Beyond Fear: Thinking Sensibly about Security in an Uncertain World by Bruce Schneier

Selected quotes from
Bruce Schneier.
Beyond Fear: Thinking Sensibly about Security in an Uncertain World
Copernicus Books (Springer Verlag), 2003.
ISBN 0-387-02620-7
compiled by Tom Verhoeff in April 2004.

Ch.1: All Security Involves Trade-offs

p.3
"In the wake of 9/11, many of us want to reinvent our ideas about security. But we don't need to learn something completely new; we need to learn to be smarter, more skeptical, and more skilled about what we already know. Critical to any security decision is the notion of trade-offs, meaning the costs---in terms of money, convenience, comfort, freedoms, and so on---that inevitably attach themselves to any security system. People make security trade-offs naturally, choosing more or less security as situations change. This book uses a five-step process to demystify the choices and make the trade-offs explicit. A better understanding of trade-offs leads to a better understanding of security, and consequently to more sensible security decisions."

p. 11
"All security is, in some way, about prevention. But prevention of what, exactly? Security is about preventing adverse consequences from the intentional and unwarranted actions of others."

p.12
"Protecting assets from unintentional actions is safety, not security."

p.14
"Security is complex, but complex things can be broken down into smaller and simpler steps. Throughout this book, I use a five-step process to analyze and evaluate security systems, technologies, and practices. ..."

Ch.2: Security Trade-offs Are Subjective

p.17
"There is no single correct level of security; how much security you have depends on what you're willing to give up in order to get it. This trade-off is, by its very nature, subjective---security decisions are based on personal judgments. Different people have different senses of what constitutes a threat, or what level of risk is acceptable. What's more, between different communities, or organizations, or even societies, there is no agreed-upon way in which to define threats or evaluate risks, and the modern technological and media-filled world makes these evaluations even harder."

Ch.3: Security Trade-offs Depend on Power and Agenda

p.33
"Most security decisions are complicated, involving multiple players with their own subjective assessments of security. Moreover, each of these players also has his own agenda, often having nothing to do with security, and some amount of power in relation to the other players. In analyzing any security situation, we need to assess these agendas and power relationships. The question isn't which system provides optimal security trade-offs---rather, it's which system provides the optimal security trade-offs for which players."

Ch.4: Systems and How They Fail

p.50
"At a basic level, security systems are different from any other type of system. Most systems ... are useful for what they do. Security systems are useful precisely for what they don't allow to be done. Most engineering involves making systems work. Security engineering involves making sure systems don't fail. It involves figuring out how systems fail and then preventing those failures."

p.51
"Designing systems with failure in mind isn't completely foreign to engineers. Safety and reliability engineers also go to great lengths to ensure performance in the face of failure, but there is an important difference between what they do and what security engineers do. When you're designing for safety or reliability, you're designing for a world where random faults occur. ... Security systems need to work under such random circumstances, but they also have to give special consideration to nonrandom events; that is, to the presence of an intelligent and malicious adversary who forces faults at precisely the most opportune time and in precisely the most opportune way."

p.53
"Security usually fails at the seams---at the points where two systems interact---..."

p.54
"Security systems can fail in two completely different ways. The first way is that they can fail in the face of an attack. ... These are passive failures: The system fails to take action when it should. A security system can also fail by doing what it's supposed to do, but at the wrong time. ... These are active failures: The system fails by taking action when it shouldn't."

...

"In most security systems, active failures are more frequent than passive failures. Security countermeasures continually affect the normal functionality of the system, while they only occasionally affect attackers. (Actual attackers are, after all, relatively rare.) This magnifies the effects of active failures, and the impact security systems have on the innocent. ... Systems with a relatively high rate of active failures are almost always more trouble than they're worth because of the high rate of false alarms."
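The arithmetic behind that passage is the base-rate effect: when attackers are rare, even a small active-failure (false-alarm) rate swamps the true alarms. The following is an added example, not from the book; the population size, attacker frequency and detector rates are constructed for illustration and do not describe any real screening system.

```python
"""Added example (not from the book): why active failures dominate when
attackers are rare. All detector parameters below are constructed."""


def alarm_breakdown(population, attacker_rate, detection_rate, false_alarm_rate):
    """Return (true_alarms, false_alarms, missed_attacks) for one pass over
    `population` subjects.

    attacker_rate:    fraction of subjects who are actually attacking
    detection_rate:   P(alarm | attacker); 1 minus the passive-failure rate
    false_alarm_rate: P(alarm | innocent); the active-failure rate
    """
    attackers = population * attacker_rate
    innocents = population - attackers
    true_alarms = attackers * detection_rate
    false_alarms = innocents * false_alarm_rate
    missed = attackers - true_alarms
    return true_alarms, false_alarms, missed


def alarm_precision(attacker_rate, detection_rate, false_alarm_rate):
    """P(attacker | alarm), i.e. the fraction of alarms that are real (Bayes' rule)."""
    p_alarm = attacker_rate * detection_rate + (1 - attacker_rate) * false_alarm_rate
    return attacker_rate * detection_rate / p_alarm


def required_false_alarm_rate(target_precision, attacker_rate, detection_rate):
    """Solve alarm_precision(...) == target_precision for the false-alarm rate:
    how low the active-failure rate must be before most alarms are real."""
    return (attacker_rate * detection_rate * (1 - target_precision)) / (
        target_precision * (1 - attacker_rate)
    )


if __name__ == "__main__":
    # Constructed scenario: one million screenings, one attacker per 100,000,
    # a detector that catches 99% of attackers and wrongly flags 1% of innocents.
    ta, fa, miss = alarm_breakdown(1_000_000, 1e-5, 0.99, 0.01)
    print(f"true alarms: {ta:.1f}  false alarms: {fa:.1f}  missed attacks: {miss:.2f}")
    print(f"fraction of alarms that are real: {alarm_precision(1e-5, 0.99, 0.01):.3%}")
    f = required_false_alarm_rate(0.5, 1e-5, 0.99)
    print(f"false-alarm rate needed for half the alarms to be real: {f:.2e}")
```

With these constructed numbers roughly ten real alarms are buried under ten thousand false ones, so about one alarm in a thousand is real; to make half the alarms real the active-failure rate has to fall to about the attacker rate itself. That is the quantitative reason a detector with a "relatively high rate of active failures" is usually more trouble than it is worth.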

p.57
"When a security event occurs regularly, people become experienced and know what to do. If the event happens only once every few years, there could be an entire office staff that has never seen it. Staff members might have no idea what to do. They might ignore anomalies, thinking they are just system problems and not security incidents."

Ch.5: Knowing the Attackers

p.62
"Criminals tend not to have good access, with the exception of those who are insiders."

...

"Yet perhaps the most common security mistake of all is to expend considerable effort combating outsiders while ignoring the insider threat."

p.64
"..., there are far more opportunists than professional criminals. Circumstances can have an effect on even the most honest people. In many countries, it is illegal for the police to deliberately try to trick opportunists into committing crime---it's called entrapment---precisely because of this."

p.69
"Terrorism is not a movement or an ideology, but a military tactic. A terrorist is someone who employs physical or psychological violence against noncombatants in an attempt to coerce, control, or simply change a political situation by causing terror in the general populace. The desire to influence the audience is an essential component of terrorism."

p.70
"The primary aim of a terrorist is to make a statement; news of the attacks is more important than the attacks themselves. Without widespread publicity, the attacks lose much of their effectiveness."

...

"The best way to deter terrorist attacks is to deny terrorists their goal by giving them only minimal media coverage. Admittedly, doing this is difficult in practice."

Ch.7: Technology Creates Security Imbalances

p.90
"As a security professional, I think complexity is terrifying. It leads to more and more subtle vulnerabilities. It leads to catastrophic failures, which are both harder to test for beforehand and harder to diagnose afterwards. ... Computer pioneer Niklaus Wirth once said: "Increasingly, people seem to misinterpret complexity as sophistication, which is baffling---the incomprehensible should cause suspicion rather than admiration.""

"Complex systems have even more security problems when they are nonsequential and tightly coupled."

p.93
"Technological advances bring with them standardization, which also adds to security vulnerabilities, because they make it possible for attackers to carry out class breaks: attacks that can break every instance of some feature in a security system."

Ch.8: Security Is a Weakest-Link Problem

p.103
"All systems have a weakest link, and there are several general strategies for securing systems despite their vulnerabilities. Defense in depth ensures that no single vulnerability can compromise security. Compartmentalization ensures that a single vulnerability cannot compromise security entirely. And choke points reduce the number of potential vulnerabilities by allowing the defender to concentrate his defenses. In general, tried and true countermeasures are preferable to innovations, and simpler overlapping countermeasures are preferable to highly complex stand-alone systems. However, because attackers inevitably develop new attacks, reassessment and innovation must be ongoing."

Ch.10: Security Revolves Around People

p.133
"People are the strongest point in a security process. When a security system succeeds in the face of a new or coordinated devastating attack, it's usually due to the efforts of people."

p.137
"People are essential for security, but people are a double-edged sword. They are often the weakest security link and the main reason why security fails. People can cause security to fail in many ways."

...

"Every security system, without exception, needs trusted people to function, though these people are not necessarily trustworthy."

p.139
"There are three basic ways to secure trusted people---or trusted machines, for that matter. The first: Try to put trustworthy people in points of trust, and try extra hard for positions of extreme trust."

p.140
"The second way to secure trusted people is through compartmentalization. ... We can increase security by limiting our trust: Give trusted people only the information, access, and capabilities they need to accomplish their tasks. In the military, people are told only things that they "need to know," even if they have the requisite clearance."

p.141
"The third way to secure systems with trusted people is to apply the principle of defense in depth: Give trusted people overlapping spheres of trust, so they effectively watch each other."
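The second and third ways translate directly into authorization logic: clearance alone is necessary but not sufficient (need to know), and sensitive actions require two independently authorized people (overlapping spheres of trust). The following is an added example, not from the book; the classification levels, compartment names and the sample people and document are constructed.

```python
"""Added example (not from the book): need-to-know compartments on top of
clearance levels, plus a two-person rule. Levels, compartments and the
sample records are constructed for illustration."""

from dataclasses import dataclass, field

# Constructed ordering of clearance levels (higher number = more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Person:
    name: str
    clearance: str
    need_to_know: frozenset = field(default_factory=frozenset)  # compartments held


@dataclass(frozen=True)
class Document:
    title: str
    classification: str
    compartments: frozenset = field(default_factory=frozenset)  # compartments marked


def may_read(person, doc):
    """Compartmentalization: the reader needs a clearance at or above the
    document's level AND every compartment the document is marked with.
    A higher clearance does not substitute for a missing compartment."""
    if LEVELS[person.clearance] < LEVELS[doc.classification]:
        return False, "insufficient clearance"
    missing = doc.compartments - person.need_to_know
    if missing:
        return False, "no need to know: " + ", ".join(sorted(missing))
    return True, "ok"


def dual_control(approvers, doc):
    """Defense in depth among trusted people: an action on `doc` requires two
    distinct people who are each individually authorized, so no single
    trusted insider can act alone. The same person listed twice counts once."""
    authorized = {p.name for p in approvers if may_read(p, doc)[0]}
    if len(authorized) < 2:
        return False, f"need two authorized approvers, have {len(authorized)}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: alice outranks the document but lacks a compartment.
    alice = Person("alice", "TOP SECRET", frozenset({"ALPHA"}))
    bob = Person("bob", "SECRET", frozenset({"ALPHA", "BRAVO"}))
    dave = Person("dave", "SECRET", frozenset({"ALPHA", "BRAVO"}))
    plan = Document("ops plan", "SECRET", frozenset({"ALPHA", "BRAVO"}))
    for p in (alice, bob):
        print(p.name, may_read(p, plan))
    print("alice+bob:", dual_control([alice, bob], plan))
    print("bob+dave: ", dual_control([bob, dave], plan))
    print("bob twice:", dual_control([bob, bob], plan))
```

The point the book makes shows up in the first call: alice holds the highest clearance yet is refused, because she has no need to know one of the compartments. The two-person check reuses the same decision so that the "overlapping spheres of trust" are built from the same compartment rules rather than a separate, easily inconsistent list.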

Ch.11: Detection Works Where Prevention Fails

p.147
"The ideal of any security system is to prevent an attack, but prevention is the hardest aspect of security to implement, and often the most expensive. To be practical as well as effective, almost all modern security systems combine prevention with detection and response, forming a triad that operates as an integrated system to provide dynamic security, resilient failure, and defense in depth. Audits (retrospective detection) and prediction (prospective attempts at detection) don't produce the decisive real-time results that most people associate with security systems, but are extremely important in evaluating and thinking about ways to improve security systems."

Ch.12: Detection Is Useless Without Response

p.167
"Responses fall into five categories. Reaction, directed against the attacker, defends; mitigation, focused on the assets, limits the effects of an attack; recovery repairs the security system after an attack; forensics is the post-attack analysis of evidence to determine what happened; and counterattack turns the defenders into attackers---to exact revenge, but also to prevent future attacks. Deterrence, which broadly includes all the steps taken to prevent future attacks, is another form of response, as is education."

p.176
"One of the reasons legal deterrence does work is that laws apply only to extreme behavior. ... Countries that have laws to regulate normal behavior have a far greater number of people violating those laws."

Ch.13: Identification, Authentication, and Authorization

p.182
"Identification, authentication, and authorization. The three concepts are closely related, but in a security system it's critical that we tell them apart. Here's the shorthand guide: ..."

p.186
"Basically, there are three ways to authenticate someone: by something he knows, by something he has, and by something he is."

p.194
"Expiration dates serve two purposes: They ensure that the bearer doesn't keep his authorization past a set time period, and they limit the usefulness of stolen cards and forgeries ... assuming, of course, that the expiration date can't just be forged and that the verifier compares the card's expiration date with the date in the database (as credit card verification systems do)."
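The caveat at the end of that quote is the whole design: a verifier that trusts the date printed on the card gets nothing from expiration, because a forger simply prints a later one. The check below is an added example, not from the book or any real card network; the card numbers, the issuer records and the revocation flag are constructed.

```python
"""Added example (not from the book): a verifier that compares the expiration
date presented on a card with the issuer's own record instead of trusting
the card. The issuer database and card numbers are constructed."""

from datetime import date

# Constructed issuer database: card number -> (expiry on record, revoked?)
ISSUER_DB = {
    "4000-0000-0000-0001": (date(2026, 3, 31), False),
    "4000-0000-0000-0002": (date(2024, 1, 31), False),
    "4000-0000-0000-0003": (date(2027, 6, 30), True),
}


def verify_card(number, presented_expiry, today, db=ISSUER_DB):
    """Return (accepted, reason). `today` is passed in so the check is
    deterministic; a live verifier would use date.today()."""
    record = db.get(number)
    if record is None:
        return False, "unknown card"
    expiry_on_record, revoked = record
    # The printed date is attacker-controlled on a forgery; the record is not.
    if presented_expiry != expiry_on_record:
        return False, "presented expiration does not match issuer record"
    if revoked:
        return False, "card revoked"
    if today > expiry_on_record:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    today = date(2025, 6, 1)
    cases = [
        ("4000-0000-0000-0001", date(2026, 3, 31)),  # genuine, still valid
        ("4000-0000-0000-0002", date(2024, 1, 31)),  # genuine, but expired
        ("4000-0000-0000-0002", date(2030, 1, 31)),  # expired card with a forged later date
        ("4000-0000-0000-0003", date(2027, 6, 30)),  # genuine date, but revoked
        ("4000-0000-0000-0009", date(2027, 6, 30)),  # not issued at all
    ]
    for number, presented in cases:
        print(number, presented, verify_card(number, presented, today))
```

The third case is the one the quote warns about: the forged card carries a plausible future date, and a verifier that only compared the printed date against today's date would accept it. Comparing against the issuer's record turns the expiration date from a claim into a checkable fact, and the revocation flag covers stolen cards that have not yet expired.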

Ch.14: All Countermeasures Have Some Value, But No Countermeasure Is Perfect

p.225
"A security protocol is a series of steps that some trusted person carries out, steps to enforce some sort of security rules."

p.226
"Like protocols, procedures are steps that a trusted person carries out. But in security lingo, procedures are exceptions; they're the things that people do when a security event occurs. ... Protocols are the routines trusted people follow day to day; procedures are what they do in response to an anomaly."

"All detection and response that involves people requires procedures. Response is difficult and complicated, and the times that a response is called for are likely to be stressful. If you want any hope of getting any of it right, you need to have procedures in place beforehand."

"Planning is one of the most important aspects of security defense, especially for detection and response. Protocols and procedures need to be thought out, and are subtle and hard to get right. And the only way to get them right is to plan carefully."

p.228
"... benefits of training and practice. The more people who are trained, the more likely it is that someone will be able to do whatever needs to be done. And during practice, you can develop new and better procedures. Procedures aren't very useful without training and constant practice. When security events are rare, people don't expect them and often don't even notice them. Training is a way to deal with that aspect of human nature. When security events are rare, people don't gain experience dealing with them. Any system that is rarely used will fail when used. Practice solves that problem. One goal of training and practice is for people to react reflexively and instinctively in a crisis situation instead of having to ponder what to do next."

...

"Finally there is testing, one of the hardest things in security. On one hand, it's impossible to test security. On the other, it is essential to test security."

p.230
"Whenever security involves people, testing will provide considerable information. It might not tell you whether security will work, but it will certainly give you insight into how it might fail."

Ch.15: Fighting Terrorism

p.233
"Because terrorism is largely a crime against the mind, the assets to be protected are hard to define. Terrorism is rare; while the threats are serious, the risks are lower than most people think; and responses are out of proportion to the actual risk. Most countermeasures are less effective than they appear, and many cause additional security risks. In an atmosphere of fear, keeping trade-offs commensurate with real risks is not easy."

p.242
"Benefit denial is a critical countermeasure. Morale is the most significant terrorist target. By refusing to be scared, by refusing to overreact, and by refusing to publicize terrorist attacks endlessly in the media, we limit the effectiveness of terrorist attacks."

p.243
"Long-term countermeasures, such as deterrence and education, are the only real solution, and even they are imperfect. The best way to reduce terrorism is to solve the underlying socioeconomic and geopolitical problems that cause it to arise in the first place. This isn't absolute, but nothing in security is ever absolute. It is also extremely difficult, and some of the problems seem, and may be, impossible to solve."

p.244
"Constitutionally protected liberties are more important to individual security than are democratic elections, and taking away liberties in the name of security is an enormous trade-off. As Benjamin Franklin said in 1784: "They that give up essential liberties to obtain a little temporary safety deserve neither liberty nor safety.""

p.247
"When you examine the details, only two effective antiterrorism countermeasures were taken in the wake of 9/11: strengthening cockpit doors and passengers learning they need to fight back. Everything else---let me repeat that: everything else---was only minimally effective, at best, and not worth the trade-offs."

p.253
"Anyone implementing a counterterrorism security system had best learn humility. It's impossible to prevent all terrorist attacks. It's impossible to eradicate terrorism from the planet; recovering from and minimizing the damage from terrorist attacks form important parts of defense. Teaching people to remain calm, and not to live in fear, is another part of defense. Refusing to overreact after a terrorist attack is another. We can win the war on terror using sensible security, if we can convince people that sensible security is in fact the solution."

Ch.16: Negotiating for Security

p.268
"If we expect companies to spend significant resources on security---especially the security of their customers---the security vendor must be liable for security mishaps. If we expect product vendors to market secure products, they must be liable for security vulnerabilities in their products. Liability is an essential component of an environment that fosters security."

p.269
"One of the interesting effects is the rise of the insurance industry as a facilitator of increased security. In many areas of our society, the insurance industry drives security. A company doesn't buy security equipment ... just because it wants to feel safe. It buys that security because then its insurance rates go down."

p.270
"If you are interested in finding a security solution that more closely matches your agenda and your own perceptions of your risks, you need to learn how to negotiate. You need to align the interests of players with each other. You need to align the security interests of players with their capabilities."

Ch.17: Security Demystified

p.271
"Security is a tax on the honest."

p.278-279
"Anyone can understand security. The people who think they know best, and the people who think they ought to, would have you believe that security is like quantum mechanics or brain surgery, and that it should best be left to the experts. These people are wrong: they're trying to co-opt your agenda and increase their own power in negotiating trade-offs. Don't accept claims that you can't understand security. You can. Don't accept that the technology is too complicated for you to understand. The details may be complicated, but the ways in which the system works and fails won't be."

p.279
"And I want to leave you with three final rules: ..."

p.280
"The one thing that defenders have going for them is that there are far more of them than there are attackers."


Feedback on this page is welcome.