BookReview: Beyond Fear: Thinking sensibly About Security in an Uncertain World
by Bruce Schneier, Coernicus Books, 2003, 0-387-02620-7

Schneier explains security in the most general sense through a variety of scenarios. He shows that people are better than systems, when there is flexibility required. Attackers haven't change through the ages, but their methods have. They have he uses his 5 step process to analyze problems for their security characteristics.

[p228] The more people who are trained, the more likely it is that someone will be able to do whatever needs to be done. And during practice, you can develop new and better procedures. Procedures aren't very useful without training and constant practice. When security events are rare, people don't expect them and often don't even notice them. Training is a way to deal with that aspect of human nature. When security events are rare, people don't gain experience dealing with them. Any system that is rarely used will fail when used. Practice solves that problem. One goal of training and practice is for people to react reflexively and instinctively ina crisis situation instead of having to ponder what to do next.

[p257] Chapter 16 - Negotiating for Security

The five-step process is useful for evaluating personal security decisions, but many security decisions involve a variety of players--each with his own agenda. Your ability to take control of important security decisions is often severely limited, but you do have some control. As a citizen, you can effect some changes in security practices with your vote. As a consumer, you effect others with your wallet. As a technologist, you can invent something that changes security. And, if you have some measure of money and freedom, you can change your environment even if that means relocating yourself. Making changes in security arrangements is also achieved through negotiation. Using mechanisms like insurance and laws that enforce liability, individuals can secure some measure of power in determining what kind of security will be available to them.

I started this book saying that people make security trade-offs based on their individual agendas, both for security and non-security decisions. When faced with a security countermeasure, you have to evaluate its effectiveness in mitigating your personal risk in your personal situation, and then you have to determine what the trade-offs are and if they're worth it to you. The five-step process is designed to focus on the specific aspects of security you need to understand in order to make one basic decision: Is the security countermeasure worth the trade-offs? Again, here are the steps:

Step 1: What assets are you trying to protect? Answering this question is essential because it defines the system under consideration. So much of the bad security surrounding us is a result of not understanding exacdy what is being protected and of implementing countermeasures that move the risk around but don't actually mitigate it. And remember, often it's not simply a set of physical assets that are important, but particular functionalities of those assets. The assets that need securing are really a system, and you won't be able to protect them unless you understand what they are, how they work, and what aspects of them the attackers are after and why. (See Chapter 4.)

[p258] Step 2: What are the risks against these assets? Answering this question means understanding the possible threats against the assets. Understanding this, in turn, involves analyzing the attackers and their goals and, finally, the attacks they might launch to achieve those goals. A full understanding of the risks requires determining how likely the various threats are, as well as their ramifications. Answering this question also requires evaluating how technological advances might affect potential attacks and attackers, and how that in turn might affect the risks. (See Chapters 5-7.)

Step 3: How well does the security solution mitigate the risks? Answering this question requires an understanding of how the security countermeasure protects the assets against the risks and, more important, what happens when the security solution fails. As we've seen, answering this question can be very complicated. A countermeasure can mitigate the risk completely, partially, or not at all. A countermeasure can be more effective against one particular attack (or one particular type of attacker) and less effective against another. A countermeasure can fail both passively, by allowing an attack, and actively, by blocking legitimate access to the assets being defended. Being able to answer this question well means you're getting at the heart of security. (See Chapters 8-15.)

Steps 4: What other risks does the security solution cause? Answering this question requires you to understand how the countermeasure interacts with other countermeasures, and how the security countermeasure works within the context of the overall system in which it is embedded. Almost all security countermeasures cause additional security risks, and it is vital to understand what they are. (See Chapters 8-15.)

Step 5: What trade-offs does the security solution require? Answering this question requires you to understand how the countermeasure interacts with everything else: with all of the non-security components of the system. All countermeasures affect the functionality of the assets being protected. All countermeasures affect other systems. All countermeasures have a cost: not necessarily financial, but in terms of convenience, usability, freedoms, and so on. These trade-offs may have nothing to do with security, but often they are more important than security. (See Chapters 2, 3, and this chapter.)

[260] Of course, that result won't remain optimal forever; you'll revisit it again and again over the years. You may modifY your answer over time, based on new information about risks, or new realizations about what trade-offs you're willing to accept, or new technology that becomes available, or changed financial circumstances or ... the list goes on. The point is, security is never done; it's a never-ending process.

[p267] When negotiating for security, keep in mind that the best player to mitigate a risk is the player--the person, business, or government--who is accountable for it. Security follows the money, and a good security system is one where the security requirements are aligned with the financial motivations of the players. I believe that this should be a consideration in any attempt to change the agendas of players by changing the environment: Make the player in charge of mitigating the risk accountable for that risk.

[p271] Chapter 17 - Security Demystified

Security is more than important; it's an essential and inevitable part of who we are. Because it can never be absolute and static end rigid, it's helpful to think of security as a game--but one !hat never ends, and one with the most serious consequences. We have to be resourceful, agile, alert pleyers, We have to think imaginatively about our opponents. And we have to move beyond fear and realize that we live in a world in which risk is inherent and failures are inevitable. Thinking sensibly about security requires that we develop a rational sense of the numbers underlying risks, a healthy skepticism about expertise and secrecy, and a realization that a good deal of security is peddled and imposed and embraced for non-security reasons.

Security is a tax on the honest.

If it weren't for attackers, our lives would be a whole lot easier. In a world where everyone was completely honorable and law-abiding all of the time, everything we bought and did would be cheaper. We wouldn't have to pay for door locks, police departments, or militaries.

[p279] Schneier Risk Demystification: Numbers matter, and they're not even that difficult to understand. Make sure you understand the threats. Make sure you understand the risks. Make sure you understand the effectiveness of a security countermeasure and all of the trade-offs. Try to think of unintended consequences. Don't accept anyone saying something like: "It would be terrible if this sort of attack ever happens; we need to do everything in our power to prevent it." That's patent nonsense, and what someone living in fear says; you need to move beyond fear and start thinking about sensible trade-offs.

Schneier Secrecy Demystification: Secrecy is anathema to security for three reasons: It's brittle, it causes additional security problems because it conceals abuse, and it prevents you from having the information you need to make sensible security trade-offs. Don't accept anyone telling you that security requires keeping details of a security system secret. I've evaluated hundreds of security systems in my career, and I've learned that if someone doesn't want to disclose the details of a security system, it's usually because he's embarrassed to do so. Secrecy contributes to the "trust us and we'll make the trade-offs for you" mentality that ensures sloppy security systems. Openness demystifies; secrecy obscures.

[p280] Fear is the barrier between ignorance and understanding. It's paralyzing. It makes us fatalistic. It makes us do dumb things. Moving beyond fear means freeing up our intelligence, our practical common sense, and our imagination. In terms of understanding and implementing sensible security, moving beyond fear means making trade-offs openly, intelligently, and honestly. Security is a state of mind, but a mind focused on problem-solving and problem-anticipating and problem-imagining. Security is flexible. Fear is also a state of mind, but it's brittle. It results in paranoia, paralysis, and bad security trade-offs.

Via Rob 2005