5.0 out of 5 stars Common Sense Security
Bruce Schneier hits the jackpot with this common sense book on security. It is a good read for just about anyone with an interest in the field of Information Security. You will come away with a big picture understanding and will develop an intelligent approach to this expansive and fascinating subject.
Published on Dec 13 2007 by Horace McPherson
5.0 out of 5 stars Reading it improves the reader's security intelligence
The content of this book slightly overlaps the content of the author's previous book (Secrets and Lies: Digital Security in a Networked World) but presents the material from a different angle. An angle with the perspective of a security expert who witnessed security measures taken by governments in reaction to the 9/11 terrorism attack and wants people to understand the absurdity of some of these measures.
It is not technical at all and does not necessitate any particular background to understand and enjoy. The author explains clearly how to make a risk assessment of something that you want to make more secure and then evaluate the cost of the security measures. Only when you have that data can you evaluate if the added security is worth it.
These explanations are backed up with concrete examples such as evaluating the risk of making a purchase with a credit card over the internet. Other examples include the absurdity of securing a lunch in a company refrigerator because the potential loss of having a lunch stolen does not justify securing it. The author also explains that even technologies that look very accurate, such as facial recognition with an error rate of, let's say, 0.0001 %, are totally ineffective when they have to control a huge number of persons like a stadium crowd because even with this accuracy, they would create an unmanageable amount of false positive alerts.
The author also elaborates on why you should question the motivation of a security provider when it is a third party and links this with how people's fears can be exploited to introduce invasive, excessively expensive and inefficient security measures. I think that the goal of the author was to make people more critical about security questions and my opinion is that his goal has been successfully achieved.
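The false-alarm arithmetic the reviewer alludes to is the base-rate problem: when real targets are rare, the number of alarms an operator must resolve is driven by the false-positive rate times the crowd size, and the fraction of alarms that are genuine is driven by how the false-positive rate compares with the prevalence of real targets. The following Python is an added example, not code from the book or the review, that computes expected true alarms, expected false alarms and precision (the probability that an alarm is real) for a screening system; the stadium size, the number of real targets, the sensitivity and the alternative error rates in the scenarios are constructed assumptions chosen to show how quickly precision collapses.

```python
"""Base-rate arithmetic for a crowd-screening system (added example).

All scenario numbers below are constructed for illustration; they are not
measurements of any real face-recognition product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningResult:
    expected_true_alarms: float   # real targets the system flags
    expected_false_alarms: float  # innocents the system flags
    alarms_per_event: float       # total alarms an operator must resolve
    precision: float              # P(alarm is a real target), a.k.a. PPV


def screening_outcome(population: int, true_targets: int,
                      sensitivity: float, false_positive_rate: float) -> ScreeningResult:
    """Expected alarms for one screening event.

    population:          number of people passing the checkpoint
    true_targets:        how many of them are genuinely on the watch list
    sensitivity:         P(alarm | real target), the true-positive rate
    false_positive_rate: P(alarm | innocent person)
    """
    if not 0.0 <= sensitivity <= 1.0:
        raise ValueError("sensitivity must be a probability")
    if not 0.0 <= false_positive_rate <= 1.0:
        raise ValueError("false_positive_rate must be a probability")
    if true_targets < 0 or true_targets > population:
        raise ValueError("true_targets must lie in [0, population]")

    innocents = population - true_targets
    true_alarms = true_targets * sensitivity
    false_alarms = innocents * false_positive_rate
    alarms = true_alarms + false_alarms
    # With no alarms at all there is nothing to be right about; report 0.
    precision = true_alarms / alarms if alarms > 0 else 0.0
    return ScreeningResult(true_alarms, false_alarms, alarms, precision)


def false_alarms_over_season(result: ScreeningResult, events: int) -> float:
    """Operator workload: false alarms accumulated over `events` screenings."""
    return result.expected_false_alarms * events


if __name__ == "__main__":
    # Constructed scenario: 50,000 fans per game, at most one real target
    # present, a system that catches 99% of real targets, 40 games a season.
    crowd, targets, tpr, games = 50_000, 1, 0.99, 40
    for label, fpr in [("reviewer's 0.0001 %", 1e-6),
                       ("0.01 % (constructed)", 1e-4),
                       ("1 % (constructed)", 1e-2)]:
        r = screening_outcome(crowd, targets, tpr, fpr)
        print(f"{label:>22}: {r.alarms_per_event:8.2f} alarms/game, "
              f"precision {r.precision:.3f}, "
              f"{false_alarms_over_season(r, games):9.1f} false alarms/season")
```

The design choice worth noting is that precision is computed from expected counts rather than from "accuracy": a system can be 99.99 % accurate per person and still produce alarms that are almost all false, because accuracy is dominated by the tens of thousands of correctly ignored innocents, not by the one person the system exists to find.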
4.0 out of 5 stars Great book, but needs editing
Bruce Schneier is a well-known security expert and author of one of my favorite technical books of all time, Applied Cryptography. This latest book, Beyond Fear, is written for a popular audience and mostly discusses security measures taken by the US since 9/11.
While Bruce is thoughtful, clear, and provides excellent examples to back up his points, this book really could have used better editing. To me, it feels like three chapters were spun out into an entire book by repeating the same points and same examples over and over again.
I still think this book is worth buying. The first 3-4 chapters alone are worthwhile. Spending some time thinking about security the way Bruce thinks about it -- always from a cost/benefit standpoint -- is worthwhile. But, as I was, you might get a little frustrated by the poor editing.
4.0 out of 5 stars Lots of very useful practical advice - and don't panic
Not quite what I'd expected. I'd read & enjoyed 'Secrets & Lies', and I thought this would be more of the same. This book is really a discussion about what actions have been taken post 9/11, and in parts it's a criticism of the overreaction that there has been.
However, it's not overtly political, and gives dozens (perhaps 100) practical worked examples of good & bad, effective & ineffective, responses to security issues, whether it be physical, electronic etc.
There is a 5-step process which I found useful to apply to everyday situations; and (in highly abbreviated form) these are: what are you trying to protect; what are the risks; risk mitigation; risks caused by the solution; trade-offs.
The core message is: "as both individuals and a society, we can make choices about our security", and this book helps you understand how to make those informed decisions.
5.0 out of 5 stars The Title is The Theme
I have read a number of the Pro and Con reviews. I think it is important to take a good look at the title of the book, and use that as a guide to a buying decision. This book is not an in-depth cookbook of technical approaches to combat hackers, but rather a sensible way of looking at the issues that contribute to an aura of security, the appearance of security, and actually being secure. I really liked the whole premise, because we are such an image-conscious, sound-bite oriented society that it can become quite difficult to deliver a thought-provoking treatise on a topic that many think they know so much about.
My only negative comment would be that it got a little slow at the end, for me. Maybe I was just tired that night or something.
He cites a few excellent examples of places or instances where someone did something that they honestly felt would contribute to increased security, when the actual effect turned out to be the opposite. If I may draw a crude comparison: if you appreciated some of the observations, and perhaps even the writing style and presentation in Hammer and Champy's "Reengineering the Corporation", then you will like and appreciate this volume. The way Mr. Schneier presents information, and the way he introduces you to perceived vs. actual may strike you as being similar. (No offense meant to either author - I enjoyed both)
5.0 out of 5 stars Security or Liberty? Both!
I first read about Bruce Schneier in an eye-opening article by Charles Mann in the September, 2002 issue of The Atlantic Monthly. It seems that you don't have to make the false choice everyone is agonizing over between security and liberty. You can have both.
Schneier's book expands on the ideas in the article. Although Schneier is a technology fan and it is his livelihood, he realizes that sometimes a live security guard can provide better security than cutting-edge (but still fallible) face-recognition scanners, for instance. He explains why national ID cards are not a good idea, and how iris-scanners can be fooled.
These are ideas for security on a large scale, for airports, nuclear and other power plants, and government websites. For security on an individual or small business scale, try Art of the Steal by Frank Abagnale. But even if you don't run a government, Beyond Fear is a fascinating read about how your government is making choices (and how they SHOULD be making choices) about your security and about your rights.
4.0 out of 5 stars Comment to Richard Bejtlich
Hello Richard,
in your review you wrote:
"A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset"
"All of these terms were defined years ago by military intel and law enforcement types" and
"It's the digital security community that's obscuring the definitions"
I disagree. Information security just has slightly different jargon. That's not an uncommon source of confusion in different, but related, professional fields, and there's a particular reason why we're really not interested in the military definition of "threat".
In the information security field, "risk" and "vulnerability" have roughly the same meanings that you use. However, "threat" means something more like "a method of exploiting a vulnerability or combination of vulnerabilities to cause a loss", while what you call a "threat" is an abstraction called an opponent or adversary. When we talk about "threat analysis", we mean examining ways vulnerabilities can be combined and exploited and what kinds of losses they can cause; these analyses may then be used as inputs to a risk analysis model. In the lunch room example you cited, the threat is "casually saunter up to the fridge, glance around, take a lunch, scurry away", and would be characterised as "low cost, low skill, low risk of discovery". The threat is indeed the same whether or not there is an opponent to exploit it. Opponents, in turn, are fairly abstractly characterised, something like:
What your intel and law enforcement types call a "threat analysis" simply isn't terribly relevant in the IT security field; we are mostly civilian corporate employees, with neither the right nor capability to compile dossiers on *specific* "opponents". We do compile information about what kind of attacks have actually been occurring; we call that the "CERT Summary"!
It is true, as Schneier says, that "threat analysis" and "risk analysis" are often confused in IT security - due in large part to the non-IT security world merging both concepts into their risk analyses. But in our field it is much better to keep them separate. A threat analysis is a more abstract (and hence generally applicable) study, while a risk analysis depends on a particular business model. For example, if we store Almas caviar in the fridge instead of salami, the threat analysis is the same, but the risk analysis will be considerably different; all the weirdo threats that were low risk before (e.g. masked men with shotguns storming the fridge) become realistic. This separation is useful when identical reusable software components may be employed by thousands of very different businesses.
So, while I found your comments very interesting, I think the semantic difference is just a difference, not an error.
1.0 out of 5 stars I WANT MY MONEY BACK
By A Customer
Published on Dec 11 2003
I thought this book would tell me something I didn't know. It didn't. I thought it would be interesting enough to keep me awake and wanting to read it. It wasn't. I thought Bruce Schneier was a big thinker and aggressive. He isn't; he's overly cautious and careful with his words out of his own "fear" of insulting somebody. I thought he would take a stand on the issues. He didn't. I thought he understood security in the post-9/11 world. He doesn't. In fact, this book was written like 9/11 never happened and as if our terrorist enemies are mindless idiots.
If you want a good overview of the strategic issues facing cyber security and homeland security, read Dan Verton's Black Ice. That offers a far better understanding and overview of what's going right and what's going wrong in homeland security and cyber security, because Verton isn't afraid. Schneier hasn't found a way to go beyond his own fear.
1.0 out of 5 stars Just like Texas: a whole lot of nothing
Some pedants may decry Bruce's many semantic flaws, but these same people have neglected to realize that their biggest mistake was to buy the book to begin with.
BZZZT. Thank you for playing.
The basic lessons of this book are so painfully obvious that I have no idea why anyone in their right mind would buy it, especially in this economy. I kid you not, I literally stood in an airport gift shop, in my civvies, and read this book while waiting for a flight back to base. The book is riddled with filler material, which was probably necessary to pad the book to 250+ pages. You could easily summarize the book in ten pages (but that would prevent the publisher from charging you $17.50).
If you already have one of Schneier's books, then there is no reason to buy this one. Pogie bait is cheaper and more satisfying.
4.0 out of 5 stars good book for the layman; entertaining but w/some flaws
_Beyond Fear_ is a good book, and I'd put it into the "should read" but not "must read" category for people working in security (as opposed to _Secrets and Lies_, which I put into the "must read" category). There's little new or profound in the book, which is essentially an elaboration with examples on the five-step process of analyzing and evaluating security systems given on pp. 14-15 of the book:
1. What assets are you trying to protect?
In the process, Schneier provides many interesting examples. This is an excellent book on security for the layman. But it is definitely a book targeted at a popular audience. There are no footnotes or references, and Schneier occasionally tosses off remarks or asides that are questionable, if not false.
There are two significant flaws in the book:
1. It exaggerates the subjectivity of a security evaluation. On p. 17, chapter two is titled "Security Trade-offs are Subjective." But it's not the trade-off itself that is subjective. It's not the risk assessment that is subjective. It is people's non-instrumental desires (basic desires) or
Schneier writes (p. 17) that "Different people have different senses of what constitutes a threat"--but some are right and some are wrong. His distinction between perceived and actual risk shows that the important one is actual risk, not perceived risk. Actual risk is objective, not subjective. Schneier continues "or what level of risk is acceptable." That can certainly have a subjective component, but even subjective components can conflict with each other and be internally inconsistent, indicating a problem in the evaluation.
The final sentence of the chapter contradicts the chapter title: "Because we do not understand the risks, we make bad security trade-offs." (p. 31) If the trade-offs were subjective, there would be no such thing as a bad trade-off, only a trade-off perceived to be bad by someone.
Later in the book Schneier contradicts the strong subjectivity claim (e.g., p. 249: "Massive surveillance systems are *never* worth it." (emphasis added)) I don't think he seriously meant to make the strong claim--I think it's just careless/imprecise writing. p. 259 seems to get it pretty much right, but he should really have found a philosopher to review this book--that a problem is intractable doesn't mean that the answer is subjective, nor does the fact that subjective interests enter into the picture mean that the answer, given those interests, is subjective.
2. The book argues for an exaggerated egalitarianism--that anybody, regardless of background, training, or intelligence, can do security analysis. At the same time, the book touches on some of the evidence that ordinary judgments are inaccurate, and that people are notoriously bad at estimating and comparing risks due to the natural use of heuristics like vividness, recency, etc. (the classic Kahneman and Tversky book, _Judgment Under Uncertainty_, summarizes some of this evidence).
Beyond Fear: Thinking Sensibly About Security in an Uncertain World by Bruce Schneier (Hardcover - July 28 2003)