Engineering
Trustworthy Systems: Get Cybersecurity Design Right the First Time
“This is the “bible” for cybersecurity, which needs to be
consulted as we struggle to solve this enormous threat to our national
security.”
--John
M. Poindexter, PhD, Former National Security Advisor to President Ronald Reagan
Cybersecurity poses
the leading threat to global commerce, the military, government agencies,
individual privacy, and data integrity for leading institutions. Tens of billions of dollars are spent
annually to build, upgrade, and fix computer networks to withstand terrorism,
hackers, spies, criminals, and corporate espionage. The next generation of cybersecurity
professionals needs to be armed with a comprehensive defense. internationally
recognized cybersecurity expert O. Sami Saydjari has written the authoritative
bible for crafting cutting-edge cybersecurity solutions to defend against even
the most sophisticated attacks, Engineering Trustworthy Systems; Get
Cybersecurity Design Right the First Time (McGraw-Hill, July 2018, 672 pages; Trade Paper, $60, ISBN:
978-1-260-11817-9).
This professional
guide shows, step-by-step, how to design and deploy highly secure systems on
time and within budget. It offers a comprehensive set of objectives and best
practices and shows how to build and maintain powerful, cost-effective
cybersecurity systems. Whether you are a
cyber-emergency responder, manager of information technology, or a red teamer,
tester, accreditor, evaluator or systems designer, you will learn to think
strategically, identify the highest priority risk, and apply advanced
countermeasures that address the entire attack space.
Saydjari has been a
visionary and thought-leader in cybersecurity for thirty-five years, working
for elite organizations and government powers such as NSA, DARPA, the DoD, and NASA. He has published more than a dozen papers in
the field, consulted to national leaders on cybersecurity policy and has been
featured in interviews with major media, including Time, CNN, The Washington Post, PBS, Wall Street Journal, ABC, and The Financial Times. He is the founder and president of Cyber
Defense Agency, a leading cybersecurity consulting firm.
1. What trends are you seeing today when it
comes to the newest threats in cybersecurity? Cyberattacks are becoming more frequent, complex,
sophisticated, purposeful and targeted. The sheer volume of attacks is
increasing exponentially. It is only a
matter of minutes between when a computer is first connected to the network and
the first attack on that computer.
Attacks are now more complex--they employ more steps, and those steps
attack more fundamental layers, such as operating systems. They are more sophisticated--they leverage
knowledge of flaws in systems design and of the defense systems themselves,
steering around and underneath protections. They are more purposeful and
targeted—when they attack, it is to gain some effect, such as ransomware to
gain money, or Stuxnet to destroy centrifuges.
2. Sami, what inspired you to publish Engineering Trustworthy Systems? Cyberattacks pose an existential
threat to our entire society; addressing this problem has been a lifelong
passion of mine. My career has spanned a good portion of the cybersecurity
field. Much of the field grew and evolved as I was learning and applying it.
There are many good books on particular aspects of cybersecurity, but there are
none that really address the problem holistically, practically, and in an
organized manner that starts with a foundational understanding of the problem.
I feel it is important and urgent to confer this essential knowledge to the
next generation so they can use timeless principles, developed over three
decades, to solve important, emerging, and future problems.
3. What can you do to ensure that those who
engineer, maintain, or grow an electronic data and information system don’t
come back to sabotage, blackmail, extort, steal, or destroy these bits and
bytes? This is
known generally as the insider threat problem. One addresses this problem
through a three-layer architecture that is robust against any single security
failure. The first is prevention, which creates bulkheads so that insiders
cannot access all of the system if they have access to one part of the
system. The second layer is detection,
which detects anomalous activities, such as accessing parts of the system that
a person does not normally access. This indicates an intrusion or abnormal
behavior suggesting insider activity. The third layer is tolerance, in which
the system reconfigures itself to continue operation if the insider damages a
portion of the system.
4. What could global-scale cyberwarfare look
like in a decade?
Imagine a world without electrical power, telecommunications, money, and oil
and gas to run essential machinery. That
is what global-scale cyberwarfare looks like.
Our society depends heavily on computers to run these critical
infrastructures. Cyberwarfare is capable
of not only short-term disabling of these infrastructures, but actually
physically damaging infrastructure such as electrical generators and
transformers, for which there are no easy replacements. The effect is the reduction of humanity back
to a pre-modern world. We must do
everything possible to create a safer and more secure cyberspace to reduce the
probability of an all-out global cyberwar because these consequences are as
serious and significant as nuclear warfare.
5. What are some of the bigger mistakes one
makes when engineering a cybersecurity system? The first is to consider
cybersecurity too narrowly. Most cybersecurity engineers specialize in
firewalls or intrusion detection. A more
holistic approach, stressing how attacks and defenses interplay, is one of the
hardest parts of the discipline and also the least well-understood by
cybersecurity engineers today. Another
big mistake is underestimating the attacker’s breadth and depth, finding ways
around or underneath defenses. The
breadth and depth of defenders must match that of the attackers. Many people make the mistake of spending
their budgets on one mechanism that someone claims is the next best thing,
instead of considering a range of mechanisms and how much each reduces risk
compared to cost.
6. Why do some tend to think of
cybersecurity as purely a technological problem? Why is that bad? If you have a hammer, everything
looks like a nail. Cybersecurity was invented by technology research engineers,
so solutions have naturally been technology focused. We understand that the
solutions involve a great variety of disciplines and ideas, including
sociology, psychology, and decision theory. For example, phishing attacks use
social engineering, which uses psychology to get an authorized user to
unwittingly facilitate an attack. The psychology of users and the sociology of
user communities working within systems is highly relevant. There is some research in this direction, but
it does not receive adequate attention today. The book addresses user behavior
and how people really operate in cyberspace.
