Originally Published: Tuesday, 10 July 2001 Author: Dustin Puryear
Published to: enchance_articles_security/Basic Security Articles

Book Review: "Secrets and Lies" by Bruce Schneier

We take a look at a modern classic. Although published just within the last year, Bruce Schneier's "Secrets and Lies", from Wiley Computer Publishing, is already assured a place on every security consultant's bookshelf. We asked Dustin Puryear to show us why.


Security is a fundamental component of doing business in this world. Transactions between businesses, consumers, and governmental organizations--they all depend on ensured data privacy, integrity, and availability to some degree. The common mantra regarding security in the online world seems to be: use encryption. But is that really all there is to it? Is encryption the panacea that it is so often proposed to be?

Bruce Schneier emphatically informs us that it is not. Instead, for Schneier, security is a much larger animal that must be applied at every level of a system. In his book, "Secrets and Lies," published by Wiley Computer Publishing, Schneier attempts to bring information regarding security and the implications of that security to the masses. Schneier presents this information in a truly engaging manner, and takes care to cover a wide range of security topics.

Most readers will already be familiar with Bruce Schneier from his earlier work, "Applied Cryptography," which is one of the definitive works on cryptography in the information systems industry. Schneier is also the author of the monthly Crypto-Gram newsletter, which is a mixture of the SANS and SecurityFocus advisory newsletters but with considerably more editorial content.


"Secrets and Lies" is not the second edition of "Applied Cryptography." In "Applied Cryptography" Schneier opened much of the world's eyes to cryptography as a way to protect data. However, Schneier takes pains to admit in the preface of "Secrets and Lies" that some of the basic assumptions presented in that earlier text were flawed at a fundamental level. That is not to say that the book contained technical errors, but that his devotion to cryptography as a security solution was naive: cryptography isn't the solution he initially believed it to be. Rather, it is only a small part, a cog, in a much bigger machine that involves business processes, physical interactions, and all of the other wonderful components of the business world.

In "Secrets and Lies" Schneier has assigned himself the task of presenting a more robust method for approaching and solving security issues in the information-centric digital world in which we find ourselves. He does this by breaking security into separate tasks that must be addressed: determine who your enemies are, analyze how they can attack you, and develop methods to prevent or handle those attacks. This approach isn't new. In fact, it's difficult to think of a different way to approach security. What makes "Secrets and Lies" stand out is the wealth of information given, Schneier's attention to detail, and his ability to discuss advanced topics in a way that is readable to technical and management staff alike.

The book is broken into three sections, each composed of several chapters: "The Landscape," "Technologies," and "Strategies." In "The Landscape" Schneier defines the enemy, her methods of attack, and common targets. Specific techniques and technologies are only glossed over in this section, as the focus is on understanding what exactly it is you are trying to protect and how and why it will be attacked. This section is excellent reading, and should serve as a wonderful resource for better understanding the requirements and need for security at both the design and implementation level.

Next, in "Technologies," Schneier walks the reader through various technologies that can be used within a security solution. Important topics include cryptography, user authentication systems, single-purpose secure hardware, and digital certificates. And don't worry if you aren't interested in learning the specifics of how to implement these technologies. Rather, Schneier discusses specific security issues, such as ensuring the data you are reading is the data you just saved over the network, and then presents various ways in which to attack the problem.

Finally, in "Strategies," Schneier delves into how management and security administrators should approach security. In other words, he points out how to examine systems that need protection, how to assess security, and how to determine your "vulnerability landscape." This is certainly the most informative section for technical users who actually have the job of determining requirements and implementing solutions. Yet it's also an excellent primer to be read by management so that they have a better understanding of the process. Topics include security policies, developing attack trees to further investigate security, and product testing.


It's not often that a truly outstanding book is written for both technical users and management. Fortunately, "Secrets and Lies" pulls off this feat rather well. Bruce Schneier does an excellent job of presenting a wide range of topics in a clear, understandable format. Rather than grinding away at details and minutiae, Schneier elevates us so that we have a better perspective of what is involved in designing and implementing security in our products, processes, and interactions. I highly recommend this book to anyone involved in software development, administration, or management.

Dustin Puryear is a professional working in the Information Technology industry. He is author of "Integrate Linux Solutions into Your Windows Network," as well as numerous articles for both print and online publications. He may be reached at dpuryear@usa.net.
