
Tuesday, July 17, 2012

Book Review: “UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence” by Richard Stiennon

This is not a book for everybody (and your grandmother probably does not need to read it; neither does an average IT professional). However, I think that this book is pure gold for those tasked with interacting with analyst firms.

I am an analyst, and I wish every vendor client read this book and followed some of the advice given there. It would reduce pain on both sides of the conversation, as well as make the interactions more valuable for – again! - both sides.

Obviously, this is not a book to guarantee your IT product a favorable placement in analyst research. It is also not a book on how to bamboozle the analysts, despite its focus on analyst influence. However, it is definitely a book to make sure that well deserving products, developed and marketed by good teams of people, don't get sidelined.

Some of the specifics that I liked include the influence pyramid concept, social media techniques, a careful approach to managing corporate Wikipedia entries, specific approaches to various analyst activities (such as calls, reports, advisory days and conferences), etc. My favorite sections (both fun to read as well as insightful!) are the one on “guerrilla tactics” and the obligatory “what not to do” chapter (the latter has a few sad case studies of IT vendors who screwed themselves up). Another great chapter covers the role of a vendor sales team in both helping the interaction with the analyst firm and avoiding some embarrassing mistakes.

In fact, this book makes me proud to be an analyst. Then again, maybe it is my ego talking as the book seems to project an impression that “an analyst is the most important person in the world“, at least as far as IT vendors are concerned.

Finally, if you are an IT vendor marketer, remember: when you say “holistic,” some analysts think “imaginary.” Richard suggests scrubbing your presentations of silly, meaningless words like “synergy” and “holistic.”

Friday, May 18, 2012

Book Review: “Security De-Engineering: Solving the Problems in Information Risk Management” by Ian Tibble

This book is probably the most thought-provoking book on security I have read in the last 5-7 years! While I'm somewhat known for my proclivity to exaggerate, I assure you this is not an exaggeration. As I was reading it, I felt like I connected to deep layers of the subconsciousness of the security industry.
In fact, the influence this book has already had on me is palpable: I found myself using some of its terms (such as the author’s favorites, “intellectual capital” and “CASE”) and concepts the day after I started reading it.

As a brief summary, the book investigates the evolution of the way we do information security from the “hacker-led” late 1990s to the “compliance-heavy” late 2000s and today. The author also highlights dramatic problems with today's approach to security and suggests some solutions in the way people think and operate around security.

In fact, it might be one of the most influential books ever written in the history of the security industry - the one that appeared at the best possible time, when it is most needed. Along the same line, I have grown worried about the ranks of security professionals who are not hands-on with technology and who have never secured production systems. Like the author, I've grown frustrated with the ranks of idiots who equate compliance and security. Even the author’s rant about ethics is something I've been thinking about for years.

The author slaughters a few of the sacred cows of the security industry: the one that “executives are clueless” and the one that we “must have reliable actuarial data on incidents to stay relevant.” He also highlights a few categories of security products which are notorious for not delivering value and explains the reasons for that. Most of his points are backed up by specific cases from his experience, going back to the end of the 1990s when the security industry was born.

And, of course, as with any thought-provoking writing, I cannot say I agree with every word I read. For example, I am much less negative on the vulnerability assessment technology than the author (I don't think they give you 50% “false negatives” on common platforms today). Furthermore, I abhor the use (misuse, really) of “ROI” for justifying security spending. Style-wise, the author is a little too fond of repetitions to my taste. However, having a summary after each chapter is a great idea.

Finally, despite the unreasonably high price, I feel that every member of the security community MUST read this book. Literally every chapter will have insights that will make you a better security professional today.

Monday, January 10, 2011

Book Review: “Security Information and Event Management (SIEM) Implementation”

Here is my review for “Security Information and Event Management (SIEM) Implementation” by David Miller, Shon Harris, Allen Harper, Stephen VanDyke and Chris Blask. It has just been published to Amazon as 4 stars out of 5.