7. How do cyberattacks pose an existential
threat to our entire society?
Many people think cyberspace is an optional space of convenience, enabling
email or online shopping. In reality, every major infrastructure now depends
critically on cyberspace, making it essential to modern life. If a city such as New York loses access to
rail deliveries because of a cyberattack, it could not survive beyond three
days, thus requiring complete evacuation. Because cyberattacks can destroy
physical things, the consequence is not a matter of inconvenience for a day,
but rather regional devastation lasting years. If the Unites States or any like
nation were to lose power for six months, its very sovereignty would be at
stake. That is the level of threat we are now experiencing in this world, and
it is untenable.
8. Based on your successful career
experiences, your book provides wisdom from those who worked at NASA,
Department of Defense, IBM, Honeywell, Cornell University, Columbia University,
National Science Foundation, DARPA, Naval Research Lab, Carnegie Mellon
University, Orincon, and dozens of other leading institutions, corporations,
and government agencies. Does it
surprise you that everyone knows pieces of cybersecurity but few, if any, truly
command complete knowledge of it?
It is no surprise at all. Research in the community developed in a fragmented
way. There were intrusion-detection researchers, firewall, and cryptographic
researchers. Thus, each discipline grew and developed their own
sub-disciplines, their own sub-lingos and their own sub-communities. Often, these
sub-communities did not communicate with one another and, in fact, often
disrespected the other’s contribution. At DARPA, I focused on bringing together
these disciplines, including outside disciplines such as reliability and
dependability, to address the problem systematically. We continue to need the
deep expertise in areas such as firewall design, but we also need the
generalists who understand the strengths and weaknesses of a broad set of
mechanisms and how they can be woven together for effective defense.
9. What does the cybersecurity solution
landscape look like?
We are used to thinking in only three dimensions. Cyberspace is
hyper-dimensional, with hundreds of dimensions. The cybersecurity solution
landscape is thus equally complicated. An attacker can get from one side of the
world to the other in minutes, and a cyber weapon that costs a few dollars to
create can cause millions of dollars of damage. If an attacker has a zero-day
attack (i.e., one that has never been seen before) in the operating system, the
attacker comes from underneath, as if reaching out from underground and
grabbing your feet. If we do not foresee such attacks, it's hard to defend
against them. This book helps cybersecurity professionals to appreciate
required solution space against the complex attack space.
10. Do today’s business leaders and entrepreneurs
have a proper foundation of understanding what needs to be done to protect
their company’s transactions, data, and consumer privacy? Given the number of recent major
breaches in supposedly well-defended systems, the answer is clearly no. Business
leaders today are ill-equipped to understand threats to cybersecurity, the
gravity of the consequences, or to distinguish good solutions crafted by
experts from snake oil talismans sold by charlatans. In the same way that they
must manage risk for their company’s funds, stock values, and vulnerability to
competition, today’s leaders must broadly understand cybersecurity risk to make
intelligent decisions to protect their companies. This book is written in such
a way that company leadership can easily understand the broad concepts, while
professional cybersecurity engineers can grasp the depths of how to design
effective systems.
11. You were mentored by Brian Snow, the former
National Security Agency Technical Director of National Cryptologic School. Who mentors those seeking to crack the
cybersecurity of corporations, governments, or individuals? There are two cyberattacker
worlds: informal hackers, who hack for fun and mischief, and professional
(including military) attackers who attack for high stakes. The hacker community has a hierarchy in which
position is established by the coolness and difficulty of various attacks
demonstrated to their colleagues. The best of the best, the so-called “uber
hackers,” become mentors for the hackers who then create tools for what we call
the “script kiddies”—those who attack using pre-made scripts, which they tailor
without understanding what they’re doing. Professional attackers, on the other
hand, have a normal organizational infrastructure in which experts rise up to
the become mentors. Those cyberattackers are dangerous and capable of major
destruction of cyberspace.
Please
note: This author is a client for the public relations firm that I work for.
DON”T MISS THESE!!!
Exclusive: Book Expo
Panel on Book PR Preview
Yes, this is how you get your book reviewed
What is the payoff for authors to getting a million clicks?
Do you think like a
book marketer?
How should authors
sell themselves?
The keys to great book
marketing
How Authors Can
Capture The Media’s Attention
Big Marketing Lessons
From My All-Time Top 10 Blog Posts
Enjoy New 2018 Author
Book Marketing & PR Toolkit -- 7th annual edition just released
Brian
Feinblum’s
insightful views, provocative opinions, and interesting ideas expressed in this
terrific blog are his alone and not that of his employer or anyone else. You
can – and should -- follow him on Twitter @theprexpert and email him
at brianfeinblum@gmail.com. He feels much more important when discussed in
the third-person. This is copyrighted by BookMarketingBuzzBlog © 2018. Born and
raised in Brooklyn, he now resides in Westchester. His writings are often
featured in The Writer and IBPA’s Independent.
This was named one of the best book marketing blogs by Book Baby http://blog.bookbaby.com/2013/09/the-best-book-marketing-blogs and recognized by Feedspot in 2018 as one of the
top book marketing blogs. Also named by WinningWriters.com as a "best
resource
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.