***** Cyber Attacks: Protecting National Infrastructure. By Edward G. Amoroso; published by Elsevier, www.elsevierdirect.com; 248 pages; $59.95.
As the physical infrastructure of our everyday society becomes more dependent on and inter-connected with our virtual world, the importance of protecting these vital pathways increases. Advice about how to best mitigate vulnerabilities is plentiful. What sets this effort apart is that it offers a comprehensive list of local enterprise-level suggestions and remedies as well as a plan that is scalable to protect national-level infrastructure. What’s more, the material is well-written and concisely presented. The author sets out his plan in sufficient detail but without miring the reader in technical details.
The book addresses 10 principles that can be employed at the national level to secure critical cyber infrastructure from internal, external, and supplier adversaries. The author correctly points out that due to sheer size, scale, and complexity, this infrastructure cannot rely on “antiquated existing small scale enterprises” with the hopes that security will somehow prevail.
Dr. Amoroso, who has more than 30 years of IT experience, masterfully conveys his concepts with easy-to-understand graphics. He lays out the potential adversaries and possible motivations for attacks on our national infrastructure along with a discussion of the potential cascading effects. Two of the high profile types of attacks discussed are DDoS (distributed denial of service) and Botnets.
The 10 principles outlined in detail are titled Deception, Separation, Diversity, Consistency, Depth, Discretion, Collection, Awareness, Response, and National Implementation. Many of these concepts relate to existing best practices in securing physical assets. The author devotes an entire chapter to each of the 10 principles discussed. The discussion of depth and layers of protection runs the gamut from authentication and encryption to intrusion detection.
The concepts and principles outlined in the book speak not only to seasoned IT security professionals but to non-IT physical security specialists and generalists as well. Security generalists who work primarily with physical protection systems might sometimes shy away from virtual security topics for fear of venturing out of their knowledge comfort zone. This book sets an “easy to digest” tone that leaves the reader feeling informed and unintimidated by the material presented. I highly recommend this book for all intermediate-level and above security practitioners in IT and non-IT positions.