Spies Among Us is in many ways similar to Winkler's previous book, Corporate Espionage. It describes threats and vulnerabilities, gives case studies of attacks and penetrations (some malicious by miscreants, some as part of his own testing), and offers countermeasures and lessons learned.
The book is divided into three parts--Part I is on "Espionage Concepts," which describes the intelligence process, forms of information, risk equations, how security's components are confidentiality, integrity, and availability, how to measure asset values, and so on. Part II is "Case Studies" and is the most interesting and original portion of the book. Part III is "Stopping the Spies," about specific vulnerabilities and countermeasures.
As in the previous book, Winkler's advice is sound and the case studies are interesting. Unfortunately, much of the book duplicates the prior book and other books in the field, which is part of why it took me three months to get through this book--I got hung up in Part III, which was mostly old hat.
What I found most disappointing about the book beyond its lack of novelty were two features: first, that there were frequent errors and omissions which seemed a display of either lack of research or carelessness; second, that Winkler takes many opportunities to tell the reader that he's involved in important things, but without showing the evidence for it.
Examples of the first include not only simple things like typos that should have been caught by the editor (p. xv "phased" for "fazed", p. xvi "over" for "cover"), but factual errors. On p. 55 he writes of the 1996 blackout of "nine states of the Pacific Northwest." There aren't nine Pacific Northwest states, and there were two Western U.S. 1996 blackouts caused by power lines sagging to trees, an Idaho/Wyoming line on July 2 affecting 14 Western states and a California line on August 10 affecting states from Oregon to Mexico and Texas.
On p. 78 he gives estimates of the number of people with various hacking skills which appear to have been pulled from a hat; I suspect his estimate of 100,000 people capable of developing hacking tools from knowledge of vulnerabilities is a substantial underestimate.
On p. 81 he claims that, contrary to other countries, the U.S. government intelligence agencies don't pass information back to U.S. companies. While this is official policy, counterexamples may be found (e.g., the book Friends in High Places discusses information flow in both directions between the CIA and the Bechtel corporation in the Middle East).
On p. 143, Winker writes that "There has supposedly been only one day zero attack, which is an attack that exploits a vulnerability that was not previously reported and known." No reference (though I suspect he's referring to a successful 2003 attack on Microsoft IIS against the U.S. Air Force prior to the March 13, 2003 release of MS03-007), and surely false, if by "reported" he means reported to the general public, e.g., via a published security advisory.
Omissions include his discussion on p. 93 of Israeli intelligence actions against U.S. corporations, where he says "an Israeli telecommunications [company, sic] acquired a U.S. domestic carrier" and "now has control and access to the phone lines of many companies," but doesn't name the company. Why not? Isn't this something of importance for U.S. companies to be aware of? (Perhaps he is referring to Verint, formerly Converse Infosys.)
Similarly, on p. 94 he writes that "There are also the recent charges of a Pentagon official who passed classfieid documents to Israel through a political lobbying group," but omits any details, even though these charges against Lawrence Franklin, who worked under Douglas Feith at the Pentagon, were well known (and Franklin has since confessed).
On p. 95 he writes of a German intelligence project, Project Rahab, that "one of [its] major reported successes includes infiltration of the SWIFT system, which is one of the world's major financial networks." Again, no references--in this case, the allegation probably comes from Timothy Haight's article "High Tech Spies" in the July 5, 1993 issue of Time magazine (p. 24), regarding the BND (German intelligence) use of a virus written by Chaos Computer Club member Bernd Fix. According to Fix (search the web for Rahab, SWIFT, and Bernd Fix and you'll find his commentary on this), there have been a lot of wild claims made, and he can't vouch for any of them. Any of these omissions could have been elaborated on and made the book much more interesting.
Winkler's self-aggrandizing can be found at a number of points throughout the book, such as on p. 84 where he writes that a small literary agency can represent people "some of whom (such as myself) have access to sensitive information." My favorite example is on p. 121 under the heading "personal aggrandizement," where Winkler writes that "An individual's desire to impress others has caused some of the biggest security problems in history." In the very next paragraph, he writes, "As I mention in the Introduction, one of my female friends was a CIA operative who posed in Playboy magazine."
Still, the book is worthwhile for a solid collection of vulnerabilities and countermeasures if you don't already have one, and the case studies are enjoyable (some of which are from Winkler's direct experience, others of which are reports of cases which have been reported on elsewhere, such as Alexey Ivanov in chapter 10 and Abraham Abdallah in chapter 11). One weakness of chapter 13 ("Taking Action", about setting up a security program and implementing countermeasures) is that it gives short shrift (p. 304) to measurement of effectiveness and the security life cycle.