Book Review: Secrets & Lies: Digital Security in a Networked World
Secrets & Lies provides interested readers with a guide for understanding the environment in which computer security must reside, the technical tools for implementing security, and a strategic approach for that security. Although the book was published in 2000, most of what Schneier presents is relevant today. The paperback edition includes a preface by the author addressing the time withstanding themes of security in light of the attacks of 9/11. The author breaks the text into three sections: The Landscape, Technologies, and Strategies.
The first section of the book provides the context in which security is discussed. In the introductory chapter, Schneier sets the scene by listing security events, software vulnerabilities, and website defacements that made the news in March 2000. In this chapter, the author argues, “…the reason that it is so hard to secure a complex system like the Internet is, basically, because it’s a complex system.” In the following four chapters, the author describes digital threats, attacks, adversaries, and security needs. Schneier articulates the ways in which digital security is different from other types of security. He then gives attack scenarios ranging from denial of service attacks, to surveillance, to legal attacks. Adversaries are categorized as lone criminals, the press, organized crime, the police, terrorists, national intelligence organizations and info-warriors. Finally, in this section, Schneier describes security needs in terms of privacy, anonymity, authenticity, and integrity.
The second section of the book, Technologies, gives the reader insight to issues related to cryptography. The two chapters on cryptography are very well-written as would be expected given the author’s previous book, Applied Cryptography. Included in this section are chapters on secure hardware, networked-computer security, network security, network defenses, and software reliability. A chapter on identification and authentication, “who you are, and can you prove it,” provides background on access control. While the Certificates and Credentials chapter does a nice job of bringing these often complicated technologies to a level any executive could understand. Schneier devotes a chapter to “The Human Factor” and suggests that user interaction “is the biggest security risk of all.”
The final section, Strategies, provides an overview of the process of security. In order to help the reader develop appropriate defense strategies, Schneier goes into some detail about how real world attacks are conducted. This section describes vulnerabilities, risk assessment and threat modeling, security policies and countermeasures, product testing and verification, and security processes. One chapter, Attack Trees, gives practical guidance on how to develop attack trees in order to determine vulnerabilities and identify risks. Without articulating this information, it is difficult to manage that risk. Schneier also discusses technologies that may become available in the future that will impact security. Although written in1999, this list is still relevant today (e.g. program checkers, quantum computing, cryptographic breakthroughs and factoring breakthroughs).
This book is a practical overview of computer security. The writing is accessible to security professionals, corporate executives, and novices alike. If your work touches on the field of security, this text provides a useful guide.