Secrets and Lies: Digital Security in a Networked World

Review by Richard Bejtlich for Secrets and Lies: Digital Security in a Networked World
Rating:
I am an Air Force officer and technical resource for a 50-person military intrusion detection operation. I’ve seen Bruce speak twice and he never fails to impress. “Secrets and Lies” is no different. This book is not designed to teach readers about the latest security technologies. It was not written to promote specific products, although Bruce explains how the book’s themes caused him to revamp his Counterpane firm. What the book does is teach security professionals how to think about their craft. I would recommend it to everyone in the field from day one, but its deeper meanings would probably not be evident until a year’s work on the front lines.Some of the ideas aren’t new. For example, I’ve heard members of the L0pht petition for a software Underwriter’s Lab for years, and others have encouraged liability laws for software vendors. Bruce builds on these ideas and weaves them into his own prescription for dealing with complex and inherently insecure systems. This is the type of book that gives a professional the vocabulary and framework to organize his understanding of the security process. “Secrets and Lies” creates the “little voice” that warns against a vendor’s promises to solve all your problems with a $30,000 box-of-wonders. Of particular interest to me, after training in economics, is Bruce’s insistence that “the buying public has no way to differentiate real security from bad security.” It logicially follows that the market cannot address this problem, since “perfect information” does not exist. Therefore, outside organizations (perhaps an FDA for software?) should get involved, but not by outlawing reverse engineering and security tools. I give five stars to books that make the complex simple, that reveal and enhance technical details, or that change the way I look at the world. This book fits two, and possibly three of those categories. Bravo, Bruce.

Review by J. G. Heiser for Secrets and Lies: Digital Security in a Networked World
Rating:
Written by one of my favorite industry commentators, this is an introductory text on information security that should be useful to just about everyone. I highly recommend this book for the following audiences: · Beginning security specialists · IS and other business managers who make decisions about systems deployment · Experienced security practitioners who want to improve their thinking and analysis skills · Those studying for security certification, such as the CISSP · Software and Internet product planning and marketing staff (and not just security software)Schneier, who is recognized for his contributions to cryptography, has recently found religion. As recounted in a recent interview in “Information Security” magazine, he realized that humans were destroying the purity of his mathematical approach. Instead of retreating into academia, he tackled this issue head-on, some of the result of which is this landmark book. He recommends reading it cover to cover, and I agree with him-it takes all 400 pages to paint the complete story, and if you don’t approach it linearly, you run the risk of missing the subtleties of the author’s message. Skimming this book could easily trap a reader into equating vulnerability with risk. The world is full of risk, and while Schneier takes obvious delight in deconstructing the vulnerabilities of automated systems, it is important to understand that historical manual systems are quite vulnerable too, and humans deal with the risk quite nicely. Read the whole book.The chapters that I found most significant included: · (6 & 7) Cryptography: It is no surprise that he was written a terrific introduction to the concepts and building blocks (primitives and protocols) of encryption. Even techno-agnostics will find great value in his discussion of the problems with proprietary algorithms. · (9) Identification & Authentication: An excellent introduction to the problems of passwords and helpful discussion of the limitations of biometrics. He makes it clear why biometrics are NOT a magic cure for security problems. · (12) Network Defenses: Schneier tells it like it is! The ugly truth about sexy security toys. · (13) Software Reliability: Best description of stack overflow that I’ve ever seen for a lay audience. · (22) Product Testing and Verification: After crypto, evaluating software for security flaws is Schneier’s other specialty, and he’s written an awesome chapter. The author makes it very clear why it is unrealistic to expect invulnerable software, he single-handedly conducts a totally balanced debate on the merits of full disclosure, and he finishes the chapter with sage advice on approaching security product reviews with healthy skepticism.I’m often asked to recommend introductory texts on information security, and unfortunately there really aren’t that many good books for a newbie. If more books existed, I would probably give Schneier’s book a 4 instead of a 5, but for now, this is one of the best. As he explains in the Afterward, his `epiphany’ occurred only 12 months before completing the text-this isn’t much time to become an expert in security process. His background is somewhat removed from day to day operations, and perhaps this lack of administrative experience results in a few weak areas. I suggest that the reader exercise some critical thinking and consult additional authorities when reading the following chapters: · (4) Adversaries: his concept of computer criminals is a bit weak, pretty much lumping all transgressors into the mutually exclusive categories of `spy’ or `hacker’. · (5) Security Needs: Sof of his terminology lacks precision (perhaps inevitable when addressing a general audience). I disagree that a spoofed message represents an integrity failure, and I don’t characterize audit as a requirement, but as a control. · (15) Certificates and Credentials: He totally ignores the concept that practice statements (policies on CA and especially certificate management) provide any arbitrary level of assurance-the more stringent the rules, the higher the assurance. He doesn’t discuss time stamping and other forms of third-party witnessing that can greatly strengthen a digital signature. · (16) Security Tricks: His vehement attack on key recovery is politically extreme. The government’s ill-conceived desire for key escrow should not affect the responsibility a corporation has to protect its own data. Who hasn’t used an encryption product and lost a key? · (21) Attack Trees: This is a marvelously useful idea, but he leaves the impression that these can be used to create quantifiable risk models, and I don’t believe that putting information security risk in dollar value terms is practical.Despite its length, the book is a quick read, and the informal tone makes it very approachable. It is addressed at a completely different audience than “Applied Cryptography”–it isn’t a technical book–it is more of a business book. (Technical specialists would be well advised to read more business texts like this.) My copy is already well marked with highlighting and notes-this text has a lot of meat in it, and many new and useful ideas. If you find this book helpful in your job and you want to do additional reading, two complementary texts on the human aspects of infosec that I recommend are “The Process of Network Security” by Thomas Wadlow, and “Fighting Computer Crime : A New Framework for Protecting Information” by Donn B. Parker (I’ve reviewed both here on Amazon).

Review by for Secrets and Lies: Digital Security in a Networked World
Rating:
Bruce Schneier covers the entire landscape of information security with this book. He balances technical and psychological aspects of security, and does so in clear prose that does not talk down to security professionals, while explaining the details to lay persons.As a competitive intelligence specialist who is only peripherally concerned with the technical underpinnings of security I gained much from this book. Among the valuable insights are: a thorough look inside the minds of attackers and spies (state- and corporate-sponsored), an array of threats that I had not previously considered, and the motives behind attacks that are as likely to be oblique as that are to be frontal assaults. Further, I learned a lot about my own profession, especially since my job is “white-ops” (obtaining publicly available information on competitors using strictly legal means). What I really like about this book is the clear explanations of cryptography and security infrastructure. Mr. Schneier has a talent for clearly explaining complex topics so that people like myself who have no technical background can easily understand them. Because my job is closely related to mainstream information security this alone made the book worthwhile.I recommend this book highly to technical practitioners as well as fellow competitive intelligence specialists. Both groups will gain a broader understanding of information security from this informative, easy-to-read book.