Title : Security Engineering : A Guide to Building Dependable Distributed Systems
Author : Ross Anderson
Pages : 541
Publisher : Wiley & Sons
ISBN : 0-471-38922-6
Reviewed by : Ken Dyke

The FBI found the signal for the events that led up to 9/11, once they knew what to look for. It had been there in their files and reports all along. Remember this, because it is one of the most basic problems in security: the crux of the problem is separating signal from noise.

In the aftermath of 9/11 the cry went out to increase the FBI's information input. Legislation was passed. Policies were put in place that now give the FBI unprecedented (in the United States) powers of surveillance. But the effect is to exacerbate their difficulty in detecting the signal.

Increasing the input without addressing the signal detection problem properly amounts to a denial of service attack. As FBI memos that have since come to light indicate, some agents 'sensed' an alarm situation. Yet in the FBI's normal day-to-day operations these memos were lost in the normal traffic, i.e. the noise. In other words, the sensitivity of the system was set too high for its ability to process the data flow: it raised more alarms than its people could follow up, so real ones were dropped along with the rest.
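The arithmetic behind that claim, as an added illustration that is not part of the review or of Anderson's book: a detector with fixed hit and false-alarm rates is fed a growing stream of reports while the number of real cases and the analyst team stay the same. Every figure below (reports per day, real cases, detector rates, analyst capacity) is a constructed assumption chosen to be plausible, not data about the FBI or any other agency.

```python
"""Why more input at fixed detector sensitivity behaves like a denial of service.

Added illustration, not code from the review or from Anderson's book. All
numbers below are constructed assumptions, not data about any real agency.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TriageLoad:
    """One day's alert queue for a detector with fixed hit and false-alarm rates."""
    reports_per_day: int     # raw reports (tips, memos, intercepts) flowing in
    real_cases: int          # reports that actually describe the threat
    true_alarms: float       # real cases the detector flags
    false_alarms: float      # noise the detector flags
    analyst_capacity: int    # alarms the analysts can actually work per day

    @property
    def alarms(self) -> float:
        return self.true_alarms + self.false_alarms

    @property
    def precision(self) -> float:
        """Fraction of flagged items that are real; this is what an analyst sees."""
        return self.true_alarms / self.alarms if self.alarms else 0.0

    @property
    def fraction_reviewed(self) -> float:
        """Share of the queue that gets looked at; below 1.0 the rest is dropped."""
        if self.alarms == 0:
            return 1.0
        return min(1.0, self.analyst_capacity / self.alarms)

    @property
    def real_cases_reviewed(self) -> float:
        """Real cases that reach a human. Analysts cannot tell hits from noise
        before reviewing, so hits are dropped at the same rate as everything else."""
        return self.true_alarms * self.fraction_reviewed


def triage_load(reports_per_day: int, real_cases: int, tpr: float, fpr: float,
                analyst_capacity: int) -> TriageLoad:
    """Expected queue for a detector with true-positive rate tpr and false-positive rate fpr."""
    if not 0 <= real_cases <= reports_per_day:
        raise ValueError("real_cases must be between 0 and reports_per_day")
    return TriageLoad(
        reports_per_day=reports_per_day,
        real_cases=real_cases,
        true_alarms=real_cases * tpr,
        false_alarms=(reports_per_day - real_cases) * fpr,
        analyst_capacity=analyst_capacity,
    )


def fpr_for_capacity(reports_per_day: int, real_cases: int, tpr: float,
                     analyst_capacity: int) -> float:
    """Largest false-positive rate at which the daily queue still fits the analysts.

    This is the retuning the review says was never done: raising the volume
    without lowering fpr in proportion overflows the queue.
    """
    noise = reports_per_day - real_cases
    if noise <= 0:
        return 1.0
    room = analyst_capacity - real_cases * tpr
    return max(0.0, min(1.0, room / noise))


# Constructed scenario: 5 real cases a day hidden in 100,000 reports, a
# detector that catches 90% of them while flagging 0.1% of everything else,
# and a team that can work 200 alarms a day.
BASELINE = triage_load(100_000, 5, tpr=0.9, fpr=0.001, analyst_capacity=200)
# Ten times the input, same real cases, same detector, same team.
FLOODED = triage_load(1_000_000, 5, tpr=0.9, fpr=0.001, analyst_capacity=200)


if __name__ == "__main__":
    for name, load in (("baseline", BASELINE), ("flooded", FLOODED)):
        print(f"{name:9s} alarms/day={load.alarms:8.1f} precision={load.precision:.4f} "
              f"reviewed={load.fraction_reviewed:.2%} "
              f"real cases reaching a human={load.real_cases_reviewed:.2f}")
    print("fpr needed to keep the flooded queue within capacity: "
          f"{fpr_for_capacity(1_000_000, 5, 0.9, 200):.6f}")
```

Under these assumptions the baseline queue (about 104 alarms a day) fits the team and all 4.5 expected hits get seen. With ten times the input the detector still finds the same 4.5 hits, but they sit in a queue of about 1,004 alarms of which the team can work a fifth, so under one real case a day reaches a human. Keeping the queue within capacity at the higher volume requires cutting the false-positive rate to roughly 0.02%, which is the sensitivity adjustment the paragraph above says was never made.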

The stance taken by the British banks was that ATMs were totally secure. The effect was to put the blame for any disputed transaction on the customer. Digital signatures are, in some hands, an attempt to shift the burden onto the customer in the same way.

The Trusted Computing Platform Alliance (TCPA) proposes that a platform be developed that is "trusted". The owner of this platform is implicitly NOT trusted. In any legal proceeding where evidence is obtained from such a computer, the owner is guilty without question because the computer is "trusted". Just as the British ATMs were trusted, so it had to be the customer who was guilty.

RJA spends a good deal of time on security models, which are used for both design and analysis. An attack on a system is aimed at the cracks between the assumptions made in constructing the model, or, more often, at cracks in the implementation of the design.

A strategy of layering defense upon defense, without first asking what you are defending, is generally a very expensive tactic that is unlikely to work. In exercise after exercise, Anderson goes through the litany: what is being defended, from whom, what resources do they have, what is their goal. In one chapter he discusses seven hypothetical cases of "How to steal a painting". Each one details a different threat model.

In the late 80s and early 90s, manufacturers started making cars that were highly desirable to thieves difficult to hot-wire. So we saw a huge increase in a new form of auto theft, carjacking. That is, the thieves broke the security model by resorting to methods it had not anticipated.

In conclusion, this is an end-to-end overview of security system design from the engineer's perspective. It is a book that anyone responsible for security wishes everyone would read, especially pointy-haired bosses. The reason is simple: then we would not be forced to deal with the latest high-tech security snake oil, because the PHB would be able to poke holes in the marketing hype by himself. It would also put an end to the effectiveness of FUD about an 'electronic Pearl Harbor', 'cyber terrorist attack', and other such ploys to exert political power over a technical field.