From: Business Week THE SECRETS & LIES OF CYBER-SECURITY

In a readable new book, an expert tells managers how to keep the hackers at bay--almost

09/18/2000

A computer virus shuts down your corporate e-mail for a day. Hackers deface your Web site with pornography. The need to share data with customers and vendors exposes critical corporate information to online theft. With your business ever more dependent on safe use of the Internet, security savvy has become as important as understanding marketing or finance.

Such savvy, however, has been hard for nontechie executives to acquire. Books and articles on security generally came in two equally useless varieties: incomprehensible or sensationalized. Remember all those books on how the Y2K bug would end civilization as we knew it?

Now, Bruce Schneier, a highly respected security expert, has stepped into the breach with Secrets & Lies: Digital Security in a Networked World (John Wiley & Sons, $29.99). The book is of value to anyone whose business depends on safe use of e-mail, the Web, or other networked communications. If that's not yet everybody, it soon will be.

Schneier brings strong credentials to the job. His book Applied Cryptography is a classic in the field, and he is one of the creators of the Twofish algorithm, a finalist in the U.S. government's competition for the Advanced Encryption Standard. Schneier serves as chief technology officer of Counterpane Internet Security (www.counterpane.com), which manages computer security for corporations.

Although this is a book for the general reader, it's not always easy going. But Secrets & Lies requires no prior knowledge of computer or security technology and should be accessible to anyone who is willing to put in a little effort. For example, Schneier explains encryption, essentially a mathematical process, without resorting to a single equation.

While Schneier is not an elegant writer, he has a nice ability to use analogies to make the obscure understandable.

The book has two main thrusts. First is Schneier's mantra: ``Security is a process, not a product.'' Anyone who promises you a hacker-proof system or offers to provide ``unbreakable'' encryption is selling you snake oil. There is simply no way to wave a magic wand over a system to make it--and keep it--secure. Second, Schneier says, getting security right is hard, and small mistakes can be deadly.

RISK MANAGEMENT.

Schneier backs his opinions with real-world examples. For instance, Hollywood was terrified of piracy and worked hard on a scheme to encrypt digital videodisks so that only authorized players could read the disks. The encryption would have been hard to break, but hackers didn't have to do it. A design flaw made it easy to steal the decryption keys from the software players supplied with PCs. Similarly, most e-commerce sites use a technology called SSL to protect transaction data from online snoopers. SSL works fine, but some e-tailers left customers' credit-card information in files where hackers could swipe it.

The last third of the book is most valuable to managers. In it, Schneier discusses the process by which people should assess security vulnerabilities and decide what to do about them. His central point: Computer security is basically risk management. Banks and credit-card companies can tolerate a considerable amount of credit risk and fraud because they know how to anticipate losses and price their services accordingly. That's good, since zero tolerance would put them out of business. Similarly, seeking perfect security would make a system useless because anything worth doing carries some risk.

Unfortunately, the art of computer security has not progressed to the point where Underwriters Labs can certify that a firewall can protect you against attack for two hours, as can be done for safes and fire doors. But with the crude tools that are available, managers have to decide what they are trying to protect and how much they are willing to spend, both in cost and convenience, to defend it. This is a business issue, not a technical one, and executives can no longer leave such decisions to techies.

That's why Secrets & Lies belongs in every manager's library.

-- FM (scipublic@aol.com), September 15, 2000