I was looking forward to reading this book for a few months – pretty much since the time I heard that it was being written. Obviously, I was very excited when it arrived in my mailbox. Now that I am done reading it, I can say it left a mixed impression. Mostly positive – but still mixed. I definitely enjoyed reading it, despite (or maybe due to) the fact that I’ve been involved with SIEM for nearly 10 years.
Let me first go through all the chapters and then give my overall impression. The book is organized in three big parts: “introduction to SIEM: threat intelligence for IT systems”, “IT threat intelligence using SIEM systems” and “SIEM tools.”
Chapter 1 covers security basics with minimal connections to SIEM. It is a somewhat over-simplified refresher of what information security is about.
Chapter 2 can be summarized using the quote from the chapter itself: “the bad things that could happen.” It contains another refresher on attacks, somewhat jumbled and somewhat dated. We’re not really touching SIEM yet at this point.
Chapter 3 has the authors’ view of regulatory compliance: the usual suspects are mentioned – PCI DSS, HIPAA, FISMA, SB1386, SOX, GLBA, etc. HIPAA is not misspelled, which counts as good news :-)
Chapter 4 has a bizarre name: “SIEM concepts: components for small and medium-sized businesses.” It contains an overview of SIEM with little focus on SMB. It is mildly confusing (for example, it calls LogRhythm “a commercial syslog server”). It contains a few outright mistakes as well (like a mention of one log management vendor whose application reportedly covers ”all 228 PCI controls”). The chapter tries to talk about everything (yes, even GRC) and makes a very weak impression.
Chapter 5 looks like a twin of the previous chapter. It also contains an overview of SIEM, but a different one – a better one, in fact. These two chapters don’t contradict each other much, but their joint presence in the book is mysterious and somewhat confusing.
Chapter 6 is a sudden break from SIEM into incident response. It does contain a few useful – but high-level – flow charts for incident response. I doubt that it was written by somebody who did much incident response, however.
Chapter 7 is both a curse and a blessing. I loved the ideas in the chapter – using SIEM for BI – but I hated the fact that its author didn’t even bother to check what “SIEM” abbreviation stands for (see page 116)…
Chapter 8 and Chapter 9 are about OSSIM/AlienVault. Of all the SIEM product chapters below, these are the weakest and the least useful. They offer little practical guidance and miss – yes, really! – most of the details you’d need to know before deploying OSSIM in production. I was especially annoyed by the “screenshot - three lines of text - screenshot - three lines of text…” model that most of Ch 8 and Ch 9 follow. It makes pages 152-166 just wasted paper. Ch 9 tries to be a bit more useful (it has two case studies), but collapses under the load of too many screenshots as well.
Chapter 10 and Chapter 11 talk about Cisco MARS. Since nobody cares about MARS anymore, I won’t be reviewing them here.
Chapter 12 and Chapter 13 cover Q1Labs SIEM. Unlike the above, these are actually useful for practical architecture planning of QRadar deployments. These chapters also contain useful SIEM insights – still, even these can benefit from more real-world tuning tips. The case study in Ch13 is useful as well. If you are thinking of getting a Q1Labs SIEM, grab the book to quickly review what you will encounter when you get the product.
Finally, Chapter 14 and Chapter 15 cover ArcSight SIEM. Despite minor mistakes and a “vendor whitepaper feel,” the chapters would be handy for people in the early stages of selecting, reviewing and deploying ArcSight SIEM. The chapters suffer a bit from trying to duplicate the product help – you’re more likely to learn how to patch ArcSight than how to use it well. Sadly, no case studies are included in these chapters.
Overall, the book has unfortunate signs of being written by a team of authors who didn’t talk to each other. Despite the promises of implementation guidance, it leaves some of the very complex SIEM issues untouched – and even unmentioned. There are very few case studies (some good ones are stashed in the appendix for some weird reason) and few tips and tricks for real-world SIEM implementation. Also, it is much stronger on the “what” than on the “how.” Still, I suggest that people buying, using and building SIEM products get their own copy and read at least a few chapters relevant to them. You will likely not be disappointed.

