Issue No.05 - September/October (2008 vol.6)
Published by the IEEE Computer Society
Martin R. Stytz , Institute for Defense Analyses
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2008.130
Martin Stytz reviews Crimeware: Understanding New Attacks and Defenses.
Crimeware: Understanding New Attacks and Defenses is a book composed of essays by several authors, which is probably why its technical content is uneven and why it lacks common technical threads and perspectives.
The text runs the gamut in its coverage of cybercrime. It opens with a crimeware overview and follows with chapters on P2P networks, virtual worlds, politics, online advertising fraud, crimeware business models, and security education. Later chapters address trusted computing, defense techniques, and the future of crimeware. Topics examined within the individual chapters include malware, RFID, gaming, WiFi security and attacks, and malware epidemic modeling. The ideas the authors present are often useful and thought provoking, but the discussion itself lacks sufficient detail to enable the deployment of the defenses that will be needed in the future. The authors introduce concepts but don't illustrate how to employ or capitalize on the information presented, leaving it up to readers to determine how to apply them in the real world. When discussing security taxonomies, for example, the authors identify seven chief concerns of computer security: input validation, API abuse, security features, time and scale, error handling, code quality, and encapsulation. They describe each in detail, but they don't carry these concerns into later chapters.
Although the book's survey of cybercrime is truly useful, the unevenness of the technical discussion detracts from its utility. For some topics, the authors delve deeply into technical details, whereas for others, even in the same chapter, they treat technical details lightly or present them without a thorough discussion of the topic. For example, the authors present a firmware epidemic model of attacks that's based on the medical epidemiological literature. However, the model they present isn't complete, because it omits factors such as human population dynamics and variations in use (and the authors don't explain why they left these factors out of their model). Another example is the discussion of rootkits and human behavior models. Rootkits in their various forms are covered in depth, but the authors' discussion of human factors as they relate to computer security is very brief.
The book is a worthwhile read for those new to the computer security and privacy fields. It's also a valuable tool for aiding discussions, serving as a starting point, or providing material for computer security seminars. Nontechnical managers or home users who want a peek at things to come in cybercrime will find this book useful. Because the chapters can stand alone, the book suits readers interested only in specific topics or those who need to quickly understand a topic's key elements. Anyone with an interest in malware can read the book without referring to additional resources to understand the content. For these reasons, the text is more valuable to computer security novices than to computer security professionals. Its chief value lies in its survey of cybercrime technologies and issues.
Martin R. Stytz is a member of the research staff at the Institute for Defense Analyses. His research interests include cybersecurity, information assurance, and cybersecurity simulation and analyses. Stytz has a PhD in computer science and engineering from the University of Michigan. He is a member of the IEEE, the ACM, and the IEEE Computer Society. Contact him at firstname.lastname@example.org.