Feeds

Beyond Fear A security primer for troubled minds

Bruce Schneier raises awareness without resorting to hype

  • alert
  • submit to reddit

SANS - Survey on application security programs

Book review It's a rare security book that can raise awareness without resorting to sensationalism, but Bruce Schneier's recent title Beyond Fear is one of them. It covers the theory behind both good and bad security practices, though it's not a manual. It does not explain how to make whatever you wish to defend more secure, but it will help you to think clearly about how to do that.

The book clearly defines the essential concepts and basic practices behind security in all areas of life. Indeed, computers and networks hardly come up. It's the universal principles that Schneier is concerned with here, and he illustrates them with numerous everyday examples from the airport to the ATM to the local supermarket.

The author writes a good deal about the limitations of security protocols, and the trade-offs between good security and other desirable things. It is not unusual for security practices to cause more trouble than they're worth, he frequently points out. He talks about how security systems fail, and why, and how to anticipate and mitigate failure, though again, in general terms with plenty of everyday illustrations.

He does a particularly good job of helping readers assess risks, and shows how we all tend to exaggerate them, especially when we don't fully understand them. And he brings the media to task for exaggerating odd events. The media love the unusual, and always give sensational stories a great deal of play. Unfortunately, the man in the street ends up with a lopsided understanding of risk, as he naturally associates the amount of media attention with a story's significance.

Schneier also does a good job of separating and defining concepts and jargonish phrases that are often used interchangeably. He breaks things down so that, for example, the popular trio identification, authentication, and authorization are explained distinctly. Not only do they need to be understood separately, they also need to be implemented separately, he points out.

Occasionally, the author forgets that his reader may be a novice, and uses jargon without enough care. For example, after correctly defining the difference between threat and risk on page 20 (i.e., a threat is a bad thing that can happen; a risk is the relative likelihood that a bad thing will happen), he later uses them interchangeably.

For example, on page 130 he writes about the trade offs in allowing government to keep security information from the public: "What are the risks to those assets? Terrorism: specifically, the risk is that terrorists will use information to launch terrorist attacks more easily, or more effectively," he says. I do think he meant threat, not risk.

Later on page 130 he writes about vulnerability disclosure: "The risk, of course, is that attackers learn about the vulnerabilities and exploit them." Again, it looks to me like he's talking about the thing that can happen, not the likelihood that it might. Of course he could really mean risk, but his phrasing gives false scent to the reader. I don't think the author is confused about this, but some readers might be.

In chapter 9 he talks about the concepts fail safe and fail secure. I've read the section several times, and I'm still not sure what he thinks the difference actually is.

So, occasionally, Schneier forgets his novice reader and uses jargon without as much care and consistency as he could. And there is an irritating mannerism, in which he uses the feminine personal pronoun in place of the indefinite pronoun, that gradually wore on my nerves. But on balance, Beyond Fear is a well-written volume that will explain the black art of security to anyone who finds the subject intriguing. It's easy enough reading for the novice, yet it contains plenty of smart observations for the advanced reader and even the security professional. I recommend it strongly. ®

ISBN 0-387-02620-7
Copernicus Books
Hardcover - 296 pages
Sep 2003 - $25.00

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.