What should you do when a cryptographic crisis scuppers your careful plans to protect your organisation and your customers' data?
"The first step is simple: don't panic [Adams, 1980]", writes Columbia professor Steven M. Bellovin, in Thinking Security: Stopping Next Year's Hackers. The drily academic reference to Douglas Adams flags up the readability of this thoughtful discussion of how -- and, more importantly, why -- to think about security. Adams is not the only science fiction author to make an appearance: you'll find the text sprinkled with quotes from Charles Stross, E. E. "Doc" Smith, Lois McMaster Bujold, and many others.
'Why' is crucial, because good security is not a question of going down a list and implementing things until you run out of budget. Instead, good security requires a thoughtful assessment of your particular situation. What do you need to protect? From whom? How big are the risks? What are your constraints? There's little point in trying to protect yourself from "serious adversaries, the kind of people who can create Stuxnet or infiltrate defense contractors" (whom Bellovin labels "the crack Andromedan hacker unit MI31"), when the gaping hole opening your network to attack is an external connection to a small supplier that was made on-the-fly in a business meeting and that doesn't appear on the official network diagram.
Thinking Security is presented in four main sections. In the first, Bellovin considers topics such as adapting to change, identifying your goals, threats, and adversaries, and thinking through threat models. Part two focuses on the tools and techniques you're likely to want to use to secure your organisation -- including everything from antivirus software, firewalls, passwords and cryptography to clouds and virtualisation. It's worth noting that the section on passwords includes a factor often left out of password rules: the need for humans to manage and remember up to 100 of them. Part three discusses wider issues for organisations, including putting the tools together to build secure systems, patching and, most importantly, people -- who, as Bellovin points out, need security not to get in the way of their ability to do the jobs they are paid for and are evaluated on. Finally, a section about the future considers case studies and coming threats.
A perennial frustration among security professionals is getting people to listen to their advice. Bellovin provides some helpful suggestions about this, too, which revolve around providing specifics in business language: the consequence of a failure is not, for example, a cross-site scripting attack but the liability for compromised customer logins.
"Insecurity is like entropy: it can't be destroyed, but it can be moved around," Bellovin writes at one point. It's a concise rendering of the common rationale that if you can slow down the thieves sufficiently they'll move on to the next house. That's not true if someone is targeting you specifically, such as Andromeda's feared MI31 squad (Bellovin's aforementioned stand-in for the surveilling nation-state of your choice). Throughout the book, Bellovin is careful to consider that possibility, but in this rational examination of security management, he reminds us frequently that the Andromedans are not usually the relevant threat model: most of the attackers you're trying to fend off don't care whose money they steal.