Secrets and Lies : Digital Security in a Networked World

With its mantra that security is a process, not a product, Secrets and Lies is one of the most important security books to come out in the last ten years. It forces information security managers to focus on security at the macro level--the processes--rather than at the micro level, as in the installation of a firewall or intrusion detection system. And since so many managers do equate security with firewalls, it is easy to understand why corporate networks are at risk.

Anyone looking for a quick fix to their security problems will not find it here. As each day passes, more and more security vulnerabilities, network breaches, and digital disasters are occurring. Without processes in place to manage these incidents, all of the security products in the world will be for naught.

Readers looking for a matter-of-fact, no-nonsense initiation into the world of information systems security should consider Secrets and Lies required reading.

Rating:
Summary: This is no "Applied Cryptography".
Review: Devoid of useful information. Most of the book is devoted to a pathetic angst-ridden grappling with the idea that there is no perfect security. Well, duh. Get over it Bruce. Tell us something we don't know. The only points of light are the antedotes and the idea that risk can be a business opportunity, by managing it well.

Rating:
Summary: Great first book on the perils of computer security
Review: This is NOT a how-to hacker book. Rather, Schneier tells about some of the general faults and faulty assumptions of network security. He has some great examples of denial of service attacks or other break-ins, and after reading this book, you'll probably be more careful choosing your passwords (or ensuring that other people are more careful on YOUR network). This is a great book to start you off in getting a realistic view of computer and internet security, and making you realize that there is no "unbreakable" security or cryptography, only degrees of safety which you or others on a network might unwittingly be compromising.

Rating:
Summary: The only holistic view of digital security in print
Review: In Secrets and Lies Mr. Schneier weaves an exquisite tapestry that depicts every facet of digital security in detail and depth. The thread from which this tapestry is woven is excellent writing that is informative, entertaining and sardonic.

This book is a holistic view of security from every angle. His cogent analysis of threats, attacks and adversaries and their motivations goes deep into social and pyschological aspects of those who would breach our systems. Both blantant and subtle threats are examined in a straightforward and informative manner. Types of attacks are given the same thorough treatment. Everyone from pimple-faced hackers and wannabes, to criminals, infowarriors and government organs are profiled in a consistent manner.

Mr. Schneier's treatment of threats, attacks and adversaries shows an aspect of security that is often overlooked by the technical practitioner. This set of subjects could have been a book in itself - and a best seller at that. The main value, though, is this section of the book will enlighten the "in-the-weeds" technical specialists about a much wider set of issues associated with digital security.

The treatment of technology shows that the author not only deeply understands risks and the human side of security, but is also a master of the technical underpinnings. Every major technical facet of the security business is explained in a clear manner. One of the book's strengths is that it delivers clear explainations of complex techical topics in such a way that non-technical people can easily understand. As such it gives an understanding of security to those who most need it - key decision makers and executive management.

As someone who works in the field of e-commerce security I strongly recommend that my technical peers, clients and executive management read this book. Read it twice, in fact - read it the first time to gain an appreciation for just how complex the practice of digital security really is, and the second time to catch the plethora of sage advice and subtle hints that the author has sprinkled through this excellent book.

Rating:
Summary: The "Security" myth by Bruce Schneier
Review: Let me first start off by saying in no way will you waste your money by buying this book if you are interested even the tinniest bit in security. It's really that simple. The story telling power that Schneier puts into this novel as well as the earth shattering revelations that he makes is more than enough to buy this one and read it over and over again. His stated dry wit is really there and some of the stories he tells are just hilarious. It really makes you step back and take a second look at all this marketing hype around us and see what is actually happening behind the scenes. Schneier's report on PKI is particularly scathing and well...true. He really brings a more strategic approach to security and this book is well suited for executives in the security industry who want to get a really really good perspective of the information security world around them.

Overall this is a really good book, and should be read by really anybody in the IT industry. Security is very important and as Schneier states in the end, it is the overall process and methodical attention to detail that give you security, not some $5,000 firewall alone.

