|
 |
|
 |
 |
Security Engineering: A Guide to Building Dependable Distributed Systems
|
by Ross J. Anderson
Sales Rank: 254926
|
List Price: $75.00
$56.97
At Amazon
|
|
Hardcover: 1080 pages
Publisher: Wiley; 2 edition April 14, 2008
Language: English
ISBN-10: 0470068523
ISBN-13: 978-0470068526
Product Dimensions:
9.4 x 7.7 x 2.6 inches
Shipping Weight: 3.8 pounds
Amazon.com Review
Gigantically comprehensive and carefully researched, Security Engineering makes it clear just how difficult it is to protect information systems from corruption, eavesdropping, unauthorized use, and general malice. Better, Ross Anderson offers a lot of thoughts on how information can be made more secure (though probably not absolutely secure, at least not forever) with the help of both technologies and management strategies. His work makes fascinating reading and will no doubt inspire considerable doubt--fear is probably a better choice of words--in anyone with information to gather, protect, or make decisions about. Be aware: This is absolutely not a book solely about computers, with yet another explanation of Alice and Bob and how they exchange public keys in order to exchange messages in secret. Anderson explores, for example, the ingenious ways in which European truck drivers defeat their vehicles' speed-logging equipment. In another section, he shows how the end of the cold war brought on a decline in defenses against radio-frequency monitoring (radio frequencies can be used to determine, at a distance, what's going on in systems--bank teller machines, say), and how similar technology can be used to reverse-engineer the calculations that go on inside smart cards. In almost 600 pages of riveting detail, Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity, and always use common sense in defending valuables. A terrific read for security professionals and general readers alike. --David Wall Topics covered: How some people go about protecting valuable things (particularly, but not exclusively, information) and how other people go about getting it anyway. Mostly, this takes the form of essays (about, for example, how the U.S. Air Force keeps its nukes out of the wrong hands) and stories (one of which tells of an art thief who defeated the latest technology by hiding in a closet). Sections deal with technologies, policies, psychology, and legal matters.
--This text refers to an out of print or unavailable edition of this title.
Customer Reviews & Comments
A large group of programmers were asked a hypothetical question: If Microsoft was to build an airplane, would you get on it? All of the programmers instantly said no, save for a sole programmer who said he would definitely board the plane. When asked why he was so confident about getting on the plane, he replied, "If Microsoft were to ever build an airplane, it would be extremely safe since the plane would never make it out of the gate." When it comes to information security, its current state is similar to that of a Microsoft airplane--built, but often flashy, while not forcefully functional. The root of the problem is that most organizations view security as something added on in a piecemeal fashion, rather than an integral engineering issue. Those in the construction business get this concept; they know that designs, plans, permits, coordination, commitment, buy-in, etc.,; are all requirements, not options. Similarly, before any information security product is rolled-out, the appropriate project plans must exist. While the concept that design must come before implementation is a given in most other industries, many IT departments lack this understanding. Thus is the quandary that Ross Anderson deals with in Security Engineering: A Guide to Building Dependable Distributed Systems. In a nutshell, Security Engineering is one of the best security books ever written. If you are looking for 50 pages of screen prints on how to install and configure a printer under Windows 2000, this is the wrong book for that. What Anderson does, in great detail and with lucidity, is particularize all of the aspects that are required to create a security infrastructure. He relentlessly reiterates that security must be engineered into information systems from the outset. When security is retrofitted into an application or system, it is never as effective. Anderson defines security engineering as "building systems to remain dependable in the face of malice, error or mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves." In its 24 chapters, the book covers every domain of computer security. As noted security guru Bruce Schneier writes in the book's foreword "If you're even thinking of doing any security engineering, you need to read this book." Schneier's comment compliments his own attitude that security is not a product, rather a process. Going with that mantra, Anderson demonstrates in exhaustive detail how information security must be implemented in every aspect of the information system's infrastructure in order for systems to be dependable and secure. The often knee-jerk response to information security is to deal with it at the product level. With that, the security product of the year is purchased (Air Gap, IDS, PKI, etc.) and the company hopes and prays for security. Unfortunately, it does not work like that. Anderson writes that security products can't operate in a vacuum. They must operate in the framework of a comprehensive architecture supported by policies. That is precisely why there are huge amounts of books on security component technology, but very few on how to use them effectively. When it comes to making all of these security technologies interoperate, there are few good titles in print, and that is the value of this book.... In more than 600 pages of intense information, Anderson lays the groundwork on how to build a secure and dependable system. Every aspect of information security is discussed in the book -- from passwords, access control, and attacks, to physical security and policy. Additionally, relevant and timely topics such as information warfare, privacy protection, access control, and more are discussed. This is the only book that covers the end-to-end spectrum of security design and engineering. Just as important as the technical issues covered in the book, the entire range of attacks that distributed systems can face (technical, procedural, and physical) are also covered. Understanding these threats are paramount in order to properly secure the system. Anderson notes from years of personal experience that many security systems are designed solely to keep the good guys out without thinking of the bad guys. There are two mistakes with this approach -- it only solves a smart part of the problem, and more importantly, the bad guys do not follow the rules. Bruce Schneier likens this approach to security as putting a pole in front of your house and hoping the attacker runs into the pole. The reality is that the adversary will simply go around the pole. While many of the chapter topics may sound unexciting, Anderson has a wonderful writing style and at times reads almost like a Tom Clancy thriller with its details of military command and control systems and other similar topics. Anyone responsible for information security should read Security Engineering.
|
Security Engineering: A Guide to Building Dependable Distributed Systems
List Price: $75.00
Available from Amazon
Price: $56.97
| |
|
|
|
|
