Product Description

The world has changed radically since the first edition of this book was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy and as they specialize, they get better. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice. Here’s straight talk on critical topics such as technical engineering basics, types of attack, specialized protection mechanisms, security psychology, policy, and more.

Product Details

• Amazon Sales Rank: #44004 in Books
• Published on: 2008-04-11
• Original language: English
• Number of items: 1
• Binding: Hardcover
• 1080 pages

Amazon.co.uk Review
Gigantically comprehensive and carefully researched, Security Engineering makes it clear just how difficult it is to protect information systems from corruption, eavesdropping, unauthorised use and general malice. Better, Ross Anderson offers a lot of thoughts on how information can be made more secure (though probably not absolutely secure, at least not forever) with the help of both technologies and management strategies. His work makes fascinating reading, and will no doubt inspire considerable doubt--fear is probably a better choice of words--in anyone with information to gather, protect, or make decisions upon.

Be aware: this is absolutely not a book solely about computers, with yet another explanation of Alice and Bob and how they exchange public keys in order to exchange messages in secret. Anderson explores, for example, the ingenuous ways in which European truck drivers defeat their vehicles' speed-logging equipment. In another section, he shows how the end of the Cold War brought on a decline in defences against radio-frequency monitoring (radio frequencies can be used to determine, at a distance, what's going on in systems--bank teller machines, say) and how similar technology can be used to reverse-engineer the calculations that go on inside smart cards. In almost 600 pages of riveting detail, Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity and always use common sense in defending valuables. It is a terrific read for security professionals and general readers alike. --David Wall

Topics covered: how some people go about protecting valuable things (particularly, but not exclusively, information) and how other people go about getting it anyway. Mostly, this takes the form of essays (about, for example, how the US Air Force keeps its nukes out of the wrong hands) and stories (one of which tells of an art thief who defeated the latest technology by hiding in a closet). Sections deal with technologies, policies, psychology and legal matters.

Review
"...a one-stop guide to getting your business off the ground." --Engineering & Technology, Saturday 7th June 2008

"At over a thousand pages, this is a comprehensive volume." --Engineering & Technology, Saturday 7th June 2008

Review
“At over a thousand pages, this is a comprehensive volume.” Engineering & Technology Saturday 7 June 2008

Customer Reviews

Best Book on This Topic I've Ever Seen
Think you are an expert on computer security? Yes? Well, no matter if you can do triple-DES in your head, by carefully reading this book (and learning its lessons) you will find many holes in any security system you have ever designed. Guess what? They don't need to crack your 1024 bit key to thwart your procedures -- there's at least a hundred ways to go around encryption.

Ross Anderson surveys the entire spectrum of contemporary techno-security, from nuclear weapons to the electric meters used in South Africa, and tells you the nuts-n-bolts of how they are architected, and where things fall apart. What becomes clear is that perfect security doesn't exist in the real world, so you need to create "security in depth", where you secure all aspects of your enterprise. Attacks can come from the CEO, your customer, the janitor, the designer, or a passing crack head. In fact, the biggest threat is time itself -- a procedure secure today will become vulnerable in a couple of years if you don't treat security as a living, growing, changing, high-priority part of your enterprise.

Early in the book he opened my eyes -- I know a thing or two about security, yet his example of a military IFF system blew me away. If I had been asked, I would have swore it was a perfect system. Yet, with a simple little trick, the enemy not only defeated it but used it as a weapon. There's a hundred head-slapping moments in this book where you mutter "holy crap!" when you see how vulnerable some things have been.

Look, just buy the damn book, ok? If you have any responsibility for security, you need it. End of story..

Fantastic book - highly recommended reading on security
This book does so much more than guiding the reader through the design of distributed systems. It is the most comprehensive and general definition and illustration of information security that I have ever seen in one place. This is a book that can teach you to look at the world through security glasses so to speak and that of course is a prerequisite for security engineering. It is also a good thing to be able to do if you need to evaluate security measures for quality and appropriateness.

The way Ross Anderson goes about this task is systematic and pedagogical. He has obviously been lecturing for many years and is both an excellent presenter and a person demonstrating a good understanding of learning curves. Both the book as a whole and the individual chapters have been constructed in such a way that the reader can give up at various points of complexity without losing the plot altogether and simply start at the beginning of the following chapter for a less deep education than if he read and understood everything but nevertheless gaining a comprehensive feel for the nature of security and how to tackle its implementation. This design also enables the book to be used either as a textbook or as a reference work. Very smart - many technical authors could learn something from observing how Ross goes about it.

I also like that each chapter ends with a discussion of possible research projects, literature recommendations and of course a summary. The only irritating thing is that there are too many stupid typos such as missing words, things which another read-through by the editor should have caught. An example: `...using the key in Figure 5.7, it enciphers to TB while rf enciphers to OB...' should be `...using the key in Figure 5.7, rd enciphers to TB while rf enciphers to OB...' It is fine to use typographic tricks for illustrative purposes but you must make sure they make it into print if you do. I'm certain many readers will find the chapter on cryptography difficult enough without errors. Well, next edition...

The book consists of three parts. The first is a quite basic intro to security concepts, protocols, human-to-computer interfaces, access control, cryptography and distributed systems. I think that perhaps Ross gets a little bit carried away in Chapter 5 on crypt - I mean, why is a proof for Fermat's little theorem included? There are no other mathematical proofs anywhere. I also think that parts of this chapter could benefit from added verbosity or perhaps a few more illustrations. Whereas in this context it is not so important how crypt primitives function internally it is of course very important how they behave as system components. Just a suggestion - no real criticism.

In the second part of the book the author ingeniously uses a whole range of well-known systems incorporating security to illustrate both analytical methods and security engineering fundamentals. Using this pedagogical method, moving from the concrete and well-known to the abstract and general is good engineering practice. Almost every main section contains a subsection called What Goes Wrong in which the author analyses and presents architectural and design weaknesses in everything from ATMs to nuclear systems. I find this approach incredibly valuable, not only because it teaches good engineering methodology but also because it gives the author an opportunity to present a huge number of security problems at the implementation level in a context, from which they can be lifted, cross-referenced and placed in different contexts. This method, combined with the informed and intelligent analysis is what makes this book such a brilliant generator of understanding of security, the broad and full concept.

Also in this part of the book there is a clear line which is not only technological but which serves to place security concepts in organisational frameworks, another very strong point in favour of this work. This leads to the third part of the book, which in the words of the author deals with politics, management and assurance. Very good entertainment as well. The book ends with one of the best bibliographies that I have ever seen in the field.

Kudos to Ross Anderson for writing such a fantastic book - highly recommended reading!

A Darned Good Read!
The best general Information Security introduction I�ve read. Very readable, with lots of references, Ross combines a wealth of practical experience with his academic prowess. Note that whilst he explains much of the technology in detail, it is not technology-specific in the way of, say, Hacking Exposed. This is not really a �how to do IS in 10 easy steps� book - it is more reflective, and questions many traditional assumptions. It also takes a critical look at many of the issues involved with physical security, though does not cover Disaster Recovery/ Business Continuity Planning.