Saturday, February 20, 2010

Book Review “Cloud Security and Privacy”

Amazon just posted my review for “Cloud Security and Privacy” by Tim Mather, Subra Kumaraswamy and Shahed Latif.

It is reposted below for posterity – and my esteemed blog readers :-)

It goes without saying that I was very excited to pick up the first book on cloud security and privacy. Due to my Cloud Security Alliance (CSA) involvement, I was extremely interested in Tim’s take on the subject. The book is indeed a comprehensive treatise on everything cloud, and everything cloud security. The author team covers the topics based on IaaS/PaaS/SaaS (SPI) for infrastructure, platform, and software as a service model. They address stored data confidentiality, cloud provider operations, identity and access management in the cloud, availability management as well as privacy. My favorite chapter was of course the one on audit and compliance - chapter 8. Another fun chapter was chapter 12 on conclusions and the future of the cloud (which is, BTW, all but assured…).

One of the most important things I picked up from the book was a very structured view of the separation of security responsibilities between the cloud provider and the customer for all of the SPI scenarios. This alone probably justifies getting your own copy.

As far as technical content goes, the book stays fairly high-level, even though it touches on the details of SAML and other authentication protocols.

The only downside of the book is its extremely dry writing style. There are only a few examples and case studies. Following the “just the facts” model sometimes might lead the reader towards losing interest, no matter how important the subject is – and this subject is pretty darn important. To put this in context, I do read security books for fun, not only for work.

Enjoy the book!


Friday, November 06, 2009

Book Review: “The myths of Security” by John Viega

My review for “The Myths of Security” by John Viega has been posted to Amazon; I gave it 4 out of 5 stars.

Think about this book as a printed collection of blog posts – some a dozen pages, some half a page. John’s essays – all 48 of them - read like a typical blog: fun views on hot subjects, controversial opinions, new ideas for the future, dispelled myths, cool technology ideas, etc. I definitely enjoyed reading the book, even if most of the material was at least somewhat familiar to me.

For starters, this was the first time that I have seen a book written by somebody employed by a major antivirus company who would agree that antivirus solutions don't work too well and slow down systems. It was very impressive to read that the author himself does not use an antivirus solution and didn’t even use one when he was in charge of building one! (Understandably, he does recommend that consumers use one on their systems.)

The following are some of my fave chapter highlights. “Security: Nobody Cares” is one of my favorites; it covers why people, on average, don’t care about information security. His analysis matches that of some other industry thinkers, but it is presented well in the book.

I also enjoyed his thinking about why a Microsoft antivirus solution would never pick up and never present a threat to the big AV vendors. In his opinion, most people do not trust Microsoft as a security brand. He thinks that customers would always go to a security specialist and not to MS for antivirus tools, even if such a specialist is located in Russia or the Czech Republic. Also, it looks like the 30% success ratio for antivirus solutions is pretty much a commonly accepted number nowadays; it is mentioned in the book more than a few times.

One chapter that made me angry was chapter 7 on Google. He basically makes the insinuation that Google in particular and pay-per-click advertising in general motivate people to hack into systems; a view as illogical as it is silly.

In chapter 26, John has an interesting idea for a Social Security number replacement scheme. Many other chapters contain ideas for improving major parts of security technology, even if in some cases the author has to disclaim them with his disbelief about their implementation potential.

It is quite interesting that in chapter 28 John dispelled the myth that including security early in the application design is cheaper. Compared to ignoring the problem until you get notice from customers, it is certainly more expensive. He touches most other known security industry “pain points” such as vulnerability disclosure. He proposes to replace “responsible disclosure” with a new scheme that, from my view, looked kinda similar: less dangerous for the world at large but less motivating to software vendors. He also discusses whether disclosing vulnerabilities reduces or increases the risk for consumers (in his view, it seems to increase it).

