Secrets and Lies: Digital Security in a Networked World, 15th Anniversary Edition

Book Description

This anniversary edition, which has stood the test of time as a runaway best-seller, provides a practical, straightforward guide to achieving security throughout computer networks. No theory, no math, no fiction of what should be working but isn't, just the facts. Known as the master of cryptography, Schneier uses his extensive field experience with his own clients to dispel the myths that often mislead IT managers as they try to build secure systems. A much-touted section, Schneier's tutorial on just what cryptography (a subset of computer security) can and cannot do for them, has received far-reaching praise from both the technical and business communities.

Praise for Secrets and Lies

"This is a business issue, not a technical one, and executives can no longer leave such decisions to techies. That's why Secrets and Lies belongs in every manager's library."-Business Week

"Startlingly lively....a jewel box of little surprises you can actually use."-Fortune

"Secrets is a comprehensive, well-written work on a topic few business leaders can afford to neglect."-Business 2.0

"Instead of talking algorithms to geeky programmers, [Schneier] offers a primer in practical computer security aimed at those shopping, communicating or doing business online-almost everyone, in other words."-The Economist

"Schneier...peppers the book with lively anecdotes and aphorisms, making it unusually accessible."-Los Angeles Times

With a new and compelling Introduction by the author, this premium edition will become a keepsake for security enthusiasts of every stripe.

