Monday, May 5, 2014

Book Review: Secrets and Lies: Digital Security in a Networked World (2000) by Bruce Schneier

Executive Summary

Secrets and Lies: Digital Security in a Networked World is the perfect book to hand to new bosses or new employees coming in the door who have not been exposed to cyber security in their past lives. It is also the perfect book for seasoned security practitioners who want an overview of the key issues facing our community today. Schneier wrote it more than a decade ago, but its ideas still resonate. He talks about the idea that “security is a process, not a product.” With that one line, Schneier captures the essence of what our cyber security community should be about. He explains that even though we have advanced technology designed to specifically find cyber break-ins, people are the still the weakest link. He describes how cyber risk is not a special category. It is just another risk to the business. He highlights the ludicrous idea that software vendors have no liability or selling buggy code, and he was one of the first thought leaders to characterize the adversary as something more than just a hacker. He makes the case for things that the cyber security community still needs in order to make the Internet more secure, things like strengthening confidentiality, integrity, and availability (CIA); improving Internet privacy and Internet anonymity; and challenging the idea that security practitioners must make the Sophie’s Choice between better security or more privacy in terms of government surveillance. Finally, he anticipates the need for a Bitcoin-like capability long before Bitcoin became popular. The content within Secrets and Lies is a good introduction to the cyber security community, and Schneier tells the story well. Because of that, Secrets and Lies is candidate for the cyber security canon, and you should have read it by now.

Introduction

Full disclosure: The first civilian job I took after I retired from the US Army was with the company that Bruce Schneier founded called Counterpane. I may be a little biased. One of the main reasons I took that job was his book Secrets and Lies.[1] When I read it (2003), it was a revelation to me. His quote “security is a process, not a product” was like manna from the gods. At that point in my security career, I had not considered that. And from what I have seen in the cyber security community, many of us have not yet leaned that point. 

When I started putting the cyber security canon series[2] together this past year, I always intended to include Schneier’s book, but as the year progressed, I did not have time to reread it in time for the presentation I gave at the RSA conference in February.[3] The first question I got after giving the presentation was, why isn’t Secrets and Lies in the candidate list? Sheepishly, I admitted that it should be and resolved to get it on the list as soon as possible.

The Story

Secrets and Lies demonstrates Schneier’s evolution as an early thought leader in the cyber security community and outlines some key concepts that are still valid today.

Security Is A Process

In the preface, Schneier freely admits to thinking in his earlier life that cryptology would solve all of our Internet security problems.[1] He even wrote a book about it in 1995 called Applied Cryptography: Protocols, Algorithms, and Source Code in C.[4] In Secrets and Lies, however, he is forced to acknowledge upfront that technology by itself does not even come close to solving these problems.[1] You do not get security out of a box. You get security by applying people, process, and technology to a problem set,[1] and the more complex we make things, the more likely it is that we are going to screw up the process.[1] 

People Are the Weakest Link

The weak link in all of this is the people.[1] You can have the best tools on the planet configured to defend your enterprise, but if you do not have the qualified people to maintain them and to understand what the tools are telling you, you have probably wasted your money. This goes hand in hand with the user community too. It does not matter that I spent a gazillion dollars on Internet security this year if the least-security-savvy people on your staff take their laptops home and unwittingly install malcode on their machines.

Risk

Cyber security is not special in terms of the overall business need. You do not have cyber risk. You have risk.[1] What I have noticed in my career is that many security -practitioners and senior-level company leaders do not understand this concept. Many organizations treat “cyber risk” as a thing unto itself and throw the responsibility for it over to the “IT guys” or to the “security dorks.” Company leaders tend not to consider “cyber risk” like other risks to the business, or if they do, they do not give it a lot of thought. In my mind, this is one of our community’s great failures. It is up to all of us to convey that essential idea to senior leadership in our organizations. 

Software Liability

Every new piece of software deployed has the likely potential to expose additional threats to the enterprise in terms of new vulnerabilities, and vendors have no liability for this.[1] In other industries, if a vendor were to produce a defective product that causes monetary damage to a company, that company would most likely sue that vendor with a high probability of success in court. It is not like that in the commercial software business or even in the open-source movement. Vendors will patch their systems for sure, but they accept no responsibility for, let’s say, hackers stealing 400 million credit cards from the Target retail chain.[5] Schneier is aghast at this development that the user community has let vendors get away with this stance.[1] 

Adversary Motivations

Secrets and Lies was the first time that I had seen an author characterize the adversary as a person or a group with motives and aspirations.

