Customer Reviews

132 Reviews: 5 star (86), 4 star (27), 3 star (7), 2 star (7), 1 star (5)

The most helpful critical review

17 of 20 people found the following review helpful:
3.0 out of 5 stars Why Digital Security Isn't!
Bruce Schneier has an M.S. in Computer Science from American University and a B.S. in Physics from the University of Rochester but he is self-educated in the areas of computer security and cryptography. An acknowledged expert in the field of cryptography, he has written eight books and dozens of articles on topics as wide ranging as techniques for securing installations...
Published on February 23, 2002


113 of 118 people found the following review helpful:
5.0 out of 5 stars A must-read for true computer security professionals, October 29, 2000
I am an Air Force officer and technical resource for a 50-person military intrusion detection operation. I've seen Bruce speak twice and he never fails to impress. "Secrets and Lies" is no different. This book is not designed to teach readers about the latest security technologies. It was not written to promote specific products, although Bruce explains how the book's themes caused him to revamp his Counterpane firm. What the book does is teach security professionals how to think about their craft. I would recommend it to everyone in the field from day one, but its deeper meanings would probably not be evident until a year's work on the front lines.

Some of the ideas aren't new. For example, I've heard members of the L0pht petition for a software Underwriter's Lab for years, and others have encouraged liability laws for software vendors. Bruce builds on these ideas and weaves them into his own prescription for dealing with complex and inherently insecure systems. This is the type of book that gives a professional the vocabulary and framework to organize his understanding of the security process. "Secrets and Lies" creates the "little voice" that warns against a vendor's promises to solve all your problems with a $30,000 box-of-wonders.

Of particular interest to me, after training in economics, is Bruce's insistence that "the buying public has no way to differentiate real security from bad security." It logically follows that the market cannot address this problem, since "perfect information" does not exist. Therefore, outside organizations (perhaps an FDA for software?) should get involved, but not by outlawing reverse engineering and security tools.

I give five stars to books that make the complex simple, that reveal and enhance technical details, or that change the way I look at the world. This book fits two, and possibly three of those categories. Bravo, Bruce.



76 of 82 people found the following review helpful:
5.0 out of 5 stars Excellent intro infosec book that everyone should read, September 17, 2000
By J. G. Heiser (Sunninghill, Berks)
Written by one of my favorite industry commentators, this is an introductory text on information security that should be useful to just about everyone. I highly recommend this book for the following audiences:

· Beginning security specialists

· IS and other business managers who make decisions about systems deployment

· Experienced security practitioners who want to improve their thinking and analysis skills

· Those studying for security certification, such as the CISSP

· Software and Internet product planning and marketing staff (and not just security software)

Schneier, who is recognized for his contributions to cryptography, has recently found religion. As recounted in a recent interview in "Information Security" magazine, he realized that humans were destroying the purity of his mathematical approach. Instead of retreating into academia, he tackled this issue head-on, some of the result of which is this landmark book. He recommends reading it cover to cover, and I agree with him: it takes all 400 pages to paint the complete story, and if you don't approach it linearly, you run the risk of missing the subtleties of the author's message. Skimming this book could easily trap a reader into equating vulnerability with risk. The world is full of risk, and while Schneier takes obvious delight in deconstructing the vulnerabilities of automated systems, it is important to understand that historical manual systems are quite vulnerable too, and humans deal with the risk quite nicely. Read the whole book.

The chapters that I found most significant included:

· (6 & 7) Cryptography: It is no surprise that he has written a terrific introduction to the concepts and building blocks (primitives and protocols) of encryption. Even techno-agnostics will find great value in his discussion of the problems with proprietary algorithms.

· (9) Identification & Authentication: An excellent introduction to the problems of passwords and helpful discussion of the limitations of biometrics. He makes it clear why biometrics are NOT a magic cure for security problems.

· (12) Network Defenses: Schneier tells it like it is! The ugly truth about sexy security toys.

· (13) Software Reliability: Best description of stack overflow that I've ever seen for a lay audience.

· (22) Product Testing and Verification: After crypto, evaluating software for security flaws is Schneier's other specialty, and he's written an awesome chapter. The author makes it very clear why it is unrealistic to expect invulnerable software, he single-handedly conducts a totally balanced debate on the merits of full disclosure, and he finishes the chapter with sage advice on approaching security product reviews with healthy skepticism.

