Book review It's a rare security book that can raise awareness without resorting to sensationalism, but Bruce Schneier's recent title Beyond Fear is one of them. It covers the theory behind both good and bad security practices, though it's not a manual. It does not explain how to make whatever you wish to defend more secure, but it will help you to think clearly about how to do that.
The book clearly defines the essential concepts and basic practices behind security in all areas of life. Indeed, computers and networks hardly come up. It's the universal principles that Schneier is concerned with here, and he illustrates them with numerous everyday examples from the airport to the ATM to the local supermarket.
The author writes a good deal about the limitations of security protocols, and the trade-offs between good security and other desirable things. It is not unusual for security practices to cause more trouble than they're worth, he frequently points out. He talks about how security systems fail, and why, and how to anticipate and mitigate failure, though again, in general terms with plenty of everyday illustrations.
He does a particularly good job of helping readers assess risks, and shows how we all tend to exaggerate them, especially when we don't fully understand them. And he brings the media to task for exaggerating odd events. The media love the unusual, and always give sensational stories a great deal of play. Unfortunately, the man in the street ends up with a lopsided understanding of risk, as he naturally associates the amount of media attention with a story's significance.
Schneier also does a good job of separating and defining concepts and jargonish phrases that are often used interchangeably. He breaks things down so that, for example, the popular trio identification, authentication, and authorization are explained distinctly. Not only do they need to be understood separately, they also need to be implemented separately, he points out.
Occasionally, the author forgets that his reader may be a novice, and uses jargon without enough care. For example, after correctly defining the difference between threat and risk on page 20 (i.e., a threat is a bad thing that can happen; a risk is the relative likelihood that a bad thing will happen), he later uses them interchangeably.
For example, on page 130 he writes about the trade offs in allowing government to keep security information from the public: "What are the risks to those assets? Terrorism: specifically, the risk is that terrorists will use information to launch terrorist attacks more easily, or more effectively," he says. I do think he meant threat, not risk.
Later on page 130 he writes about vulnerability disclosure: "The risk, of course, is that attackers learn about the vulnerabilities and exploit them." Again, it looks to me like he's talking about the thing that can happen, not the likelihood that it might. Of course he could really mean risk, but his phrasing gives false scent to the reader. I don't think the author is confused about this, but some readers might be.
In chapter 9 he talks about the concepts fail safe and fail secure. I've read the section several times, and I'm still not sure what he thinks the difference actually is.
So, occasionally, Schneier forgets his novice reader and uses jargon without as much care and consistency as he could. And there is an irritating mannerism, in which he uses the feminine personal pronoun in place of the indefinite pronoun, that gradually wore on my nerves. But on balance, Beyond Fear is a well-written volume that will explain the black art of security to anyone who finds the subject intriguing. It's easy enough reading for the novice, yet it contains plenty of smart observations for the advanced reader and even the security professional. I recommend it strongly. ®
Hardcover - 296 pages
Sep 2003 - $25.00