An infosec reading list for the new year

David Strom 27 Dec 2022

Bruce Schneier’s work has withstood the test of time and is still relevant today.

If you’re looking for recommendations for infosec books to give to a colleague – or even to catch up on some holiday reading of your own – here’s a suggestion: Take a closer look at the oeuvre of Bruce Schneier, a cryptographer and privacy specialist who has been writing about the topic for more than 30 years and has his own blog that publishes interesting links to security-related events, strategies and failures that you should follow. 

Schneier coined the term “security theater” back in 2007, and in 2006 started the discussion around movie plot threats, the unrealistic security threats used in popular films. In 2015, Schneier received the Lifetime Achievement Award from the Electronic Privacy Information Center.

His forthcoming book is titled A Hacker’s Mind and will be coming out in February 2023. Schneier says that “we can understand the hacking mindset and rebuild our economic, political, and legal systems to counter those who would exploit our society. And we can harness artificial intelligence to improve existing systems, predict and defend against hacks, and realize a more equitable world.” But while we await that volume, it is worth taking a look back in time at some of his other original works (he has several volumes that have collected his blog posts and other essays too).

Let’s go back in time to Schneier’s Beyond Fear, which was published in 2003. It contains a surprisingly cogent and relevant series of suggestions for the current day. At the core of Schneier’s book is a five-point assessment tool that he uses to analyze and evaluate any security initiative.

  1. What assets are you trying to protect?
  2. What are the risks to those assets?
  3. How well will the proposed security solution mitigate these risks?
  4. What other problems will this solution create?
  5. What are the costs and trade-offs imposed?

He says that the answers to these five questions can help with everything from protecting banks against robbers to fighting international terrorism to the more expected IT security-related issues. There’s a lot of other great advice in this book too. For example, “Knowledge, experience and familiarity all matter. When a security event occurs, it is important that those who have to respond to the attack know what they have to do because they’ve done it again and again, not because they read it in a manual five years ago.” This highlights the importance of training, disaster drills and penetration planning exercises, and of making sure any security solution has elements of prevention, detection and response.

Schneier’s 2015 book, Data and Goliath (make sure you obtain the updated 2016 edition), shows us exactly what we can do to reform government surveillance programs, shake up surveillance-based business models, and protect our individual privacy. This book was an early warning about the misuse of private data by social media companies.

2012’s Liars and Outliers talks about how our society can't function without trust, and yet must function even when people are untrustworthy. He develops an understanding of trust, cooperation, and social stability. He points out that we don’t usually do background checks on our plumber or chemical analysis on our food, but when it comes to our computers and digital applications, we don’t have this inherent trust.

Click Here to Kill Everybody (2018) was Schneier’s book about the dangers of IoT and how “everything is becoming a computer,” which he said in a talk at Google about his research for the book. He came up with several lessons learned from this megatrend, including that most software is poorly written and insecure, and the internet was never designed with security in mind back in its earliest days. “Complex systems are hard to secure, hard to design and hard to test. Today’s top-secret NSA program becomes tomorrow’s PhD thesis and the next day becomes a common hacker tool.”

In Beyond Fear, Schneier says that “secrets are hard to keep and hard to generate, transfer and destroy safely.” He gives the example of a king who builds a secret escape tunnel from his castle: there will always be someone who knows about the tunnel’s existence. If you are a CEO and not a king, you can’t rely on killing everyone who knows the secret to solve your security problems. Think about how you protect your corporate secrets and what happens when the personnel involved in that protection leave your company.

It was good advice nearly 20 years ago, showing how Schneier’s work has withstood the test of time and is still relevant today.
