Having been a long-time reader of the Crypto-Gram column, and well aware of Schneier’s knowledge and expertise in the information security field, it was with some eagerness that I received a copy of his latest book, . Needless to say, I was not let down by this entertaining and insightful tome.
Schneier provides an interesting view of the notion of security, outlining a simple five-step process that can be applied to deliver effective and sensible security decisions. These steps are addressed in detail throughout the book, and applied to various scenarios to show how simple, yet effective they can be.
The book is divided into three parts, with the first section discussing the notion of sensible security. Schneier begins by explaining that the fundamental principles of security can be applied to all facets of life. Through an examination of the tradeoffs that are made in security, Schneier takes issue with many of the security decisions that have been made, especially in the wake of September 11. Although struggling a little with the difference between threat and risk--an issue the security industry struggles with, as Schneier points out in chapter 6--the examples and discussions he provides clearly highlight the ongoing problem of perceived risk versus actual risk. Part 1 finishes by considering how people’s agendas affect the security process, and how some security measures are cosmetic, providing only the feeling of security rather than the reality.
Part 2 looks at security in action, or more often, inaction. Schneier examines the growing complexities of security and the need to treat it like a system, as well as considering the associated and related interactions. He discusses why we need to realize that failures (passive or active) can occur, and that no system is infallible. By understanding the attacker--their motivations, objectives, and abilities--we can better develop an effective security solution. He goes on to discuss how attacks and attackers have not changed much over time, but that the tools and technologies used have developed significantly.
As he does throughout the book, Schneier blends numerous analogies and anecdotes, both current and historical, into his discussion, which adds a refreshing view of security issues. In looking at the advancement of technology and the complexity of systems and how they create security imbalances and subtle vulnerabilities, he ranges from discussing the invention of dynamite to Iranian counterfeiting to cell phone technology, all in one chapter!
The second part of the book also deals with various other security issues, including how the weakest link can change depending on the ability and motive of the attacker, why systems need to be resilient and not brittle, the human factor, and the benefit of detection, especially prediction techniques, and associated response mechanisms. Schneier points out that, whilst security is important, it must also ensure that those with the right credentials can have access to those systems and processes. He then finishes this section with an entertaining look at countermeasures, followed by how his five-step process can also apply to the fight against terrorism.
The final part of the book looks at security in the wider socio-political context, particularly in negotiating the tradeoffs in security implementations. Airline security and the restrictions imposed are again examined. Schneier wraps up the book with a summary of what sensible security can be, how people have roles to play in it, and how sometimes we can get it wrong.
Overall, this book is an entertaining read, written in layman’s terms, with a diverse range of examples and anecdotes that reinforce the notion of security as a process. The five-step process Schneier presents is an effective, if simple, one that would certainly be an excellent starting point for anyone faced with security responsibilities.