I'm often asked to recommend introductory texts on information security, and unfortunately there really aren't that many good books for a newbie. If more books existed, I would probably give Schneier's book a 4 instead of a 5, but for now, this is one of the best. As he explains in the Afterword, his `epiphany' occurred only 12 months before completing the text; this isn't much time to become an expert in security process. His background is somewhat removed from day to day operations, and perhaps this lack of administrative experience results in a few weak areas. I suggest that the reader exercise some critical thinking and consult additional authorities when reading the following chapters:

· (4) Adversaries: his concept of computer criminals is a bit weak, pretty much lumping all transgressors into the mutually exclusive categories of `spy' or `hacker'.

· (5) Security Needs: Some of his terminology lacks precision (perhaps inevitable when addressing a general audience). I disagree that a spoofed message represents an integrity failure, and I don't characterize audit as a requirement, but as a control.

· (15) Certificates and Credentials: He totally ignores the concept that practice statements (policies on CA and especially certificate management) provide any arbitrary level of assurance: the more stringent the rules, the higher the assurance. He doesn't discuss time stamping and other forms of third-party witnessing that can greatly strengthen a digital signature.

· (16) Security Tricks: His vehement attack on key recovery is politically extreme. The government's ill-conceived desire for key escrow should not affect the responsibility a corporation has to protect its own data. Who hasn't used an encryption product and lost a key?

· (21) Attack Trees: This is a marvelously useful idea, but he leaves the impression that these can be used to create quantifiable risk models, and I don't believe that putting information security risk in dollar value terms is practical.

Despite its length, the book is a quick read, and the informal tone makes it very approachable. It is addressed at a completely different audience than "Applied Cryptography"; it isn't a technical book, it is more of a business book. (Technical specialists would be well advised to read more business texts like this.) My copy is already well marked with highlighting and notes; this text has a lot of meat in it, and many new and useful ideas. If you find this book helpful in your job and you want to do additional reading, two complementary texts on the human aspects of infosec that I recommend are "The Process of Network Security" by Thomas Wadlow, and "Fighting Computer Crime: A New Framework for Protecting Information" by Donn B. Parker (I've reviewed both here on Amazon).



39 of 40 people found the following review helpful:
5.0 out of 5 stars Secrets and Lies and Schneier, oh my, September 6, 2000
By A Customer
_Secrets and Lies_ is a necessary book for everyone who wonders about privacy and security on the Internet--that is to say, everyone. Schneier discusses the threats in cyberspace, the technologies to combat them, and (most importantly) the strategies that make those technologies work. It's not surprising that the technical information is solid. What might be surprising to some, though, is how lucid and funny Schneier's writing is. He doesn't talk down to readers, but you don't have to be a complete techie to understand what he's saying.

Schneier's discussion of where things are and where they're going is fascinating and informative. I was especially interested by the legal stuff--many of the laws designed to enhance security and privacy actually damage it. Read this book, make your boss read it, make your IT manager read it, and send a copy to your congresscritter. It might just help make the Net safer.



18 of 20 people found the following review helpful:
5.0 out of 5 stars Classic Schneier, August 21, 2000
By Ryan L. Russell (El Cerrito, CA USA)
If you're a fan of Bruce Schneier, whether it be his live presentations, his books, or Crypto-Gram, then you'll love this book. Bruce has shifted his focus away somewhat from the deep technical details that he has in "Applied Cryptography." In this book, he delves more into the hows and whys of security, and focuses heavily on the trade-offs that reality forces security people to make. This book is a must-read for anyone responsible for making security decisions.


16 of 18 people found the following review helpful:
5.0 out of 5 stars goes past the technology, August 31, 2000
Bruce has rightfully earned his reputation by explaining the technology of security. In this book he goes past that by explaining that security is a system, a process, and does it in his typical style that makes it completely understandable and actually a fun read. If you're responsible for security matters, you may not like seeing various 'social engineering' hacks exposed, but it's information that you and everyone using a computer these days needs to be aware of. Once again, Bruce brings a straightforward style to bear and makes sometimes difficult subject matter clear to the reader.


9 of 9 people found the following review helpful:
5.0 out of 5 stars An Excellent Security Overview, October 29, 2001
By "richg74" (Washington DC Area, USA)
This book provides a first-rate overview of security issues and problems that is well-written for its intended audience: from technical managers to senior executives. (And, although it is clearly not intended as a technical manual, it is nonetheless accurate from a technical perspective, as one would expect from an author of Schneier's stature.)

