Essays Tagged "Information Security"

Page 2 of 4

Does Risk Management Make Sense?

  • Bruce Schneier
  • Information Security
  • October 2008

This essay appeared as the first half of a point-counterpoint with Marcus Ranum. Marcus’s half is here.

We engage in risk management all the time, but it only makes sense if we do it right.

“Risk management” is just a fancy term for the cost-benefit tradeoff associated with any security decision. It’s what we do when we react to fear, or try to make ourselves feel secure. It’s the fight-or-flight reflex that evolved in primitive fish and remains in all vertebrates. It’s instinctual, intuitive and fundamental to life, and one of the brain’s primary functions…

Chinese Cyberattacks: Myth or Menace?

  • Bruce Schneier
  • Information Security
  • July 2008

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus’s half is here.

The popular media narrative is that there is a coordinated attempt by the Chinese government to hack into U.S. computers–military, government, corporate–and steal secrets. The truth is a lot more complicated.

There certainly is a lot of hacking coming out of China. Any company that does security monitoring sees it all the time. Of course, they can’t prove that it comes out of China. But the majority of servers used in the attacks are located in China, using DNS bouncers that can only be registered by people literate in Chinese. The hacker websites where different hackers and hacker groups brag about their exploits and sell hacker tools and how-to videos are written in Chinese. Technically, it’s possible all the attackers are from, say, Canada and trying to disguise themselves, but it seems pretty unlikely…

The Ethics of Vulnerability Research

  • Bruce Schneier
  • Information Security
  • May 2008

Vietnamese translation

The standard way to take control of someone else’s computer is by exploiting a vulnerability in a software program on it. This was true in the 1960s when buffer overflows were first exploited to attack computers. It was true in 1988 when the Morris worm exploited a Unix vulnerability to attack computers on the Internet, and it’s still how most modern malware works.

Vulnerabilities are software mistakes–mistakes in specification and design, but mostly mistakes in programming. Any large software package will have thousands of mistakes. These vulnerabilities lie dormant in our software systems, waiting to be discovered. Once discovered, they can be used to attack systems. This is the point of security patching: eliminating known vulnerabilities. But many systems don’t get patched, so the Internet is filled with known, exploitable vulnerabilities…

Consolidation: Plague or Progress

  • Bruce Schneier
  • Information Security
  • March 2008

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus’s half is here.

We know what we don’t like about buying consolidated product suites: one great product and a bunch of mediocre ones. And we know what we don’t like about buying best-of-breed: multiple vendors, multiple interfaces, and multiple products that don’t work well together. The security industry has gone back and forth between the two, as a new generation of IT security professionals rediscovers the downsides of each solution.

The real problem is that neither solution really works, and we continually fool ourselves into believing whatever we don’t have is better than what we have at the time. And the real solution is to buy results, not products…

Caution: Turbulence Ahead

Bruce Schneier and Marcus Ranum look at the security landscape of the next 10 years.

  • Bruce Schneier
  • Information Security
  • December 2007/January 2008

Bruce Schneier

Predictions are easy and difficult. Roy Amara of the Institute for the Future once said: “We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run.”

Moore’s Law is easy: In 10 years, computers will be 100 times more powerful. My desktop will fit into my cell phone, we’ll have gigabit wireless connectivity everywhere, and personal networks will connect our computing devices and the remote services we subscribe to. Other aspects of the future are much more difficult to predict. I don’t think anyone can predict what the emergent properties of 100x computing power will bring: new uses for computing, new paradigms of com- munication. A 100x world will be different, in ways that will be surprising…

Cyberwar: Myth or Reality?

  • Bruce Schneier
  • Information Security
  • November 2007

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus’s half is here.

The biggest problems in discussing cyberwar are the definitions. The things most often described as cyberwar are really cyberterrorism, and the things most often described as cyberterrorism are more like cybercrime, cybervandalism or cyberhooliganism–or maybe cyberespionage.

At first glance there’s nothing new about these terms except the “cyber” prefix. War, terrorism, crime and vandalism are old concepts. What’s new is the domain; it’s the same old stuff occurring in a new arena. But because cyberspace is different, there are differences worth considering…

Home Users: A Public Health Problem?

  • Bruce Schneier
  • Information Security
  • September 2007

To the average home user, security is an intractable problem. Microsoft has made great strides improving the security of their operating system “out of the box,” but there are still a dizzying array of rules, options, and choices that users have to make. How should they configure their anti-virus program? What sort of backup regime should they employ? What are the best settings for their wireless network? And so on and so on and so on.

How is it possible that we in the computer industry have created such a shoddy product? How have we foisted on people a product that is so difficult to use securely, that requires so many add-on products?…

Is Big Brother a Big Deal?

  • Bruce Schneier
  • Information Security
  • May 2007

This essay appeared as part of a point-counterpoint with Marcus Ranum. Marcus’s side, to which this is a response, can be found on his website.

Big Brother isn’t what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today’s information society looks nothing like Orwell’s world, and watching and intimidating a population today isn’t anything like what Winston Smith experienced.

Data collection in 1984 was deliberate; today’s is inadvertent. In the information society, we generate data naturally. In Orwell’s world, people were naturally anonymous; today, we leave digital footprints everywhere…

Is Penetration Testing Worth it?

  • Bruce Schneier
  • Information Security
  • March 2007

This essay appeared as the first half of a point-counterpoint with Marcus Ranum. Marcus’s side can be found on his website.

There are security experts who insist penetration testing is essential for network security, and you have no hope of being secure unless you do it regularly. And there are contrarian security experts who tell you penetration testing is a waste of time; you might as well throw your money away. Both of these views are wrong. The reality of penetration testing is more complicated and nuanced.

Penetration testing is a broad term. It might mean breaking into a network to demonstrate you can. It might mean trying to break into a network to document vulnerabilities. It might involve a remote attack, physical penetration of a data center or social engineering attacks. It might use commercial or proprietary vulnerability scanning tools, or rely on skilled white-hat hackers. It might just evaluate software version numbers and patch levels, and make inferences about vulnerabilities…

Does Secrecy Help Protect Personal Information?

  • Bruce Schneier
  • Information Security
  • January 2007

This essay appeared as the second half of a point-counterpoint with Marcus Ranum. Marcus’s side can be found on his website.

Personal information protection is an economic problem, not a security problem. And the problem can be easily explained: The organizations we trust to protect our personal information do not suffer when information gets exposed. On the other hand, individuals who suffer when personal information is exposed don’t have the capability to protect that information.

There are actually two problems here: Personal information is easy to steal, and it’s valuable once stolen. We can’t solve one problem without solving the other. The solutions aren’t easy, and you’re not going to like them…

Sidebar photo of Bruce Schneier by Joe MacInnis.