Cybersecurity Canon Review: Security Engineering
Book written by Ross Anderson
Book review by Ron Woerner
Bottom Line: I recommend this book for the Cybersecurity Canon Hall of Fame.
If you could have only one cybersecurity book, it should be Ross Anderson’s Security Engineering: A Guide to Building Dependable Distributed Systems, second edition.
This book is the encyclopedia of everything about security. While the subtitle suggests it’s only about distributed systems, it covers every topic associated with systems security, both technical and non-technical. It provides in-depth explanations of cryptography, multilevel security, biometrics, telecom system security and API attacks. It is more than a textbook or manual in that it includes other topics such as “Usability and Psychology,” “Economics,” “Physical Security,” “Electronic Warfare,” “Terror, Justice, and Freedom,” and “The Bleeding Edge.”
This review is of the second edition, which Dr. Anderson updated in 2008 due to the many changes that had occurred since the first edition. Don’t let the date of the book fool you into thinking it’s out of date. While technologies and terms may have changed, the concepts have not. For example, in the Preface (p. xxix) Dr. Anderson states, “How good is all this new security technology? Unfortunately, the honest answer is ‘nowhere near as good as it should be.’ New systems are often rapidly broken, and the same elementary mistakes are repeated in one application after another.” This is still true over ten years later.
Dr. Anderson is the perfect person to have written this book. He has had computer engineering experience since the 1970s and has worked in industry and academia for over 30 years, and this book shows that mix. His industry experience includes aviation, banking, and technology development. Today, Dr. Anderson is a Professor of Security Engineering at the University of Cambridge and still writes on his website and blog, both of which are also recommended reading. The writing style is conversational and easy to understand. He draws on experience and uses case studies as examples.
Security Engineering accomplishes multiple goals. It was written to help working engineers better secure systems. Its purpose, which it achieves, is to give a solid introduction to security engineering at four levels:
- As a textbook read cover-to-cover as an introduction to security.
- As a reference book that provides an overview of the security workings of specific systems including ATMs, industrial systems, communications and medical records databases.
- As an introduction to underlying security technologies, such as cryptography, access controls, tamper resistance (both physical and cyber), biometrics, emission control, etc. This is a basic roadmap for each subject, plus a reading list.
- As an original, scientific contribution providing common principles that underlie security engineering and the lessons that people building systems should learn.
As he says in the foreword, his audience is Dilbert: the working programmer, systems administrator, business analyst or engineer “who is trying to design real systems that will keep on working despite the best efforts of customers, managers, and everybody else.” It is useful to the established professional security manager or consultant as a first-line reference; to the computer science professor doing research in or teaching cryptology; to the working police detective trying to figure out the latest phishing scams; and to policy wonks struggling with the conflicts involved in regulating security, privacy, systems and anonymity.
Dr. Anderson divided Security Engineering into three parts:
- A review of basic concepts of computing systems, such as usability and psychology, protocols, access controls, cryptography, updates, and economics. Yes, economics and psychology! Security is fundamentally both a financial and human problem solved through people, process and technology.
- Details of specific computing applications, which are used to introduce more advanced technologies and concepts. Topic areas include military communications, medical record systems, financial machines, mobile phones, and pay-TV. It also considers information security from the viewpoint of a number of different interest groups, such as companies, consumers, criminals, police, and spies.
- A review of organizational and policy issues: How computer security interacts with law, evidence and corporate politics; how we can gain confidence that a system will perform as intended and how the whole business of security engineering can best be managed.
It’s impossible to do justice to all of the content and context contained within the nearly 1,000-page Security Engineering. Below are some highlights:
- Chapter 1 describes the fundamentals of security: How security is much more than technology and requires cross-disciplinary expertise in areas like computer science, mathematics, physical and logical protection as well as knowledge of economics, applied psychology, organizations and the law. Security professionals need to figure out what needs protecting, and how to do it. They also need to ensure that the people who will guard the system and maintain it are properly motivated. This chapter provides a high-level framework required in every security program. It leverages four case studies as examples of this framework, which will resonate with any reader.
- Security Engineering goes into detail on cryptography, algorithms and managing encryption keys. Chapter 5 provides significant background on encryption modes of operation, symmetric and asymmetric cryptography, and hashing algorithms. These are the tools that underlie most modern security protocols. Any security professional studying for a certification exam should read this chapter for an in-depth, yet highly readable explanation of these potentially challenging topics.
- Ross Anderson prognosticated much of the future of security. For example, in section 2.4.8, “The Future of Phishing,” he explains how phishing will morph into spear phishing and whaling. “Research has shown that the bad guys can greatly improve their yields if they match the context of their phish to the targets; so phish will get smarter and harder to tell from real emails, just as spam has.” (p. 50) He wasn’t entirely correct with this prediction: “I would not be surprised to see exclusive private banks issuing their customers with dedicated payment devices.” Still, he wasn’t so far off, with some providing multi-factor authentication devices.
- Not only does Security Engineering go into the aspects of security associated with all industries and systems such as crypto, access control and authentication, and network attacks and defenses, but also into the verticals with chapters on Banking and Bookkeeping, Electronic Warfare, and Telecommunications. These areas affect us all, no matter where you work.
- Dr. Anderson takes information from the experts at the time of writing. The bibliography itself is massive: 1379 references over 100 pages. If there’s anything you need to learn about computing, it’s in here. In today’s Internet age, it’s not so much what you know as whether you know where to find it. Security Engineering’s prose and bibliography provide the reference needed on every security professional’s bookshelf.
No book is perfect. The challenge with this one is that some of the information is dated and has been overcome by new technology. For example, Windows Vista and Passport are no longer used. Cloud computing, virtualization, mobile, and IoT were in their infancy when the second edition was written. Dr. Anderson addresses the concepts underlying these ideas but was unable to provide the details needed to securely engineer today’s environments. Don’t let this dissuade you from reading Security Engineering. The concepts haven’t changed and apply to all new technologies.