Secrets and Lies : Digital Security in a Networked World


Rating: 5 stars
Summary: The Emperor's New Clothes
Review: Today (9/18/00) there are two stories on ZDNet about security breaches. The first discusses the widespread absence of effective security from ecommerce sites, leading to breaches like a hack against Western Union that compromised 16,000 customer addresses. The second talks about the vulnerability of GSM cell phones to man-in-the-middle attacks that shut down encryption.

These are real world attacks. Secrets and Lies is about real world attacks, and how to approach them. The focus in the security industry is almost entirely on prevention, which is not a real world approach. Prevention will fail, because of an unpatched bug, poor implementation, or successful social engineering. The more complex the network that is to be protected, the more points of failure are created, and vulnerability increases. As we grow increasingly dependent on a global WAN that was not designed to be secure, we are more and more limited in our ability to secure systems through prevention alone.

Schneier makes the case for looking beyond the corporate firewall to focus on policies and procedures for detecting intruders and developing countermeasures. Using security analogies from the real world, he makes a compelling case for wholesale changes in how security devices are marketed, implemented and used to defend networks from intrusion.

Rating: 5 stars
Summary: Excellent intro infosec book that everyone should read
Review: Written by one of my favorite industry commentators, this is an introductory text on information security that should be useful to just about everyone. I highly recommend this book for the following audiences:

· Beginning security specialists

· IS and other business managers who make decisions about systems deployment

· Experienced security practitioners who want to improve their thinking and analysis skills

· Those studying for security certification, such as the CISSP

· Software and Internet product planning and marketing staff (and not just security software)

Schneier, who is recognized for his contributions to cryptography, has recently found religion. As recounted in a recent interview in "Information Security" magazine, he realized that humans were destroying the purity of his mathematical approach. Instead of retreating into academia, he tackled this issue head-on, some of the result of which is this landmark book. He recommends reading it cover to cover, and I agree with him; it takes all 400 pages to paint the complete story, and if you don't approach it linearly, you run the risk of missing the subtleties of the author's message. Skimming this book could easily trap a reader into equating vulnerability with risk. The world is full of risk, and while Schneier takes obvious delight in deconstructing the vulnerabilities of automated systems, it is important to understand that historical manual systems are quite vulnerable too, and humans deal with the risk quite nicely. Read the whole book.

The chapters that I found most significant included:

· (6 & 7) Cryptography: It is no surprise that he has written a terrific introduction to the concepts and building blocks (primitives and protocols) of encryption. Even techno-agnostics will find great value in his discussion of the problems with proprietary algorithms.

· (9) Identification & Authentication: An excellent introduction to the problems of passwords and helpful discussion of the limitations of biometrics. He makes it clear why biometrics are NOT a magic cure for security problems.

· (12) Network Defenses: Schneier tells it like it is! The ugly truth about sexy security toys.

· (13) Software Reliability: Best description of stack overflow that I've ever seen for a lay audience.

· (22) Product Testing and Verification: After crypto, evaluating software for security flaws is Schneier's other specialty, and he's written an awesome chapter. The author makes it very clear why it is unrealistic to expect invulnerable software, he single-handedly conducts a totally balanced debate on the merits of full disclosure, and he finishes the chapter with sage advice on approaching security product reviews with healthy skepticism.

I'm often asked to recommend introductory texts on information security, and unfortunately there really aren't that many good books for a newbie. If more books existed, I would probably give Schneier's book a 4 instead of a 5, but for now, this is one of the best. As he explains in the Afterword, his 'epiphany' occurred only 12 months before completing the text; this isn't much time to become an expert in security process. His background is somewhat removed from day to day operations, and perhaps this lack of administrative experience results in a few weak areas. I suggest that the reader exercise some critical thinking and consult additional authorities when reading the following chapters:

· (4) Adversaries: his concept of computer criminals is a bit weak, pretty much lumping all transgressors into the mutually exclusive categories of 'spy' or 'hacker'.

· (5) Security Needs: Some of his terminology lacks precision (perhaps inevitable when addressing a general audience). I disagree that a spoofed message represents an integrity failure, and I don't characterize audit as a requirement, but as a control.

· (15) Certificates and Credentials: He totally ignores the concept that practice statements (policies on CA and especially certificate management) provide any arbitrary level of assurance: the more stringent the rules, the higher the assurance. He doesn't discuss time stamping and other forms of third-party witnessing that can greatly strengthen a digital signature.

· (16) Security Tricks: His vehement attack on key recovery is politically extreme. The government's ill-conceived desire for key escrow should not affect the responsibility a corporation has to protect its own data. Who hasn't used an encryption product and lost a key?

· (21) Attack Trees: This is a marvelously useful idea, but he leaves the impression that these can be used to create quantifiable risk models, and I don't believe that putting information security risk in dollar value terms is practical.

Despite its length, the book is a quick read, and the informal tone makes it very approachable. It is addressed at a completely different audience than "Applied Cryptography"--it isn't a technical book--it is more of a business book. (Technical specialists would be well advised to read more business texts like this.) My copy is already well marked with highlighting and notes; this text has a lot of meat in it, and many new and useful ideas. If you find this book helpful in your job and you want to do additional reading, two complementary texts on the human aspects of infosec that I recommend are "The Process of Network Security" by Thomas Wadlow, and "Fighting Computer Crime : A New Framework for Protecting Information" by Donn B. Parker (I've reviewed both here on Amazon).

