Secrets and Lies: Digital Security in a Networked World

Amazon.com
Whom can you trust? Try Bruce Schneier, whose rare gift for common sense makes his book Secrets and Lies: Digital Security in a Networked World both enlightening and practical. He's worked in cryptography and electronic security for years, and has reached the depressing conclusion that even the loveliest code and toughest hardware still will yield to attackers who exploit human weaknesses in the users. The book is neatly divided into three parts, covering the turn-of-the-century landscape of systems and threats, the technologies used to protect and intercept data, and strategies for proper implementation of security systems. Moving away from blind faith in prevention, Schneier advocates swift detection and response to an attack, while maintaining firewalls and other gateways to keep out the amateurs.

Newcomers to the world of Schneier will be surprised at how funny he can be, especially given a subject commonly perceived as quiet and dull. Whether he's analyzing the security issues of the rebels and the Death Star in Star Wars or poking fun at the giant software and e-commerce companies that consistently sacrifice security for sexier features, he's one of the few tech writers who can provoke laughter consistently. While moderately pessimistic on the future of systems vulnerability, he goes on to relieve the reader's tension by comparing our electronic world to the equally insecure paper world we've endured for centuries--a little smart-card fraud doesn't seem so bad after all. Despite his unfortunate (but brief) shill for his consulting company in the book's afterword, you can trust Schneier to dish the dirt in Secrets and Lies. --Rob Lightner


From The Industry Standard
In April 1999, Bruce Schneier, mathematician, digital security expert and unlikely hacker-scene hero, had an epiphany. It prodded him to reorganize his company, Counterpane Internet Security, and altered his view of securing computer systems. The fruits of that thinking also make up the bulk of his engaging and exhaustive new book, Secrets and Lies: Digital Security in a Networked World.Schneier, the creator of two widely used data-scrambling formulas and author of the definitive Applied Cryptography, realized that he and his colleagues were trained to view security as a hopeless prophylactic, a passive approach that relies too heavily on complex technologies to keep hackers and criminals out. "Too many system designers think about security design as a cookbook thing," writes Schneier. Add a firewall and a pinch of encryption, and eventually you'll have a secure system.He concluded that technology, no matter how complex, can't solve all our problems. "Security is rooted in the physical world. The physical world is not logical. It is not orderly," he explains. "People don't play along. They do the unexpected; they break the rules."In a land of rule-breakers, rules-based systems are not especially useful. Instead of building the digital equivalent of a Maginot Line, Schneier argues, it is far more effective to think of security as an ongoing process of "risk management" that includes not just protection, but also detection and reaction mechanisms.Secrets and Lies, then, isn't so much a "how-to" as a "how-to-think" - a philosophical road map in which Schneier guides the reader along the same path that brought about his new thinking. With the single-minded discipline of a programmer, Schneier spends almost two-thirds of the 400-page book getting to know the mind of the enemy; surveying the methods hackers employ to break into systems, from automated programs to the person-to-person con games known as "social engineering."The aim in mastering such arcana, according to Schneier, is "threat modeling," which is his way of teaching readers to think like the most methodic of thieves. Schneier provides a series of cognitive exercises designed to get crime-inspiring synapses firing. How might one rig an election or hack a stored-value smartcard without getting caught, for instance?In one exhaustive deconstruction, Schneier walks readers through the process of getting free pancakes: "We can eat and run. We can pay with a fake credit card, a fake check or counterfeit cash. We can persuade another patron to leave the restaurant without eating and eat his food. We can impersonate (or actually become) a cook, a waiter or the restaurant owner ..." Schneier goes so far as to diagram these threat models - to near-comic effect - with what he calls "attack trees." With such deep knowledge of one's potential security flaws in hand, managers can far more effectively secure their systems.Schneier is the right person to popularize these views. His prose is lively and his work is informed by current headlines about the I Love You virus, obscure historical facts about Germany's World War II "Enigma" data-scrambling device and ancient myth. (How did Zeus sneak into Danae's supposedly impenetrable bronze chamber? He turned himself into gold dust and showered down into Danae's lap through a hole in the roof.)In the wake of this year's denial-of-service attacks on major Web sites, Schneier's book joins a host of other popular works on digital security - most notably Winn Schwartau's Cybershock. Setting himself apart, Schneier navigates rough terrain without being overly technical or sensational - two common pitfalls of writers who take on cybercrime and security. All this helps to explain Schneier's long-standing cult-hero status, even - indeed especially - among his esteemed hacker adversaries.John Simons is a Markle Fellow at the New America Foundation in Washington.


