World's Foremost Security Technologist Speaks...

This week, Stephen Ibaraki, I.S.P., has an exclusive interview with Bruce Schneier, unquestionably the world’s foremost security technologist and Founder and Chief Technical Officer for Counterpane Internet Security, Inc., (http://www.counterpane.com).

Amongst his many accomplishments, on June 12, 2003, an independent panel of judges awarded Bruce the Secure Computing Lifetime Achievement Award. Previous winners have included Rivest, Shamir, and Adleman, the three founders of RSA.

Due to his world-renowned expertise, Bruce testified on June 25, 2003, at a hearing of the Homeland Security Subcommittee.

Bruce’s free monthly e-mail newsletter, Crypto-Gram, is the most widely read security newsletter, with more than 90,000 readers. It can be found at http://www.counterpane.com/crypto-gram.html.

Bruce’s first book, Applied Cryptography, is the seminal work in its field, has sold more than 200,000 copies, and has been translated into five languages. Amongst his eight books, Secrets & Lies: Digital Security in a Networked World is a best seller with more than 80,000 copies sold. His latest book, published in September 2003, is Beyond Fear: Thinking Sensibly About Security in an Uncertain World. It tackles both the big and small problems of security: home security, counterfeiting, terrorism, etc.

Discussion:
Bruce, I have long heard of your work as an internationally-renowned security expert. So, we are very privileged to have you with us doing this interview. Thank you!

Q: Your work with encryption algorithms is well known. Can you tell us more about your work in this area and where you see your work heading in the future in this area?

A: These days most of my work is more in how systems of security work, most notably systems that involve people. But I still do mathematical cryptography once in a while. My most recent algorithm is called Helix, and is an attempt to design a single algorithm that does both encryption and authentication. I guess this involves people, too, because I am trying to use mathematics to solve a common problem in security programming.

Q: What have you discovered in your work on how systems of security work?

A: It’s far less important to understand how a security system works than to understand how it fails. Security failures are important both because attackers use those failures to attack systems, and because failures prevent legitimate users from using the same systems. Much of my latest book is devoted to discussing system failures.

Q: What is Counterpane?

A: Counterpane Internet Security, Inc. does Managed Security Monitoring. The basic idea is that on your network are all sorts of devices: security and non-security. All of these devices produce audit logs, millions of lines of audit logs a day. These logs need to be looked at, because hidden amongst those millions of lines are footprints of attackers. (If you’ve ever had a forensics team come into your company after an attack, you know this is true. What the team does is go through the audit logs and figure out how the attackers broke in, where they went, what they accessed, etc.) By examining the logs, you can figure out what an attacker did. The idea behind Counterpane is that if you can read the logs in real time, you can figure out what the attacker is doing. That’s what we do. We collect a network’s logs: firewall logs, IDS logs, etc. We analyze them in real time. And we catch network intruders before they can do damage.
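The answer above describes reading firewall and IDS logs together to spot an intruder's footprints. The following is an added illustration, not code from the interview or from Counterpane: it correlates constructed sample lines in a simplified, made-up log syntax, flagging any source that triggers an IDS alert and is then granted a connection through the firewall within a time window. A permitted connection that happened before the alert is deliberately not counted.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified syslog-like format (not real vendor output).
# Field order: epoch seconds, device, action, then key=value pairs.
FIREWALL_LOGS = [
    "1000 fw ACCEPT src=10.0.0.5 dst=192.168.1.20 dport=443",
    "1030 fw DROP src=203.0.113.9 dst=192.168.1.20 dport=22",
    "1100 fw ACCEPT src=203.0.113.9 dst=192.168.1.25 dport=22",
    "1400 fw ACCEPT src=198.51.100.4 dst=192.168.1.30 dport=80",
]
IDS_LOGS = [
    "1020 ids ALERT sig=SSH_BRUTE_FORCE src=203.0.113.9 dst=192.168.1.20",
    "1500 ids ALERT sig=WEB_SCAN src=198.51.100.4 dst=192.168.1.30",
]

FW_RE = re.compile(r"^(\d+) fw (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\d+) ids ALERT sig=(\S+) src=(\S+) dst=(\S+)$")


def parse_fw(line):
    """Parse one firewall line; return None for lines that do not match."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": int(m[1]), "action": m[2], "src": m[3], "dst": m[4], "dport": int(m[5])}


def parse_ids(line):
    """Parse one IDS alert line; return None for lines that do not match."""
    m = IDS_RE.match(line)
    if not m:
        return None
    return {"ts": int(m[1]), "sig": m[2], "src": m[3], "dst": m[4]}


def correlate(fw_lines, ids_lines, window=300):
    """Return (src, signature, dst, dport) for every firewall ACCEPT that follows
    an IDS alert from the same source within `window` seconds. ACCEPTs that
    precede the alert, and DROPs, are ignored."""
    accepts = defaultdict(list)  # source IP -> list of ACCEPT records
    for rec in filter(None, map(parse_fw, fw_lines)):
        if rec["action"] == "ACCEPT":
            accepts[rec["src"]].append(rec)
    incidents = []
    for alert in filter(None, map(parse_ids, ids_lines)):
        for rec in accepts[alert["src"]]:
            if 0 <= rec["ts"] - alert["ts"] <= window:
                incidents.append((alert["src"], alert["sig"], rec["dst"], rec["dport"]))
    return incidents
```

With the sample data, only 203.0.113.9 is reported: it was alerted on at 1020 and then accepted to a second host 80 seconds later, whereas 198.51.100.4's accepted connection predates its alert.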

Q: What are your future plans for Counterpane?

A: Counterpane is continuing to evolve; currently we’re developing several new services that tie into our core monitoring service. We’ve developed a vulnerability scanning service, which not only benefits the customer; it also gives us additional information about the customer’s network allowing us to monitor them better. We’ve developed a device management service, which also works in concert with monitoring. And we’ve developed something called Active Response, where Counterpane takes defensive actions on behalf of the customer in the event of a security incident. We plan on rolling all of these services out in the coming months.

Q: Where do you see the area of security heading in two years, and five years?

A: On bad days, I see security heading down the path of ineffective and counterproductive measures that make people feel better without actually increasing their security. Things like photo-ID requirements on airplanes don’t make us more secure against terrorism, while at the same time they make us more vulnerable to invasions of privacy. On good days, I see a more systemic approach to security. I see systems that are designed properly, based on actual threats and taking into account actual trade-offs. Positive bag matching on airplanes is a good example of this.

Q: What are the biggest traps, pitfalls, or common mistakes with regard to security?

A: The most common mistake is misunderstanding the security system: how it works, how it fails, and what level of security it provides. Many people actually believe that photo-ID checks on airplanes help combat terrorism, despite the ease of obtaining a photo ID, despite the fact that the false alarms have greatly inconvenienced many, and despite the fact that all the 9/11 terrorists had photo IDs. On the IT side, many people believe that because they have a firewall they’re safe. As long as people don’t understand the details of security systems, they’re going to be unable to make sensible security trade-offs.

Q: What are the most common methods of attack and what are the best security measures or countermeasures against these attacks? Can you provide a basic outline for a systematic approach to security?

A: Throughout history, the most common method of attack is to go after the people. Even in this age of computers and networks, attacks that target the users are likely to be the most effective. And sadly, there are often no countermeasures except education and understanding, something very difficult as systems get more technological.

Q: Based upon your years of experience working at the highest levels, what advice would you give to IT professionals on security issues?

A: Don’t panic.

Q: What top tips can you provide to others that helped you in your path to success?

A: Be true to the truth. It’s easy to be sidetracked by rhetoric, but in the end the truth wins out.

Q: Businesses are seeing many technologies in their strategic paths. What advice, regarding security, would you give to businesses as they plan their own evolution in the future? Do you have specific technologies and processes they should watch out for and implement?

A: Security is a trade-off. You can have as much security as you want, as long as you’re willing to make the trade-offs necessary to get it. This means that too much security is just as bad as too little. If, for example, you have no security, you lose too much money to attackers. If you have perfect security, it costs too much money. In the middle there’s a sweet spot: adequate security for a reasonable cost. And the security manager can’t find this sweet spot because he doesn’t see the big picture. He might advise you to strip search all customers coming into your store because it will improve security, but he’s not going to see that if you do that you won’t have any more customers. Most security decisions have nothing to do with security; they’re business decisions. I spend a lot of pages of my latest book on this, because it’s really important.

Q: Why did you get into writing books? Can you discuss the main themes with each one including any tips you can provide? What books are you planning for the future?

A: I write books because I feel that I have something to say, and I believe that I can say it in a way that can be understood. I’ve written about eight books, but only three of them are ones I consider to be major works. These three books mirror my career, starting with something very specific at the core of security and slowly moving outwards. Applied Cryptography is a book about cryptography: mathematical data security. Secrets and Lies is more general; it’s a book about computer and network security. Beyond Fear is more general still; it’s a book about the totality of security.

Right now I have no book plans for the future. I don’t know how I can generalize from here. But if I know myself, I’ll have an idea in a couple of years.

Thank you, Bruce, for sharing with us your vast experience, wisdom and knowledge. It has been a real pleasure discussing security with you.


Copyright Network Professional Association® 1994-2017. All Rights Reserved.