Rating: 5 stars
Summary: Required reading for everyone in the computer/network field.
Review: This is the kind of book I wish I had for summer reading in HS. This is not a 'click here, here and here...and you're done' book. It explains the theory and logic of security. Don't know what else to say, but the book is a must read! If the 5 star rating still leaves you skeptical, just go into a bookstore and read the first 5 and a 1/2 pages - not chapters, pages - after that, you won't want to stop reading. Reading this book WILL make you more 'security' smart. Disclaimer on that last sentence: "Remember, you can't polish a brick".

Rating: 2 stars
Summary: good where he knows what he's talking about, which is seldom
Review: When an author gets famous, he sooner or later makes a fool of himself by writing about material that is way over his head. Schneier has now reached that point. He is indeed a master cryptographer. However, he is woefully ignorant of nearly every other aspect of computer security. His discussions of multi-level security, of UNIX security issues, of access control lists, of firewalls, of what-have-you (whether mechanistic or policy-related) were remarkable for their vagueness, terminological inaccuracy, and just plain wretchedness. Whether from a product marketplace viewpoint or a purely conceptual viewpoint, when he ventures beyond crypto algorithms, Schneier hasn't a clue what he's talking about: he seems to be regurgitating an uneasy mixture of "UNIX Review" and "2600" articles. I'm sure that readers in the intelligence community will get a good chuckle over Schneier's stunning revelation that TALENT and KEYHOLE are two classifications--they've been only one for the last several decades. His discussion thereof also betrays total ignorance of the distinction among codewords, compartments, warning notices, collateral access categories, and special access programs--and, although it's entitled "Multi-level security," the "explanation" says not word one about the raison d'etre of multi-level secure computer systems. Please, sir, confine your future rants to material that you actually understand so that you don't become a laughingstock.

Rating: 5 stars
Summary: Highly Recommended.
Review: This is not a "how-to" book, it's an idea book. Good width and depth of security concepts, encryption, etc. It can be used to gain ideas on what things you need to consider when thinking about digital security, etc. A really good read, it kept my interest, and had me marking many pages to review later.

Rating: 5 stars
Summary: This book should be required reading...
Review: I imagine Bruce will be getting this quite a bit, but I just wanted to pass on my compliments for Secrets & Lies. I got about 40 pages into it over dinner and decided it was ready for the mandatory reading list here. If only it were required reading for everyone who does business online...

Rating: 5 stars
Summary: Secrets and Lies and Schneier, oh my
Review: _Secrets and Lies_ is a necessary book for everyone who wonders about privacy and security on the Internet--that is to say, everyone. Schneier discusses the threats in cyberspace, the technologies to combat them, and (most importantly) the strategies that make those technologies work. It's not surprising that the technical information is solid. What might be surprising to some, though, is how lucid and funny Schneier's writing is. He doesn't talk down to readers, but you don't have to be a complete techie to understand what he's saying.

Schneier's discussion of where things are and where they're going is fascinating and informative. I was especially interested by the legal stuff--many of the laws designed to enhance security and privacy actually damage it. Read this book, make your boss read it, make your IT manager read it, and send a copy to your congresscritter. It might just help make the Net safer.

Rating: 5 stars
Summary: Very Compelling reading
Review: I have just finished reading Schneier's most recent book - what an excellent piece of writing. I read it cover to cover and enjoyed almost every page. A very different approach than you took with Applied Cryptography which I also enjoyed.

Rating: 4 stars
Summary: last of the anecdotal security surveys?
Review: Don't we wish! Schneier has written what is likely to become a classic survey of information security for the second Internet generation. In the first generation, the Internet was a small club where everyone knew everybody, and it was possible to have major systems such as ITS with no security at all. The second generation launched eCommerce, and security became important but people didn't know how to deal with it. The third generation Internet will be the infrastructure for pervasive computing and communication, and perhaps a mature security perspective.

The second generation began with the myth of airtight security, provided by strong cryptographic algorithms implemented in provably correct programs and secure operating systems. The myth is shattered in this book, which organizes case after case of bugs, errors, slipups, threat mischaracterizations, and awesomely creative hacks, which coupled with users' inability to manage more than the simplest of secrets, have turned the myth into a Pandora's box of horrors.

But like Pandora's box, the book ends with a glimmer of hope, that the notion of risk management, which balances value against rational threat assessment to determine countermeasure effort, will keep the potential losses within acceptable limits at reasonable expense. Identifying the balance point is a difficult task that should be performed by specialized arms of those traditional risk management organizations, the insurance companies. Implementing the countermeasures that move the balance point towards greater security should be performed by specialized organizations, just like physical security is often managed by specialized organizations like ADT or Pinkerton's.

Today, computer security is so immature that some famous consultants (not Schneier!) tell their clients to ignore the FBI's computer crime statistics. The third generation of computer security should see a movement from the anecdotal analysis of speculative threats to the systematic, actuarial analysis of real threats that is required for stable, competitive pricing of insurance policies. Monitoring companies like Schneier's new startup and others will make it possible to collect the comprehensive, yet anonymous data that is needed. "Secrets and Lies" is already dated -- it misses the impact of MP3s and the war to enforce digital copyrights, and it misses the upcoming wireless revolution. But its coverage of potential threats to existing technologies is comprehensive, providing enough scary stories to keep any security professional awake at night. I'm looking forward in a few years to a followup book full of statistical data about actual threats and threat trends, with instructions on how to use that data to compute security return on investment. When that investment reduces insurance costs, security will have a positive contribution to the bottom line that can't be dismissed.

Rating: 5 stars
Summary: Outstanding work on security
Review: Typically, security books focus on isolated tools. Schneier illuminates the entire problem of network security in a way that both technical and non-technical folks can benefit from--and makes it interesting, too. This book is a must read for anyone involved in security.



© 2004, ReviewFocus or its affiliates