From Book News, Inc.
Information security expert Schneier tells businesses what they need to know to protect themselves from the risks of the wired world. He examines many aspects of networked society, from the reasons for technical insecurities to what's in the minds of hackers who engineer viruses and other malicious attacks. He provides practical advice about the capabilities and limitations of security technologies and products as well as how to recognize and manage vulnerabilities and protect data. Schneier is also the author of Applied Cryptography.Book News, Inc.®, Portland, OR


Review
“…The security technologies available are described in a user-friendly way without going into depth...” (Computer Bulletin, January 2005)

“…peppered with lively anecdotes and aphorisms, making it a really accessible read...” (The ISSG Magazine, Autumn, 2004)

“…fascinating read…peppered with lively anecdotes…” (The ISSG Magazine, October 2004)

"...make yourself better informed. Read this book." (CVu, The Journal of the ACCU, Vol 16(3), June 2004)


Review
“…The security technologies available are described in a user-friendly way without going into depth...” (Computer Bulletin, January 2005)

“…peppered with lively anecdotes and aphorisms, making it a really accessible read...” (The ISSG Magazine, Autumn, 2004)

“…fascinating read…peppered with lively anecdotes…” (The ISSG Magazine, October 2004)

FROM OUR EDITORS

The Barnes & Noble Review
Finally in paperback: what may be the world￯﾿ﾽs most thoughtful guide to computer and network security. Bruce Schneier￯﾿ﾽs Secrets and Lies is for anyone who needs to address security: businesspeople and technical people alike.

Schneier begins with a paradox: ￯﾿ﾽEven as we learn more about security... we build things with less security.￯﾿ﾽ This book explains why -- and what can (and can￯﾿ﾽt) be done about it.

The problem starts with systems. They￯﾿ﾽre complex. They interact. They￯﾿ﾽre buggy. And they have ￯﾿ﾽemergent￯﾿ﾽ properties their creators never anticipated. The best (if imperfect) response: prevention, detection, and reaction. (Most networks rely primarily on prevention. Not enough.)

Schneier then explains why attacks are becoming more frequent, widespread, automated, and difficult to track. What to do? Working from the premise that technology isn￯﾿ﾽt nearly everything, he carefully explains today￯﾿ﾽs key security technologies. Never expected to understand public-key encryption or digital signatures? You finally will.

Today￯﾿ﾽs most common attacks are covered; so are the best available responses (often far from foolproof). There￯﾿ﾽs also a brutally realistic chapter on the human side of computer security: how people perceive risks, the futility of asking them to make intelligent security decisions, and the dangers of ￯﾿ﾽsocial engineering.￯﾿ﾽ

Part III is dedicated to high-level response strategies -- including Schneier￯﾿ﾽs own ￯﾿ﾽattack trees￯﾿ﾽ technique, the first systematic way to describe threats, countermeasures, and overall security.

Schneier￯﾿ﾽs updated this edition with a new introduction: ￯﾿ﾽWhat Has Changed Since 9-11.￯﾿ﾽ Like the rest of this book -- and his many public writings on homeland security -- it￯﾿ﾽs very much worth reading. Bill Camarda

Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2003 and Upgrading & Fixing Networks for Dummies, Second Edition.

FROM THE PUBLISHER

Viruses. Identity theft. Corporate espionage. National secrets compromised. Can anyone promise security in our digital world? The man who introduced cryptography to the boardroom says no. But in this fascinating read, he shows us how to come closer by developing security measures in terms of context, tools, and strategy. Security is a process, not a product -- one that system administrators and corporate executives alike must understand to survive.

SYNOPSIS

"A primer in practical computer security aimed at those shopping, communicating, or doing business online — almost everyone, in other words." —The Economist

Viruses. Identity theft. Corporate espionage. National secrets compromised. Can anyone promise security in our digital world?

The man who introduced cryptography to the boardroom says no. But in this fascinating read, he shows us how to come closer by developing security measures in terms of context, tools, and strategy. Security is a process, not a product — one that system administrators and corporate executives alike must understand to survive.