“Adversaries have varying objectives: raw damage, financial gain, information, and so on. This is important. The objectives of an industrial spy are different from the objectives of an organized-crime syndicate, and the countermeasures that stop the former might not even faze the latter. Understanding the objectives of likely attackers is the first step toward figuring out what countermeasures are going to be effective.”[1]

This was another revelation to me. At this point in my career when I first read the book, I did not put much thought into the adversaries at all except that they were “hackers” and were trying to steal my stuff. This is Schneier’s first cut of a complete adversary list:
  • Hackers
  • Lone Criminals
  • Malicious Insiders
  • Industrial Espionage Actors
  • Press
  • Organized Criminals
  • Police
  • Terrorists
  • National Intelligence Organizations
  • Info warriors

In my work, I have found it useful to refine Schneier’s list of people into the following adversary motivations:
  • Cyber Crime
  • Cyber Espionage
  • Cyber Warfare
  • Cyber Hactivism
  • Cyber Terrorism
  • Cyber Mischief

The bottom line is that these adversaries have a purpose, and it helps network defenders if they understand what kind of adversaries are likely to attack the defender’s assets.

Things Stay the Same

Sadly, even though Schneier published Secrets and Lies in 2000, all of these things are still true, and there is no real solution is sight. Many organizations still think that installing the latest shiny security toy to hit the market will make their networks more secure. They don’t stop to think that they might be better off if they just made sure that the toys they already have installed on their network worked correctly. 

People are still the weak link both in the security operations center (SOC) and in the general user community. As I have written elsewhere, talented SOC people are hard to come by,[6] and many organizations still spend resources on robust employee-training programs, but the results are mixed at best.[7][8][9] 

CISOs are still struggling to convey the security risk message to the C-Suite.[10][11] Most of us came up through the technical ranks and think colorful bar charts about the numbers of systems that have been patched are pretty cool. The CEO couldn’t care less about those charts and instead wants to know what the charts mean in terms of material risk to the business. 

Finally, software vendors still have no liability when it comes to deploying faulty software that results in monetary loss to a customer. This just seems to be something we have all accepted, that it is much better to build a working piece of code first and then worry how to secure it later. I know the entrepreneurs in the crowd prefer this method because the alternative slows the economic engine down if developers spend time adding security features to a new product that derives no immediate revenue opportunities. But this is the great embarrassment to the computer science field: we have not eradicated bugs like buffer overflows in modern code. How is it possible that we can send people to the moon but we cannot eliminate buffer overflows in code development? Don’t get me wrong; the industry has made great strides in developing tools and techniques in these areas—just look at the Building Security in Maturity Model (BSIMM) project to see for yourself[12]— but the fact that, as a cyber security community, we have not made it mandatory to use these techniques is one of the reasons we are just a field of study and not a profession like, say, civil engineering. 

What We Need

In the end, Schneier makes the case for things that the cyber security community needs in order to make the Internet more secure. Long before the acronym became a staple on Certified Information Systems Security Professional (CISSP) exams, he advocated the need to strengthen confidentiality, integrity, and availability (CIA). He does not call it CIA in the book, but he talks at length about the concepts. He was prescient in his emphasis on the need for Internet privacy and Internet anonymity and was one of the first thought leaders to start asking the question about security versus privacy in terms of government surveillance. He also anticipated the need for a Bitcoin-like capability[13] long before Bitcoin became popular.[1] 

The Tech

Unfortunately, when you begin to write a technology book about the current state of the art surrounding cyber security, much of what you write about is already outdated as you go to press. As I was rereading Schneier’s book, I chuckled to myself when he referenced his blindingly fast Pentium III machines[14] running Windows NT.[15] Today, the Pentium III S 1400MHz scores a whopping .311 on the PassMark CPU benchmark scale compared to 13.304 for the latest Intel-Core I-7 4930K @ 3.40 GHz. That is MHz compared to GHz.[16] The world has indeed changed.

Firewalls Are Not Enough

Schneier wrote Secrets and Lies at the time when the industry had just accepted that a stateful inspection firewall was not sufficient to secure the enterprise. 

