***** Zen and the Art of Information Security. By Ira Winkler; published by Syngress Publishing, www.syngress.com (Web); 224 pages; $29.95.
At first glance, one might assume by the title that Zen and the Art of Information Security is another cheesy motivational book. Nothing could be further from the truth. It is a long-overdue addition to the line of compelling, informative works for which data security guru Ira Winkler is known.
As the title implies, Winkler examines the “philosophy” of information security, arguing that it is rooted in the practitioner’s mind-set. How do you perceive your adversary? If you perceive him or her as an “enemy,” then you have introduced emotion, which can cloud your judgment. If you understand your enemy, you can take adequate precautions. If you fear your adversary, he or she has already beaten you. The media, he argues, is no help in the Zen approach. It sensationalizes crime to tap the public’s fears. Truly dangerous adversaries, however, are rare.
The successful information security professional must accept the inevitability of data attacks, Winkler writes. The goal is not to eliminate them but to ensure that they are not fatal to a system. It is impossible to counter a hypothetical threat. Instead, he argues, companies must find their own vulnerabilities and address them.
Winkler does a very good job of using basic examples and relating them to the topic at hand to prove his point. For instance, it is impossible to prevent a tornado. It is possible, however, to build a structure that will stand up to one.
Also adequately addressed are the more tangible aspects of data security, such as social engineering; Winkler explains not just who would engage in the practice but also why and how. He also describes how to tell a professional agent from a small-time hacker, noting that a professional will act like one, while amateurs, despite having some skill, are frequently overconfident or even cocky.
Winkler brings up a variety of important points, often overlooked by other authors. Along the same lines, he notes that many skilled security personnel are not fully trained in what threat information to look for or what to do with it once they’ve found it.
Winkler also touches on the topic of budgeting for security and how to succeed even if security isn’t your core specialty. He defines the different types of pertinent software and addresses the topic of cyberterrorism. He observes that often a threat alone can cause great disruption absent an actual attack, citing the impact of a baseless bomb scare on a mass transit system.
Throughout, Winkler provides a heavy dose of pertinent, easy-to-understand examples and presents even the most basic concepts with a professionalism befitting the expert he is. The book is at times funny and thought-provoking. It brings information security down to a level that even the most uninformed novice will understand, yet it presents information on topics that a seasoned veteran would find worthwhile for review.
Reviewer: William Eardley IV is a law enforcement and security professional, holding a master’s degree in liberal studies and a graduate certificate in information security from Eastern Michigan University. He is a member of ASIS International.