REVIEW: "Secrets and Lies: Digital Security in a Networked World", Bruce Schneier

From: Rob Slade
Message 1 of 1, Jul 30, 2001
      BKSECLIE.RVW 20001022

      "Secrets and Lies: Digital Security in a Networked World", Bruce
      Schneier, 2000, 0-471-25311-1, U$29.99/C$41.95
      %A Bruce Schneier schneier@...
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2000
      %G 0-471-25311-1
      %I John Wiley & Sons, Inc.
      %O U$29.99/C$41.95 416-236-4433 fax: 416-236-4448 pfurlong@...
      %P 412 p.
      %T "Secrets and Lies: Digital Security in a Networked World"

      "Secrets and Lies" has generated a great deal of interest in the
      security community this year. Much of this interest probably stems
      from the simple fact that it isn't every day (or every year) that you
      get a general security book, written for the non-specialist, produced
      by a major name in the field. But one point seems to have been
      glossed over in the praise for this work. Schneier's writing is
      lively, entertaining, and even playful throughout the entire book.
      Not only is this volume a realistic and useful view of the security
      enterprise, but it's a lot of fun.

      As the author of "Applied Cryptography," the leading text in the
      field; the founder of Counterpane Systems, with its major influence in
      encryption consulting; and the publisher of the Crypto-Gram
      newsletter, regular and thoughtful analyses of major encryption
      related issues; Bruce Schneier is, among the technically and
      cryptographically knowledgeable, arguably more influential than many
      academics whose names might be more widely known in relation to
      specific algorithms. So when Schneier states, in the preface, that
      cryptography is not "The Answer(TM)" to security, you have to take him
      seriously. He goes on, in the introductory chapter, to point out that
      "The Answer(TM)" does not exist: securing complex systems is a hard
      job purely because the systems are complex, and any easy answer is
      bound to be wrong. The price of digital reliability is constant
      vigilance. As such, don't come looking to this work for easy answers
      or cookbook solutions. What you will find is a solid introduction,
      and more, to the problems you have to overcome to keep your
      information safe, and some guidelines on how to go about the task.

      Part one is an overview of the field of network operations with a view
      to restricting some ideal definition of "secure" to a more achievable
      goal. Chapter two describes a number of digital threats (aside from
      the mention of salami attacks, quite realistically) and points out
      that none of the crimes are new, although the extreme of accessibility
      is. Various attacks, and various motivations, are reviewed in chapter
      three. The discussion of different types of adversaries, in chapter
      four, provides a reasonable assessment of the whole range from script
      kiddies to infowarriors, and compares relative levels of competency
      and risk tolerance. Chapter five outlines security needs and, again,
      points out that all computer security measures have their origins in
      physical security practices we all take for granted.

      Part two looks at the various technology components of security and
      security systems. The writing in this section is a little more
      mundane and less sparkling than other parts of the book, but the
      material is reliable and convincing. Chapter six is, of course, an
      excellent primer on the basic concepts and applications of
      cryptography. The analysis is extended to "real world" limitations
      and faults with encryption in chapter seven, including an intriguing
      comparison of proprietary protocols and alternative medicine. Chapter
      eight discusses computer security in broad terms, but concisely
      expresses concepts and models that many other books waste pages on
      without ever making the fundamentals clear. (It also provides some
      amazing, and occasionally amusing, glimpses into the lack of security
      in Microsoft's Windows.) Authentication is described well in chapter
      nine. Chapter ten is oddly unstructured. Entitled "Networked-
      Computer Security" it starts off with viruses and malware, talks a bit
      about operating system architecture, and ends up with some Web
      insecurities. While there are errors (particularly in the virus
      section) most of the material is not really bad: it just seems strange
      in comparison to the earlier chapters. Network Security, in chapter
      eleven, returns to the original level of focus, and explains various
      concepts using TCP/IP as an example. Chapter twelve takes a
      depressing, but accurate, look at the major network security tools, as
      well as making the important, though counterintuitive, point that
      false alarms can be worse than no security at all. Software
      reliability gets a fairly standard treatment in chapter thirteen, and
      much the same is true of hardware security in chapter fourteen. As
      might be expected, the coverage of certificates and the public key
      infrastructure, in chapter fifteen, clearly sets forth all necessary
      considerations and weak points to examine. Technical books usually
      have some catch-all chapters, but not all of them admit it up front.
      Chapter sixteen touches on a number of tricks that people have relied
      on to protect data, and uses devastating logic to point out why said
      stunts don't work. Finally, in chapter seventeen, we come to the
      largest source of security problems, and the one we can't do anything
      about: people.

      The first two parts looked at problems. Part three tries to present
      some solutions, or at least approaches to solutions. Chapter eighteen
      describes the vulnerability landscape, and suggests following the
      process of attacking a system, in order to identify how much security
      is needed at certain points, and weak areas that may need to be
      reinforced somehow. (This is a far cry from the "how to hack" tools
      lists of some of the more sensational "security" books, and much more
      useful.) Risk assessment, in chapter nineteen, is reasonable and
      balanced, but not great. Chapter twenty is disappointing, in that it
      is entitled "Security Policies and Countermeasures" but concentrates
      on a series of specific examples of good and bad security systems.
      Elsewhere the book promotes the fact that without a policy you have no
      security. It therefore seems a bit of an abdication of the topic to
      leave it without much discussion of the actual production of a policy.
      Attack trees might be seen as yet another example of a tool more
      useful to the security breaker than the sysadmin, but chapter twenty-
      one's explanation shows how it can structure the task of analyzing
      protective measures. This process is far more likely to succeed than
      a vague injunction to secure everything, and this chapter alone
      probably makes this work a "must have" for every security library.
      Product testing, in chapter twenty-two, deals mostly with how *not* to
      evaluate software, and includes a good discussion of full disclosure
      and the open source movement. However, I can definitely sympathize
      with the position of the latter part of the chapter: potential
      security is pointless, what really counts is how secure a system is
      when set up by the typical harried administrator. The future is
      usually left for last, but Schneier takes a solid look at likely
      trends and paints an alarming, if not completely apocalyptic, picture.
      Chapter twenty-four supports one of the major theses of the book:
      security is a process, not a product. Therefore, the chapter provides
      a set of guidelines, attitudes, points, and general principles to be
      used in looking at security as a process. The conclusion, in chapter
      twenty-five, seems to be that lots of people are trying to avoid their
      proper responsibility for security, but the task is achievable.

      Quite apart from the general readability of the text, Schneier has
      ensured that the content and explanations are accessible to any
      intelligent reader. You do not need specialist training to understand
      the concepts presented herein. And the concepts encompass pretty much
      everything to consider about security in a networked world. This is
      one of the very few books that I feel I can recommend without
      reservation to a newcomer concerned about computer or communications
      security. It presents the situation clearly, with real explanations
      of the dangers, but no overpromoted sensationalism. If the volume
      seems a bit long, all I can say, with Schneier, is that security is
      complex. The book has very little wasted space.

      I can also say that security professionals will not regret time spent
      with it. We tend to need more frequent reminding than teaching, and
      the comprehensive coverage touches on many issues that are important,
      but may be ignored as not always being urgent. However, the book also
      does an excellent job of explaining some specialty and esoteric
      topics. Hopefully "Secrets and Lies" will have a prominent position
      on many security library shelves.

      copyright Robert M. Slade, 2000 BKSECLIE.RVW 20001022

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... rslade@... slade@... p1@...
      A computer, to print out a fact,
      Will divide, multiply, and subtract.
      But this output can be
      No more than debris,
      If the input was short of exact.
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
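To make concrete what an attack tree does for the analysis the review praises in chapter twenty-one, here is an added example written for this page; it is not code from the book, from Counterpane, or from the reviewer. The AND/OR roll-up with per-leaf cost and possible/impossible attributes follows the attack-tree notation Schneier describes; the tree itself (goal, node names, cost figures) is constructed for illustration, and the `apply_countermeasure` helper is an assumption of this example, not a technique the book names.

```python
"""Attack-tree evaluation: AND/OR nodes over leaf attacks that carry a cost
and a possible/impossible flag, rolled up to find the cheapest feasible
attack on the root goal, then re-evaluated after a countermeasure.
Added example; the tree and its numbers are constructed, not from the book."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "OR"          # "OR", "AND" or "LEAF"
    cost: float = 0.0         # leaf attribute: estimated attacker cost
    possible: bool = True     # leaf attribute: feasible for this adversary?
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, cost: float, possible: bool = True) -> Node:
    return Node(name, "LEAF", cost, possible)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf attack names) of the cheapest feasible path to `node`.
    A LEAF marked impossible costs INF. AND sums its children (every child is
    required); OR takes the minimum (any one child suffices)."""
    if node.kind == "LEAF":
        return (node.cost, [node.name]) if node.possible else (INF, [])
    results = [cheapest(c) for c in node.children]
    if node.kind == "AND":
        if any(c == INF for c, _ in results):
            return INF, []
        return sum(c for c, _ in results), [n for _, names in results for n in names]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0]) if results else (INF, [])
    raise ValueError(f"unknown node kind {node.kind!r}")


def apply_countermeasure(root: Node, leaf_name: str, *,
                         new_cost: Optional[float] = None,
                         possible: Optional[bool] = None) -> Node:
    """Model a defensive change by re-costing or disabling one leaf attack
    in place (assumed helper for this example); returns the root for chaining."""
    if root.kind == "LEAF" and root.name == leaf_name:
        if new_cost is not None:
            root.cost = new_cost
        if possible is not None:
            root.possible = possible
    for child in root.children:
        apply_countermeasure(child, leaf_name, new_cost=new_cost, possible=possible)
    return root


def build_tree() -> Node:
    """Constructed illustrative tree; costs are made-up units, not real estimates."""
    obtain_key = Node("obtain decryption key", "OR", children=[
        leaf("bribe the mail administrator", 5000),
        leaf("install keylogger on the CEO's laptop", 1000),
        leaf("guess the passphrase", 100),
    ])
    capture_and_decrypt = Node("capture and decrypt the message", "AND", children=[
        leaf("sniff ciphertext off the network", 200),
        obtain_key,
    ])
    return Node("read the CEO's encrypted mail", "OR", children=[
        leaf("break the cipher by cryptanalysis", 0, possible=False),
        capture_and_decrypt,
        leaf("trick the CEO into forwarding the plaintext", 400),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("before:", cheapest(tree))
    # Strong random passphrase plus lockout: guessing is no longer feasible.
    apply_countermeasure(tree, "guess the passphrase", possible=False)
    print("after: ", cheapest(tree))
```

Run as-is, the cheapest path is to sniff the ciphertext and guess the passphrase (300 units); after the passphrase countermeasure the cheapest remaining path is the social-engineering leaf (400 units), which is exactly the point the review draws from chapters twenty-one and seventeen: the tree tells you which measure to buy next, and it usually points at people.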