The Security Processes
I have been reading Bruce Schneier’s Secrets and Lies: Digital Security in a Networked World for some time now. Why it took me so long to finally read it, I don’t know – any security geek worth his salt needs the background this book provides. Granted, technology has changed and advanced since this book was first published in 2000, making some of the examples irrelevant in today’s environment, but the basics of security that they illustrate have not.
In Chapter 24, Mr. Schneier outlines and explains security processes in depth and states the obvious that most of us either never think about or take for granted:
Computer insecurity is inevitable. Technology can foil most of the casual attackers. Laws can deter, or at least prosecute, most criminals. But attacks will fall through the cracks. Networks will be hacked. Fraud will be committed. Money will be lost. People will die.
Technology alone cannot save us.
The only thing reasonable to do is to create processes that accept this reality, and allow us to go about our lives the best we can.
The following are the process principles Mr. Schneier outlines. I’ve printed this list and posted it as a reminder to look at my network with these points in mind when making changes or upgrading things.
- Secure the Weakest Link
- Use Choke Points
- Provide Defense in Depth
- Fail Securely
- Leverage Unpredictability
- Embrace Simplicity
- Enlist the Users
If you haven’t read the book, I highly recommend you do so now to get the in-depth take on each of these principles.