
Beyond Fear: A security primer for troubled minds

Bruce Schneier raises awareness without resorting to hype


Book review It's a rare security book that can raise awareness without resorting to sensationalism, but Bruce Schneier's recent title Beyond Fear is one of them. It covers the theory behind both good and bad security practices, though it's not a manual. It does not explain how to make whatever you wish to defend more secure, but it will help you to think clearly about how to do that.

The book clearly defines the essential concepts and basic practices behind security in all areas of life. Indeed, computers and networks hardly come up. It's the universal principles that Schneier is concerned with here, and he illustrates them with numerous everyday examples from the airport to the ATM to the local supermarket.

The author writes a good deal about the limitations of security protocols, and the trade-offs between good security and other desirable things. It is not unusual for security practices to cause more trouble than they're worth, he frequently points out. He talks about how security systems fail, and why, and how to anticipate and mitigate failure, though again, in general terms with plenty of everyday illustrations.

He does a particularly good job of helping readers assess risks, and shows how we all tend to exaggerate them, especially when we don't fully understand them. And he takes the media to task for exaggerating odd events. The media love the unusual, and always give sensational stories a great deal of play. Unfortunately, the man in the street ends up with a lopsided understanding of risk, as he naturally associates the amount of media attention with a story's significance.

Schneier also does a good job of separating and defining concepts and jargonish phrases that are often used interchangeably. He breaks things down so that, for example, the popular trio identification, authentication, and authorization are explained distinctly. Not only do they need to be understood separately, they also need to be implemented separately, he points out.
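To make the distinction concrete, here is an added example (my own illustration, not code from the book or from the review) of the three steps kept apart. The user store, password hashes, role policy and function names are all constructed for the example; the point is that each step answers a different question and a request can pass one and still fail the next.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Constructed in-memory user store for the example (not a real system) ---
# Passwords are stored as salted PBKDF2 hashes so that authentication
# compares derived keys, never plaintext.

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)  # per-user random salt
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}

USERS = {
    "alice": make_user("correct horse", {"reader"}),
    "bob": make_user("battery staple", {"reader", "admin"}),
}

# Constructed policy: which roles may perform which action.
POLICY = {
    "read_report": {"reader", "admin"},
    "delete_report": {"admin"},
}

def identify(username: str) -> Optional[dict]:
    """Identification: map a claimed name to a known principal.
    This proves nothing about who is asking; it only selects a record."""
    return USERS.get(username)

def authenticate(user: dict, password: str) -> bool:
    """Authentication: check that the claimant holds the secret bound to
    the identity. Constant-time comparison avoids leaking hash bytes
    through timing differences."""
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["hash"])

def authorize(user: dict, action: str) -> bool:
    """Authorization: decide whether this authenticated principal may take
    this action. Independent of how they authenticated."""
    allowed_roles = POLICY.get(action, set())
    return bool(user["roles"] & allowed_roles)

def request(username: str, password: str, action: str) -> str:
    """Run the three steps in order and report which one stopped the request.
    The distinct outcomes are for the example's internal log; a user-facing
    message would not distinguish 'unknown identity' from a wrong password,
    since that reveals which accounts exist."""
    user = identify(username)
    if user is None:
        return "unknown identity"
    if not authenticate(user, password):
        return "authentication failed"
    if not authorize(user, action):
        return "not authorized"
    return "allowed"

if __name__ == "__main__":
    for args in [("alice", "correct horse", "read_report"),
                 ("alice", "correct horse", "delete_report"),
                 ("bob", "wrong", "delete_report")]:
        print(args, "->", request(*args))
```

Alice authenticates successfully yet is refused `delete_report`, which is the case the three-way split exists to make visible: being sure who someone is says nothing about what they may do.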

Occasionally, the author forgets that his reader may be a novice, and uses jargon without enough care. For example, after correctly defining the difference between threat and risk on page 20 (i.e., a threat is a bad thing that can happen; a risk is the relative likelihood that a bad thing will happen), he later uses them interchangeably.

For example, on page 130 he writes about the trade-offs in allowing government to keep security information from the public: "What are the risks to those assets? Terrorism: specifically, the risk is that terrorists will use information to launch terrorist attacks more easily, or more effectively," he says. I do think he meant threat, not risk.

Later on page 130 he writes about vulnerability disclosure: "The risk, of course, is that attackers learn about the vulnerabilities and exploit them." Again, it looks to me like he's talking about the thing that can happen, not the likelihood that it might. Of course he could really mean risk, but his phrasing gives false scent to the reader. I don't think the author is confused about this, but some readers might be.

In chapter 9 he discusses the concepts of fail-safe and fail-secure. I've read the section several times, and I'm still not sure what he thinks the difference actually is.

So, occasionally, Schneier forgets his novice reader and uses jargon without as much care and consistency as he could. And there is an irritating mannerism, in which he uses the feminine personal pronoun in place of the indefinite pronoun, that gradually wore on my nerves. But on balance, Beyond Fear is a well-written volume that will explain the black art of security to anyone who finds the subject intriguing. It's easy enough reading for the novice, yet it contains plenty of smart observations for the advanced reader and even the security professional. I recommend it strongly. ®

ISBN 0-387-02620-7
Copernicus Books
Hardcover - 296 pages
Sep 2003 - $25.00
