Careers: Interviews
World's Foremost Security Technologist Speaks...
This week, Stephen Ibaraki, I.S.P., has an
exclusive interview with Bruce Schneier, unquestionably the world's
foremost security technologist and Founder and Chief Technical
Officer of Counterpane Internet Security, Inc. (http://www.counterpane.com).
Amongst his many accomplishments, on June 12, 2003, an independent
panel of judges awarded Bruce the Secure Computing Lifetime
Achievement Award. Previous winners have included Rivest, Shamir,
and Adleman, the three founders of RSA.
Due to his world-renowned expertise, Bruce, on June 25, 2003,
testified at a hearing of the Homeland Security Subcommittee.
Bruce's free monthly e-mail newsletter, Crypto-Gram, is the most
widely read security newsletter, with more than 90,000 readers. It
can be found at
http://www.counterpane.com/crypto-gram.html.
Bruce’s first book, Applied Cryptography, is the seminal work
in its field, has sold more than 200,000 copies, and has been
translated into five languages. Amongst his eight books, Secrets
& Lies: Digital Security in a Networked World is a best seller
with more than 80,000 copies sold. His latest book, published in
September 2003, is Beyond Fear: Thinking Sensibly About Security
in an Uncertain World. It tackles both the big and small
problems of security: home security, counterfeiting, terrorism, etc.
Discussion:
Bruce, I have long heard of your work as an internationally-renowned
security expert. So, we are very privileged to have you with us
doing this interview. Thank you!
Q: Your work with encryption algorithms is well known. Can you tell
us more about your work in this area and where you see your work
heading in the future in this area?
A: These days most of my work is more in how systems of security
work, most notably systems that involve people. But I still do
mathematical cryptography once in a while. My most recent algorithm
is called Helix, and is an attempt to design a single algorithm that
does both encryption and authentication. I guess this involves
people, too, because I am trying to use mathematics to solve a
common problem in security programming.
Q: What have you discovered in your work on how systems of security
work?
A: It’s far less important to understand how a security system works
than to understand how it fails. Security failures are important
both because attackers use those failures to attack systems, and
because failures prevent legitimate users from using the same
systems. Much of my latest book is devoted to discussing system
failures.
Q: What is Counterpane?
A: Counterpane Internet Security, Inc. does Managed Security
Monitoring. The basic idea is that on your network are all sorts of
devices: security and non security. All of these devices produce
audit logs, millions of lines of audit logs a day. These logs need
to be looked at, because hidden amongst those millions of lines are
footprints of attackers. (If you’ve ever had a forensics team come
into your company after an attack, you know this is true. What the
team does is go through the audit logs and figure out how the
attackers broke in, where they went, what they accessed, etc.) By
examining the logs, you can figure out what an attacker did. The
idea behind Counterpane is that if you can read the logs in real
time, you can figure out what the attacker is doing. That’s what we
do. We collect a network’s logs: firewall logs, IDS logs, etc. We
analyze them in real time. And we catch network intruders before
they can do damage.
Q: What are your future plans for Counterpane?
A: Counterpane is continuing to evolve; currently we’re developing
several new services that tie into our core monitoring service.
We’ve developed a vulnerability scanning service, which not only
benefits the customer; it also gives us additional information about
the customer’s network allowing us to monitor them better. We’ve
developed a device management service, which also works in concert
with monitoring. And we’ve developed something called Active
Response, where Counterpane takes defensive actions on behalf of the
customer in the event of a security incident. We plan on rolling all
of these services out in the coming months.
Q: Where do you see the area of security heading in two years, and
five years?
A: On bad days, I see security heading down the path of ineffective
and counterproductive measures that make people feel better without
actually increasing their security. Things like photo-ID requirements
on airplanes don't make us more secure against terrorism, while at
the same time they make us more vulnerable to invasions of privacy.
On good days, I see a more systemic approach to security. I see
systems that are designed properly, based on actual threats and
taking into account actual trade-offs. Positive bag matching on
airplanes is a good example of this.
Q: What are the biggest traps, pitfalls, or common mistakes with
regard to security?
A: The most common mistake is misunderstanding the security system:
how it works, how it fails, and what level of security it provides.
Many people actually believe that photo-ID checks on airplanes help
combat terrorism, despite the ease of obtaining a photo ID, despite
the fact that the false alarms have greatly inconvenienced many, and
despite the fact that all the 9/11 terrorists had photo IDs. On the
IT side, many people believe that because they have a firewall
they’re safe. As long as people don’t understand the details of
security systems, they’re going to be unable to make sensible
security trade-offs.
Q: What are the most common methods of attack and what are the best
security measures or countermeasures against these attacks? Can you
provide a basic outline for a systematic approach to security?
A: Throughout history, the most common method of attack is to go
after the people. Even in this age of computers and networks,
attacks that target the users are likely to be the most effective.
And sadly, there are often no countermeasures except education and
understanding, something very difficult as systems get more
technological.
Q: Based upon your years of experience working at the highest
levels, what advice would you give to IT professionals on security
issues?
A: Don’t panic.
Q: What top tips can you provide to others that helped you in your
path to success?
A: Be true to the truth. It’s easy to be sidetracked by rhetoric,
but in the end the truth wins out.
Q: Businesses are seeing many technologies in their strategic paths.
What advice, regarding security, would you give to businesses as
they plan their own evolution in the future? Do you have specific
technologies and processes they should watch out for and implement?
A: Security is a trade-off. You can have as much security as you
want, as long as you’re willing to make the trade-offs necessary to
get it. This means that too much security is just as bad as too
little. If, for example, you have no security, you lose too much
money to attackers. If you have perfect security, it costs too much
money. In the middle there’s a sweet spot: adequate security for a
reasonable cost. And the security manager can’t find this sweet spot
because he doesn’t see the big picture. He might advise you to strip
search all customers coming into your store because it will improve
security, but he’s not going to see that if you do that you won’t
have any more customers. Most security decisions have nothing to do
with security; they’re business decisions. I spend a lot of pages of
my latest book on this, because it’s really important.
Q: Why did you get into writing books? Can you discuss the main
themes with each one including any tips you can provide? What books
are you planning for the future?
A: I write books because I feel that I have something to say, and I
believe that I can say it in a way that can be understood. I’ve
written about eight books, but only three of them are ones I
consider to be major works. These three books mirror my career,
starting with something very specific at the core of security and
slowly moving outwards. Applied Cryptography is a book about
cryptography: mathematical data security. Secrets and Lies is more
general; it’s a book about computer and network security. Beyond
Fear is more general still; it’s a book about the totality of
security.
Right now I have no book plans for the future. I don’t know how I
can generalize from here. But if I know myself, I’ll have an idea in
a couple of years.
Thank you, Bruce, for sharing with us your vast experience, wisdom
and knowledge. It has been a real pleasure discussing security with
you.