REVIEW: Bruce Schneier, Secrets and Lies: Digital Security in a Networked World
Secrets and Lies has generated a great deal of interest in the security community this year. Much of this interest probably stems from the simple fact that it isn’t every day (or every year) that you get a general security book, written for the non-specialist, produced by a major name in the field. But one point seems to have been glossed over in the praise for this work. Schneier’s writing is lively, entertaining, and even playful throughout the entire book. Not only is this volume a realistic and useful view of the security enterprise, but it’s a lot of fun.
As the author of Applied Cryptography, the leading text in the field; the founder of Counterpane Systems, with its major influence in encryption consulting; and the publisher of the Crypto-Gram newsletter, regular and thoughtful analyses of major encryption related issues; Bruce Schneier is, among the technically and cryptographically knowledgeable, arguably more influential than many academics whose names might be more widely known in relation to specific algorithms. So when Schneier states, in the preface, that cryptography is not “The Answer(TM)” to security, you have to take him seriously. He goes on, in the introductory chapter, to point out that “The Answer(TM)” does not exist: securing complex systems is a hard job purely because the systems are complex, and any easy answer is bound to be wrong. The price of digital reliability is constant vigilance. As such, don’t come looking to this work for easy answers or cookbook solutions. What you will find is a solid introduction, and more, to the problems you have to overcome to keep your information safe, and some guidelines on how to go about the task.
Part one is an overview of the field of network operations with a view to restricting some ideal definition of “secure” to a more achievable goal. Chapter two describes a number of digital threats (aside from the mention of salami attacks, quite realistically) and points out that none of the crimes are new, although the extreme of accessibility is. Various attacks, and various motivations, are reviewed in chapter three. The discussion of different types of adversaries, in chapter four, provides a reasonable assessment of the whole range from script kiddies to infowarriors, and compares relative levels of competency and risk tolerance. Chapter five outlines security needs and, again, points out that all computer security measures have their origins in physical security practices we all take for granted.
Part two looks at the various technology components of security and security systems. The writing in this section is a little more mundane and less sparkling than other parts of the book, but the material is reliable and convincing. Chapter six is, of course, an excellent primer on the basic concepts and applications of cryptography. The analysis is extended to “real world” limitations and faults with encryption in chapter seven, including an intriguing comparison of proprietary protocols and alternative medicine. Chapter eight discusses computer security in broad terms, but concisely expresses concepts and models that many other books waste pages on without ever making the fundamentals clear. (It also provides some amazing, and occasionally amusing, glimpses into the lack of security in Microsoft’s Windows.) Authentication is described well in chapter nine. Chapter ten is oddly unstructured. Entitled “Networked- Computer Security” it starts off with viruses and malware, talks a bit about operating system architecture, and ends up with some Web insecurities. While there are errors (particularly in the virus section) most of the material is not really bad: it just seems strange in comparison to the earlier chapters. Network Security, in chapter eleven, returns to the original level of focus, and explains various concepts using TCP/IP as an example. Chapter twelve takes a depressing, but accurate, look at the major network security tools, as well as making the important, though counterintuitive, point that false alarms can be worse than no security at all. Software reliability gets a fairly standard treatment in chapter thirteen, and much the same is true of hardware security in chapter fourteen. As might be expected, the coverage of certificates and the public key infrastructure, in chapter fifteen, clearly sets forth all necessary considerations and weak points to examine. Technical books usually have some catch-all chapters, but not all of them admit it up front. Chapter sixteen touches on a number of tricks that people have relied on to protect data, and uses devastating logic to point out why said stunts don’t work. Finally, in chapter seventeen, we come to the largest source of security problems, and the one we can’t do anything about: people.
The first two parts look at problems. Part three tries to present some solutions, or at least approaches to solutions. Chapter eighteen describes the vulnerability landscape, and suggests following the process of attacking a system, in order to identify how much security is needed at certain points, and weak areas that may need to be reinforced somehow. (This is a far cry from the “how to hack” tools lists of some of the more sensational “security” books, and much more useful.) Risk assessment, in chapter nineteen, is reasonable and balanced, but not great. Chapter twenty is disappointing, in that it is entitled “Security Policies and Countermeasures” but concentrates on a series of specific examples of good and bad security systems. Elsewhere the book promotes the fact that without a policy you have no security. It therefore seems a bit of an abdication of the topic to leave it without much discussion of the actual production of a policy. Attack trees might be seen as yet another example of a tool more useful to the security breaker than the sysadmin, but chapter twenty one’s explanation shows how it can structure the task of analyzing protective measures. This process is far more likely to succeed than a vague injunction to secure everything, and this chapter alone probably makes this work a “must have” for every security library. Product testing, in chapter twenty two, deals mostly with how *not* to evaluate software, and includes a good discussion of full disclosure and the open source movement. However, I can definitely sympathize with the position of the latter part of the chapter: potential security is pointless, what really counts is how secure a system is when set up by the typical harried administrator. The future is usually left for last, but Schneier takes a solid look at likely trends and paints an alarming, if not completely apocalyptic, picture. Chapter twenty four supports one of the major theses of the book: security is a process, not a product. Therefore, the chapter provides a set of guidelines, attitudes, points, and general principles to be used in looking at security as a process. The conclusion, in chapter twenty five, seems to be that lots of people are trying to avoid their proper responsibility for security, but the task is achievable.
Quite apart from the general readability of the text, Schneier has ensured that the content and explanations are accessible to any intelligent reader. You do not need specialist training to understand the concepts presented herein. And the concepts encompass pretty much everything to consider about security in a networked world. This is one of the very few books that I feel I can recommend without reservation to a newcomer concerned about computer or communications security. It presents the situation clearly, with real explanations of the dangers, but no overpromoted sensationalism. If the volume seems a bit long all I can say, with Schneier, is that security is complex. The book has very little wasted space.
I can also say that security professionals will not regret time spent with it. We tend to need more frequent reminding than teaching, and the comprehensive coverage touches on many issues that are important, but may be ignored as not always being urgent. However, the book also does an excellent job of explaining some specialty and esoteric topics. Hopefully