“Today’s firewalls have to deal with multimedia traffic, downloadable programs, Java Applets, and all sorts of weird things. A Firewall has to make decisions with only partial information: It might have to decide whether or not to let a packet through before seeing all the packets in transmission.”[1]

Besides firewalls, he describes other controls that the cyber security community has decided are necessary to secure the perimeter, such as demilitarized zones (DMZs),[17] virtual private networks (VPNs),[18] application gateways,[19] intrusion detection systems,[20] honeypots,[21] vulnerability scanners,[22] and email security.[23][1] Since the book’s publication, security vendors have added even more tools to this conga line, tools like URL filters,[24] Domain Name System (DNS) monitoring,[25] sandboxing technology,[26] security incident and event management systems (SIEMS),[27] and protocol capture and analysis tools.[28]

As of right now, May 2014, the cyber security community is mounting a bit of a backlash against the vendor community’s conga line strategy. Practitioners simply can’t manage it all. The best and most recent example of this is the Target data breach.[5] Like the rest of us, the Target security team installed the conga line of security products and even had a dedicated SOC to monitor them. The controls dutifully alerted the SOC that a breach was in progress but there was so much noise in the system (and perhaps Target’s process was not as efficient as it could be) that nobody in the organization reacted to the breach until it was too late.[5] Because of this kind of situation, many organizations are looking for simpler solutions rather than continuing to add new tools to the security stack.

Cryptology

According to Schneier, underlying everything is cryptology. As you would expect from a cryptologist, Schneier believes that his field of study is the linchpin of the entire idea of Internet security.

“Cryptography is pretty amazing. On one level, it’s a bunch of complicated mathematics. On another level, cryptography is a core technology of cyberspace. In order to understand security in cyberspace, you need to understand cryptography. You don’t have to understand the math, but you have to understand its ramifications. You need to know what cryptography can do, and more importantly, what cryptography cannot do.”[1] 

I agree. (Note: The difference between the terms cryptography, cryptanalysis, cryptology, and cryptologist is left as an exercise for the reader.[29]) I would say that the cyber security community has failed in this regard since Schneier published Secrets and Lies. While it is true that cryptography is the underlying technology that makes it possible to secure the Internet, it is still too complicated for the general user to leverage. In light of the Edward Snowden revelations[30]—that we not only have to worry about foreign governments spying on our electronic transmissions, but we also have to worry about our own government doing it—the fact that most people do not know how to encrypt their own email messages as a matter of course is a testament to our industry’s failure.

Kill Chain

Schneier makes a distinction between computer and network security,[1] that the conga line of security tools that make up the security stack at the network perimeter is not the same as the set of tools you need to secure the endpoint. While this is still true today, the cyber security community has merged these two ideas together since Schneier’s book was published. The thought is that it does not make sense to consider network and endpoint security separately; it makes more sense to think of everything as a system. As organizations develop indicators of compromise at both the network layer and the endpoint layer, essentially the Kill Chain model,[31] the cyber security community can develop advanced adversary profiles about the attacker’s campaign plan.

Conclusion

I have always considered Secrets and Lies the perfect book to hand to new bosses or new employees coming in the door who have not been exposed to cyber security in their past lives. However, when I decided to reread this book for possible inclusion in the candidate list for the cyber security canon, I was worried that it would be dated, that the ideas I was so enamored with more than a decade ago would look a little long in the tooth today. That could not be further from the truth. Schneier explains, in easy-to-understand language, just exactly what the cyber security landscape looked like more than 10 years ago. Remarkably, the landscape is still consistent with this view, and we are still struggling with many of the same issues today. The subtitle to his book should be, “Security is a process, not a product.” With that one line, Schneier captures the essence of what our cyber security community should be about. The content within Secrets and Lies is a good introduction to the cyber security community, and Schneier tells the story well. It is a candidate for the cybersecurity canon, and you should have read it by now.

Note: 


Secrets and Lies: Digital Security in a Networked World is a Cybersecurity Canon Candidate. Please visit the official page sponsored by Palo Alto Networks to read all the books from the Canon project.



Sources

[1] “Secrets and Lies: Digital Security in a Networked World,” by Bruce Schneier, John Wiley & Sons, 2000, last visited 7 April 2014,

[2] “Books You Should Have Read by Now,” by Rick Howard, Terebrate, 16 February 2014, last visited 7 April 2014, 

[3] “Cyber Security Canon: You Should Have Read These Books by Now,” by Rick Howard, RSA Conference, 24 February 2014, last visited 26 April 2014, 

[4] “Applied Cryptography: Protocols, Algorithms, and Source Code in C,” by Bruce Schneier, John Wiley & Sons, 1993, last visited 24 April 2014,

[5] “A First Look at the Target Intrusion, Malware,” by Brian Krebs, KrebsOnSecurity, 14 January 2014, last visited 25 April 2014,

[6] “Top 5 skills needed for a SOC analyst,” by Rick Howard, CSO Online, 10 March 2014, last visited 25 April 2014,

[7] “Why you shouldn't train employees for security awareness,” by Dave Aitel, CSO Online, 18 July 2012, last visited 25 April 2014,

[8] “Is Data Security Awareness Training Effective?” by Daniel Solove, LinkedIn, 18 February 2014, last visited 25 April 2014,

