Beyond Fear

List Price: $25.00
Your Price: $16.50

Rating: 4 stars
Summary: Informative, but a bit muddled when using security terms
Review: "Beyond Fear" is a good book, but don't turn to it for proper definitions of security terms. Steer clear of this book's misuse of the words "threat" and "risk." While I appreciate Schneier's overall discussion of security issues, I expect a book aimed at the layman to be more accurate.

Schneier introduces the term "threat" on p. 20 with this example: "Most people don't give any thought to securing their lunch in the company refrigerator. Even though there's a threat of theft, it's not a significant risk because attacks are rare and the potential loss just isn't a big deal. A rampant lunch thief in the company changes the equation; the threat remains the same, but the risk of theft increases." That's wrong; let's start with definitions (mine, based on intel experience -- not the author's).

A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset which could lead to exploitation. Risk is the possibility of suffering harm or loss. It's a measure of danger. All of these terms were defined years ago by military intel and law enforcement types, especially those doing counter-terrorism.

In the lunchroom example, nobody initially "secures" their lunch, even though their "assets" are held in a "vulnerable" (unlocked, unguarded) refrigerator. Why? There's no "threat" -- people have the capability to steal lunches but nobody has evil intentions. "Risk" of losing one's lunch is close to zero. Now, add the "rampant lunch thief." The threat is NOT "the same"; a threat now exists for the first time. The risk equation changes -- risk of loss is much higher. (Countermeasures like a guard can reduce the vulnerability and bring risk of loss closer to the original low level.)

Another example of fuzzy thinking appears on p. 50. "Just because your home hasn't been broken into in decades doesn't mean that it's secure." Says who? If the threat the entire time was zero, the house was always perfectly secure. Vulnerabilities are but one part of the risk equation, which is Risk = Threat X Vulnerability X Cost of Asset. If any factor is zero, risk is zero.

One quick final example appears on p. 238: "The problem lies in the fact that the threat -- the potential damage -- is enormous." Wrong! A threat is an agent, or party, who wants to and can inflict damage. "Threat" in this sentence should be "cost," meaning the replacement value of the assets at risk.

A hint to the source of these errors appears on p. 82: "examining an asset and trying to imagine all the possible threats against that asset is sometimes called 'threat analysis' or 'risk analysis.' (The terms are not well defined in the security business, and they tend to be used interchangeably.)" Which security business? Counter-terrorism and intel folks know threat analysis is performed against groups with capabilities and intentions to harm American assets. Risk analysis calculates the potential for loss given a certain threat, an asset's vulnerabilities, and the value of that asset. It's the digital security community that's obscuring the definitions.

I loved "Secrets and Lies," and every time I see the author speak I learn something new. Am I off base with this review? You be the judge. I still gave it 4 stars, since the book's vignettes are informative and its scope impressive. Given the large number of reviewers I expected someone to challenge the author's terminology. Yes, this is semantics, but shouldn't a book by an expert set the record straight? I don't think my expectations are unrealistic, either; Schneier is a previously published "thought leader," and he deserves to be held to the highest possible standards.

Rating: 5 stars
Summary: No Free Lunches in Security
Review: "I am reminded of stories of farmers from the countryside coming to the big city for the first time. We are all rubes from the past, trying to cope with the present day." (Page 29.)

"Beyond Fear" explains how experts think about security and the new challenges posed both by modern technology and the medieval mindset of suicide bombers. Everyone knows that security has costs: money, time, and perhaps restrictions on civil liberties. But experts know that security measures, even if well thought-out, often create entirely new problems. Amateurish attempts to increase security often decrease security instead.

In "Beyond Fear," Schneier introduces five simple questions to ask about any security measure to determine if the measure is useful or useless. He uses examples ranging from satellite technology to antics of deep-sea squids to illustrate his points. And, as anyone in the sciences knows, "There Ain't No Such Thing As A Free Lunch." Any real-life situation will require a complex series of tradeoffs between conflicting requirements and costs.

Written for the intelligent layperson, this book is required reading for any person who wants to understand how to approach security on a personal, national, and international level.

Rating: 5 stars
Summary: An encyclopedia of knowledge, written for non-tech people
Review: "Anyone who tries to entice you with promises of absolute security or safety is pandering to your fears" (pg 277).

This whole book is filled with common-sense and not-so-common-sense thinking. I had the opportunity to see Schneier speak at Toorcon 2003 in San Diego and I can tell you this guy not only knows as much as anyone about security, he also talks *like a normal person*. He's not arrogant, he doesn't throw in gratuitous Latin terms, he just makes a very clear point with extremely strong logic to back it up.

