While doing my usual browsing of Amazon I came across Secrets and Lies by Bruce Schneier. I of course added this to my wish list and decided I would take another look at a later date. Some time later I decided to do a cull of my wish list. Unlike most people though, when I do a cull I tend to buy the item to remove it from my wish list.
When I bought the book I thought it was a bit of a gamble, but it looked OK so was worth the risk. How wrong could I have been; this was certainly not a gamble at all.
Bruce starts the book by requesting that you read it numerous times so that the information sinks in and so that information obtained later in the book can be better understood.
The bulk of the book explains many security concerns and why traditional thinking about security is mistaken: for example, a 256-bit encryption key offers little protection if it was derived from a word such as "password". Many aspects of security are covered, ranging from network security to standard operating-system security. At this point the book appears very negative and seems to suggest that there is little you can do to stop the impending security breaches.
Luckily, as the book goes on the mood changes slightly and it prepares you with methods to help combat the security problems that any system will have. These range from creating attack trees, to deciding how viable any attack vector really is, to starting to tip things in your favour instead of the intruder's.
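The attack-tree method the review mentions can be made concrete with a small evaluator. This is an added example, not code from the book or from the review: the goal, the three attack paths and the cost figures are constructed for illustration. The tree deliberately includes the weak-key case mentioned above, where a 256-bit key is derived from a guessable passphrase, so you can see how that one cheap leaf dominates the tree until it is mitigated.

```python
# Attack-tree evaluator (added example; tree contents and costs are constructed).
# An OR node is achieved by any one child; an AND node needs all of its children.
# Leaves carry an estimated attacker cost in arbitrary units.
from dataclasses import dataclass, field
from itertools import product
from typing import List, Tuple

INFEASIBLE = float("inf")   # an attack nobody can afford, e.g. brute-forcing 256 bits

Path = Tuple[float, List[str]]  # (total cost, leaf attacks used)


@dataclass
class Node:
    name: str
    kind: str = "leaf"                       # "leaf", "or" or "and"
    cost: float = 0.0                        # attacker cost estimate; leaves only
    children: List["Node"] = field(default_factory=list)


def all_paths(node: Node) -> List[Path]:
    """Enumerate every complete attack path through the tree."""
    if node.kind == "leaf":
        return [(node.cost, [node.name])]
    sub = [all_paths(c) for c in node.children]
    if node.kind == "or":
        # any child's path is a path for the parent
        return [p for paths in sub for p in paths]
    if node.kind == "and":
        # one path from every child, combined; costs add up
        return [(sum(p[0] for p in combo), [n for p in combo for n in p[1]])
                for combo in product(*sub)]
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest(node: Node) -> Path:
    """The path a rational attacker would choose first."""
    return min(all_paths(node), key=lambda p: p[0])


def viable_paths(node: Node, budget: float) -> List[Path]:
    """Paths an adversary with the given budget could actually afford."""
    return [p for p in all_paths(node) if p[0] <= budget]


def mitigate(node: Node, leaf_name: str, new_cost: float) -> Node:
    """Model a countermeasure by raising the cost of one leaf (in place)."""
    if node.kind == "leaf":
        if node.name == leaf_name:
            node.cost = new_cost
    else:
        for c in node.children:
            mitigate(c, leaf_name, new_cost)
    return node


def build_tree() -> Node:
    # Constructed example tree; the goal and figures are illustrative only.
    return Node("read encrypted customer records", "or", children=[
        Node("brute-force the 256-bit key", cost=INFEASIBLE),
        Node("guess the passphrase the key was derived from", cost=10),
        Node("take the laptop and break the disk lock", "and", children=[
            Node("steal laptop", cost=200),
            Node("bypass disk lock", cost=500),
        ]),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("cheapest attack before mitigation:", cheapest(tree))
    print("affordable with a budget of 300:", viable_paths(tree, 300))
    # Countermeasure: generate the key randomly instead of deriving it from a passphrase.
    mitigate(tree, "guess the passphrase the key was derived from", INFEASIBLE)
    print("cheapest attack after mitigation:", cheapest(tree))
    print("affordable with a budget of 300:", viable_paths(tree, 300))
```

Running it shows the point the book makes about key size: before mitigation the cheapest path is the 10-unit passphrase guess, and the long key is irrelevant; once the key is generated randomly the attacker's best option jumps to the 700-unit physical attack, and a 300-unit adversary has no viable path at all.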
Since this book was written there have been many security breaches that have cost the companies involved large amounts of money, both in lost revenue and in the cost of picking up the pieces. For example, this year Sony suffered a succession of attacks and the cost of the clean-up was estimated at around $140,000,000. This estimate could easily rise substantially, as Sony's insurer is also seeking ways to remove its own liability for the incident, meaning that any lawsuits would come out of Sony's pocket instead of the insurer's.
A short while after this, Lockheed Martin was found to have been compromised. On investigation it became clear that RSA had been compromised, allowing someone to obtain information on its systems that aided the Lockheed Martin compromise. As a result, RSA was essentially forced to replace 40,000,000 SecurID devices.
It is not only the financial cost that these companies have suffered; there is also the untold damage to their reputation, which can never really be calculated.
You may be wondering what my point is at this stage. The point is that if only the security staff at these companies had read this book, they might have been better prepared. The frightening thing, however, is that too many companies treat security as an afterthought: if the price is too high they disregard the advice or do not bother at all.
Although this is a 10-year-old book it is certainly worth a read. You can learn so much from it and it will completely change your perception of security. This book is highly recommended.