[9] “Measuring the Effectiveness of Your Security Awareness Program,” by John Schroeter, CIO, 12 February 2014, last visited 25 April 2014,

[10] “Cybersecurity is for the C-suite, 'not just the IT crowd,’” by Clay Dillow, CNNMoney, 6 January 2014, last visited 25 April 2014,

[11] “Using Cyber-Attacks for C-Suite Buy-In,” by Jeffrey Roman, BankInfoSecurity, 29 March 2013, last visited 25 April 2014,

[12] “BSIMM Advancing Software Security,” by Ann All, eSecurityPlanet, 20 October 2013, last visited 25 April 2014, 

[13] “What is Bitcoin?” by Tal Yellin, Dominic Aratari, and Jose Pagliery, CNNMoney, last visited 26 April 2014,

[14] “Intel Pentium III processor families,” by CPU World, 28 March 2014, last visited 10 April 2014,

[15] “Windows NT: Remember Microsoft's almost perfect 20-year-old?” by Andrew Orlowski, The Register, 20 August 2013, last visited 10 April 2014, 

[16] “CPU Benchmarks: Over 600,000 CPUs Benchmarked,” by Passmark Software, 2014, last visited 10 April 2014,

[17] “DMZ - Demilitarized Zone,” by Bradley Mitchell, About.com, last visited 25 April 2014,

[18] “What Is a VPN: VPN Solutions and Key Features?” by Bradley Mitchell About.com, last visited 25 April 2014,

[19] “Application Gateway,” by Cory Janssen, technopedia, last visited 25 April 2014,

[20] “Intrusion Detection System - IDS Technology and Deployment,” by Palo Alto Networks, last visited 25 April 2014,

[21] “Intrusion Detection FAQ: What is a Honeypot: Honey Pot Systems Explained?” by Loras R. Even, SANS, 12 July 2000, last visited 25 April 2014,

[22] “Vulnerability Scanning for Business,” by Brian Robinson, ITSecurity, last visited 25 April 2014,

[23] “Email security – Essential Guide,” by Arif Mohamed, ComputerWeekly.com, last visited 25 April 2014,

[24] “Control Web Activity with URL Filtering,” by Palo Alto Networks, last visited 25 April 2014,

[25] “APT Prevention: WildFire: Protection from targeted and unknown threats,” by Palo Alto Networks, last visited 25 April 2014,

[26] “Malware-detecting 'sandboxing' technology no silver bullet,” by Ellen Messmer, Network World, 26 March 2013, last visited 25 April 2014,

[27] “Security Incident and Event Management (SIEM),” by technopedia, last visited 25 April 2014,

[28] “Hackers Techniques, Tools, and Incident Handling: Lab 4,” by poplynnsho, StudyMode, July 2013, last visited 25 April 2014,

[29] “Cryptography vs Cryptanalysis vs Cryptology…” by Nick Pelling, Cipher Mysteries, 3 February 2009, last visited 26 April 2014,

[30] “Edward Snowden: the whistleblower behind the NSA surveillance revelations,” by Glenn Greenwald, Ewen MacAskill, and Laura Poitras, The Guardian, 9 June 2013, last visited 26 April 2014,

[31] “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” by Eric M. Hutchins, Michael J. Cloppert and Rohan M. Amin, Lockheed Martin Corporation, Presented at the 6th International Conference on Information Warfare and Security, The George Washington University, Washington, DC, 17-18 March 2011. Last visited 26 April 2014,
http://academic-conferences.org/pdfs/ICIW_2011-book.pdf

References

“Book Review - Secrets and Lies: Digital Security in a Networked World,” by Elaine Ah Chin Kow, Xceed, 8 November 2013, last visited 7 April 2014,

“Secrets and Lies: Digital Security in a Networked World Bruce - Schneier - John Wiley 2000 - A book review,” by Danny Yee, Danny Yee's Book Reviews, 2000, last visited 7 April 2014,

“Secrets and Lies: Digital Security in a Networked World by Bruce Schneier - 430 pages, ISBN 0-471-25311-1, Wiley, New York, 2000 - www.wiley.com,” by J. M. Haile, Macatea Productions, 12 October 2006, last visited 7 April 2014,

“Secrets & Lies: Digital Security In A Networked World,” by Jeff "hemos" Bates, Slashdot, 19 September 2000, last visited 7 April 2014

“Title: Secrets and Lies: Digital Security in a Networked World- Author: Bruce Schneier - Publisher: Wiley - Publication Date: August 2000 - Pages: 412,” by Shuang-lin Lee, Information Security (INLS187), last visited 7 April 2014,

No comments:

Post a Comment