Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Good for All Review: This book is probably the best book on security I have read in a long time. It reaches not only to the computer literate, but to the illiterate as well, giving good, solid examples of real life. It probably will, and should, scare the reader a fair amount. Maybe if more people read this book, they would understand their individual security responsibilities a little better.
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: good gift Review: bought this for a sysadmin friend. he said he liked it and that it was more narrative than specifically technical. he would have said it sucked if it did :-)
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: It's dangerous out there! Review: Schneier is one of the front line people in computer security issues, and now he brings information to us all. This is a fairly accessible book, walking the reader through various developed means of network and computer security and then punching holes in them. He shows how they can and sometimes don't work. But it's not all "this security is bad," it's an object lesson in keeping vigilant. Too often we try to heap on security only to make things too complicated and provide openings for exploitation. Or we put in state of the art checkpoints to scan retinas, fingerprints, voice prints, code words and door lock codes only to find that the back door was left open. The biggest threat is not always from outside - it's the insider, either being malicious, or clueless and falling for social engineering. This is a very good introduction and primer on security. It is written for the person with some computer and technology knowledge, but not necessarily a CS major or an engineer. I highly recommend this if you are interested in getting your bearings and your feet wet in the issue of digital security. You can go on to "Hacking Exposed" to see some of these attacks in action, or any one of the more technical security guides. Security is really up to all of us. Read this.
Rating: ![4 stars](http://www.reviewfocus.com/images/stars-4-0.gif) Summary: Good and Bad Review: This is basically a good book. Very readable, usually very clear, very broad scope. I think every issue that a security manager needs to know about is at least mentioned, with the really important issues discussed at length. Schneier tries (and usually succeeds) to write for a general audience without dumbing down the important stuff. Mandatory reading if you have any interest in security. That being said, there are some nits I have to pick. The material is very ad hoc, backed up mainly by personal (though extensive) experience and casual reading. A useful knowledge base, but limited as a source of primary information. This is aggravated by Schneier's use of non-technical examples and analogies in many of his arguments. The arguments themselves are very strong, but when he cites this historical example or that financial practice, he often gets his facts wrong. I don't suppose this has a big effect on his credibility, but it must have some. It's also a little disappointing that Schneier didn't bother to get into the general history of the Enigma/Ultra business -- a prime example of his basic theme, that the smallest failure of the security process is vulnerable to machines with infinite patience. Finally, I'm very, very disappointed that Schneier fails to challenge -- and sometimes even supports -- the social conservative attitude towards hacking and reverse engineering. He points out the futility of trying to encrypt DVDs -- but barely touches on the DMCA. He speaks of general software hacking as a basically benign activity -- but he strongly supports criminal punishment even for the most non-invasive electronic "trespass". This is a point of view utterly at odds with his ideas of security considered in a complete social context.
Rating: ![4 stars](http://www.reviewfocus.com/images/stars-4-0.gif) Summary: Good---but long Review: Schneier is a security god, but sometimes he displays a little *too* much knowledge. If you're an amateur security buff, buy this book, learn a lot by enjoying the first three quarters of it, and then put it aside. It drags toward the end, and unless security is your business, you'll go crazy trying to get through the whole thing.
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Security is not a product, it is a process. Review: Schneier has really outdone himself here. He has graduated from crypto expert to a real life security expert. He asks the hard questions, the really hard questions that no one but a security consultant even has the knowledge to ask. A notable reworded quote from the book: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." His preface starts with an apology of sorts for intimating in an earlier work that the whizbang wunderkind of strong cryptography could keep our private papers and financial dealings safe and secure.... "It's just not true. Cryptography can't do any of that. It's not that cryptography has gotten weaker since 1994, or that the things I described in that book are no longer true; it's that cryptography doesn't exist in a vacuum." Individuals have one very big problem with security: they want it to be free. Businesses know the importance of not having their dirty laundry spread all over the newspapers -- and are even willing to pay for it: with locks, alarms, firewalls, and corporate security policies. "But when push comes to shove and work needs to get done, security is the first thing that gets thrown out the window." Governments are better; they know they need it, are willing to pay dearly for it, but can get mixed up in the details. To start his view of risk assessment he asks "Secure from whom?" and "Secure against what?" Who are the attackers? What do they want? What tools are at their disposal? This launches us into a really substantial survey of the landscape. Attackers are hackers, criminals, malicious insiders, industrial espionage, press, mafia, police, terrorists, ABC agencies, infowarriors. 
He talks in detail about each and, more importantly, about how important motives are in establishing a realistic risk assessment in relation to each group. To try to summarize Schneier's book does not do it justice, so I will toss out some tantalizing tidbits and move on. He talks a lot about the systems view and especially about bugs. "Estimates from Carnegie Mellon University show that a thousand lines of code typically has five to fifteen bugs. Most of these bugs are minor and do not affect performance, and are never noticed. All have the potential of compromising security [this is code that has been thoroughly tested and released as commercial software] Windows 2000 has somewhere between 35 and 60 million lines of code, and no one outside the programming team has ever seen them." The defender has to defend against all possible attacks; the attacker only has to find one exploitable bug to be successful. Also, 86% of passwords are susceptible to simple dictionary attacks and 99% of hacked systems could be avoided if the admin was up to full patch level. "In the US, individuals don't own the data about themselves. Customers belong to the businesses that collect them. Personal databases belong to the database owner. Only in rare instances do individuals have any rights or protections about the data that are collected about them." "In any case, the future does not look good. Privacy is the first thing jettisoned in a crisis, and already the FBI is trying to manufacture crises in an attempt to seize more powers to invade privacy." "Digital certificates provide no actual security for electronic commerce; it's a complete sham." "In a perverse twist on the full-disclosure and open source movements, some companies have attempted to defend themselves by making it illegal to reverse engineer their software... The laws... allow product vendors to hide behind lousy security, blaming others for their own ineptitude...[and] reduce security in the long run." 
