Library of Math

Security Engineering: A Guide to Building Dependable Distributed Systems

Author: Ross J. Anderson
Publisher: Wiley
Category: Book

List Price: $70.00
Buy New: $38.37
You Save: $31.63 (45%)



New (40) Used (9) from $38.36

Rating: 4.5 out of 5 stars 28 reviews
Sales Rank: 38212

Media: Hardcover
Edition: 2
Pages: 1080
Number Of Items: 1
Shipping Weight (lbs): 3.8
Dimensions (in): 9.4 x 7.7 x 2.6

ISBN: 0470068523
Dewey Decimal Number: 005.1
EAN: 9780470068526

Publication Date: April 14, 2008
Availability: Usually ships in 1-2 business days

Similar Items:

  • Secrets and Lies: Digital Security in a Networked World
  • The New School of Information Security
  • Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition
  • Beyond Fear: Thinking Sensibly About Security in an Uncertain World

Editorial Reviews:

Amazon.com Review
Gigantically comprehensive and carefully researched, Security Engineering makes it clear just how difficult it is to protect information systems from corruption, eavesdropping, unauthorized use, and general malice. Better, Ross Anderson offers a lot of thoughts on how information can be made more secure (though probably not absolutely secure, at least not forever) with the help of both technologies and management strategies. His work makes fascinating reading and will no doubt inspire considerable doubt--fear is probably a better choice of words--in anyone with information to gather, protect, or make decisions about.

Be aware: This is absolutely not a book solely about computers, with yet another explanation of Alice and Bob and how they exchange public keys in order to exchange messages in secret. Anderson explores, for example, the ingenious ways in which European truck drivers defeat their vehicles' speed-logging equipment. In another section, he shows how the end of the cold war brought on a decline in defenses against radio-frequency monitoring (radio frequencies can be used to determine, at a distance, what's going on in systems--bank teller machines, say), and how similar technology can be used to reverse-engineer the calculations that go on inside smart cards. In almost 600 pages of riveting detail, Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity, and always use common sense in defending valuables. A terrific read for security professionals and general readers alike. --David Wall

Topics covered: How some people go about protecting valuable things (particularly, but not exclusively, information) and how other people go about getting it anyway. Mostly, this takes the form of essays (about, for example, how the U.S. Air Force keeps its nukes out of the wrong hands) and stories (one of which tells of an art thief who defeated the latest technology by hiding in a closet). Sections deal with technologies, policies, psychology, and legal matters.

Product Description
The world has changed radically since the first edition of this book was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy and as they specialize, they get better. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice. Here's straight talk on critical topics such as technical engineering basics, types of attack, specialized protection mechanisms, security psychology, policy, and more.


Customer Reviews:

5 out of 5 stars Anyone responsible for info security should read this book   July 11, 2001
Ben Rothke (USA)
40 out of 43 found this review helpful

A large group of programmers were asked a hypothetical question: If Microsoft was to build an airplane, would you get on it? All of the programmers instantly said no, save for a sole programmer who said he would definitely board the plane. When asked why he was so confident about getting on the plane, he replied, "If Microsoft were to ever build an airplane, it would be extremely safe since the plane would never make it out of the gate."

When it comes to information security, its current state is similar to that of a Microsoft airplane--built, but often flashy, while not forcefully functional. The root of the problem is that most organizations view security as something added on in a piecemeal fashion, rather than an integral engineering issue.

Those in the construction business get this concept; they know that designs, plans, permits, coordination, commitment, buy-in, etc., are all requirements, not options. Similarly, before any information security product is rolled out, the appropriate project plans must exist. While the concept that design must come before implementation is a given in most other industries, many IT departments lack this understanding.

Thus is the quandary that Ross Anderson deals with in Security Engineering: A Guide to Building Dependable Distributed Systems. In a nutshell, Security Engineering is one of the best security books ever written. If you are looking for 50 pages of screen prints on how to install and configure a printer under Windows 2000, this is the wrong book for that. What Anderson does, in great detail and with lucidity, is particularize all of the aspects that are required to create a security infrastructure. He relentlessly reiterates that security must be engineered into information systems from the outset. When security is retrofitted into an application or system, it is never as effective.

Anderson defines security engineering as "building systems to remain dependable in the face of malice, error or mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves."

In its 24 chapters, the book covers every domain of computer security. As noted security guru Bruce Schneier writes in the book's foreword, "If you're even thinking of doing any security engineering, you need to read this book." Schneier's comment complements his own attitude that security is not a product, rather a process. Going with that mantra, Anderson demonstrates in exhaustive detail how information security must be implemented in every aspect of the information system's infrastructure in order for systems to be dependable and secure.

