Written by one of my favorite industry commentators, this is an introductory text on information security that should be useful to just about everyone. I highly recommend this book for the following audiences:
· Beginning security specialists
· IS and other business managers who make decisions about systems deployment
· Experienced security practitioners who want to improve their thinking and analysis skills
· Those studying for security certification, such as the CISSP
· Software and Internet product planning and marketing staff (and not just security software)
Schneier, who is recognized for his contributions to cryptography, has recently found religion. As recounted in a recent interview in "Information Security" magazine, he realized that humans were destroying the purity of his mathematical approach. Instead of retreating into academia, he tackled this issue head-on, some of the result of which is this landmark book. He recommends reading it cover to cover, and I agree with him-it takes all 400 pages to paint the complete story, and if you don't approach it linearly, you run the risk of missing the subtleties of the author's message. Skimming this book could easily trap a reader into equating vulnerability with risk. The world is full of risk, and while Schneier takes obvious delight in deconstructing the vulnerabilities of automated systems, it is important to understand that historical manual systems are quite vulnerable too, and humans deal with the risk quite nicely. Read the whole book.
The chapters that I found most significant included:
· (6 & 7) Cryptography: It is no surprise that he was written a terrific introduction to the concepts and building blocks (primitives and protocols) of encryption. Even techno-agnostics will find great value in his discussion of the problems with proprietary algorithms.
· (9) Identification & Authentication: An excellent introduction to the problems of passwords and helpful discussion of the limitations of biometrics. He makes it clear why biometrics are NOT a magic cure for security problems.
· (12) Network Defenses: Schneier tells it like it is! The ugly truth about sexy security toys.
· (13) Software Reliability: Best description of stack overflow that I've ever seen for a lay audience.
· (22) Product Testing and Verification: After crypto, evaluating software for security flaws is Schneier's other specialty, and he's written an awesome chapter. The author makes it very clear why it is unrealistic to expect invulnerable software, he single-handedly conducts a totally balanced debate on the merits of full disclosure, and he finishes the chapter with sage advice on approaching security product reviews with healthy skepticism.
I'm often asked to recommend introductory texts on information security, and unfortunately there really aren't that many good books for a newbie. If more books existed, I would probably give Schneier's book a 4 instead of a 5, but for now, this is one of the best. As he explains in the Afterward, his `epiphany' occurred only 12 months before completing the text-this isn't much time to become an expert in security process. His background is somewhat removed from day to day operations, and perhaps this lack of administrative experience results in a few weak areas. I suggest that the reader exercise some critical thinking and consult additional authorities when reading the following chapters:
· (4) Adversaries: his concept of computer criminals is a bit weak, pretty much lumping all transgressors into the mutually exclusive categories of `spy' or `hacker'.
· (5) Security Needs: Sof of his terminology lacks precision (perhaps inevitable when addressing a general audience). I disagree that a spoofed message represents an integrity failure, and I don't characterize audit as a requirement, but as a control.
· (15) Certificates and Credentials: He totally ignores the concept that practice statements (policies on CA and especially certificate management) provide any arbitrary level of assurance-the more stringent the rules, the higher the assurance. He doesn't discuss time stamping and other forms of third-party witnessing that can greatly strengthen a digital signature.
· (16) Security Tricks: His vehement attack on key recovery is politically extreme. The government's ill-conceived desire for key escrow should not affect the responsibility a corporation has to protect its own data. Who hasn't used an encryption product and lost a key?
· (21) Attack Trees: This is a marvelously useful idea, but he leaves the impression that these can be used to create quantifiable risk models, and I don't believe that putting information security risk in dollar value terms is practical.
Despite its length, the book is a quick read, and the informal tone makes it very approachable. It is addressed at a completely different audience than "Applied Cryptography"--it isn't a technical book--it is more of a business book. (Technical specialists would be well advised to read more business texts like this.) My copy is already well marked with highlighting and notes-this text has a lot of meat in it, and many new and useful ideas. If you find this book helpful in your job and you want to do additional reading, two complementary texts on the human aspects of infosec that I recommend are "The Process of Network Security" by Thomas Wadlow, and "Fighting Computer Crime : A New Framework for Protecting Information" by Donn B. Parker (I've reviewed both here on Amazon).