"The blend of no liabilities/no reverse engineering is particularly damaging. If researchers are prohibited from analyzing product security, how does it make sense to shield product vendors from liability? And if vendors have no liability for producing lousy products, how can it be illegal to point the flaws out?" "Most products are ineffective because security can frequently be circumvented. The products themselves are never really attacked; the attacker looks for a bypass." There's no such thing as perfect security, just risk management. The credit card industry loses 10 billion per year, but it's in the business model so no one is surprised; it's just part of the cost of doing business. "Security is not a product, it is a process."
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Infosec in perspective - a holistic view Review: Coming from the perspective of a recently completed PhD which solely fell within the domain of information security, I find the reviewers who grilled this book because it is not technical either funny or sad (can't quite decide). I have a strong interest in technical matters, much more so than in non-technical matters anyway, and can agree that I may not have found anything technical in there - but value does not only exist with technical works. If you are looking for something technical then this IS NOT IT. However, I still urge you to read through the book. My reasons for this are as follows: - if more researchers and practitioners had a holistic view of the field it would allow you to think bigger and realize that solving problems in isolation is not going to help much. - if you still think everything can be solved technically, think again and let the book help you to think that way. - it is written in an entertaining, easy to read way, so it won't take up so much of your time and in the process it may just help in putting things that you possibly already know together - when non-techies hear you're a techie they are prone to ask questions you find difficult to explain - this book will provide you with worthwhile and interesting anecdotes which could make your explanations in future better. If you are BUSINESS / MANAGEMENT ORIENTED then you need to know something about information security. From that perspective this book is excellent - easy to read and, more importantly, easy to understand. It provides a truly comprehensive coverage of the basic principles and problems. If you pay any attention while reading you would certainly be able to have a meaningful conversation about information security afterwards. Unfortunately (and this almost caused me to give only 4 stars) the author does a bit too much self-promotion. 
Maybe the positive perspective would be to argue that he does not necessarily suggest hiring his firm, but that he also suggests that it may be a viable business opportunity for others. All in all, if your expectations are not technical, you should find this book an excellent buy and worthwhile to keep.
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Multi-disciplinary look at security Review: Bruce Schneier covers the entire landscape of information security with this book. He balances technical and psychological aspects of security, and does so in clear prose that does not talk down to security professionals, while explaining the details to lay persons. As a competitive intelligence specialist who is only peripherally concerned with the technical underpinnings of security, I gained much from this book. Among the valuable insights are: a thorough look inside the minds of attackers and spies (state- and corporate-sponsored), an array of threats that I had not previously considered, and the motives behind attacks that are as likely to be oblique as they are to be frontal assaults. Further, I learned a lot about my own profession, especially since my job is "white-ops" (obtaining publicly available information on competitors using strictly legal means). What I really like about this book is the clear explanations of cryptography and security infrastructure. Mr. Schneier has a talent for clearly explaining complex topics so that people like myself who have no technical background can easily understand them. Because my job is closely related to mainstream information security, this alone made the book worthwhile. I recommend this book highly to technical practitioners as well as fellow competitive intelligence specialists. Both groups will gain a broader understanding of information security from this informative, easy-to-read book.
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Protect, Detect, Respond Review: I really enjoyed Bruce's "Applied Cryptography", so I looked forward to reading what Bruce has learned from his computer security consulting company. Bruce explains that when he wrote Applied Cryptography he thought all that was necessary for foolproof computer security was great technology. But as he tried to help companies implement network security, he learned first-hand that a system is composed of people and computers, and it is only as strong as its weakest link. With many (often colorful) examples of security failings, he illustrates very clearly the need for a three part strategy. You must first protect your system from obvious/easy attacks, then you must provide a means to detect incursions into your system, and finally you must have response mechanisms to deal with incursions. A must-read for anyone working in software today.
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: An Excellent Security Overview Review: This book provides a first-rate overview of security issues and problems that is well-written for its intended audience: from technical managers to senior executives. (And, although it is clearly not intended as a technical manual, it is nonetheless accurate from a technical perspective, as one would expect from an author of Schneier's stature.) I've worked as a corporate security manager and IT director for 20+ years, and I have often wished for a book that would bridge the gap between the typical high-level board presentation and the technical nitty-gritty. Unfortunately, too, the point that many technical folks fail to grasp is that security is NOT primarily a technical problem -- it involves decisions that are fundamental to the working of the organization. _Secrets and Lies_ is, IMHO, just what the doctor ordered. Yes, Bruce Schneier is human, and puts in a plug for what he's doing at the end of the book. But there is lots of value in this book. Highly recommended.