Author/s : Bruce Schneier
Publisher : John Wiley & Sons
Category : Other
Review by : Ulf Dittmer
Rating : 8 horseshoes
Although several years old by now, this book about computer and network security is still as relevant today as it was when it was first published. Bruce Schneier is one of the best-known computer security experts, and he imparts his expertise in a very readable and highly informative way.
The core message is that "security is a process, not a product or technology", and it must be designed into any system from the start, instead of trying to bolt it on as an afterthought. The other important point is that defense against an attack should consist of prevention, detection and response; none of these is likely to work perfectly on its own, so only a combination can make a system secure. And lastly, security is an interactive process between attacker and defender - advances on one side will lead to advances on the other, thus creating an eternal cat and mouse game.
After surveying in depth the various technologies available to secure systems, and analyzing their respective strengths and weaknesses, as well as how each might be circumvented by a different kind of attack, Schneier presents strategies for dealing with them. This involves threat modeling (determining ALL the ways in which a system might be attacked), defining a security policy that defends against those threats, and putting in place the prevention/detection/response mechanisms that implement that policy. This approach can be used for every system (and for non-computer systems as well).
Throughout the book, many examples illustrate the points and help the reader think about security (not just of the computer kind) in a wholly new way. It thus holds applicable lessons that go way beyond the immediate audience of the book.