More than a year ago now, I (Jesper) decided that I was finally going to write a book on security. Partially it was because I was getting tired of answering the same questions over and over again, partially because I thought I had something unique to say, and partially because I am hoping to buy a small boat with the proceeds.
After writing the outline and the first chapter, I decided that I needed a co-author to help out, particularly because I simply do not know nearly as much as I would like about certain topics. Because Steve had already had his own thoughts about writing a book, this was a great match. Steve is a perfect complement in the sense that both of us started the same way, in networking, but unlike myself, who went into IT so I could avoid having to deal with people, Steve is actually an extrovert who loves to figure out how to protect people from people. Of course, both of us enjoy debating controversial opinions, mostly just for the thrill of the argument. Working together, the book slowly started to take shape.
The book is focused around the defense-in-depth model we helped develop and refine in our work at Microsoft, and it gives a logical flow to the book that helps in building an overall security strategy, something both of us believed was lacking in the current literature. You get only so much security if you concentrate solely on the technology; the people and the processes are equally important. Indeed, without thought in those two areas, most of the technology you deploy to protect information systems will fail to do what you intend; it will only give you a false sense of security, which in fact can be more dangerous than no security at all.
Much of what you see in these pages has been said before, in various presentations. Both of us travel the world to deliver speeches on security, and if you have ever heard us you will no doubt recognize some of the things you will read in these pages. In a sense, the book is the lecture notes everyone who has heard our presentations keeps asking for. Of course, those notes are sorely needed because most of our presentations are increasingly light on slides to avoid that all-too-common malady: death by PowerPoint.
Everyone we know who has written a book always says in the foreword that their first book is one they wanted to write for a long time. (We are now wondering what's left for us to write in our second book.) That is good, because it takes a long time to write a book. Neither of us thought that we had the competency to write one until recently, so it is not really true that we have wanted to write it for a long time. We have certainly thought about security for a long time, though, and you could certainly say that we wanted to learn enough about it for a long time to have something meaningful to say. After we had spent a few years talking to people, it was clear that security is an area that is fraught with misunderstandings (as we see them) and snake oil (pseudo-solutions that do not do what they purport to do at best, and are harmful at worst).
We find this type of "security theater" all around us. Consider, for instance, next time you go through an airport security check, who would be capable of causing more damage: a 92-year-old great-grandmother with a pair of cuticle scissors, or a 22-year-old martial arts black belt? They will confiscate the cuticle scissors, but they will allow the martial arts champion on the plane without putting him in shackles first. Some secure facilities will confiscate USB drives (and GPS receivers, why in the world?) "for security reasons," but they allow 80 GB FireWire (i1394) drives through because the security personnel cannot imagine any "threats" associated with digital music players. Many organizations have a password policy that requires users to use passwords too long and complicated to remember (and then routinely complain about the expense of resetting locked-out accounts), they block any kind of information gathering from ancient operating systems, and they do it all on computers that have not been patched for more than a year! It may appear that they are providing security, but in reality this is nothing more than security theater.
We finally decided that the right way to dispel these myths was to write a book. At the time, it seemed like a really good idea, and we are sure that at some point it will seem like a good idea again.