Zen and the
The book is written for naive computer users with limited prior knowledge of information security, although part of chapter 3 and most of chapter 4 speak to corporate information security managers. Readers familiar with Ira’s previous books (Corporate Espionage and Spies Among Us) will probably recognize the style and examples.
Ira avoids technical descriptions of information security risks and controls, and with them the technical jargon common in other infosec books. On the whole, he sticks to non-technical attack methods (such as social engineering) and defenses, with barely a mention of network hacking and malware.
The subject matter is essentially the same as in Ira’s previous books, so it could be said that this is another rehash of those. However, Ira has made a conscious decision to write a more succinct and high-level book, to make the topic more accessible to the layman who is less likely to have read the previous books.
“Risk” is a central theme throughout the book. Ira takes the trouble to explain information security risk concepts in reasonable depth early in the book, although I have some issues with the proposed application of those same concepts to investment decisions (i.e. financial risks).
Given the stated intent to write a short book on such a complex technical subject, the writing is necessarily quite superficial in places, frequently glossing over the realities and thus giving the impression that ‘security is just a matter of doing X then Y’. On the other hand, as in Ira’s other books, the unstoppable nature of genuine spies is emphasized.
As with other Syngress books I have reviewed, there are symptoms of shoddy editing such as gross spelling mistakes and grammatical errors. The phrasing is repetitious, for example excessive use of “Again,” to start sentences. The author’s blatant digs at negative review comments on his previous books may be heartfelt but are rather unprofessional and hardly enhance the present book.
A thread throughout the book is that simple security controls are good enough to stop most threats. The Zen in the title appears to refer to martial arts rather than Eastern philosophies, and is used in the context of explaining that there is no need to be a ‘black belt’ information security expert to be effective. There is some merit in the argument, in the same way that basic first aid techniques can help save lives. Personally, however, I wouldn’t take the argument quite so far as to suggest that there is no need for trained professional medics.
In several places, Ira refers to his ‘golden rule’, a version of the Pareto principle (known as ‘the 80/20 rule’), namely that 5% of the effort will achieve 95% of the results. Unfortunately, this is simply an assertion that stretches an already vague rule-of-thumb too far, in my opinion; whether it is stretched for creative impact or because the author genuinely believes it is unclear, but doesn’t really matter. It is particularly misleading in the security context because of the asymmetry of effort between attackers (who may only need to exploit a single vulnerability) and defenders (who must defend all points of potential compromise and avoid introducing accidental vulnerabilities at the same time). Perhaps Ira’s penetration testing background leads him to underestimate the problems of defense?
A few technical inaccuracies caught my eye, some of which I could put down to the book’s rather superficial coverage but others appear to be genuine misunderstandings by the author.
Ira states categorically that security controls address vulnerabilities, not threats or ‘value’ (more usually termed ‘impacts’): this is simply wrong. It is certainly possible, for instance, for an organization to adjust the nature of its business to avoid or deal with certain threats (e.g. buying out or paying off competitors is one way to resolve patent disputes), and controls such as incident management/response procedures, backups and contingency plans are expressly designed to minimize the impacts of security incidents.
The cost-benefit analysis (pages 40-41) and budgeting/return on investment section (page 47) are quite naive. Rather than explain and develop the basic ideas into something meaningful and useful, Ira resorts to advising readers to ‘approach Risk Optimization on a micro level’ (page 40), then presents a garbled example relating weak passwords to the cumulative cost of password resets to justify investment in a Single Sign On tool.
In several places, the author makes disparaging remarks about script kiddies, fair enough, but he is also dismissive of skilled hackers. I find this attitude troubling since hackers can be worthy adversaries of even the best and most resourceful information security managers. There are far too many incidents to dismiss all hackers out of hand, therefore it would be foolhardy to discount hacking risks.
There are no formal references in the book, meaning no acknowledgment or discussion of the wider field of study and no obvious places for the interested reader to get more information. This is a shame if the book whets the appetite of its intended audience.
If you have no background in information security, this book makes an interesting introduction to the issues but falls short on useful advice. If you have read the author’s previous books, you are unlikely to learn anything new.
Copyright © 2012 IsecT Ltd.