I've worked as a corporate security manager and IT director for 20+ years, and I have often wished for a book that would bridge the gap between the typical high-level board presentation and the technical nitty-gritty. Unfortunately, too, the point that many technical folks fail to grasp is that security is NOT primarily a technical problem -- it involves decisions that are fundamental to the working of the organization. _Secrets and Lies_ is, IMHO, just what the doctor ordered.

Yes, Bruce Schneier is human, and puts in a plug for what he's doing at the end of the book. But there is lots of value in this book.

Highly recommended.



9 of 9 people found the following review helpful:
5.0 out of 5 stars Secrets & Lies, September 1, 2001
By Werner Preining (Sanibel Island, Florida USA as his second home, but mainly in Vienna / Austria.)
Bruce Schneier has the ability to keep his readers' eyes "clued" towards the pages. Although the book is based on pure facts, it reads like a fiction bestseller. Behind the easy way to communicate with his readers lies a detailed research with mathematical accuracy. Certainly a mile-marker within the publications dealing with the digital- and networked world.


12 of 13 people found the following review helpful:
5.0 out of 5 stars Multi-disciplinary look at security, November 8, 2001
Bruce Schneier covers the entire landscape of information security with this book. He balances technical and psychological aspects of security, and does so in clear prose that does not talk down to security professionals, while explaining the details to lay persons.

As a competitive intelligence specialist who is only peripherally concerned with the technical underpinnings of security I gained much from this book. Among the valuable insights are: a thorough look inside the minds of attackers and spies (state- and corporate-sponsored), an array of threats that I had not previously considered, and the motives behind attacks that are as likely to be oblique as they are to be frontal assaults. Further, I learned a lot about my own profession, especially since my job is "white-ops" (obtaining publicly available information on competitors using strictly legal means).

What I really like about this book is the clear explanations of cryptography and security infrastructure. Mr. Schneier has a talent for clearly explaining complex topics so that people like myself who have no technical background can easily understand them. Because my job is closely related to mainstream information security this alone made the book worthwhile.

I recommend this book highly to technical practitioners as well as fellow competitive intelligence specialists. Both groups will gain a broader understanding of information security from this informative, easy-to-read book.



12 of 13 people found the following review helpful:
5.0 out of 5 stars Protect, Detect, Respond, November 7, 2001
I really enjoyed Bruce's "Applied Cryptography", so I looked forward to reading what Bruce has learned from his computer security consulting company. Bruce explains that when he wrote Applied Cryptography he thought all that was necessary for foolproof computer security was great technology. But as he tried to help companies implement network security, he learned first-hand that a system is composed of people and computers, and it is only as strong as its weakest link.

With many (often colorful) examples of security failings, he illustrates very clearly the need for a three-part strategy. You must first protect your system from obvious/easy attacks, then you must provide a means to detect incursions into your system, and finally you must have response mechanisms to deal with incursions.

A must-read for anyone working in software today.



8 of 8 people found the following review helpful:
5.0 out of 5 stars The only holistic view of digital security in print, January 3, 2001
In Secrets and Lies Mr. Schneier weaves an exquisite tapestry that depicts every facet of digital security in detail and depth. The thread from which this tapestry is woven is excellent writing that is informative, entertaining and sardonic.

This book is a holistic view of security from every angle. His cogent analysis of threats, attacks and adversaries and their motivations goes deep into social and psychological aspects of those who would breach our systems. Both blatant and subtle threats are examined in a straightforward and informative manner. Types of attacks are given the same thorough treatment. Everyone from pimple-faced hackers and wannabes, to criminals, infowarriors and government organs are profiled in a consistent manner.

Mr. Schneier's treatment of threats, attacks and adversaries shows an aspect of security that is often overlooked by the technical practitioner. This set of subjects could have been a book in itself - and a best seller at that. The main value, though, is this section of the book will enlighten the "in-the-weeds" technical specialists about a much wider set of issues associated with digital security.

The treatment of technology shows that the author not only deeply understands risks and the human side of security, but is also a master of the technical underpinnings. Every major technical facet of the security business is explained in a clear manner. One of the book's strengths is that it delivers clear explanations of complex technical topics in such a way that non-technical people can easily understand. As such it gives an understanding of security to those who most need it - key decision makers and executive management.

As someone who works in the field of e-commerce security I strongly recommend that my technical peers, clients and executive management read this book. Read it twice, in fact - read it the first time to gain an appreciation for just how complex the practice of digital security really is, and the second time to catch the plethora of sage advice and subtle hints that the author has sprinkled through this excellent book.


Secrets and Lies: Digital Security in a Networked World by Bruce Schneier (Paperback - January 30, 2004)