"This book is of value to anyone whose business depends on safe use of e-mail, the Web, or other networked communications. If that’s not yet everybody, it soon will be." —Stephen H. Wildstrom, BusinessWeek

"It’s not often that a truly outstanding book is written for both technical users and management. Fortunately, Secrets and Lies pulls off this feat rather well." —Dustin Puryear, Linux.com

"Schneier . . . peppers the book with lively anecdotes and aphorisms, making it unusually accessible." —Los Angeles Times

FROM THE CRITICS

Danny Yee - Electronic Review of Computer Books

Bruce Schneier begins Secrets and Lies by saying "I have written this book partly to correct a mistake" -- that being the utopian vision of cryptography in his earlier Applied Cryptography. Of the wonders he predicted in that work, he now writes: "Cryptography can't do any of that.
"... Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers."

Secrets and Lies, then, is a non-technical introduction to the full, messy complexity of digital security. Cryptography is covered, but only as part of the broader picture and without any mathematics at all. The result is broadly accessible, but many of the ideas it explains are misunderstood even by the technically trained, so it is a work that offers something to techs and managers as well as lay readers.

Part 1 is a 70-page overview of digital security which could (and perhaps should) be read by anyone who uses the Net. Schneier surveys the threats, covering not just the full range of criminal attacks but also publicity attacks and attacks using the legal system. He categorizes the attackers, who can include national intelligence organizations and the press as well as terrorists, insiders, lone criminals, and corporate spies. And he looks as the various kinds of security we need, among them privacy, anonymity, integrity, authenticity, and audit.

Part 2 looks at a broad range of security technologies (cryptography and its context, software reliability, secure hardware, identification and authentication, and certificates and credentials) and security domains (computer, networked-computer, and network security), with a final chapter on "the human factor." Schneier provides clear, non-technical explanations of everything from the problems with mobile code to the uses of secure hardware to the limitations of digital certificates. In the process he corrects many common misconceptions about security, including some of the rather misleading statements used in product marketing.

Part 3, on security strategies, covers the management of digital security. Schneier looks at vulnerabilities, attack methodologies, and countermeasures (protection, detection, and response), stressing the importance of threat modelling and risk assessment (including an approach of his own called "attack trees"). He also covers product testing and verification and the future of products. In the final analysis, however, digital security is about risk management: "security is not a product; it's a process."

Fortune

...a jewel box of little surprises you can actually use...a startlingly lively treatise...

Journal

...worth a read...

Business Week

A computer virus shuts down your corporate e-mail for a day. Hackers deface your Web site with pornography. The need to share data with customers and vendors exposes critical corporate information to online theft. With your business ever more dependent on safe use of the Internet, security savvy has become as important as understanding marketing or finance. Such savvy, however, has been hard for non-techie executives to acquire. Books and articles on security generally came in two equally useless varieties: incomprehensible or sensationalized. Remember all those books on how the Y2K bug would end civilization as we knew it? Now, Bruce Schneier, a highly respected security expert, has stepped into the breach with Secrets Lies: Digital Security in a Networked World. The book is of value to anyone whose business depends on safe use of e-mail, the Web, or other networked communications. If that's not yet everybody, it soon will be. Schneier brings strong credentials to the job. His book Applied Cryptography is a classic in the field, and he is one of the creators of the Twofish algorithm, a finalist in the U.S. government's competition for the Advanced Encryption Standard. Schneier serves as chief technology officer of Counterpane Internet Security, which manages computer security for corporations. Although this is a book for the general reader, it's not always easy going. But Secrets Lies requires no prior knowledge of computer or security technology and should be accessible to anyone who is willing to put in a little effort. For example, Schneier explains encryption, essentially a mathematical process, without resorting to a single equation. While Schneier is not an elegantwriter, he has a nice ability to use analogies to make the obscure understandable. The book has two main thrusts. First is Schneier's mantra: "Security is a process, not a product." Anyone who promises you a hacker-proof system or offers to provide "unbreakable" encryption is selling you snake oil. There is simply no way to wave a magic wand over a system to make it -and keep it- secure. Second, Schneier says, getting security right is hard, and small mistakes can be deadly.