The often knee-jerk response to information security is to deal with it at the product level. With that, the security product of the year is purchased (Air Gap, IDS, PKI, etc.) and the company hopes and prays for security. Unfortunately, it does not work like that. Anderson writes that security products can't operate in a vacuum. They must operate in the framework of a comprehensive architecture supported by policies. That is precisely why there are huge amounts of books on security component technology, but very few on how to use them effectively. When it comes to making all of these security technologies interoperate, there are few good titles in print, and that is the value of this book....

In more than 600 pages of intense information, Anderson lays the groundwork on how to build a secure and dependable system. Every aspect of information security is discussed in the book -- from passwords, access control, and attacks, to physical security and policy. Additionally, relevant and timely topics such as information warfare, privacy protection, access control, and more are discussed. This is the only book that covers the end-to-end spectrum of security design and engineering.

Just as important as the technical issues covered in the book, the entire range of attacks that distributed systems can face (technical, procedural, and physical) is also covered. Understanding these threats is paramount in order to properly secure the system. Anderson notes from years of personal experience that many security systems are designed solely to keep the good guys out without thinking of the bad guys. There are two mistakes with this approach -- it only solves a small part of the problem, and more importantly, the bad guys do not follow the rules. Bruce Schneier likens this approach to security as putting a pole in front of your house and hoping the attacker runs into the pole. The reality is that the adversary will simply go around the pole.

While many of the chapter topics may sound unexciting, Anderson has a wonderful writing style and at times reads almost like a Tom Clancy thriller with its details of military command and control systems and other similar topics. Anyone responsible for information security should read Security Engineering.


5 out of 5 stars Comprehensive, current, and stunningly good   April 6, 2001
Avi Rubin (Baltimore, MD USA)
26 out of 28 found this review helpful

It is about time that this book has been written!

Ross Anderson has a unique perspective to offer. He explains complex information, such as the inner working of cryptographic functions, in a clear and precise manner, while at the same time always relating the content to the real world. He possesses a rare combination of expertise in theory and experience in practice.

This book covers everything from security of ATM machines, to secure printing; from multi-level security to information warfare; from hardware security to e-commerce; from legal issues to intellectual property protection; from biometrics to tamper resistance. In short, Anderson's book basically covers the entire field of computer security. It is also refreshing that the book is as deep as it is broad.

I will use this book to teach and also to learn. It is a good read cover to cover, and I imagine it will make a fine textbook for many classes on computer security. Every chapter ends with suggestions for interesting research problems and further reading.

As I was reading this book, I kept asking myself how one person could have produced such a comprehensive and complete book. It is indeed a treasure.


5 out of 5 stars A watershed book for the security community   June 27, 2002
Richard Bejtlich (Washington, DC)
14 out of 15 found this review helpful

This book changes everything. "Security Engineering" is the new must-read book for any serious information security professional. In fact, it may be required reading for anyone concerned with engineering of any sort. Ross Anderson's ability to blend technology, history, and policy makes "Security Engineering" a landmark work.

Engineers learn more from failure than success. "Security Engineering" brings this practice to life, investigating the design and weaknesses of ATM machines, currency printing, nuclear command and control, radar, and dozens of other topics. Anderson's insights are accurate and helpful, partly because he's served as consultant for diverse industries. His descriptions of criminal and intelligence agency exploitation of insecure systems are startling; fake cellular base stations, fly-by-night phone companies, TEMPEST/EMSEC viruses, freezing electronics to preserve RAM -- all are explained in layman's terms.

The bibliography offers exceptional opportunities for further research, but the second edition needs a glossary. I found some of the cryptography chapter too complicated for non-mathematicians. I also believe the author was misled by whoever told him that "at the time of writing, the US Air Force has so far not detected an intrusion using the systems it has deployed on local networks." (p. 387) (I know from experience this is false.) Nevertheless, these are my only criticisms for a 612 page text.

"Security Engineering" is a book of principles, lessons, and case studies. It offers history, tools, and standards to judge engineering endeavors. This book actually inspired me to learn how brick-and-mortar engineers learn their trade, as their methods and failure analysis may apply to the software world. "Security Engineering" will remain relevant for years, but I recommend you read it as soon as possible.



