You are previewing Assessing Information Security: Strategies, tactics, logic and framework.
O'Reilly logo
Assessing Information Security: Strategies, tactics, logic and framework

Book Description

Build a strategic response to cyber attacks The activities of the cyber criminal are both deliberate and hostile, and they can be compared to military operations. Many people in business understand that the insights from the classics of military strategy are as relevant to modern commerce as they are to war. It is clear that organizations need to develop a view of cybersecurity that goes beyond technology: all staff in the organization have a role to play, and it is the senior managers who must ensure, like generals marshalling their forces, that all staff know the cybersecurity policies that explain what to do when under attack. Cyber crime… cyber war? With this in mind, the authors have drawn on the work of Clausewitz and Sun Tzu, and applied it to the understanding of information security that they have built up through their extensive experience in the field. The result is expert guidance on information security, underpinned by a profound understanding of human conflict. Building on the success of the first edition, this new edition covers the most recent developments in the threat landscape and the best-practice advice available in the latest version of ISO 27001:2103. Product overview » About the authors Dr Andrew Vladimirov is a security researcher. His fields of expertise include network security and applied cryptography, and he has extensive experience of performing information security assessments. He and his fellow authors are the founders of Arhont Ltd, a leading information security consultancy. Konstantin Gavrilenko has over 15 years of experience in IT and security. As a researcher, information security is his speciality, and he has a particular interest in wireless security. He holds a BSc in management science from De Montfort University and an MSc in management from Lancaster University. Andriej Michajlowski is an expert on network security. His research interests include user and device authentication mechanisms, and wireless networking security. He has extensive experience carrying out internal and external information security assessments. He is a graduate of the University of Kent at Canterbury and he holds an MBA. Understand today’s threat landscape and how you can put best practice in place to protect your organization – buy this book today.

Table of Contents

  1. Cover
  2. Title
  3. Copyright
  4. Dedication
  5. Preface
  6. About the Authors
  7. Contents
  8. Introduction
  9. Chapter 1: Information Security Auditing and Strategy
    1. The mindsets of ignorance
    2. Defence-in-depth
    3. Compelling adversaries to adapt
  10. Chapter 2: Security Auditing, Governance, Policies and Compliance
    1. General security policy shortcomings
    2. Addressing security audits in policy statements
    3. The erroneous path to compliance
    4. Getting down to earth
  11. Chapter 3: Security Assessments Classification
    1. Black, grey and white box tests
    2. Assessments specialisations and actual scopes
    3. On technical information security assessments
    4. Server, client and network-centric tests
    5. IT security testing levels and target areas
    6. ‘Idiosyncratic’ technical security tests
    7. On non-technical information security audits
    8. Premises and physical security checks
    9. Social engineering tests
    10. Security documentation reviews
    11. Assessing security processes
  12. Chapter 4: Advanced Pre-Assessment Planning
    1. The four-stage framework
    2. Selecting the targets of assessment
    3. Evaluating what is on offer
    4. Professional certifications and education
    5. Publications and tools
    6. The auditor company history and size
    7. Dealing with common assessment emergencies
  13. Chapter 5: Security Audit Strategies and Tactics
    1. Centres of gravity and their types
    2. Identifying critical points
    3. The strategic exploitation cycle
    4. External technical assessment recon
    5. Social engineering recon
    6. Internal technical assessment recon
    7. Technical vulnerability discovery process
    8. A brief on human vulnerabilities
    9. The tactical exploitation cycle
    10. Front, flank, simple, complex
    11. The strategies of creating gaps
  14. Chapter 6: Synthetic Evaluation of Risks
    1. Risk, uncertainty and ugly Black Swans
    2. On suitable risk analysis methodologies
    3. On treatment of information security risks
    4. Relevant vulnerability categories
    5. Gauging attacker skill
    6. Weighting vulnerability impact
    7. Contemplating the vulnerability remedy
    8. Defining vulnerability risk level
    9. Risks faced by large components
    10. Compound risks, systempunkts and attacker logic
    11. Total risk summary utilisation and dissection
  15. Chapter 7: Presenting the Outcome and Follow-Up Acts
    1. The report audience and style
    2. The report summary
    3. The report interpretation chapter
    4. The bulk of the report
    5. Explaining the overall security state
    6. Elaborating on breakdown of risks
    7. Using vulnerability origin investigations
    8. Post-audit assistance and follow-up hurdles
  16. Chapter 8: Reviewing Security Assessment Failures and Auditor Management Strategies
    1. Bad tactics and poor tests
    2. On the assessment team ordnance
    3. Of serpents and eagles
  17. ITG Resources