Closer to the end of the book, the chapters get shorter and shorter. For example, chapter 42 ends up being half a page in length. It pretty much states that he would sacrifice some privacy for more functionality and so would most others, which seems to be a very popular view nowadays.

I was very happy to find that he devoted an entire chapter - 2 pages in length - to criticizing academic security research (one of my pet peeves!). He says “lots of academics are reinventing what the security industry has been doing for years.” [They are also reinventing a lot of “epic FAIL”, proven to not work.] The book also mentions that there is nowhere near enough data sharing between the security industry, where the problems are, and academia, where - supposedly - the brains are.

Other reviewers have pointed out that it is not clear what the audience for the book is. Many of the chapters seem written for the “curious consumer” while others are clearly intended for security practitioners or even security managers and imply a degree of IT industry savvy.

Finally, I have to say that multiple mentions of McAfee did not annoy me at all. I fully realize that if somebody employed by the vendor criticizes the very livelihood of that vendor (classic signature AV, in this case), you must throw your employer a major bone. You absolutely have to mention your employer positively to counterbalance the criticism and he does – in many chapters.

To conclude, I read books on information security for fun. This book was a lot of fun to read, even if I did not agree with some of his opinions. It is well-written, has a light writing style and touches most if not all controversial issues in security; the book also has a lot of fun, novel ideas for the future to think about.

Monday, October 19, 2009

Book Review: “Into the Breach”

“Into the breach” by Michael Santarcangelo is actually a fun read; it seems to be a useful book on security for management. It is non-technical by design since it is about the people side of security. In fact, he presents security itself as “a human issue.”

One of my favorite sections in Part 1 reminds us that many policy violations happen because people just want to do their jobs better (the author also claims that people “want to do the right thing” if such a choice is easy enough). I loved the “compliance is not a video game” theme, where your faults do not have real-world consequences, as well as the “security as something inflicted upon the organization” and “security as a crash diet” themes. What is also interesting is that the book seeks to solve one of the key problems of “what is risky?” vs “what is only perceived as risky?”

The main part of the book is Part 2, where the author’s “strategy to protect information” is unveiled. The author then goes into some level of detail on how to implement the strategy (run a pilot, “build a flywheel”, etc).

On the negative side, I was saddened that Michael succumbed to a popular insider myth (on page 11 – “70% of attacks are by insiders”) while trying to dispel another security myth. That is the risk anybody runs while quoting too many questionable surveys. Also, the book sounds too fluffy at times (e.g. the strategy is “understand-engage-optimize”, frequent advice to “be effective”, etc), but does seem to convey its message pretty well.

Overall, if you are managing security on a high level, or manage IT or even the whole business, read this book. It is short enough that such people will read it and get the ideas! If you are a security pro and can handle a non-technical volume, grab it as well and keep in mind that this is a management book. After reading it, please give it to your manager!


Wednesday, September 30, 2009

Book Review “Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century”

“There is no spoon.”

“Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century” by Ryan Trost – but not really (it is claimed to contain contributions by five other folks, but the exact chapters they wrote are unknown) – is not a book: it is a collection of papers about security and intrusion detection. The book bears unfortunate, but noticeable, signs of being written by multiple people who didn't talk to each other much.

I just finished reading the book and I can say I enjoyed it. It does have interesting ideas peppered in some places. Overall presentation consistency, however, is not lacking – it is absent. Also, the book is not terribly practical if you define practice as “protection of systems and networks from attacks.” Many chapters are shallow and make the impression of being added to get the book to the 450-page threshold.

So, some chapters are fun and insightful (“Geospatial ID”, “Physical IDS”, the sections on signature tuning), some are funny (example: one chapter talks about SIEM, SIM and SEM, but errs about what the “M” in those stands for… seriously!) and some are sad (example: the one that mentions IDMEF), while others are very shallow (“Wireless IDS/IPS”). The chapter on ROI made me fall under my desk; I experienced an actual, literal ROFL – more on this below.

