BKTMBSSC.RVW   990212

"Time Based Security", Winn Schwartau, 1999, 0-9628700-4-8, U$25.00/C$37.00
%A   Winn Schwartau winnschwartau@infowar.com
%C   11511 Pine St. N., Seminole, FL 34642
%D   1999
%G   0-9628700-4-8
%I   Inter.Pact Press
%O   U$25.00/C$37.00 813-393-6600 fax: 813-393-6361
%P   174 p.
%T   "Time Based Security"

The idea is simple, and even elegant. Given enough time and resources, somebody is going to be able to crack whatever security you put in place. Therefore, instead of building ever bigger and more imposing (and expensive) walls, balance how long it will take someone to get through the wall against how long it will take you to figure out that digging is going on and how long it will take you to stick a fire hose down a putative gopher hole.

The idea isn't, of course, radically new. Community policing officers have been saying the same thing in public security seminars for years. Make the bad guy take longer to get in, and you'll have more time for someone to notice, or for us to get there.

Implementation, though, is not quite so simple. Especially when you are dealing with something as complex as a publicly accessible and networked computer system.

Chapter one is a general promotion for the Time Based Security (TBS) model, which hasn't been presented yet. The introduction's cry that we never have enough time and have to move ever faster is reiterated in chapter two, along with another assurance that Time Based Security is what we need. The demise of the big, limited, simple to protect computer is bemoaned in chapter three. Chapter four says that the fortress mentality never did work, and besides, we want people (some people) to access our systems for some purposes. (Were it not for the fact that the chapters are so short, and the vague idea that we are getting closer to TBS, I would be getting a little impatient about now.)

Sorry, but chapter five goes into the shortest history of computer security I think I've ever seen, six says it didn't work, and seven runs us right back to Jesse James. But by the end of chapter seven, we are at least pointed in the right direction: the security of a container is a comparison between the time the bad guys need to get in, and the time the good guys need to get there. This is repeated in a different form in chapter eight.

Chapters nine to eleven repeatedly formularize this, pointing out that you need to measure your protection in terms of time to fail, and that the time taken to detect a problem, plus the time taken to effectively respond to it, must be less than the time the protection provides. Schwartau gets into a lot more detail, though for only one situation, with a questionnaire in chapter twelve.

Chapter thirteen starts to get into the complexity of things, looking at the variable amounts of damage that can be done in a given amount of time. Fourteen looks at costs of attacks while fifteen talks about the value of data. The title of chapter sixteen seems to indicate that some things don't need protecting, while the content looks more like some things cannot be exposed to any level of risk. Recursion of detection is promoted in seventeen.

I think that chapter eighteen is suggesting that you use multiple barriers to stop intruders. But I'm not very sure of that. Nineteen and twenty seem to be saying that you should protect vital points with greater security, and try to avoid "single points of failure." Chapter twenty one looks at improving the reaction time. Twenty two stresses the importance of taking a long time to look at all the options in order to assess your security. (This is in rather stark contradiction to the promises on the cover and in the introduction that TBS was going to provide a shortcut.) A few options to increase protection get some detail in twenty three while increased detection is looked at in twenty four.

A metric is achievable with TBS, but chapter twenty five does rather gloss over the work you will have to go to in order to accomplish it. Chapter twenty six talks about denial of service, but does not really integrate it with the TBS concept. Some infowar classes are used to repeat the adjuration to put protection where it is most needed in chapter twenty seven. Twenty eight suggests that deception is a good protective tool. (Sounds just a tad like security by obscurity, but we'll let it go, shall we?) The final chapter again promises that TBS will give you measurable security.

The concept is sound. The implementation is left as an exercise to the reader.

copyright Robert M. Slade, 1999   BKTMBSSC.RVW   990212