Assessing Information Security: Strategies, tactics, logic and framework

Book Description

What do information security and the art of war have in common? The answer, this book argues, is a great deal. Although the authors have an expert technical knowledge of information security, they strongly believe that technical and procedural measures cannot offer a solution on their own.

Table of Contents

  1. Copyright
    1. Dedication
  2. Preface
  3. About the Authors
  4. Introduction
  5. 1. Information Security Auditing and Strategy
    1. To do or not to do?
      1. The mindsets of ignorance
        1. 1. The ‘it will never happen to us’ mindset
        2. 2. The ‘shiny box with flashing lights’ mindset
        3. 3. The ‘we are glad to accept this risk’ mindset
    2. On monetary contemplations
    3. The fundamentals
      1. 1. Information security assessment is an act of corporate or organisational politics
      2. 2. Information security assessment is always shaped by political, administrative, technical and human ‘terrain’
      3. 3. Information security assessment must shape information security systems of its target
      4. 4. Information security assessment is never complete
      5. 5. Information security assessment must be a part of a continuous process
      6. 6. Information security assessment should maintain a proper balance between tempo and depth
      7. 7. Information security assessment must always exceed its perceived scope
      8. 8. Information security assessment always targets corporate or organisational ISMS
      9. 9. Information security assessment should aspire to establish the roots of all discovered vulnerabilities, weaknesses and gaps
      10. 10. Information security assessment should aspire to discover strategic problems through tactical means
      11. 11. Information security assessment must be endorsed, controlled and debriefed at the top
      12. 12. Information security assessment should be understood and appreciated at the bottom
      13. 13. Information security assessment must produce transferrable results
      14. 14. Information security assessment must decrease the friction of the auditee
      15. 15. Information security assessment should promote security awareness and initiative
      16. 16. Information security assessment always operates with probabilities
      17. 17. Information security assessment is mainly a proactive countermeasure
      18. 18. Information security assessment must be impartial
      19. 19. Information security assessment must be dissociated from the checked system
      20. 20. Information security assessment results must be strictly confidential
    4. On aggressive defence
      1. Defence in-depth
      2. Adapting to adversaries
      3. Compelling adversaries to adapt
    5. On counteroffensive
    6. On the conditions of success
  6. 2. Security Auditing, Governance, Policies and Compliance
    1. On evaluating the top-down approach
    2. When things go bottom-up
      1. Contemplating flexible command and control
    3. On analysing ISMS strategies and flows
      1. High level dissection of security processes
    4. On security assessments and security policies
      1. General security policy shortcomings
      2. Addressing security audits in policy statements
    5. On security assessments and compliance
      1. The erroneous path to compliance
      2. Getting down to earth
  7. 3. Security Assessments Classification
    1. On broad categories of security audits
      1. Black, grey and white box tests
      2. Assessments specialisations and actual scopes
    2. On technical information security assessments
      1. Server, client and network-centric tests
      2. IT security testing levels and target areas
      3. ‘Idiosyncratic’ technical security tests
    3. On non-technical information security audits
      1. Premises and physical security checks
      2. Social engineering tests
      3. Security documentation reviews
      4. Assessing security processes
  8. 4. Advanced Pre-Assessment Planning
    1. On pre-audit gap analysis
      1. The four stage framework
      2. Selecting the targets of assessment
    2. On auditing the auditors
      1. Evaluating what is on offer
      2. Judging the assessor’s suitability
      3. Professional certifications and education
      4. Publications and tools
      5. The auditor company history and size
    3. On arranging the audit process
      1. Final auditee preparations and planning
      2. Dealing with common assessment emergencies
  9. 5. Security Audit Strategies and Tactics
    1. On critical points
      1. Centres of gravity and their types
      2. Identifying critical points
      3. The strategic exploitation cycle
    2. On reconnaissance
      1. External technical assessment recon
      2. Social engineering recon
      3. Internal technical assessment recon
    3. On evaluating vulnerabilities and gaps
      1. Technical vulnerability discovery process
      2. On application security testing methods
      3. Assessing network protocols security flaws
      4. A brief on human vulnerabilities
      5. The tactical exploitation cycle
    4. The operational art of vulnerability assessment
      1. Front, flank, simple, complex
      2. The strategies of creating gaps
  10. 6. Synthetic Evaluation of Risks
    1. On applicable epistemology of risk
      1. Risk, uncertainty and ugly ‘black swans’
      2. On suitable risk analysis methodologies
      3. On treatment of information security risks
    2. Analysing individual vulnerability risks
      1. Relevant vulnerability categories
      2. Gauging attacker skill
      3. Weighting vulnerability impact
      4. Contemplating the vulnerability remedy
      5. Defining vulnerability risk level
    3. Risks synthesis, summary and its breakdown
      1. Risks faced by large components
      2. Compound risks, Systempunkts and attacker logic
      3. Total risk summary utilisation and dissection
  11. 7. Presenting the Outcome and Follow-Up Acts
    1. On structure and content of the assessment report
      1. The report audience and style
      2. The report summary
      3. The report interpretation chapter
      4. The bulk of the report
    2. On drawing conclusions
      1. Explaining the overall security state
      2. Elaborating on breakdown of risks
      3. Analysing attack scenarios and trees
      4. Utilising vulnerability origin investigations
      5. Formulating the strategic conclusions
    3. On audit recommendations and follow-up reaction
      1. Delivering a risk reduction plan
      2. Post-audit assistance and follow-up hurdles
  12. 8. Reviewing Security Assessment Failures and Auditor Management Strategies
    1. On information security assessment follies
      1. The fundamentals infringed
      2. Bad tactics and poor tests
    2. On assembling and managing the auditor team
      1. On the assessment team ordonnance
      2. Of serpents and eagles
    3. Science and art of information security evaluation
  13. Bibliography
    1. Information and IT security sources
    2. General/military strategy and related sources
  14. ITG Resources
    1. Other Websites
    2. Pocket Guides
    3. Toolkits
    4. Best Practice Reports
    5. Training and Consultancy
    6. Newsletter