Here are some of the highlights. Ch3 has a lot of useful Bro NIDS tips; if you have never used Bro in production, give it a try. In Ch4, I liked the vulnerability-based signature definition workflow, which takes into account sig performance tuning. Ch5 was written by an academic who doesn’t get out much; it works great if you want to really know what the word “befuddled” means (it also mentioned IDMEF for extra punch :-)). Ch6 is fine if you never dealt with network flows; not a bad intro. Ch7 is a very shallow intro to web application firewalls, while Ch8 is the same for wireless IDS/IPS. Ch9 deals with physical security and I loved it; such information rarely shows up in IT books and it was great to learn it. Ch10, which deals with geospatial intrusion detection, is another good one; the approach looks a bit weird (example: all events with a source address close to a company facility are considered “false positives”…). Ch11 on visualization mentions all the right books on the subject, but then chooses to make itself a bad comparison to them.

Now, Ch12 (“Return on Investment: Business Justification”) is pure freakshow; I have not laughed that hard for a few months at least. After I had a chance to think about it, I realized that maybe it was intended for humorous relief since it is the last chapter. Also, I am proud to be mentioned there (on page 404 – is this numerologically significant? :-)). In any case, the work computes the precise ROI for any IDS system, like this:

Gain [IDS] from investment = ALE = SBE x ARO = $517,580

SBE comes from 2007 (!) CSI survey data, SBE = $345,005. ARO comes from risk probability x expected number of incidents = 0.46 x 3.2 = 1.5. IDS is assumed to prevent all breaches (!), for computational simplicity, I am sure. … Anyhow, you get the drift.

Overall, if you want a moderately interesting security read with some good ideas, get it. If you are looking for information on practical intrusion analysis in whatever century, skip it.

Finally, Addison-Wesley provided me with a review copy.


Saturday, August 08, 2009

Book Review “Chained Exploits”

As you might guess, I often read security books for fun, not for solving a particular technical problem. So I approached “Chained Exploits” by Andrew Whitaker, et al. with that filter in mind. The book worked just fine for that purpose – it is well-written and has a story line, while covering enough technical details to be educational (for those who are reading it to learn about security and not just for fun). It covers the exploits of a malicious hacker, “Phoenix,” who fulfills the assignments of some underground criminal mastermind and sometimes just goes and 0wns somebody on his own. Obviously, the book does not cut it as “fiction” since it has actual commands, configuration, etc.

The book is not about a new cutting-edge technique or an “oh-day”; its main goal is to actually tie “that security stuff” together for folks who are not skilled with it yet. IMHO, IT folks getting into security will benefit from it the most. If you 0wn boxes for fun and profit, you will not learn anything fundamentally new about security, but likely will have fun in the process. Think about it as “Life-like Security Horror Stories” or realistic scenarios. Still, these are a bunch of good stories of how mundane, “uncool” attacks tie together to achieve some rampant 0wnage, like having people at a hospital almost die as a result of one particular scenario…

Each story covers the motivation and goals of the attack, the planning stage, sometimes failed attempts (and why they fail), tool selection and some guidance on tool use. Then it explains what happens and finally covers countermeasures that could have stopped it.

The book bears unfortunate, but noticeable signs of being written by multiple people who didn’t talk to each other much.

Finally, the name (“Chained Exploits”) at first turned me away from the book; I thought it was kinda silly. Now I suspect that it will attract some folks to the book.

Recommendation: definitely worth a read if you are new to security, especially if moving from IT. Useful for students in computer science classes to get motivated about security. Also useful for technical management to learn what is not just possible, but very real. Finally, useful for security folks – as a fun read – and also as a reminder about things in their own (still their own, not 0wned…) environments.


Sunday, May 31, 2009

Book Review “Beautiful Security”

As I mentioned before, I just had to celebrate the release of this awesome security book “Beautiful Security” from O’Reilly, which I just finished reading.