Risk Management. Schneier backs his opinions with real-world examples. For instance, Hollywood was terrified of piracy and worked hard on a scheme to encrypt digital videodisks so that only authorized players could read the disks. The encryption would have been hard to break, but hackers didn't have to do it. A design flaw made it easy to steal the decryption keys from the software players supplied with PC's. Similarly, most e-commerce sites use a technology called SSL to protect transaction data from online snoopers. SSL works fine, but some e-tailers left customers' credit card information in files where hackers could swipe it. The last third of the book is most valuable to managers. In it, Schneier discusses the process by which people should assess security vulnerabilities and decide what to do about them. His central point: Computer security is basically risk management. Banks and credit-card companies can tolerate a considerable amount of credit risk and fraud because they know how to anticipate losses and price their services accordingly. That's good, since zero tolerance would put them out of business. Similarly, seeking perfect security would make a system useless because anything worth doing carries some risk. Unfortunately, the art of computer security has not progressed to the point where Underwriters Labs can certify that a firewall can protect you against attack for two hours, as can be done for safes and fire doors. But with the crude tools that are available, managers have to decide what they are trying to protect and how much they are willing to spend, both in cost and convenience, to defend it. This is a business issue, not a technical one, and executives can no longer leave such decisions to techies. That's why Secrets and Lies belongs in every manager's library.

Charles Piller

Secrets and Lies" is well-timed on the heels of an apparently unstoppable wave of security foul-ups, hacks and government surveillance revelations. The best-known attacks—such as the breach of Microsoft's corporate network revealed last week, disruptions of Yahoo, EBay and other top Web sites early this year, and the "Love Bug" virus, which infected millions of computers—made headlines. Paranoids have delighted in recent revelations about "Echelon," the government's once super-secret system for monitoring worldwide voice and data communications, and the FBI's "Carnivore" technology, which sniffs millions of supposedly private e-mail messages.

A burgeoning underground of Internet vandals, network nihilists, data thieves and those who probe vulnerabilities as an intellectual exercise begs a scorecard to distinguish "hackers" from "crackers," "white hats" from "black hats." "Script kiddies"—wannabes who use turnkey hacking tools they find posted on the Web—may be emerging as the biggest threat. Schneier explains the reasons for this grim scenario in simple truths: * In the hacking wars, technology favors offense over defense. * Complexity is the enemy of security, and the Internet is the mother of all complex systems. * Software is buggy. Experts suggest that every 1,000 lines of computer programming code contains between five and 15 mistakes, some of which inevitably open security holes. Consider that Windows 2000 shipped with some 63,000 known bugs and incompatibilities. * People are often foolish. Early this month the National Institute of Standards and Technology adopted an encryption algorithm (a mathematical formula used to scramble digital data that itsaid would take more than 149 trillion years to crack. Then again, if you use your name or the word "password" as a decoding key—typical among lazy computer users—a neophyte hacker would need about five minutes.

Any security scheme can and will be subverted. Little wonder that software licensing agreements specifically disclaim responsibility for the product working as advertised. It's not hard to imagine why security software developers would be short on confidence—their products are nearly always developed in a vacuum.

"A common joke from my college physics class was to 'assume a spherical cow of uniform density,' " Schneier writes. "We could only make calculations on idealized systems; the real world was much too complicated for the theory. Digital system security is the same way"—probably reliable in the lab, always vulnerable in the wild. Part of the problem is that conventional thinking about Internet security is drawn from the physical world, where some kinds of security are "good enough."

"If you had a great scam to pick someone's pocket, but it only worked once every hundred thousand tries, you'd starve before you robbed anyone," Schneier writes. "In cyberspace, you can set your computer to look for the one-in-a-hundred-thousand chance. You'd probably find a couple dozen every day. —'Lies' Propagates One Truth: No One Can Get a Lock on Net Security Los Angeles Times by Charles Piller individuals,A big part of the solution, he writes, is to recognize that "security is a process, not a product." Virus-protection software and "firewalls" designed to guard private networks can be effective only as part of a comprehensive strategy about security. This means that network users—as individuals or employees—must understand their role in protecting information—instead of naively relying on software tools to work without human vigilance.

So how to reach people with this geeky material? Schneier, founder of Counterpane Internet Security Inc. in San Jose, peppers the book with lively anecdotes and aphorisms, making it unusually accessible. But I still wouldn't have judged it suitable for the average reader. So I wasstonished to find "Secrets and Lies" recently ranked 68th on Amazon.com's sales list. Unless all the buyers are hackers, that's a hopeful sign. So take Schneier's good advice, but don't panic: Like security, fear-mongering is a process. Exploiting that fear has become a growth industry. Hundreds of security companies shamelessly hype every new virus or hacking to pump up business. Consider that while it's theoretically possible to bring down much of the Internet with a single orchestrated hack, the most damaging episodes so far have affected only a few sites out of millions. The worst ones, such as Love Bug, though genuinely harmful, fade in a couple of weeks.