Book: Secrets & Lies
Everyone knows Bruce Schneier (at least everyone reading my blog); to begin with, this is not a technical book about cryptography. It is a book that wants to give almost the exact opposite message, namely that cryptography by itself cannot do much, since security is made up of numerous factors. This book was a present from a friend of mine and, just for your information, this review/overview was written after reading it just once, despite B. Schneier’s suggestion of reading it at least twice in order to understand the message “between the lines”. In any case, here it is…
Title: Secrets & Lies: Digital Security in a Networked World
Author: Bruce Schneier
Chapter 1: Introduction
Here B. Schneier describes a series of events to demonstrate the lack of real-world security. He then discusses the concept of a security system and explains why it should not be treated as a stand-alone subject that depends on the point of view of each “security expert”. Finally, the chapter ends with some definitions and a quick introduction to the rest of the book.
Part 1: The Landscape
He starts this part of the book with two excellent questions, “Secure from whom?” and “Secure against what?”, which are usually forgotten by many people in the security industry. This small section leads into the second chapter of the book by simply making people realize the whole picture one should have in mind when talking about security.
Chapter 2: Digital Threats
Bruce Schneier provides an introduction to the nature of digital threats, giving some generic characteristics that apply to more or less all digital threats. As always, he uses real-world facts to support his writing.
Chapter 3: Attacks
This chapter is a classification of the attack types we see, given in a generic way so that they apply to both the real and the digital world. Those attack types are common criminal and privacy attacks.
Chapter 4: Adversaries
The adversaries of this world are identified in this chapter. A quick overview of almost everyone involved, from hackers to infowarriors, is given in B. Schneier’s unique style.
Chapter 5: Security Needs
Once again, using facts, Schneier goes through the security needs of our digital landscape. Although these are already known to most people in the security world, it’s a nice piece of writing that covers topics such as privacy, integrity, auditing, etc.
Part 2: Technologies
This next part of the book deals with the technologies used to address the issues identified earlier. Each subject is explained in a separate chapter, as follows…
Chapter 6: Cryptography
This is clearly the first technology that Bruce Schneier would choose to discuss. It’s a non-technical chapter explaining Message Authentication Codes, Symmetric Encryption, One-Way Hash Functions, Digital Signatures, etc.
Chapter 7: Cryptography in Context
After the previous introduction to cryptography, there is a chapter that discusses the advantages and disadvantages of cryptography and its usage in the digital world. Here, apart from the security concepts, there is a neat section on choosing among the numerous algorithms and protocols.
Chapter 8: Computer Security
The 8th chapter of this book opens with an overview of the definitions relevant to the chapter and then continues with computer security subjects such as Access Control Lists, Security Models, Covert Channels, etc.
Chapter 9: Identification and Authentication
In this chapter the reader can find information on the identification and authentication phase from a theoretical security point of view, that is, Passwords, Access Tokens, Biometrics, etc.
Chapter 10: Networked-Computer Security
In my opinion, this chapter is more compact than it should be. However, it contains definitions and a quick overview of a variety of subjects in networked-computer security; some of those are Worms, Trojan Horses, Web security and privacy, etc.
Chapter 12: Network Defenses
Since the previous chapter identifies the threats in network security, this one brings up some well-known technologies used to limit the number of successful attacks. Some of them are Firewalls, VPNs, IDSs, etc.
Chapter 13: Software Reliability
In this chapter Bruce Schneier goes through one of the most important security issues: software vulnerabilities. Once again, he discusses the subject briefly using a non-technical approach.
Chapter 15: Certificates and Credentials
Beginning by identifying the disadvantages of digital signatures, in this chapter Bruce Schneier introduces some security risks against credentials, PKI, and trusted third parties in both real-world and digital scenarios.
Chapter 16: Security Tricks
As the author states at the beginning of this chapter, this is only a collection of computer security tricks, ranging from government key escrow and steganography to copy protection issues, etc. It’s a pretty neat chapter.
Chapter 17: The Human Factor
Clearly, anyone who has ever been involved with security knows that people are always the weakest link. In this chapter Bruce Schneier deals with the human factor in the security field. It starts off with people’s perception of risk and its consequences. He then moves on to other equally interesting subjects such as exception handling and human-computer transference, as well as the classic risks of insiders and social engineering.
Part 3: Strategies
Up to this point, most parts of the book were dedicated to identifying the various pieces that make up security threats. The third part attempts to provide strategies to mitigate those problems, as you’ll see in the chapters below.
Chapter 18: Vulnerabilities and the Vulnerability Landscape
Starting with this chapter, Bruce Schneier moves from theory to practice by discussing the vulnerability landscape, from attack methodologies and countermeasures to concepts like physical security, trust models, the security lifecycle, etc.
Chapter 19: Threat Modeling and Risk Assessment
This chapter begins with an example of “fair elections”. This example is used to demonstrate the steps required for successful risk assessment and threat modeling; the chapter continues with more real-world scenarios such as secure telephone systems, secure e-mail, etc., and ends with a discussion of the aims of threat modeling.
Chapter 20: Security Policies and Countermeasures
Another important subject in security is security policies and the various countermeasures used against most attacks. Here B. Schneier goes through security policies, third-party trusted software, ATMs, lottery terminals, etc., to demonstrate the need for completely different security policies, as well as countermeasures against the identified attacks.
Chapter 21: Attack Trees
Chapter 21 is, in my opinion, an extension of the threat modeling one, since it describes a way of creating “attack trees” that can help in the threat modeling process. It’s a small but informative chapter that contains examples of attack trees for both real-world and digital-world cases.
Chapter 22: Product Testing and Verification
One of the most classic concepts of security is the subject of this chapter. First of all, Schneier makes a distinction between functionality beta testing and security testing. He then introduces the creation and goal of CERT and moves on to one really crucial issue: software complexity and its effect on security flaws. Another important topic covered here is open versus closed source software from a security testing point of view. This leads to subjects like reverse engineering and the DMCA, cracking and hacking contests, etc.
Chapter 23: The Future of Products
Like a pre-conclusion to the previous chapters, this chapter attempts to identify the future of software products. Of course, as the author states, one of the biggest problems is definitely the growing complexity that makes security harder and harder. He also discusses security issues that will almost certainly remain the same in the future, such as people’s weakness to social engineering, companies’ reactions to security flaws, etc.
Chapter 24: Security Processes
This penultimate chapter of the book is my personal favourite, since it talks about some security principles that are usually omitted by similar books. The best thing, in my opinion, is that Bruce Schneier always uses both real-world and digital-world examples to illustrate his writing.
Chapter 25: Conclusion
The final chapter of the book puts together the knowledge acquired from all the previous ones and also gives us a brief history of how this book was written. It’s an excellent conclusion that leaves the reader thinking about what the point of security is and how it can be applied.
As Dustin Puryear said in his review on the back cover of the book, it “is written for both technical users and management”, and I think he’s quite right. Although technical users won’t gain any new knowledge regarding technical issues, it’s a really nice piece of writing which is very well written and easy to read. It’s separated into small chapters and sections and it includes numerous real-world facts to illustrate each subject. On the other hand, because of the manner in which it is written, it’s an excellent book for management users who aren’t keen on technical concepts. B. Schneier discusses well-known technical security concepts using very few technical terms, and in my opinion this is why “Secrets & Lies” is ideal for management users to get introduced to digital security.