Student Affairs. Gary D. Malaney, Univ. of Massachusetts Amherst. Editor: Stuart Brown, StudentAffairs.com
BOOK REVIEW: Secrets & Lies: Digital Security in a Networked World
Schneier, Bruce. (2000). New York: John Wiley & Sons, Inc.
Review by Christopher J. Matheny

After reading Bruce Schneier’s Secrets and Lies: Digital Security in a Networked World, I did two things. First, I bought a paper shredder. That may not sound like a ringing endorsement, but the shredder was intended for sensitive documents, not the book itself. I also ordered a copy of my credit report (I can’t tell you how many times I have purchased something online without even the slightest question as to the site’s security). I did these things because after reading his book, I am convinced that he is right on target in terms of digital security. Systems are complex; there is no software, hardware, or technical solution that provides “the answer” in terms of security; and, perhaps most importantly, the system is only as strong as its most vulnerable point. For many systems that “attack point” is the users it is supposed to protect. After all, what good is 128-bit encryption if the users post their passwords on their monitors?

Schneier’s follow-up to his book Applied Cryptography addresses the Landscape, Technologies, and Strategies related to digital security. In this work he provides the reader with a contextual framework and tools for security analysis rather than the Utopian mathematical solution (cryptography) he proposes in his first book. He guides the reader through this often-confusing world using language and examples easily understood by the technical and non-technical alike. This is not a “how to” manual of network security, and those with advanced technical knowledge may find some of the examples a bit basic and somewhat repetitious. For those with a basic understanding, Schneier lays the groundwork by comparing the unseen technologies to the universally understood security issues in our everyday lives. He compares cryptographic keys to front door locks, secured e-mail to sealed envelopes, and denial-of-service attacks to picket lines and protesters, all the while educating the reader until, by the end of the book, you find yourself actually understanding the acronyms and jargon.

Of course, in the digital world, things are not always cut and dried. Security involves not only keeping the unwanted out, but allowing those with legitimate access in. Couple this with the ever-increasing computing power available to any wannabe hacker, the anonymity of the internet, and the “trust” of those using the system, and there is great potential for security failure. If there is a way in, someone is going to find it. Find it before the bad guys do, and maybe your system works or maybe you’re just lucky. Find it after they do and you may be in big trouble.

Thankfully, Schneier’s final chapters provide a very detailed framework for analyzing security threats and developing a comprehensive strategy. His three basic pillars are Protection, Detection, and Reaction. He is quick to point out that most security (both physical and digital) is focused on Protection. This, according to the author, is the cardinal sin of digital security. If you put up a wall, someone will come in through the window. Lock the windows, and they will tunnel under the wall. Protection is based on logic, and hackers don’t always follow the rules. To mitigate this risk Schneier proposes using a graphical attack tree to identify and evaluate risk. Secure the weakest nodes of the tree and your system security increases. He also underscores the need for detection systems.
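As an added illustration of the attack-tree idea described above (constructed example code, not from Schneier’s book or his company), here is a tiny tree for the grade-changing scenario the reviewer mentions later. Node names and “attacker cost” numbers are made up; the cheapest path through an OR node is the weakest point, and raising a leaf’s cost models a countermeasure and shows where the weakest point moves next.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

# Constructed attack tree: costs are invented "attacker effort" units, not estimates.

@dataclass(frozen=True)
class Node:
    name: str
    kind: str = "leaf"               # "leaf", "or" (any child suffices), "and" (all children needed)
    cost: float = 0.0                # attacker cost; only meaningful on leaves
    children: Tuple["Node", ...] = ()

def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf names) of the least-cost way to achieve this node's goal."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    options = [cheapest_attack(c) for c in node.children]
    if node.kind == "or":
        return min(options, key=lambda o: o[0])   # the weakest branch decides
    # "and": every child must be achieved, so the costs add up
    return sum(o[0] for o in options), [n for o in options for n in o[1]]

def raise_cost(node: Node, leaf_name: str, new_cost: float) -> Node:
    """Model a countermeasure: copy of the tree with one leaf made more expensive."""
    if node.kind == "leaf":
        return replace(node, cost=new_cost) if node.name == leaf_name else node
    return replace(node, children=tuple(raise_cost(c, leaf_name, new_cost) for c in node.children))

def grade_change_tree() -> Node:
    """Root goal: alter a grade in the online grading system (constructed scenario)."""
    def leaf(name: str, cost: float) -> Node:
        return Node(name, "leaf", cost)
    return Node("Change a grade in the online system", "or", children=(
        leaf("Use instructor password posted on monitor", 10),
        Node("Impersonate the instructor to registrar staff", "and", children=(
            leaf("Send e-mail that appears to come from instructor", 40),
            leaf("Get staff to act on the e-mail without confirmation", 50),
        )),
        leaf("Find and exploit a flaw in the grading web application", 300),
    ))

if __name__ == "__main__":
    tree = grade_change_tree()
    print("weakest path:", cheapest_attack(tree))              # cost 10, the posted password
    hardened = raise_cost(tree, "Use instructor password posted on monitor", 1000)
    print("after password hygiene:", cheapest_attack(hardened))  # cost 90, the two-step impersonation
```

Each countermeasure only relocates the weakest point, which is the reviewer’s wall-and-window argument in numbers; the tree makes that relocation visible before the next mitigation is chosen.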
His paradigm shift from mathematical security and utopian cryptography to risk management and detection resulted in a complete restructuring of his security company. He has moved from “building walls” to “designing systems.” His practice now focuses exclusively on detection and response for digital networks. Detailed information on attack trees and system security can be found on Schneier’s company’s website (http://www.counterpane.com/).

Higher education professionals can benefit greatly from the information and strategies presented in Secrets & Lies. Given the amount of information that is disseminated via e-mail and the web, I think it is particularly important that student affairs administrators in every department begin considering the security issues associated with a digital culture. This is no longer an issue germane only to the IT department. At my institution, faculty submit grades online (think grade changing), students pay their bills online (think credit card fraud), and I often counsel students via e-mail. Each of these has the potential to cause the student and the institution a number of problems. These issues are just the tip of the iceberg. In our attempt to provide cutting-edge service we may be placing financial aid data, social security numbers, academic records, and disciplinary records at risk. In the current culture, each is more likely to be stored on someone’s network or hard drive than in a paper file. If you are wired to a network or a modem, you are vulnerable to attack.

Overall, Bruce Schneier’s Secrets & Lies: Digital Security in a Networked World is well worth its 412 pages. Student affairs personnel will appreciate the way Schneier infuses a potentially dry topic with humor and provides examples that keep the reader’s attention. Take a look before planning your next big website change, rolling out your campus smart card, or clicking “send” on that next e-mail.