That's what this book is: a handbook on how to logically sift through all the garbage that's trickling down to us via the US media and our govt. Does the FBI need expanded snooping powers? Not according to Schneier, who backs that up with facts regarding 9-11 that tell us the right govt agencies *had* the info, they just couldn't analyze it all. So giving up a bunch of our privacy for the FBI to get more info doesn't make much sense in combating terrorism.

This is just one example in dozens. You may not even agree (I've met a few FBI people and they ALWAYS say they need more power/info), but reading this book allows you to pull the emotion out of security-based decisions, whether they are about home alarm systems or airport security lines.

For people who aren't familiar with Schneier, he is basically a semi-legend in the information security field for his cryptography, writing and speaking. His last book, "Secrets & Lies", broadened the scope of his writing from crypto to general infosec. Now he has broadened his focus even further to include the physical world (beyond the server room). To be honest he doesn't really even bring up computers directly that often, and when he does he usually tells us that they aren't nearly as good at making security decisions as people. Seasoned infosec people won't be surprised by any of the logic or conclusions in this book, but it's still worth a read because Schneier has obviously spent a lot of his brain's cycles thinking about security in general and we can all benefit from his conclusions.

Schneier has won my respect with this book. It proves that not only does he get the security details (the crypto), he gets the "big picture", even when the big picture has nothing to do with computing (e.g. muggings). It is rare to find this in one company, let alone one person.

Rating: 5 stars
Summary: Making Sense
Review: A lot of the security discussion now uses fear, uncertainty, and doubt to sell its point of view. Schneier's book is a refreshing change: while it can be scary, because these are scary times, it doesn't depend on scaring you to convince you. Instead, he depends on clear (and sometimes funny) explanation, good sense ("common" sense isn't, at least not in the security field), and reason. The best part is the solid reasoning behind why civil liberties are important to security, not a detriment.

Rating: 5 stars
Summary: The Theory and Practice of Security
Review: After discussing various security problems and proposed solutions, this book gives examples of how those methods have worked in the real world. Or how and why they failed to achieve the desired result.
Informative and entertaining.

Rating: 5 stars
Summary: What will really make us safe?
Review: An eye-opening and thought-provoking read. Schneier gives us the analytical tools we all need to think both calmly and wisely about what really makes us safe. He also helps his readers understand what effective security really looks like. (And it's not always what you think it might be.) Highly recommended.

Rating: 5 stars
Summary: Helpful for Healthcare Fraud Control
Review: As a healthcare fraud consultant, I found this book very helpful. Healthcare insurers and plans are often at a loss when it comes to securing their systems. Here are three of the things I thought were particularly helpful:

1) Security is only as strong as the weakest link. If a crook can enroll as a provider without providing any credentials and can bill using a list of patients stolen from another provider, then all the computer network security in the world is not going to help you.

2) Class breaks allow a perpetrator to attack several systems with the same ease as he can attack one system. The standardization required under HIPAA is going to make it easier for us to use fraud fighting algorithms developed for one plan to find fraud in another plan, but it will also make it easier for criminals to use the same exact scam in multiple places.

3) Automation allows attackers to make a huge number of attacks with about the same effort as one attack. The payoff for each attack can be very low, since the cost is low. If I set up a booth at the mall offering free chiropractic exams, I can collect insurance information for hundreds of patients in a weekend. I can bill weekly services for each of those people, while I move to a new location to collect more insurance data. Automation also means that only one attacker has to be smart, while the rest can just use his software or methods to carry out the fraud.

Rating: 5 stars
Summary: A Must Read
Review: Beyond Fear is a must read for anyone who wants to figure out what's really going on when security issues hit the news. Reading Schneier's clear explanation about how security decisions usually get made helped me understand why so few of the ones we hear about seem to make any sense! In addition to his insightful analysis and handy five-step rule for making security decisions, the book is filled with fascinating anecdotes and stories that make for an entertaining and interesting read. Every member of our government needs to read this book - and you should too.

Rating: 5 stars
Summary: The Genius returns
Review: Bruce Schneier is a genius at making complex ideas sound sane and simple.

There is no melodrama in this book, just good old-fashioned wisdom.

Bruce is a much welcome voice in a crazy world.

Rating: 4 stars
Summary: Great book, but needs editing
Review: Bruce Schneier is a well-known security expert and author of one of my favorite technical books of all time, Applied Cryptography. This latest book, Beyond Fear, is written for a popular audience and mostly discusses security measures taken by the US since 9/11.

While Bruce is thoughtful, clear, and provides excellent examples to back up his points, this book really could have used better editing. To me, it feels like three chapters were spun out into an entire book by repeating the same points and same examples over and over again.

I still think this book is worth buying. The first 3-4 chapters alone are worthwhile. Spending some time thinking about security the way Bruce thinks about it -- always from a cost/benefit standpoint -- is worthwhile. But, as I was, you might get a little frustrated by the poor editing.


© 2004, ReviewFocus or its affiliates