Thursday 10 January 2013

Book Review: Risk Intelligence - How to Live with Uncertainty


A number of years ago when writing my masters thesis I had the great pleasure of meeting the author of this book (Dylan Evans) and got some fantastic insights into how he viewed risk. At the time he was in the middle of writing this book but after I finished my thesis and went back to the focusing on the day job, I somehow managed to completely forget that the book was being written.

However, during one of my random walks around the bookshop before Christmas, I accidentally stumbled upon it and picked it up immediately as I knew it was going to be interesting. And I can safely say it didn't disappoint.

Working in information security you're surrounded by the concept of risk. Every day you make judgement calls on the risk of particular scenarios and advise as on controls to help manage these risks.

However, have you ever asked yourself how sure you are of these decisions? How sure are you about the likelihood of this threat occurring and that it will actually have that level of impact? If you haven't then skip the rest of this review and just go out and buy this book!

If you have thought about this, then you'll know that ultimately, when we evaluate risks, we estimate. Yes, we try and use any existing data that we have but ultimately we need to estimate based on our experience and judgement.

Why? Well, there are many reasons for this but here's a few; we don't have enough data, historical data isn't a predictor of future security events and ultimately we can't predict the future with certainty.

By the way, if by chance you can predict the future with absolute certainty, then give me a ring and we'll do the lottery this Saturday!

So if we are providing estimates every day, how good are we are at making those estimations?

That's exactly the topic of the book Risk Intelligence. While there are many interpretations of the term risk intelligence, Evans defines risk intelligence as the ability to estimate probabilities accurately. It's about gaining a better insight into our own inherent over or under confidence, along with gaining an understanding of the natural biases that we all are subject to and then consciously forcing ourselves to try and counteract these in order to improve our ability to estimate risk.

I first came across this concept three years ago when investigating quantitative approaches to optimising information security investment for my master thesis through the books Risk Analysis by David Vose and How to Measure Anything by Doug Hubbard. However, both only touch quickly on the topic and I was always interested in reading a more detailed discussion on the topic. By the way, if you haven't read any of Doug Hubbard's books, put them on your reading list too!

This book is an effortlessly easy read and covers the many challenges to making more accurate estimates along with examples of how to identify these challenges and reduce their influence.

These challenges cover topics such as over and under confidence, accuracy vs. precision, biases such as availability, source credibility and confirmation, organisational culture, interpretation of statistics, black swans and many more.

What I particularly liked about the book is that each concept is linked back to an easy to understand example or anecdote, making the book far more accessible than your average risk textbook.

Additionally, Evans' company ProjectionPoint has a free online test that allows you to evaluate your own risk intelligence through a quick test and I found this a really practical way to illustrate the point and gain a better insight into your own current state of risk intelligence.The book also contains data on the results of previous exam takers so you can baseline your level against others.

If you work in any kind of risk management, or even if you would just like to better understand how good (or bad) decisions can be made in your everyday life, I'd highly recommend reading this book.

Links:
Amazon http://www.amazon.co.uk/Risk-Intelligence-How-Live-Uncertainty/dp/1451610904

Thursday 3 January 2013

Book Review: Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems (Second Edition)


One of the most startling problems I find when interviewing is that the majority of people don't seem to have a good grasp of basic networking.

Ask someone what happens at a packet level when they type www.google.com into their browser and you are often met with blank response.

If you can't rattle off how DNS, ARP, basic routing, the TCP three way handshake and high level HTTP, I'm going to be disappointed!

What I've found over the years is that a solid, fundamental knowledge of networking is absolutely essential for any kind of hands on information security work. Be it understanding firewall rules, reviewing system design documentation, performing penetration testing or during incident response.

The problem with fully understanding networking is that, as with many things, it's all well and good reading it in a book but what you really need to do is see it in action in a network sniffer.

The problem with that of course is that most people don't have enterprise networks in their house for testing, and I wouldn't recommend digging around on production systems unless you fancy a rather abrupt end to your career!

This is where I think Practical Packet Analysis really comes into its own. The book takes you step by step through the fundamentals of networking, but provides sample packet captures in PCAP format and talks through each capture and how it's displayed and analysed in Wireshark.

The later sections of the book dig more into troubleshooting network problems, which may not be relevant for information security on a day to day basis but always handy to have as a resource in the back pocket.

Does this book explain every single protocol in a deep dive technical approach? No, definitely not. But what it does is give you one better. It gives you the basics, allowing you to better understand new protocols when you come across them. And if you're interested in more packet captures than you can shake your tcpdump at, check out Open Packet (https://www.openpacket.org/).

Taking this book, along with a good TCP/IP reference, such as TCP/IP Illustrated Vol 1, will get you up to speed in networking in short time and will dramatically increase your confidence in reviewing packet captures.

And it should also answer my interview questions if we ever cross paths!


Links:
NoStrach Press http://nostarch.com/packet2.htm
Amazon http://www.amazon.com/Practical-Packet-Analysis-Wireshark-Real-World/dp/1593272669