Beautiful Security
Beautiful Security: Leading Security Experts Explain How They Think
O'Reilly Media, Inc Copyright 2009
Andy Oram & John Viega
ISBN: 978-0-596-52748-8
This is a compendium of short topics from leading security experts on a variety of subjects. It's interesting that while the technology is cutting edge, the human factors are at the root of most challenges in security. There were three topics which were most interesting to me which I'll focus on in this review. They are Psychological Security Traps; Securing Online Advertising: Rustlers and Sheriffs in the New Wild West; and Oh No, Here Come the Infosecurity Lawyers.
Psychological Security Traps talked about 'learned helplessness' for development teams who are given orders from management to support flawed or outdated technologies in the interest of providing applications that were backward compatible for users who chose not to upgrade their technology. There was a strong message from the author that legacy protocols should be sacrificed in favor of the current protocol to achieve and maintain security goals.
Customers and end users who desire security must understand that it requires constant attention to emerging technologies and willingness to invest time, resources, and investment dollars. Another example was provided where switches designed to move packets were designed to fail open rather than closed. Developers were not to write software that could shut down a system and stop the flow of packets. This is a bad strategy from a security standpoint, but developers are often not given a choice to move to a more secure design.
Finally, there was an interesting story about how developers didn't want their software to fail in test and so tended to choose test data that proved their software worked, rather than data that might reveal a flaw.
Beautiful Security Book Review
Beautiful Security is a collection of 16 chapters which are not arranged in any particular scheme. I'm providing a listing of the chapters as it will give the potential reader an idea of what makes up Beautiful Security:
1) Psychological Security Traps - Peiter "Mudge" Zatko
2) Wireless Networking: Fertile Ground for Social Engineering - Jim Stickley
3) Beautiful Security Metrics - Elizabeth A. Nichols
4) The Underground Economy of Security Breaches - Chenxi Wang
5) Beautiful Trade: Rethinking e-Commerce Security - Ed Bellis
6) Securing Online Advertising: Rustlers and Sheriffs in the New Wild West - Benjamin Edelman
7) The Evolution of PGP's Web of Trust - Phil Zimmermann and Jon Callas
8) Open Source Honeyclient: Proactive Detection of Client-Side Exploits - Kathy Wang
9) Tomorrow's Security Cogs and Levers - Mark Curphey
10) Security by Design - John McManus
11) Forcing Firms to Focus: Is Secure Software in Your Future? - James Routh
12) Oh No, Here Come the Infosecurity Lawyers! - Randy Sabett
13) Beautiful Log Handling - Anton Chuvakin
14) Incident Detection: Finding the Other 68% - Grant Geyer and Brian Dunphy
15) Doing Real Work Without Real Data - Peter Wayner
16) Casting Spells: PC Security Theater - Michael Wood and Fernando Francisco
Each of the 16 chapters is well-written, organized and well articulated. For this reader, chapters 1, 3, 6, 13, and 14 were particularly noteworthy (13 & 14 are best read in continuum). Other readers will likely choose a different subset of favorites.
In chapter 1, Peiter "Mudge" Zatko's observation that most entities think of security as a sunk cost, and that this will likely lead to inadequate and expensive implementation, is compelling. His view of security as a realized by-product of focused and streamlined enterprise systems is shared by this reader.
Elizabeth A. Nichols's analogy of medical history to a security history in chapter 3 is of interest. She lists a series of high-level questions to aid in characterizing an organization's IT asset protection mechanisms. She then provides a couple of examples, Barings and TJX, with more time spent on TJX, it being "the biggest case of payment card theft ever recorded (as of 2008)". Technical lapses are presented, and these reiterate to the reader that basic security measures are fundamentally important. Poor configuration management, monitoring, patch management, and password protection are common themes throughout the TJX case.
Chapter 6, Securing Online Advertising: Rustlers and Sheriffs in the New Wild West by Benjamin Edelman, provides some great reading on some of the culprits. If exploit-laden banner ads, malvertisements, deceptive advertisements, and false impressions are your cup of tea, then this chapter is for you.
Chapters 13 and 14, Beautiful Log Handling by Anton Chuvakin and Incident Detection: Finding the Other 68% by Grant Geyer and Brian Dunphy, complement each other. Chuvakin stresses the management of logs and their importance in investigative, regulatory, and governance matters. Geyer and Dunphy, with their experience at Symantec's Managed Security Services, focus on improving what you get out of these logs. To Anton, "logs equal accountability". To Grant and Brian, logs are building blocks in a resilient detection model.
Overall, Beautiful Security is a recommended read for those interested in a wider range of security subject matter than most books, which tend to be topic specific. It is a collection of authors including doctors, chief technology officers, and security experts, and even though I mentioned some chapters as favorites, this should not lead the reader to exclude any one of the 16 contained within.
You can buy the book from Amazon.com.