You Believe in Computer Security? Then There’s a Bridge in Brooklyn You Should Buy
You have to respect an author who begins a book by confessing that he wrote it “partly to correct a mistake,” especially when that author is one of the most respected authorities in a highly technical field. That’s exactly how Bruce Schneier begins his new book on computer security, Secrets and Lies: Digital Security in a Networked World (John Wiley & Sons, Inc., New York, 2000). What he is actually confessing is a kind of naiveté shared by altogether too many people regarding computer security: that technology is the answer. That was the implied thesis of his earlier book on applied cryptography, still an excellent guide to the guts of cryptographic systems.
Today, several years more experienced and wiser, Schneier has penned a magisterial book on computer security grounded in his work as a security consultant, and the first thing he tells readers is that “security is a process, not a product.” That deserves to be graven in stone somewhere; perhaps on the tombstones of failed security companies and of the companies that relied on them.
Secrets and Lies is not a highly technical book; that is, you won’t find detailed descriptions of the innards of security technology. The information it supplies is far more useful than that: a detailed look at the landscape, technologies, and strategies of computer security. A review can, of course, do no more than suggest the richness of the book, but a brief look at the topics covered and at some of the author’s conclusions will have served its purpose if it motivates you to buy the book. Schneier organizes the book into three parts: the security landscape, the technologies of security, and strategies for coping with security attacks and vulnerabilities.
In the first part, The Landscape, the author establishes a context for talking about computer security, a task usually overlooked by security product vendors. What does it mean to be secure? Against what kind of attack? For instance, as Schneier points out, a secure operating system is probably not proof against a hand grenade dropped on the computer or against a video camera pointed at the screen and keyboard. The design assumptions and decisions that go into making a secure system have as much to do with its security as its technology does, or more: What kinds of attacks does the system designer consider likely, and which unlikely? If these assumptions are not the same as yours, you may be disappointed.
In this first section, the author reviews the kinds of attacks that a secured system is likely to encounter, making the point that they are all analogs of criminal behavior in the non-virtual world: fraud, scams, destructive attacks, types of theft (intellectual property, identity, and brand), and various kinds of privacy infringements. He also characterizes a variety of attackers, from hackers and lone criminals to industrial spies, national security agencies, and infowarriors.
This first section ends with a look at what kinds of security are needed to counter the threats and attackers discussed—not in the sense of technologies, but in conceptual terms. This is an excellent review of topics such as privacy, multilevel security, anonymity, authentication, integrity, audit, and so forth. Throughout, Schneier uses homely examples from everyday life (authenticating oneself to the deli man to buy a bratwurst) to bring these concepts into focus.
In part two, Technologies, having set the stage, the author discusses the technologies of security. This is, perhaps, the meatiest part of the book. Each technology is discussed using the context established in part one, so its capabilities and, more important, its limitations are immediately apparent. Among the topics covered are cryptography (where we learn that key length is actually a minor part of the strength of a given cryptographic scheme), access control, various kinds of identification technologies (biometrics, access tokens, etc.), networked security and defenses, secure hardware, and much more.
There are some surprises in this section. For instance, Schneier points out that the true security in e-commerce arises not from digital certificates, but from the fundamental transactional protocol of credit cards: the simple fact that you’re not liable for more than $50 in fraudulent claims. In fact, he states baldly that “Digital certificates provide no actual security; it’s a complete sham.” There are several sit-up-and-take-notice statements like this scattered throughout the book, all of them backed up by solid explication and example.
This section concludes with an excellent discussion of the human factors that, all too often, compromise computer security. He points out that people don’t understand risk and don’t know how to estimate it. (A good example is that people fear airplane travel more than car travel, even though the chances of accidental death in a car are much higher than in a commercial airliner.) His summation of the problem with computer security is, as he himself admits, quite cynical: “…the mathematics are impeccable, the computers are vincible, the networks are lousy, and the people are abysmal.”
In fact, anyone reading the last section of part two might be tempted to give up the quest for computer security; and, indeed, this book reveals that securing a computer system is a far harder task than vendors’ marketing literature implies or promises. However, Schneier moderates his dark view of the security world in part three, Strategies, by laying out in some detail a variety of techniques and processes (countermeasures) that can be used to assess and control security vulnerabilities. This is probably the most valuable part of his book, for it teaches the reader how to think about the process of security: as attacks, defenses, and the relationship between them. It also covers the present (rather parlous) state of security products and the prospects for improvement in the future.
Schneier is careful to point out that “there are three parts to an effective set of countermeasures: protection, detection, and reaction.” The present-day reliance, in virtually all security products or systems, on protection alone is, in the author’s opinion, not only wrongheaded, but also the primary reason why we see so many attacks. He compares digital security to a safe and points out something that most people don’t know: that safes are rated in terms of how long they can withstand an attacker armed with a given set of tools. The safe manufacturer assumes that the safe will be backed up with an alarm (detection) and reaction (armed guards or police). By contrast, too many computer security systems rely on protection alone, which requires that the devices involved be perfect—and they neither are nor can be.
This is an important point—laid out in great detail earlier in the book and reviewed here—that the nature of product development and testing is such that, while bugs (improper operation) can be detected by a large number of eyeballs (thus the value of beta testing), security vulnerabilities and holes cannot, because security has nothing to do with functionality! No amount of beta testing will reveal security problems.
That might seem to obviate one of the open source movement’s greatest strengths—and Schneier is indeed somewhat doubtful about the ability of open source to deliver industrial-strength security, for other reasons—but in reality, it merely underscores the need for openness, however obtained. The only assurance of security in a device lies in lots of expert testing and review, and the only way to get that is to make every detail of the device public. Security through obscurity does not work.
In part three, the author also lays out a method that he developed while working as a security consultant, called an “attack tree,” which is a simple way of laying out all of the vulnerabilities (that one can think of) of a system, assigning a cost in terms of the loss expected if each vulnerability is breached, and then finding the least-cost, most cost-effective way to assure the level of security that one desires. I don’t have room to go through this, but it is a technique that any VAR or integrator should be familiar with, even if only as a starting point for thinking about security systematically.
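As an added worked example (my code, not the book’s or the reviewer’s) of the attack-tree calculation sketched above: a small constructed tree whose leaves carry an assumed attacker cost, combined with the AND/OR node semantics Schneier uses in his own published description of attack trees (the review does not spell them out), plus a defender’s what-if that shows how raising one leaf’s cost moves the cheapest path. Node names and costs are illustrative, not measurements.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class Node:
    """One attack-tree node. kind is 'LEAF', 'OR' (any one child achieves
    the goal) or 'AND' (every child must be achieved)."""
    name: str
    kind: str = "LEAF"
    cost: float = 0.0                      # assumed attacker cost, LEAF only
    children: list = field(default_factory=list)


def cheapest_attack(node):
    """Return (cost, [leaf names]) for the least-cost way to reach node's goal."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    options = [cheapest_attack(c) for c in node.children]
    if node.kind == "OR":                  # attacker picks the cheapest branch
        return min(options, key=lambda o: o[0])
    if node.kind == "AND":                 # every sub-goal is needed: costs add
        return sum(o[0] for o in options), [n for o in options for n in o[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def harden(root, leaf_name, new_cost):
    """Defender's what-if: raise one leaf's cost (i.e. add a control) and
    return the cheapest attack afterwards, leaving the original tree intact."""
    tree = copy.deepcopy(root)
    stack = [tree]
    while stack:
        n = stack.pop()
        if n.kind == "LEAF" and n.name == leaf_name:
            n.cost = new_cost
        stack.extend(n.children)
    return cheapest_attack(tree)


# Constructed example tree; costs are arbitrary units chosen for illustration.
RECORDS = Node("Read customer records", "OR", children=[
    Node("Obtain a valid login", "OR", children=[
        Node("Guess a weak password", cost=10),
        Node("Trick a staff member into revealing a password", cost=40),
    ]),
    Node("Exploit an unpatched network service", cost=60),
    Node("Take the disk from the server room", "AND", children=[
        Node("Get into the building", cost=30),
        Node("Open the server rack", cost=20),
    ]),
])

if __name__ == "__main__":
    print(cheapest_attack(RECORDS))                       # (10, ['Guess a weak password'])
    print(harden(RECORDS, "Guess a weak password", 500))  # cheapest path moves to cost 40
```

The what-if is the practical payoff: after a password policy pushes the weak-password leaf out of reach, the model tells the defender which branch is now the cheapest and therefore where the next control belongs.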
There’s much more to Secrets and Lies than can be discussed here. In fact, I have to agree with the author, who, in the introduction, recommends, without much hope he will be listened to, that you read the book twice: first to get a cursory knowledge of the overall topic, then again for in-depth understanding. I think he’s right and I expect that this book will soon become one of the most dog-eared, Post-It noted, and battered tomes in the library of many an integrator concerned with the security of his or her systems and customers.