***** Cyber Attacks: Protecting National Infrastructure, Student Edition. By Edward Amoroso. Butterworth-Heinemann, www.store.elsevier.com; 336 pages; $69.95; also available as e-book.
All countries’ infrastructures are vulnerable to cyberattacks. Author Edward Amoroso proposes ideas for implementing a set of National Infrastructure Protection Criteria. The proposed framework defines 10 criteria and then identifies functions associated with each. The 10 criteria are deception, separation, diversity, commonality, depth, discretion, collection, correlation, awareness, and response.
Many of the ideas will work and some are already in use. But the author ignores other existing security methodologies that would equally meet the framework requirement.
The author recommends enticing a hacker to attack a honeypot, for example, but that is not as fundamentally important as ensuring access controls or patching vulnerabilities. Similarly, the author trivializes formal research in security concepts such as defense-in-depth with statements such as: “Academics formally model the effectiveness of a collection of defensive layers using mathematical probability…. Unfortunately…these estimates are unlikely to be more than just an educated guess.”
As the quote illustrates, standard procedure within the book is to dismiss best practices without citing examples. This pattern is repeated throughout, detracting from the validity of some reasonably well-considered arguments.
The book also makes regular use of diagrams that are difficult to digest and do not add significant value. The diagrams generally detract from the quality of the work, rather than helping to illustrate difficult concepts. A prime example is the “spectrum of organizational culture of security options.” While the text is reasonably clear, the diagram not only fails to illustrate the main point, but also reduces the effectiveness of the argument by distracting from it.
Dr. Amoroso must be commended for his effort in trying to build a national strategy document, but the lack of citations and the opinionated tone don’t fit with the presentation of the material in textbook form. The material is, however, worthy of being debated in public policy circles.
Reviewer: A. Spencer Wilcox, CPP, CISSP (Certified Information Systems Security Professional), SSCP (Systems Security Certified Practitioner), is a security professional with Exelon. He serves on the ASIS Information Technology Security Council.