the bad guys do, as well as what the good guys (and gals) do. You'll find that good guys often do bad things – things that put everybody at risk. You'll learn about what's traditionally been wrong with the industry, and how it's slowly starting to change."
John Viega's extensive experience in security gives him the right credentials to have written a book such as "The Myths of Security". He is currently CTO of the SaaS Business Unit at McAfee, and was previously that company's Chief Security Architect. He has founded two companies, Secure Software (now part of Fortify) and Stonewall Software (whose mission is to deliver anti-virus technology that is faster, better and cheaper). He also consults for a number of security companies, and is the author of numerous other security books, including "Building Secure Software" and "Network Security with OpenSSL." Viega's motivation for writing "The Myths of Security" comes across clearly in the preface, where he writes that "the bad guys are clever, and find lots of ways (often incredibly creative ways) to get around all the defenses others have erected. We need to try to build better defenses so that the bad guys will be less successful."
A major strength of "The Myths of Security" is that it is highly readable. The well-written text is organized into short, sharp chapters, some only one to four pages long (there are 48 chapters plus an epilogue), so you can pick up the book and read a chapter or two whenever you have some spare time. To give you an idea of the content you can expect in those chapters, here is a selection of the topics Viega raises:
• The poor state of security. Viega asserts that the security industry is "not focused on providing users a good experience with its products. But even worse, it is not really focused on providing the more secure experience that is implicitly promised."
• Misplaced confidence regarding security. Viega reveals that he knows a "lot of arrogant geeks. They think they're never going to get hit by malware because they are so technically savvy, and they will never let themselves be in harm's way. They are wrong." Likewise, he knows "a lot of arrogant computer users, geeks or not. They include the legions of Apple users who think that the company's OS X operating system is magically better than the major alternative. They include the people who have bought into similar marketing from Microsoft about Vista being the most secure operating system ever."
• A fundamental problem with antivirus (AV) software. Viega reminds us that "the bad guys can run AV products, too. Let's say Evil Bill writes a bad piece of software. AV products might detect it out of the gate, but Bill will learn that right away just by running them. He can keep tweaking his malware until the programs stop complaining, then unleash it on the world and be guaranteed some time before anybody stops it." In practice it can be weeks before vendors ship a signature that catches the tweaked version.
• Taking appropriate steps to secure your mobile phone! Viega points out that, "despite what some people believe, there is money to be made from hacking phones. A bad guy could still use malware on a phone to do things like send spam. But there are other things a bad guy can do. For example, in Europe, there's a widely adopted technology called pay-by-SMS, where you can pay for things just by sending a text message. You can pay for online things this way, but you can also buy sodas from soda machines, and things like that. A bad guy could break in to a phone in Germany and use it to buy himself a soda in Finland using pay-by-SMS technology."
• The sources of attacks. Viega poses a rather provocative question when he asks "Do AV vendors write their own viruses?" His "short answer is, of course, no; at least at McAfee (and hopefully everywhere else), that does not happen. But a more accurate answer would be that even though the business doesn't condone it, there might be some very slim chance that somewhere somebody in the organization is a maverick producing malware."
• Passwords suck. Viega is not a lone voice in describing the problems associated with passwords. A common one is that a large percentage of people use just one or two passwords for everything, so a single leaked or cracked password exposes every account that shares it. Unfortunately, as Viega reports, "it's difficult to see anything killing the password. First, there aren't lots of great alternatives. Sure, there are things like proximity badges and fingerprint scanners, but those things are expensive and don't always work as well as they should."
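The "Evil Bill" scenario in the antivirus bullet above is easy to make concrete. The following is an added example written for this review, not code from the book or from any AV vendor: a toy scanner with the two classic static signature kinds (a whole-file hash and a fixed byte pattern), a constructed stand-in for a malicious file, and the attacker's loop that queries the scanner as an oracle and mutates the sample until the verdict is "clean". The sample layout, the marker bytes, and the XOR key are all assumptions made for the demonstration; nothing here is real malware.

```python
import hashlib
from typing import Callable, List, Optional, Tuple

# Constructed sample layout: a fake header, a recognisable payload marker, a trailer.
# The marker merely stands in for bytes a vendor would have written a signature for.
HEADER = b"\x7fELF" + b"\x00" * 12
PAYLOAD = b"EVIL_PAYLOAD_V1"
TRAILER = b"\x90" * 8
ORIGINAL_SAMPLE = HEADER + PAYLOAD + TRAILER
XOR_KEY = 0x5A  # assumed key for the attacker's toy encoder


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Toy scanner (constructed for this example, not any product's engine) with two
# static signatures: a whole-file hash and a fixed byte pattern.
KNOWN_HASHES = {sha256_hex(ORIGINAL_SAMPLE)}
KNOWN_PATTERNS = [PAYLOAD]


def scan(sample: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None for 'clean'."""
    if sha256_hex(sample) in KNOWN_HASHES:
        return "hash-match"
    for pattern in KNOWN_PATTERNS:
        if pattern in sample:
            return "pattern-match"
    return None


# Two attacker mutations. Each defeats one signature class without changing
# what the program would do once it runs.
def mutate_pad(sample: bytes) -> bytes:
    """Append one byte: the file hash changes, the code does not."""
    return sample + b"\x00"


def xor_payload_region(sample: bytes, key: int = XOR_KEY) -> bytes:
    """XOR the payload region. Applied once it encodes; applied again it decodes."""
    start, end = len(HEADER), len(HEADER) + len(PAYLOAD)
    encoded = bytes(b ^ key for b in sample[start:end])
    return sample[:start] + encoded + sample[end:]


def evade(sample: bytes, oracle: Callable[[bytes], Optional[str]],
          max_rounds: int = 10) -> Tuple[bytes, List[Optional[str]]]:
    """Evil Bill's loop: query the scanner, mutate, repeat until it stops complaining."""
    history: List[Optional[str]] = []
    current = sample
    for _ in range(max_rounds):
        verdict = oracle(current)
        history.append(verdict)
        if verdict is None:
            break
        current = mutate_pad(current) if verdict == "hash-match" else xor_payload_region(current)
    return current, history


def decode_in_memory(sample: bytes) -> bytes:
    """What a decoder stub would produce at run time: the original payload bytes again."""
    return xor_payload_region(sample)


if __name__ == "__main__":
    final, history = evade(ORIGINAL_SAMPLE, scan)
    print("verdict per round:", history)
    print("on-disk scan of final sample:", scan(final))
    print("scan of run-time decoded form:", scan(decode_in_memory(final)))
```

Two rounds of trivial mutation are enough to silence both signatures, which is the whole of Viega's point: an attacker with a copy of the scanner gets a free oracle. The last line shows the defender's counter-move: the decoded form that must exist at run time still matches, which is why scanners that emulate or inspect memory, rather than only the bytes on disk, close some of this gap.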
Even if what you have read so far in this review has not convinced you to read John Viega's "The Myths of Security" in its entirety, you should at least read chapter 17, "Helping others stay safe on the Internet". That way you will be armed with the basic but vitally important Internet security knowledge that you can pass on to your non-technical work colleagues, associates, family members, friends and acquaintances. Viega has even included advice for parents to discuss with their children about staying safe online. For more information about what is contained in "The Myths of Security", I recommend that you take a look at the book's complete Table of Contents, available on the book's companion Web page at http://www.oreilly.com/catalog/9780596523022/
In conclusion, it is sobering to reflect on Viega's overall view of Internet security, namely that "it's not a game we'll ever win." He bases that on the following scenario: "Imagine," he says, "you're trying to protect the entire Internet, which has at least 1.6 billion users. Let's pretend that those users are all running security mechanisms that are 99.9% effective, and everybody gets attacked at least once a year. That's still over 1.6 million people infected a year." Despite those gloomy odds, it is still worthwhile to protect yourself as much as humanly possible whenever you are online, and a practical way of doing that is to heed the advice Viega has included in his book. But don't wait until you are hacked or attacked before you respond. Instead, be proactive, because as Viega says, "it doesn't take a failure in your security to get you in trouble. When there's money involved, there will always be successful criminals. And, even if there are no overt security problems with an IT system, the bad guys will just lie, cheat, and steal if that's what it takes to achieve their goals. Remember, the bad guys were successful before there were computers involved, and they will examine all their options and take the easiest path."