Now, I will probably have a high opinion of my own chapter (“Beautiful Log Handling”) since it took some work (eh… and one complete rewrite :-)) to create (this is why people LOVE O’Reilly books!!). However, I am just about as excited about the rest of the chapters in the book.

Namely:

  1. Psychological Security Traps  by Mudge: awesome chapter with some fun ideas. Must read.

  2. Wireless Networking: Fertile Ground for Social Engineering

  3. Beautiful Security Metrics by Betsy Nichols: if you are “a metrician”, there won’t be anything new (apart from her interesting medical research analogy); otherwise, a MUST read!

  4. The Underground Economy of Security Breaches: not a bad, even if a bit dated, review of underground economics.

  5. Beautiful Trade: Rethinking E-Commerce Security by Ed Bellis: this is one of the 2 chapters that I like more than my own (and that is coming from a fairly egotistic person ;-)); this has lots of visionary ideas on payment security.

  6. Securing Online Advertising: Rustlers and Sheriffs in the New Wild West by Ben Edelman: this one is a fascinating read about attacks by and on online advertising. Definitely both enjoyable and insightful.

  7. The Evolution of PGP’s Web of Trust

  8. Open Source Honeyclient: Proactive Detection of Client-Side Exploits: a good read for those not familiar with “client honeypots” or “honeyclients”

  9. Tomorrow’s Security Cogs and Levers by Mark Curphey: this chapter exudes pure awesomeness and is the best in the book; I have read it three times already and plan to read it a few more. A quick preview of what is in the chapter is here on Mark’s blog. Sorry that it sounds cliché, but this chapter definitely stimulates new, beautiful ways of “thinking security”!!

  10. Security by Design by John McManus: a very good chapter that mixes NASA, security and software design. Read it and learn from it.

  11. Forcing Firms to Focus: Is Secure Software in Your Future? by Jim Routh: great chapter that describes one company’s battle for securing software (first its own and then 3rd party).

  12. Oh No, Here Come the Infosecurity Lawyers: way too much ROI and ROSI to my taste; also has ALE horror. Killed all the fun for me.

  13. Beautiful Log Handling by Anton Chuvakin: eh… make your own opinion here :-)

  14. Incident Detection: Finding the Other 68% by Grant Geyer: good old data correlation of IDS alerts, logs and other information is covered in this well-written chapter.

  15. Doing Real Work Without Real Data

  16. Casting Spells: PC Security Theater: this chapter was sad, as was the fact that it was the last one. It was a sad piece of misdirected marketing that should have no place in O’Reilly books, IMHO.

Overall, this was BY FAR the most insightful and enjoyable security book that I’ve read in a long time!

BTW, authors of this book are not getting paid, but feel free to grab your own copy at Amazon or elsewhere.


Friday, March 27, 2009

Book Review: "Googling Security: How Much Does Google Know About You?" by Greg Conti

I just reviewed "Googling Security: How Much Does Google Know About You?" by Greg Conti and gave it 3 out of 5 Amazon stars. Here is the review, also posted here:

Fails to Scare A Paranoid

I think the book has good information and I enjoyed reading it. However, as I was reading the book, I developed an impression that this was a book meant to scare the reader into some kinda behavior change. In other words, I felt that the book was written to highlight the risks, to explain why giving somebody so much information about your online activities is a risky, bad thing, and that you should do something differently.

Despite the fact that I enjoyed the book, I think this is where it fails. As somebody who works in security, I consider myself to be pretty paranoid, but the book failed even to scare me! After reading it, I did not become afraid of Google at all. The author highlights some of the presumed risks, but he fails to present scenarios that make the dangers come alive; instead, he makes vague statements ("you know, it can be pretty bad"). So he ends up with a “non-scary Scary Tale.”

For example, when talking about ads, and especially targeted ads, the book suggests that such consumer profiling is scary, but doesn't explain how and why.

