BOOK REVIEW
Secrets & Lies: Digital Security in a Networked World

Schneier, Bruce. (2000). New York: John Wiley & Sons, Inc.
List Price $29.99, 432 Pages

Review by Christopher J. Matheny
Asst Dean for Student Services
Chicago-Kent College of Law - Chicago, IL
Cmatheny@kentlaw.edu

Posted: February 10, 2003     Student Affairs Online, vol. 4 no. 1 - Winter 2003

After reading Bruce Schneier’s Secrets and Lies: Digital Security in a Networked World, I did two things.  First, I bought a paper shredder. That may not sound like a ringing endorsement, but the shredder was intended for sensitive documents, not the book itself.  I also ordered a copy of my credit report (I can’t tell you how many times I have purchased something online without even the slightest question as to the site’s security).  I did these things because after reading his book, I am convinced that he is right on target in terms of digital security.  Systems are complex, there is no software, hardware, or technical solution that provides “the answer” in terms of security, and, perhaps most importantly, the system is only as strong as its most vulnerable point. For many systems that “attack point” is the users it is supposed to protect.   After all, what good is 128-bit encryption if the users post their passwords on their monitors?


Schneier’s follow-up to his book Applied Cryptography addresses the Landscape, Technologies, and Strategies related to digital security. In this work he provides the reader with a contextual framework and tools for security analysis rather than the Utopian mathematical solution (cryptography) he proposes in his first book. He guides the reader through this often-confusing world using language and examples easily understood by the technical and non-technical alike. This is not a “how to” manual of network security, and those with advanced technical knowledge may find some of the examples a bit basic and somewhat repetitious.


For those with a basic understanding, Schneier lays the groundwork by comparing the unseen technologies to the universally understood security issues in our everyday lives. He compares cryptographic keys to front door locks, secured e-mail to sealed envelopes, and denial-of-service attacks to picket lines and protesters - all the while educating the reader until, by the end of the book, you find yourself actually understanding the acronyms and jargon.


Of course, in the digital world, things are not always cut and dried.  Security involves not only keeping the unwanted out, but allowing those with legitimate access in.  Couple this with the ever-increasing computing power available to any wannabe-hacker, the anonymity of the internet, and the “trust” of those using the system, and there is great potential for security failure. If there is a way in, someone is going to find it.  Find it before the bad guys do - maybe your system works or maybe you’re just lucky.  Find it after they do and you may be in big trouble.


Thankfully, Schneier’s final chapters provide a very detailed framework for analyzing security threats and developing a comprehensive strategy.  His three basic pillars are Protection, Detection, and Reaction.  He is quick to point out that most security (both physical and digital) is focused on Protection.  This, according to the author, is the cardinal sin of digital security.  If you put up a wall, someone will come in through the window.  Lock the windows, and they will tunnel under the wall.  Protection is based on logic and hackers don’t always follow the rules.  To mitigate this risk Schneier proposes using a graphical attack tree to identify and evaluate risk.  Secure the weakest nodes of the tree and your system security increases.  He also underscores the need for detection systems.  His paradigm shift from mathematical security and utopian cryptography to risk management and detection resulted in a complete restructuring of his security company. He has moved from “building walls” to “designing systems.”  His practice now focuses exclusively on detection and response for digital networks. Detailed information on attack trees and system security can be found on Schneier’s company’s website (http://www.counterpane.com/).
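The attack-tree method the review mentions is easy to see in code. The following is an added example, not code from the book or from Counterpane: a small tree of OR nodes (any child suffices) and AND nodes (all children are needed), with an estimated attacker effort on each leaf. The tree, its node names and its cost figures are constructed for illustration. The `cheapest` function finds the weakest path, and `hardening_priority` ranks which single countermeasure would raise the attacker's cheapest cost the most, which is the "secure the weakest node" prioritization the review describes.

```python
import copy
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"      # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0       # leaves only: estimated attacker effort, in constructed units
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, cost: float) -> Node:
    return Node(name, "LEAF", cost)


def any_of(name: str, *kids: Node) -> Node:
    return Node(name, "OR", children=list(kids))


def all_of(name: str, *kids: Node) -> Node:
    return Node(name, "AND", children=list(kids))


def build_tree() -> Node:
    # Constructed illustrative tree: names and costs are assumptions, not from the book.
    return any_of(
        "Read a student record without authorization",
        any_of(
            "Obtain a legitimate user's credentials",
            leaf("Password written on a note near the monitor", 1),
            leaf("Guess a weak password", 5),
            leaf("Phishing e-mail to a staff member", 10),
        ),
        all_of(
            "Compromise the records server",
            leaf("Reach the server over the network", 2),
            leaf("Unpatched server software", 20),
        ),
        leaf("Unattended, logged-in workstation", 15),
    )


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf names) of the cheapest way to achieve this node's goal.
    OR nodes take the cheapest child; AND nodes sum all children."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    sub = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(sub, key=lambda s: s[0])
    if node.kind == "AND":
        return sum(s[0] for s in sub), [n for _, names in sub for n in names]
    raise ValueError(f"unknown node kind {node.kind!r}")


def set_leaf_cost(node: Node, name: str, cost: float) -> bool:
    """Model a countermeasure by raising a leaf's cost. Returns True if the leaf was found."""
    if node.kind == "LEAF":
        if node.name == name:
            node.cost = cost
            return True
        return False
    return any(set_leaf_cost(c, name, cost) for c in node.children)


def leaves(node: Node) -> List[Node]:
    if node.kind == "LEAF":
        return [node]
    return [lf for c in node.children for lf in leaves(c)]


def hardening_priority(tree: Node, hardened_cost: float) -> List[Tuple[float, str]]:
    """For each leaf, raise its cost to hardened_cost on a copy of the tree and record the
    resulting root cost. The leaf at the top of the list is the best single countermeasure."""
    results = []
    for lf in leaves(tree):
        trial = copy.deepcopy(tree)
        set_leaf_cost(trial, lf.name, hardened_cost)
        results.append((cheapest(trial)[0], lf.name))
    return sorted(results, reverse=True)


if __name__ == "__main__":
    tree = build_tree()
    cost, path = cheapest(tree)
    print(f"weakest path (cost {cost}): {path}")
    for root_cost, name in hardening_priority(tree, 50):
        print(f"  harden {name!r:55} -> attacker's cheapest cost becomes {root_cost}")
    set_leaf_cost(tree, "Password written on a note near the monitor", 50)
    print("after a policy and training fix for sticky notes:", cheapest(tree))
```

Running it shows the review's point in miniature: fixing the cheapest leaf (the password on the monitor) only moves the weakest path to the next-cheapest leaf (the guessable password), so the tree has to be re-evaluated after every countermeasure rather than treated as solved.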


Higher education professionals can benefit greatly from the information and strategies presented in Secrets & Lies. Given the amount of information that is disseminated via e-mail and the web, I think it is particularly important that student affairs administrators in every department begin considering the security issues associated with a digital culture. This is no longer an issue germane only to the IT department.


At my institution, faculty submit grades online (think grade changing), students pay their bills online (think credit card fraud), and I often counsel students via e-mail. Each of these has the potential to cause the student and the institution a number of problems. These issues are just the tip of the iceberg. In our attempt to provide cutting-edge service we may be placing financial aid data, social security numbers, academic records, and disciplinary records at risk. In the current culture, each is more likely to be stored on someone’s network or hard drive than in a paper file. If you are wired to a network or a modem, you are vulnerable to attack.


Overall, Bruce Schneier’s Secrets & Lies: Digital Security in a Networked World is well worth its 412 pages.  Student affairs personnel will appreciate the way Schneier infuses a potentially dry topic with humor and provides examples that keep the reader’s attention.  Take a look before planning your next big website change, rolling out your campus smart card, or clicking “send” on that next e-mail.