Thinking Security: Stopping Next Year's Hackers (Addison-Wesley Professional Computing Series) 1st Edition, Kindle Edition
If you’re a security or network professional, you already know the “do’s and don’ts”: run AV software and firewalls, lock down your systems, use encryption, watch network traffic, follow best practices, hire expensive consultants . . . but it isn’t working. You’re at greater risk than ever, and even the world’s most security-focused organizations are being victimized by massive attacks.
In Thinking Security, author Steven M. Bellovin provides a new way to think about security. As one of the world’s most respected security experts, Bellovin helps you gain new clarity about what you’re doing and why you’re doing it. He helps you understand security as a systems problem, including the role of the all-important human element, and shows you how to match your countermeasures to actual threats. You’ll learn how to move beyond last year’s checklists at a time when technology is changing so rapidly.
You’ll also understand how to design security architectures that don’t just prevent attacks wherever possible, but also deal with the consequences of failures. And, within the context of your coherent architecture, you’ll learn how to decide when to invest in a new security product and when not to.
Bellovin, co-author of the best-selling Firewalls and Internet Security, caught his first hackers in 1971. Drawing on his deep experience, he shares actionable, up-to-date guidance on issues ranging from SSO and federated authentication to BYOD, virtualization, and cloud security.
Perfect security is impossible. Nevertheless, it’s possible to build and operate security systems far more effectively. Thinking Security will help you do just that.
- ISBN-13: 978-0134277547
- Edition: 1st
- Publisher: Addison-Wesley Professional
- Publication date: December 3, 2015
- Language: English
- File size: 21728 KB
Product details
- ASIN : B018WFEESS
- Publisher : Addison-Wesley Professional; 1st edition (December 3, 2015)
- Publication date : December 3, 2015
- Language : English
- File size : 21728 KB
- Simultaneous device usage : Up to 5 simultaneous devices, per publisher limits
- Text-to-Speech : Enabled
- Screen Reader : Supported
- Enhanced typesetting : Enabled
- X-Ray : Not Enabled
- Word Wise : Not Enabled
- Print length : 648 pages
- Best Sellers Rank: #597,728 in Kindle Store
- #160 in Network Security (Kindle Store)
- #536 in Computer Hacking
- #578 in Computer Networking (Kindle Store)
Customer reviews
- 5 star: 78%
- 4 star: 0%
- 3 star: 22%
- 2 star: 0%
- 1 star: 0%
Top reviews from the United States
- Reviewed in the United States on February 13, 2016: Prof. Bellovin is a well-known IT security expert. His book is quite thought-provoking, very recently published. At times it can seem a bit academic in tone. That's OK for me, as his information is very sound and thoroughly researched. It's a very dense, sometimes tongue-in-cheek narrative. I'm not quite done with reading it my usual twice for books of this nature, but I will. I highly recommend acquiring and reading it, if you work or have responsibilities in the Information Technology Security area. You may not agree with each and every thing he says, but the book will lead you to sit back and reexamine many of the existing IT security "givens," upon which he casts well-deserved criticism. Owing to the publishing cycle, Microsoft's most recent desktop operating system, Windows 10, is not mentioned in the book. I hope there will be a second edition soon.
- Reviewed in the United States on December 4, 2015: As a security practitioner on the "front-lines", I really enjoyed this book. Good coverage of threat modeling, and rational defense tactics and strategy. Most of the focus is on first principles (centralized auditing, logging, authentication, rational cloud storage & VM techniques, practical crypto considerations) which are easy to lose sight of in the trenches. Strongly recommended for students, technology professionals, and security researchers. Really, well done Dr. Bellovin.
- Reviewed in the United States on February 13, 2017: Preliminaries: I requested the book for review from a publisher agent (one year delay for which I deeply apologize).
TL/DR: Computer security practice is in terrible shape. It will remain in terrible shape as long as we fail to heed Thinking Security’s central message: Revisit on a much more frequent basis the assumptions that inform ‘best practices’ security advice, and retool accordingly. The rapid co-evolution of technology and threats demands no less.
Consider the assumptions underlying the advice to pick strong passwords. Suggested by a 1979 Morris-Thompson paper in an era of electromechanical dumb terminals and few logins with no local computational power to speak of, this advice turns out to be spectacularly ineffective in the era of “smart” phones, tablets, dozens of individual credentials stored non-locally, and a 7-8 orders of magnitude increase in computing power. Threats evolved from the essentially tech-exploration hacking of the 1980s (watch “Freedom Downtime” to get a feel for these bygone times) to the current Crimeware-as-a-service model, complete with bulk discounts, auctions, monetization, ticketing, money-back guarantees and help desk. Attackers succeed because they violate assumptions (google “2010 bilar assumption subversion” for a discussion).
Keeping this framing in mind, one goal of Thinking Security is to help diligent practitioners think through the implications of security decisions.
Bellovin tells us to look for the blindspots (“what aren’t you showing me?”) that may skew such decisions. He steers clear of the current quantification absolutism, stating plainly that no reliable numbers for a given component’s trustworthiness exist. Furthermore, should they hypothetically exist, they’d be unlikely to be useful in different contexts. I appreciated his effective “make it easier for programmers to do the right thing than the wrong one” (ESAPI safety wrappers, LANGSEC-based parsers come to mind). The commonsense advice to discuss technical risks in a comprehensible fashion, framing them in terms of effects (“attacker can steal login credentials and we are liable”) rather than vectors (“2nd order MSSQL injection”), is far too often ignored.
Aside from “mindware”, the second goal of "Thinking Security" is teaching architecture design that can deal with failure, illustrated by quasi-realistic hypothetical scenarios in the medical practice, e-commerce and IoT space. A critique of the traditional ‘walls and doors’ paradigm would have benefited from a discussion of Google’s no perimeter zero-trust BeyondCorp model.
In closing, Bellovin mentions that he has yet to see a system analysis that makes explicit the time and threat assumptions. This is a topic near and dear to my heart, and one in which there has been very recently unexpected progress (google “bilar medium attacker work effort”). He furthermore wishes for a magic wand that could fix all of today’s security problems, the wand needing to be kept in motion, continually casting and re-casting spells. In that context, it is a lost opportunity that security and resiliency-oriented workflows like Mozilla’s test-driven CI/CD security and Etsy’s/Netflix’s Chaos Engineering were not brought up.
The book’s stated primary purpose is to teach how to think about change; outlasting, as it were, any specific facts cited. It’s a deep, thinking man’s meta-security treatise which this short review cannot possibly do justice.
Top reviews from other countries
- Squad, reviewed in Germany on October 23, 2016
5.0 out of 5 stars Great book
I find this book very good. It provides a lot of details and ideas on what to consider about most security topics. However, since the book speaks also about tomorrow, I would have liked some words on the role of artificial intelligence in cybersecurity.