Shostack + Friends Blog Archive

The New School of Information Security

A few days ago, we turned in the very last edits to The New School of Information Security to Addison-Wesley.

My co-author, Andrew Stewart, and I are both really excited. The New School is a systemic look at dysfunction within information security, and a look at some of the ways people are looking to make things better. We think there’s an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn’t just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new sources of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

Incidentally, this isn’t an official project for either of us. (We wouldn’t want anyone to get confused about who gets the credit or blame.)

10 comments on "The New School of Information Security"

  • Pedro says:

    “We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn’t just fixed them”
    Spam doesn’t represent a threat to an organisation’s information assets – it’s merely an annoyance to the workforce and a drain on IT resources. Statements like this only perpetuate the muddled line of thinking that confuses Information security with IT Security (hint: they’re different!).

  • Perplexed says:

    Pedro – it says “issue” not “threat”. Perhaps you should buy the book and see what it says before passing judgement 🙂

  • rob sama says:

    Thank you for the clarification, Napoleon Dynamite’s friend.
    Congratulations Adam (and Andrew)!

  • janice says:

    Can’t wait for it to hit ‘available’ status at bookstores here in Canada. Congratulations, Adam!

  • Pedro says:

    I’m planning to buy the book, it should be a good read. This is one of only two or three ‘blogs’ I visit and I respect the authors.
    It just irritates me when I read references to spam (and such like) in InfoSec publications when it hasn’t anything to do with InfoSec. I reckon we’d make much better progress towards ITSec and InfoSec if the IT/ITSec/InfoSec/CorpGov industries could sort out their nomenclature and focus on tackling problems within their remit.
    In any field of the security arena, should something be considered an issue if it isn’t a threat? Aren’t the issues security is supposed to manage all threats?

  • CJ says:

    “In any field of the security arena, should something be considered an issue if it isn’t a threat? Aren’t the issues security is supposed to manage all threats?”
    Surely it must. It lowers the bar for targeted phishing lures, which can enable all sorts of badness targeting your information, or in my case, critical infrastructure.
    Dealing with the spam problem isn’t that hard – just politically damning in today’s environment. Case in point, walk into any bank with a ski mask and watch what happens.

  • Adam says:

    I don’t really want to rathole on the question of “is spam an issue,” but spam affects availability and integrity of email service, by overwhelming systems, and requiring filters, which are imperfect.

  • jayskew says:

    Arbitrary lines between job descriptions that permit some of them to ignore a problem like spam that has effects across all of them and has made many people completely abandon electronic mail seems to me part of the problem.

  • jamsler says:

    Congratulations! Looking forward to your always original thinking on the security issue. Thanks for offering up some basic, practical ideas.

  • Iang says:

    CJ calls it: Spam is used for phishing. If phishing is a threat, then spam must be part of that.
    It is true that spam without meaningful content (noise) could be just modelled as a threat to governance of the organisation’s assets (time & attention & budget). It’s close, but only an estimation; to say that spam is only noise isn’t sustainable. Spam has been around since whenever, and its existence is proof of its success. That success means someone in your organisation might click on it. Quietly…
    So, it’s a threat, but it might still be an acceptable risk.