To conclude: the book presents a good story of how much Google knows about you, but my impression was that the risks are not made to be scary enough and few resulting behavior changes are suggested. It goes a little like this at times: “OMG, you CAN be hit by a car if you cross the street!” A couple of times while reading it I thought that “you have no privacy, get over it” trumps what's written in the book...

Thursday, November 20, 2008

Raffy’s Visualization Book

Here is my long-overdue book review for “Applied Security Visualization” by Raffy Marty.

First, here is what my early endorsement for the book said (can be found on the inside cover of the book):

“Amazingly useful (and fun to read!) book that does justice to this somewhat esoteric subject - and this is coming from a long-time visualization skeptic! What is most impressive is that this book is actually ‘hands-on useful,’ not conceptual, with examples usable by readers in their daily jobs. Chapter 8 on insiders is my favorite!”

What else do I think of the book, apart from the fact that it is awesome? :-)

First, I have to admit that I used to argue with Raffy about the usefulness of visualization. I was burned by having to look at bad “visualization” tools and would take an ugly, meaningful table over an ugly, meaningless picture any day now. Thus, I was a visualization skeptic. But you know what? The book does justice to visualization really well, and it explains when to use it and when not to use it.

The book gives just the right amount of visualization theory, which is not onerous to read at all (unlike some other books), as well as other visualization basics. The fun starts at Chapter 4, where he covers the process from data to useful pictures. This actually explains why some visualizations are useful and some are not; if you just jam data into a graphing program, there is a good chance that it would not be too useful. If you follow the ideas from Ch4, it is more likely to be useful.

Ch5 and 6 cover network data analysis: logs, packets, flows. This is what most people usually try to visualize; this book goes beyond “worms and scans” into nice visuals of email traffic, wireless and even vulnerability data (I found the latter slightly confusing). Ch7 covers “compliance”, which, in this case, covers all sorts of fun things, from risk assessment to database log visualization. As I said, Ch8 is my favorite: I agree that insider tracking MAY be the area where visualization tools and approaches beat others. In Ch9, the book covers a few visualization tools; obviously, including the author’s AfterGlow.

So, to summarize, get the book if you have any connection to security AND data analysis. In fact, it is very likely that if you are doing security, you’d have to do data analysis at some point and so will benefit from reading the book. And, yes, it does come with a CD full of visualization tools (DAVIX).

BTW, I am posting it at Amazon as well.

Monday, September 03, 2007

"PCI Compliance" Book Slashdotted....

"PCI Compliance" book slashdotted... A lot of really stupid comments on the thread that follows the review; many folks somehow thought this is a book about the hardware PCI cards ;-) Ooops!

Saturday, January 27, 2007

Book Review: “Understanding Voice over IP Security”

Book Review: “Understanding Voice over IP Security” by Dave Piscitello and Alan Johnston

Now, VOIP security has been talked about for a few years; it started even before organizations started to deploy VOIP in greater numbers. Many folks like to say that “VOIP security is a disaster,” but usually they don’t explain how or why.

Dave Piscitello does. In his excellent book “Understanding Voice over IP Security” he provides excellent coverage of both VOIP technology basics and internet security fundamentals (which are admittedly more useful to security beginners). Then he fuses the above information into a comprehensive coverage of VOIP security issues, from protocols to call fraud.

VOIP and NAT? Security analysis of SIP protocol? VOIP and honeypots? PSTN gateway security? Public VOIP vs private VOIP? Is VOIP spam inevitable? Yes, all those and much much more are covered in the book.

On the negative side, I had to skip through some of the security basics (yes, even a castle metaphor is there…), but I am conscious of the fact that such content is indeed useful to people with a networking background. At the same time, some of the esoterica of phone networks was completely new to me and thus exciting to read.

I enjoyed the book; I liked that it is written to be useful to both security folks – who need to learn about VOIP – and network folks – who often need to acquire a better security education.

Dr Anton Chuvakin