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright
  4. Dedication
  5. Contents
  6. Foreword to 2015 15th Anniversary Edition
  7. Introduction from the Paperback Edition
  8. Preface
  9. About the Author
  10. CHAPTER 1: Introduction
    1. STEP ONE: ENFORCE LIABILITIES
    2. STEP TWO: ALLOW PARTIES TO TRANSFER LIABILITIES
    3. STEP THREE: PROVIDE MECHANISMS TO REDUCE RISK
    4. ADDITIONAL BOOKS
    5. FURTHER READING
  11. PART 1: THE LANDSCAPE
    1. CHAPTER 2: Digital Threats
      1. THE UNCHANGING NATURE OF ATTACKS
      2. THE CHANGING NATURE OF ATTACKS
      3. PROACTION VS. REACTION
    2. CHAPTER 3: Attacks
      1. CRIMINAL ATTACKS
      2. PRIVACY VIOLATIONS
      3. PUBLICITY ATTACKS
      4. LEGAL ATTACKS
    3. CHAPTER 4: Adversaries
      1. HACKERS
      2. LONE CRIMINALS
      3. MALICIOUS INSIDERS
      4. INDUSTRIAL ESPIONAGE
      5. PRESS
      6. ORGANIZED CRIME
      7. POLICE
      8. TERRORISTS
      9. NATIONAL INTELLIGENCE ORGANIZATIONS
      10. INFOWARRIORS
    4. CHAPTER 5: Security Needs
      1. PRIVACY
      2. MULTILEVEL SECURITY
      3. ANONYMITY
      4. PRIVACY AND THE GOVERNMENT
      5. AUTHENTICATION
      6. INTEGRITY
      7. AUDIT
      8. ELECTRONIC CURRENCY
      9. PROACTIVE SOLUTIONS
  12. PART 2: TECHNOLOGIES
    1. CHAPTER 6: Cryptography
      1. SYMMETRIC ENCRYPTION
      2. TYPES OF CRYPTOGRAPHIC ATTACKS
      3. RECOGNIZING PLAINTEXT
      4. MESSAGE AUTHENTICATION CODES
      5. ONE-WAY HASH FUNCTIONS
      6. PUBLIC-KEY ENCRYPTION
      7. DIGITAL SIGNATURE SCHEMES
      8. RANDOM NUMBER GENERATORS
      9. KEY LENGTH
    2. CHAPTER 7: Cryptography in Context
      1. KEY LENGTH AND SECURITY
      2. ONE-TIME PADS
      3. PROTOCOLS
      4. INTERNET CRYPTOGRAPHIC PROTOCOLS
      5. TYPES OF PROTOCOL ATTACKS
      6. CHOOSING AN ALGORITHM OR PROTOCOL
    3. CHAPTER 8: Computer Security
      1. DEFINITIONS
      2. ACCESS CONTROL
      3. SECURITY MODELS
      4. SECURITY KERNELS AND TRUSTED COMPUTING BASES
      5. COVERT CHANNELS
      6. EVALUATION CRITERIA
      7. FUTURE OF SECURE COMPUTERS
    4. CHAPTER 9: Identification and Authentication
      1. PASSWORDS
      2. BIOMETRICS
      3. ACCESS TOKENS
      4. AUTHENTICATION PROTOCOLS
      5. SINGLE SIGN-ON
    5. CHAPTER 10: Networked-Computer Security
      1. MALICIOUS SOFTWARE
      2. MODULAR CODE
      3. MOBILE CODE
      4. WEB SECURITY
    6. CHAPTER 11: Network Security
      1. HOW NETWORKS WORK
      2. IP SECURITY
      3. DNS SECURITY
      4. DENIAL-OF-SERVICE ATTACKS
      5. DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
      6. THE FUTURE OF NETWORK SECURITY
    7. CHAPTER 12: Network Defenses
      1. FIREWALLS
      2. DEMILITARIZED ZONES
      3. VIRTUAL PRIVATE NETWORKS
      4. INTRUSION DETECTION SYSTEMS
      5. HONEY POTS AND BURGLAR ALARMS
      6. VULNERABILITY SCANNERS
      7. E-MAIL SECURITY
      8. ENCRYPTION AND NETWORK DEFENSES
    8. CHAPTER 13: Software Reliability
      1. FAULTY CODE
      2. ATTACKS ON FAULTY CODE
      3. BUFFER OVERFLOWS
      4. THE UBIQUITY OF FAULTY CODE
    9. CHAPTER 14: Secure Hardware
      1. TAMPER RESISTANCE
      2. SIDE-CHANNEL ATTACKS
      3. ATTACKS AGAINST SMART CARDS
    10. CHAPTER 15: Certificates and Credentials
      1. TRUSTED THIRD PARTIES
      2. CREDENTIALS
      3. CERTIFICATES
      4. PROBLEMS WITH TRADITIONAL PKIS
      5. PKIS ON THE INTERNET
    11. CHAPTER 16: Security Tricks
      1. GOVERNMENT ACCESS TO KEYS
      2. DATABASE SECURITY
      3. STEGANOGRAPHY
      4. SUBLIMINAL CHANNELS
      5. DIGITAL WATERMARKING
      6. COPY PROTECTION
      7. ERASING DIGITAL INFORMATION
    12. CHAPTER 17: The Human Factor
      1. RISK
      2. EXCEPTION HANDLING
      3. HUMAN–COMPUTER INTERFACE
      4. HUMAN–COMPUTER TRANSFERENCE
      5. MALICIOUS INSIDERS
      6. SOCIAL ENGINEERING
  13. PART 3: STRATEGIES
    1. CHAPTER 18: Vulnerabilities and the Vulnerability Landscape
      1. ATTACK METHODOLOGY
      2. COUNTERMEASURES
      3. THE VULNERABILITY LANDSCAPE
      4. RATIONALLY APPLYING COUNTERMEASURES
    2. CHAPTER 19: Threat Modeling and Risk Assessment
      1. FAIR ELECTIONS
      2. SECURE TELEPHONES
      3. SECURE E-MAIL
      4. STORED-VALUE SMART CARDS
      5. RISK ASSESSMENT
      6. THE POINT OF THREAT MODELING
      7. GETTING THE THREAT WRONG
    3. CHAPTER 20: Security Policies and Countermeasures
      1. SECURITY POLICIES
      2. TRUSTED CLIENT SOFTWARE
      3. AUTOMATIC TELLER MACHINES
      4. COMPUTERIZED LOTTERY TERMINALS
      5. SMART CARDS VS. MEMORY CARDS
      6. RATIONAL COUNTERMEASURES
    4. CHAPTER 21: Attack Trees
      1. BASIC ATTACK TREES
      2. PGP ATTACK TREE
      3. CREATING AND USING ATTACK TREES
    5. CHAPTER 22: Product Testing and Verification
      1. THE FAILURE OF TESTING
      2. DISCOVERING SECURITY FLAWS AFTER THE FACT
      3. OPEN STANDARDS AND OPEN SOURCE SOLUTIONS
      4. REVERSE ENGINEERING AND THE LAW
      5. CRACKING AND HACKING CONTESTS
      6. EVALUATING AND CHOOSING SECURITY PRODUCTS
    6. CHAPTER 23: The Future of Products
      1. SOFTWARE COMPLEXITY AND SECURITY
      2. TECHNOLOGIES TO WATCH
      3. WILL WE EVER LEARN?
    7. CHAPTER 24: Security Processes
      1. PRINCIPLES
      2. DETECTION AND RESPONSE
      3. COUNTERATTACK
      4. MANAGE RISK
      5. OUTSOURCING SECURITY PROCESSES
    8. CHAPTER 25: Conclusion
  14. Afterword
  15. Resources
  16. Acknowledgments
  17. Index