5 out of 5 stars Fantastic book - highly recommended reading on security   June 21, 2001
Ross Anderson (Cambridge, England)
11 out of 12 found this review helpful

This book does so much more than guiding the reader through the design of distributed systems. It is the most comprehensive and general definition and illustration of information security that I have ever seen in one place. This is a book that can teach you to look at the world through security glasses so to speak and that of course is a prerequisite for security engineering. It is also a good thing to be able to do if you need to evaluate security measures for quality and appropriateness.

The way Ross Anderson goes about this task is systematic and pedagogical. He has obviously been lecturing for many years and is both an excellent presenter and a person demonstrating a good understanding of learning curves. Both the book as a whole and the individual chapters have been constructed in such a way that the reader can give up at various points of complexity without losing the plot altogether and simply start at the beginning of the following chapter for a less deep education than if he read and understood everything but nevertheless gaining a comprehensive feel for the nature of security and how to tackle its implementation. This design also enables the book to be used either as a textbook or as a reference work. Very smart - many technical authors could learn something from observing how Ross goes about it.

I also like that each chapter ends with a discussion of possible research projects, literature recommendations and of course a summary. The only irritating thing is that there are too many stupid typos such as missing words, things which another read-through by the editor should have caught. An example: `...using the key in Figure 5.7, it enciphers to TB while rf enciphers to OB...' should be `...using the key in Figure 5.7, rd enciphers to TB while rf enciphers to OB...' It is fine to use typographic tricks for illustrative purposes but you must make sure they make it into print if you do. I'm certain many readers will find the chapter on cryptography difficult enough without errors. Well, next edition...

The book consists of three parts. The first is a quite basic intro to security concepts, protocols, human-to-computer interfaces, access control, cryptography and distributed systems. I think that perhaps Ross gets a little bit carried away in Chapter 5 on crypt - I mean, why is a proof for Fermat's little theorem included? There are no other mathematical proofs anywhere. I also think that parts of this chapter could benefit from added verbosity or perhaps a few more illustrations. Whereas in this context it is not so important how crypt primitives function internally it is of course very important how they behave as system components. Just a suggestion - no real criticism.

In the second part of the book the author ingeniously uses a whole range of well-known systems incorporating security to illustrate both analytical methods and security engineering fundamentals. Using this pedagogical method, moving from the concrete and well-known to the abstract and general is good engineering practice. Almost every main section contains a subsection called What Goes Wrong in which the author analyses and presents architectural and design weaknesses in everything from ATMs to nuclear systems. I find this approach incredibly valuable, not only because it teaches good engineering methodology but also because it gives the author an opportunity to present a huge number of security problems at the implementation level in a context, from which they can be lifted, cross-referenced and placed in different contexts. This method, combined with the informed and intelligent analysis is what makes this book such a brilliant generator of understanding of security, the broad and full concept.

Also in this part of the book there is a clear line which is not only technological but which serves to place security concepts in organisational frameworks, another very strong point in favour of this work. This leads to the third part of the book, which in the words of the author deals with politics, management and assurance. Very good entertainment as well. The book ends with one of the best bibliographies that I have ever seen in the field.

Kudos to Ross Anderson for writing such a fantastic book - highly recommended reading!


5 out of 5 stars Incomparable book on information security   May 2, 2001
R. Smith (Minnesota USA)
7 out of 7 found this review helpful

Those of us in the computer security business have been mining Ross Anderson's web site for years, since he's done some really unique and important work in the field. Finally he's pulled it into an incredible book, one that's essential for anyone interested in information security.

Two elements combine to make this book unique: first, the book manages to cover all of the major topics in the field, and second, the book covers the whole range of attacks that systems can face: technical, procedural and physical. Historically, writers on information security have focused on computers and disembodied "users," downplaying the crucial issues of physical security, perimeters, operating procedures, and the limits of human behavior. This book tries to integrate such concerns into information security thinking, instead of treating them as "special concerns that computer geeks don't really care about."

Best of all, the book is a great read. Ross has a fine way of drawing out the irony we encounter in user behavior, enterprise behavior, and even in the actions of presumed authorities in industry and government. At one point he discusses a government endorsed security evaluation process "which, as mentioned, is sufficient to keep out all attackers but the competent ones."

Ross unabashedly explains several aspects of information security that most writers ignore entirely, like security printing, seals, tamper resistance, and associated procedures. In my own books, reviewers have chided me for including such "irrelevant" topics, even though they play an essential part in making a real system work. As Ross ably points out, most successful attacks these days are pretty mundane and don't involve cryptanalysis or sophisticated protocol hacking. ATM fraud, for example, often relies on pre-computer technology like binoculars to pick up a victim's PIN. This book should open a lot of people's eyes.
