SECRETS AND LIES DIGITAL SECURITY IN A NETWORKED WORLD EBOOK
Editorial Reviews. Whom can you trust? Try Bruce Schneier. This anniversary edition, which has stood the test of time as a runaway best-seller, provides a practical, straightforward guide to achieving security throughout computer networks. Secrets and Lies: Digital Security in a Networked World. Internationally recognized computer security expert Bruce Schneier offers a practical, straightforward guide.
This is obvious to anyone involved in real-world security. In the real world, security involves processes. It involves preventative technologies, but also detection. It's digital: Information is more.
So people are the weakest link in security. Let us appreciate the fact that an authority like Schneier acknowledges his mistake and shares with us. This is not a book if you are looking at just building firewalls, IDE, secure code or encryption algorithm.
This book is all about understanding the security risks and coming up with a practical solution to mitigate them. The core thesis of this book is:
1. Security is about managing risks.
2. Security requirements are relative and contextual.
3. Instead of going beyond a totally secure system, it is better to have mediocre security.
4. The best methodology to build security into your product is collective analytical ability, that is, providing unlimited access for people to review and critique the product design and implementation.
The areas where I would like to see improvements in the second edition of this book are: the editing is bad, sentences are not phrased in a manner that is easy to understand, and there are no references for further reading. There are no section numbers, which makes the flow difficult. How could anyone ever justify the cause of terrorism (p. 53)? But this is definitely a must-read book, since the gains to be achieved by reading it outweigh these issues, and in addition the repeated China, UK, and Microsoft bashing is difficult to put up with!
The first section sets the context for security requirement in the current digital world; the second describes the various technologies and their limitations. But the computer field naturally changes quickly, and this makes it different, to some extent, from other insurance-driven industries. Insurance companies will look to security processes that they can rely on: processes of secure software development before systems are released, and the processes of protection, detection, and response that I talk about in Chapter And more and more, they're going to look toward outsourced services.
We provide outsourced security monitoring for organizations. This isn't just firewall monitoring or IDS monitoring but full network monitoring. We defend our customers from insiders, outside hackers, and the latest worm or virus epidemic in the news. We do it affordably, and we do it well. The goal here isn't percent perfect security, but rather adequate security at a reasonable cost.
This is the kind of thing insurance companies love, and something I believe will become as common as fire-suppression systems in the coming years.
The insurance industry prefers security outsourcing, because they can write policies around those services. It's much easier to design insurance around a standard set of security services delivered by an outside vendor than it is to customize a policy for each individual network.
Today, network security insurance is a rarity—very few of our customers have such policies—but eventually it will be commonplace.
And if an organization has Counterpane—or some other company—monitoring its network, or providing any of a bunch of other outsourced services that will be popping up to satisfy this market need, it'll easily be insurable. Actually, this isn't a three-step program. It's a one-step program with two inevitable consequences. Enforce liability, and everything else will flow from it. It has to. There's no other alternative. Much of Internet security is a common: an area used by a community as a whole.
Like all commons, keeping it working benefits everyone, but any individual can benefit from exploiting it. Think of the criminal justice system in the real world. In our society we protect our commons— environment, working conditions, food and drug practices, streets, accounting practices—by legislating those areas and by making companies liable for taking undue advantage of those commons.
This kind of thinking is what gives us bridges that don't collapse, clean air and water, and sanitary restaurants. We don't live in a "buyer beware" society; we hold companies liable when they take advantage of buyers. There's no reason to treat software any differently from other products. Today Firestone can produce a tire with a single systemic flaw and they're liable, but Microsoft can produce an operating system with multiple systemic flaws discovered per week and not be liable.
Today if a home builder sells you a house with hidden flaws that make it easier for burglars to break in, you can sue the home builder; if a software company sells you a software system with the same problem, you're stuck with the damages.
This makes no sense, and it's the primary reason computer security is so bad today. I have a lot of faith in the marketplace and in the ingenuity of people. Give the companies in the best position to fix the problem a financial incentive to fix the problem, and fix it they will.
In it I cover the entire spectrum of security, from the personal issues we face at home and in the office to the broad public policies implemented as part of the worldwide war on terrorism.
Only after we accept the inevitability of trade-offs and learn to negotiate accordingly will we have a truly realistic sense of how to deal with risks and threats. Building real-world cryptographic systems is vastly different from the abstract world depicted in most books on cryptography, which assumes a pure mathematical ideal that magically solves your security problems.
Designers and implementers live in a very different world, where nothing is perfect and where experience shows that most cryptographic systems are broken due to problems that have nothing to do with mathematics. This book is about how to apply the cryptographic functions in a real-world setting in such a way that you actually get a secure system. Every month there are new ideas, new disasters, and new news stories that completely miss the point.
For almost six years now I've written Crypto-Gram, a free monthly e-mail newsletter that tries to be a voice of sanity and sense in an industry filled with fear, uncertainty, and doubt. With more than , readers, Crypto-Gram is widely cited as the industry's most influential publication. There's no fluff. There's no advertising. Just honest and impartial summaries, analyses, insights, and commentaries about the security stories in the news.
I hope you enjoy it, and I hope you find it useful. They look at the security of the product, rather than the security of the system.
The first questions to ask are: "Secure from whom?" Imagine a vendor selling a secure operating system. Is it secure against a hand grenade dropped on top of the CPU?
Against someone who positions a video camera directly behind the keyboard and screen? Against someone who infiltrates the company? Probably not; not because the operating system is faulty, but because someone made conscious or unconscious design decisions about what kinds of attacks the operating system was going to prevent and could possibly prevent and what kinds of attacks it was going to ignore. Problems arise when these decisions are made without consideration.
And it's not always as palpable as the preceding example. Is a secure telephone secure against a casual listener, a well-funded eavesdropper, or a national intelligence agency? Is a secure banking system secure against consumer fraud, merchant fraud, teller fraud, or bank manager fraud?
Does that other product, when used, increase or decrease the security of whatever needs to be secured? Exactly what a particular security technology does, and exactly what it does not do, is just too abstruse for many people. Security is never black and white, and context matters more than technology. Just because a secure operating system won't protect against hand grenades doesn't mean that it is useless; it just means that we can't throw away our walls and door locks and window bars.
Different security technologies have important places in an overall security solution. A system might be secure against the average criminal, or a certain type of industrial spy, or a national intelligence agency with a certain skill set. A system might be secure as long as certain mathematical advances don't occur, or for a certain period of time, or against certain types of attacks.
Like any adjective, "secure" is meaningless out of context. In this section, I attempt to provide the basis for this context. I talk about the threats against digital systems, types of attacks, and types of attackers. Then I talk about security desiderata.
I do this before discussing technology because you can't intelligently examine security technologies without an awareness of the landscape. Just as you can't understand how a castle defended a region without immersing yourself in the medieval world in which it operated, you can't understand a firewall or an encrypted Internet connection outside the context of the world in which it operates.
Who are the attackers? What do they want?
What tools are at their disposal? Without a basic understanding of these things, you can't reasonably discuss how secure anything is.

Digital Threats

The world is a dangerous place.
Muggers are poised to jump you if you walk down the wrong darkened alley, con artists are scheming to relieve you of your retirement fund, and co-workers are out to ruin your career.
Organized crime syndicates are spreading corruption, drugs, and fear with the efficiency of Fortune companies. There are crazed terrorists, nutty dictators, and uncontrollable remnants of former superpowers "with more firepower than sense."
And if you believe the newspapers at your supermarket's checkout counter, there are monsters in the wilderness, creepy hands from beyond the grave, and evil space aliens carrying Elvis's babies. Sometimes it's amazing that we've survived this long, let alone built a society stable enough to have these discussions.
The world is also a safe place. While the dangers in the industrialized world are real, they are the exceptions.
Almost everyone walks the streets every day without getting mugged. Almost no one dies by random gunfire, gets swindled by flimflam men, or returns home to crazed marauders. Most businesses are not the victims of armed robbery, rogue bank managers, or workplace violence.
Less than one percent of eBay transactions—unmediated long distance deals between strangers—result in any sort of complaint. People are, on the whole, honest; they generally adhere to an implicit social contract. The general lawfulness in our society is high; that's why it works so well.
I realize that the previous paragraph is a gross oversimplification of a complex world. I am writing this book in the United States at the turn of the millennium. I am not writing it in Sarajevo, Hebron, or Rangoon. I have no experiences that can speak to what it is like to live in such a place.
My personal expectations of safety come from living in a stable democracy. This book is about security from the point of view of the industrialized world, not the world torn apart by war, suppressed by secret police, or controlled by criminal syndicates.
This book is about the relatively minor threats in a society where the major threats have been dealt with. Attacks, whether criminal or not, are exceptions. They're events that take people by surprise, that are "news" in its real definition. They're disruptions in the society's social contract, and they disrupt the lives of the victims.
Like the physical world, people populate it. These people interact with others, form complex social and business relationships, live and die.
Cyberspace has communities, large and small. Cyberspace is filled with commerce. There are agreements and contracts, disagreements and torts. And the threats in the digital world mirror the threats in the physical world. If embezzlement is a threat, then digital embezzlement is also a threat. If physical banks are robbed, then digital banks will be robbed.
Invasion of privacy is the same problem whether the invasion takes the form of a photographer with a telephoto lens or a hacker who can eavesdrop on private chat sessions. Cyberspace crime includes everything you'd expect from the physical world: theft, racketeering, vandalism, voyeurism, exploitation, extortion, con games, fraud. There is even the threat of physical harm: cyberstalking, attacks against the air traffic control system, etc. To a first approximation, online society is the same as offline society.
And to the same first approximation, attacks against digital systems will be the same as attacks against their analog analogues. This means we can look in the past to see what the future will hold.
The attacks will look different —the burglar will manipulate digital connections and database entries instead of lockpicks and crowbars, the terrorist will target information systems instead of airplanes—but the motivation and psychology will be the same. It also means we don't need a completely different legal system to deal with the future. If the future is like the past—except with cooler special effects—then a legal system that worked in the past is likely to work in the future.
Willie Sutton robbed banks because that was where the money was. Today, the money isn't in banks; it's zipping around computer networks. Every day, the world's banks transfer billions of dollars among themselves by simply modifying numbers in computerized databases. Meanwhile, the average physical bank robbery grosses a little over fifteen hundred dollars. And cyberspace will get even more enticing; the dollar value of electronic commerce gets larger every year.
Where there's money, there are criminals. Walking into a bank or a liquor store wearing a ski mask and brandishing a. Organized crime prefers to attack large-scale systems to make a large-scale profit. Fraud against credit cards and check systems has gotten more sophisticated over the years, as defenses have gotten more sophisticated.
Automatic teller machine (ATM) fraud has followed the same pattern. If we haven't seen widespread fraud against Internet payment systems yet, it's because there isn't a lot of money to be made there yet. When there is, criminals will be there trying. And if history is any guide, they will succeed. Privacy violations are nothing new, either. An amazing array of legal paperwork is public record: real estate transactions, boat sales, civil and criminal trials and judgments, bankruptcies.
Want to know who owns that boat and how much he paid for it? It's a matter of public record. Even more personal information is held in the 20, or so personal databases in the United States maintained by corporations: financial details, medical information, lifestyle habits.
Investigators (private and police) have long used this and other data to track down people. Even supposedly confidential data gets used in this fashion. No TV private investigator has survived half a season without a friend in the local police force willing to look up a name or a license plate or a criminal record in the police files.
Police routinely use industry databases. And every few years, some bored IRS operator gets caught looking up the tax returns of famous people. Marketers have long used whatever data they could get their hands on to target particular people and demographics.
In the United States, personal data do not belong to the person whom the data are about; they belong to the organization that collected them. Your financial information isn't your property, it's your bank's. Your medical information isn't yours, it's your doctor's. Doctors swear oaths to protect your privacy, but insurance providers and HMOs do not.
Do you really want everyone to know about your heart defect or your family's history of glaucoma? How about your bout with alcoholism, or that embarrassing brush with venereal disease two decades ago? Privacy violations can easily lead to fraud. In the novel Paper Moon, Joe David Brown wrote about the Depression-era trick of selling bibles and other merchandise to the relatives of the recently deceased. Other scams targeted the mothers and widows of overseas war dead—"for only pennies a day we'll care for his grave"—and people who won sweepstakes.
In many areas in the country, public utilities are installing telephone-based systems to read meters: water, electricity, and the like.
It's a great idea, until some enterprising criminal uses the data to track when people go away on vacation. Or when they use alarm monitoring systems that give up-to-the-minute details on building occupancy. Wherever data can be exploited, someone will try it, computers or no computers. Nothing in cyberspace is new. Child pornography: old hat. Money laundering: seen it. Bizarre cults offering everlasting life in exchange for your personal check: how déclassé.
The underworld is no better than businesspeople at figuring out what the Net is good for; they're just repackaging their old tricks for the new medium, taking advantage of the subtle differences and exploiting the Net's reach and scalability. Although attacks in the digital world might have the same goals and share a lot of the same techniques as attacks in the physical world, they will be very different. They will be more common. They will be more widespread. It will be harder to track, capture, and convict the perpetrators.
And their effects will be more devastating. The Internet has three new characteristics that make this true.
Any one of them is bad; the three together are horrifying.

Automation

Automation is an attacker's friend. If a sagacious counterfeiter invented a method of minting perfect nickels, no one would care.
The counterfeiter couldn't make enough phony nickels to make it worth the time and effort. Phone phreaks were able to make free local telephone calls from payphones pretty much at will from until the mids. You just can't steal enough cent phone calls to affect the earnings-per-share of a multibillion-dollar company, especially when the marginal cost of goods is close to zero.
In cyberspace, things are different. Computers excel at dull, repetitive tasks. Our counterfeiter could mint a million electronic nickels while he sleeps. There's the so-called salami attack of stealing the fractions of pennies, one slice at a time, from everyone's interest-bearing accounts; this is a beautiful example of something that just would not have been possible without computers.
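The salami attack above is worth seeing in numbers, because it also shows why the obvious control fails. The following is an added example, not code from the book: a constructed ledger of eight hypothetical accounts, a hypothetical monthly interest rate, and an attacker-controlled slush account (all invented here) are run through an honest interest posting and a shaved one. A totals-only reconciliation passes in both cases, since the shaved fractions still land somewhere in the ledger; what catches the attack is checking the sign of every account's rounding residual and looking for credits to an account that has no balance.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

# Constructed sample ledger (account id -> balance in dollars); not real data.
ACCOUNTS = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("987.65"),
    "A-1003": Decimal("50000.01"),
    "A-1004": Decimal("12.34"),
    "A-1005": Decimal("200.00"),
    "A-1006": Decimal("700.00"),
    "A-1007": Decimal("2500.00"),
    "A-1008": Decimal("8888.88"),
}
RATE = Decimal("0.0425") / Decimal("12")   # hypothetical 4.25% APR, posted monthly
CENT = Decimal("0.01")
SLUSH_ACCOUNT = "A-9999"                    # hypothetical account the attacker controls


def honest_posting(accounts):
    """Round each account's interest to the cent (banker's rounding). Nothing is skimmed."""
    return {acct: (bal * RATE).quantize(CENT, rounding=ROUND_HALF_EVEN)
            for acct, bal in accounts.items()}


def salami_posting(accounts):
    """Truncate every account's interest downward and credit the shaved
    fractions of a cent to the attacker's slush account."""
    posted = {}
    skimmed = Decimal("0")
    for acct, bal in accounts.items():
        exact = bal * RATE
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        skimmed += exact - truncated       # the slice taken from this account
        posted[acct] = truncated
    posted[SLUSH_ACCOUNT] = skimmed.quantize(CENT, rounding=ROUND_DOWN)
    return posted


def totals_balance(accounts, posted):
    """The naive control: does total interest posted match the exact total
    within half a cent per account? Passes for the salami run too, because
    the skimmed fractions were merely moved, not removed."""
    exact_total = sum(bal * RATE for bal in accounts.values())
    tolerance = (CENT / 2) * len(accounts)
    return abs(sum(posted.values()) - exact_total) <= tolerance


def audit(accounts, posted):
    """Two controls that do see the attack. Returns a list of findings."""
    findings = []
    # 1. Interest credited to an account that holds no balance.
    phantom = sorted(set(posted) - set(accounts))
    if phantom:
        findings.append(f"interest credited to accounts with no ledger balance: {phantom}")
    # 2. Honest rounding errs up about as often as down; truncation is one-sided.
    residuals = [posted[a] - accounts[a] * RATE for a in accounts]
    nonzero = [r for r in residuals if r != 0]
    if nonzero and (all(r < 0 for r in nonzero) or all(r > 0 for r in nonzero)):
        findings.append("rounding residual has the same sign on every account (truncation bias)")
    return findings


if __name__ == "__main__":
    for label, batch in (("honest", honest_posting(ACCOUNTS)), ("salami", salami_posting(ACCOUNTS))):
        print(f"{label}: totals balance={totals_balance(ACCOUNTS, batch)} findings={audit(ACCOUNTS, batch)}")
```

On eight accounts the slush account collects only a few cents, which is the point: the take per run is invisible, and only the posting process, run a million times by a machine that never tires, turns it into money. A reconciliation that compares totals is the control most shops already have, and it is exactly the one this attack is designed to satisfy.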
If you had a great scam to pick someone's pocket, but it only worked once every hundred thousand tries, you'd starve before you robbed anyone. In cyberspace, you can set your computer to look for the one-in-a-hundred-thousand chance.
You'll probably find a couple dozen every day. If you can enlist other computers, you might get hundreds.
Fast automation makes attacks with a minimal rate of return profitable. Attacks that were just too marginal to notice in the physical world can quickly become a major threat in the digital world.
Many commercial systems just don't sweat the small stuff; it's cheaper to ignore it than to fix it. They will have to think differently with digital systems.
Cyberspace also opens vast new avenues for violating someone's privacy, often simply a result of automation. Suppose you have a marketing campaign tied to rich, penguin-loving, stamp-collecting Elbonians with children. It's laborious to walk around town and find wealthy Elbonians with children, who like penguins, and are interested in stamps.
On the right computer network, it's easy to correlate a marketing database of zip codes of a certain income with birth or motor vehicle records, posts to rec. The Internet has search tools that can collect every Usenet posting a person ever made. Paper data, even if it is public, is hard to search and hard to correlate. Computerized data can be searched easily. Networked data can be searched remotely and correlated with other databases. Under some circumstances, looking at this kind of data is illegal.
People, often employees, have been prosecuted for peeking at confidential police or IRS files. Under other circumstances, it's called data mining and is entirely legal. These data are collected, collated, and sold to anyone willing to pay for it. Credit card databases have a mind-boggling amount of information about individuals' spending habits: where they shop, where they eat, what kind of vacations they take—it's all there for the taking.
DoubleClick is trying to build a database of individual Web-surfing habits. Even grocery stores are giving out frequent shopper cards, allowing them to collect data about the food-buying proclivities of individual shoppers. Acxiom is a company that specializes in the aggregation of public and private databases.
The news here is not that the data are out there, but how easily they can be collected, used, and abused. And it will get worse: More data are being collected. Banks, airlines, catalog companies, medical insurers are all saving personal information. Many Web sites collect and sell personal data. And why not?
Data storage is cheap, and maybe it will be useful some day. These diverse data archives are moving onto the public networks. And more and more data are being combined and cross-referenced. Automation makes it all easy.

Action at a Distance

As technology pundits like to point out, the Internet has no borders or natural boundaries.
Every two points are adjacent, whether they are across the hall or across the planet. It's just as easy to log on to a computer in Tulsa from a computer in Tunisia as it is from one in Tallahassee. Don't like the censorship laws or computer crime statutes in your country? Find a country more to your liking. Countries like Singapore have tried to limit their citizens' abilities to search the Web, but the way the Internet is built makes blocking off parts of it unfeasible.
As John Gilmore opined, "The Internet treats censorship as damage and routes around it." An attacker could sit behind a computer in St. Petersburg and attack Citibank's computers in New York. This has enormous security implications. If you were building a warehouse in Buffalo, you'd only have to worry about the set of criminals who would consider driving to Buffalo and breaking into your warehouse. Since on the Internet every computer is equidistant from every other computer, you have to worry about all the criminals in the world.
The global nature of the Internet complicates criminal investigation and prosecution, too. Finding attackers adroit at concealing their whereabouts can be near impossible, and even if you do find them, what do you do then? And crime is only defined with respect to political borders. But if the Internet has no physical "area" to control, who polices it? So far, every jurisdiction that possibly can lay a claim to the Internet has tried to. Does the data originate in Germany? Then it is subject to German law.
Does it terminate in the United States? Then it had better suit the American government. Does it pass through France? If so, the French authorities want a say in what happened. In , the operators of a computer bulletin board system (BBS) in Milpitas, California—where both the people and the computers resided—were tried and convicted in a Tennessee court because someone in Tennessee made a long-distance telephone call to California and downloaded dirty pictures that were found to be acceptable in California but indecent in Tennessee.
The bulletin board operators never set foot in Tennessee before the trial. In July , a year-old woman was convicted by a Swiss court for sending pornography across the Internet—even though she had been in the United States since Does this make any sense? In general, though, prosecuting across jurisdictions is incredibly difficult. Until it's sorted out, criminals can take advantage of the confusion as a shield.
Secrets and Lies: Digital Security in a Networked World. Author(s): Bruce Schneier. First published: Print ISBN: About this book: Bestselling author Bruce Schneier offers his expert guidance on achieving security on a network. Internationally recognized computer security expert Bruce Schneier offers a practical, straightforward guide to achieving security throughout computer networks.
Schneier uses his extensive field experience with his own clients to dispel the myths that often mislead IT managers as they try to build secure systems.
This practical guide provides readers with a better understanding of why protecting information is harder in the digital world, what they need to know to protect digital information, how to assess business and corporate security needs, and much more.

They also provide additional information to a diagnostic engine.
Not the content of the messages themselves, but characteristics about them. All of these will get you thrown in jail if you use some techniques, but not if you use others.