Rating:
Summary: Excellent Foundation Piece for Security Practitioners
Review: Excellent read! Serves as a reasonable security primer for new practitioners and refreshing/stimulating content for the seasoned professionals. I loved the Attack Trees analysis concept and I am utilizing them to try to create more analytical, founded and measurable security policies and implementations.

Mr. Schneier is a little heavy on the Hell and Damnation we are all headed for and the shear futility of our security charge--I have been doing this for a while and although paranoid as hell I am a bit more optimistic.

Finally, I must commend the capitalist, self-serving conclusion he arrives at...the only way out of most of the security quandries he highlights is by outsourcing the organization's security services! God Bless America, where you can write a book to promote the re-invention of your own personal business...Where do I send my resume for Counterpane Internet Security, Inc.

Cheers and Kudos to Mr. Schneier

Rating:
Summary: A little too much, much too little.
Review: I try to avoid writing reviews on books that deal with PC issues. I find that they are generally very well written or not at all. This book kind of falls into the middle. I bought this book with the intention of showing this to my boss about security issues. (My company requires passwords for both entering and exiting the networked system, and yet all the passwords are clearly posted on every single PC). Unfortunately, this kind of book is a tad too much for a person who has no basic understanding of encryption and security in general, like the boss. Yet on the flip side, this book isn't technical enough to keep our MIS department interested in the book. I showed them this book three months before our geeks installed a useless local network within our local network with firewalls. Very similar to the example given in the book with a firewall splitting a local network into two halves.

Read the first paragraph and you get the general idea about the entire book, "No matter how secure you try to make something. Someone is always going to break the security." However, it's very sad how many people just don't understand this crucial bit of information. I recommend this book to everyone since it discusses current security policies and issues, including the music industry $10,000 "contest" to strip their "secret" watermark from music files. The failure of the DVD encryption/decryption, PGP keys leaks, government access, etc., etc. But, I'm chagrined to say that very few people will actually take what the book says to heart.

Buy the book. Show the book to everyone you meet. Just don't expect results.

Rating:
Summary: a great book for understanding security
Review: although i come from a computer science background and skimmed through the book in a couple of days, i realized how clear and well-organized the material is.

i would suggest this book for anyone interested in understanding the implications of network security, integrity, authentication etc.

the end of the book presents a great starting point for commencing a security review of your systems, in order to apply various levels of security/authentication...

this book is also ideal for any computer scientist planning to study the field of network security.

Rating:
Summary: An amazing read
Review: Interesting, entertaining, fascinating. I never would have believed anyone could write a page-turner on this topic. Recommended even for non geeks.

Rating:
Summary: How to Protect Intellectual Property
Review: Schneier answers questions such as these:

1. In the networked world, what are the most serious digital security problems?

2. How can these problems be most effectively prevented?

3. How can these problems be most effectively detected?

4. Once detected, then what?

Here in a single volume is probably about all you need to know inorder to answer these and other critically important questions about digital security in the networked world.

According to Schneier, security systems have "several interesting properties" relevant to his book: They are complex; they interact with each other, forming even larger systems; they have emergent properties (ie they do what is not anticipated by designers or users); and they have bugs. In other words, security systems are (like those who design them and those who use them) imperfect. Schneier explains why security must be thought of as a system within larger systems. He examines the relationship between security theory and security practice. Also, he examines the relationships between and among prevention, detection, and reaction. Here is how the material is organized: Part I: The Landscape, Part 2: Technologies, and Part 3: Strategies, followed by an Afterword and Resources.

In the Afterword, Schneier suggests that "the fundamental problems in security are no longer about technology; they're about how to use the technology...Both [this] book and [Schneier's] company grew from the same epiphany, that expert human detection and response provides the best possible security." Who will derive the greatest benefit from this book? Decision-makers in any organization (regardless of its size or nature) who have intellectual property to secure and need to know how to protect it. Once you have read his book and if you still have any questions, Schneier invites you to contact him directly at www.counterpane.com.