You are previewing Inside the Security Mind: Making the Tough Decisions.
O'Reilly logo
Inside the Security Mind: Making the Tough Decisions

Book Description

"This is a really good book ... it spells out the motherhood and apple pie of information security in a highly readable way."

—Warwick Ford, CTO, VeriSign, Inc.

"An excellent security read! Breaks down a complex concept into a simple and easy-to-understand concept."

—Vivek Shivananda, President

  • Redefine your organization's information security

  • Learn to think and act like a top security guru!

  • Understand the founding principles of security itself and make better decisions

  • Make your security solutions more effective, easily manageable, and less costly!

Make smarter, more informed security decisions for your companyOrganizations today commit ever-increasing resources to information security, but are scarcely more secure than they were four or five years ago! By treating information security like an ordinary technological practice—that is, by throwing money, a handful of the latest technologies, and a lineup of gurus at the problem—they invariably wind up with expensive, but deeply flawed, solutions. The only way out of this trap is to change one's way of thinking about security: to grasp the reasoning, philosophy, and logic that underlie all successful security efforts.

In Inside the Security Mind: Making the Tough Decisions, security expert Kevin Day teaches you how to approach information security the way the top gurus do—as an art, rather than a collection of technologies. By applying this discipline, your solutions will be more secure and less burdensome in time, expense, and effort. The first part of the book explains the practice of breaking security decisions down into a set of simple rules. These rules may then be applied to make solid security decisions in almost any environment. In the second part, Day uses a series of practical examples to illustrate exactly how the discipline works in practice. Additional material covers:

  • Designing an enterprise security plan, including perimeter/firewall and Internal defenses, application, system, and hardware security

  • Ongoing security measures—recurring audits, vulnerability maintenance, logging and monitoring, and incident response, plus risk assessment

  • Choosing between open source and proprietary solutions; and wired, wireless, and virtual private networks

This book is essential reading for anyone working to keep information secure. Technical and non-technical IT professionals alike can apply Day's concepts and strategies to become security gurus, while seasoned practitioners will benefit from the unique and effective presentation of the essential security practices.

Table of Contents

  1. Copyright
  2. About Prentice Hall Professional Technical Reference
  3. Prologue
  4. Acknowledgments
  5. Introduction
    1. The Security Mind
    2. Where Do We Start?
    3. Where Does It End?
  6. A New Look at Information Security
    1. Security as an Art Form
    2. What We Know About Security
    3. Understanding the Fear Factor
    4. How to Successfully Implement and Manage Security
  7. The Four Virtues of Security
    1. Introduction to the Virtues
    2. The Virtue of Daily Consideration
    3. The Virtue of Community Effort
    4. The Virtue of Higher Focus
    5. The Virtue of Education
    6. Using These Virtues
  8. The Eight Rules of Security (Components of All Security Decisions)
    1. Introduction to the Rules
    2. Rule of Least Privilege
    3. Rule of Change
    4. Rule of Trust
    5. Rule of the Weakest Link
    6. Rule of Separation
    7. Rule of the Three-Fold Process
    8. Rule of Preventative Action (Proactive Security)
    9. Rule of Immediate and Proper Response
    10. Incorporating the Rules
  9. Developing a Higher Security Mind
    1. The Art of Higher Security
    2. Thinking in Zones
    3. Creating Chokepoints
    4. Layering Security
    5. Working in Stillness
    6. Understanding Relational Security
    7. Understanding Secretless Security
    8. Dividing Responsibilities
    9. Failing Securely
  10. Making Security Decisions
    1. Using the Rules to Make a Decision
    2. The Decision-Making Process
    3. Example Decision
  11. Know Thy Enemy and Know Thyself
    1. Understanding the Modern Hacker
    2. Where Modern Vulnerabilities Exist
    3. Modern Targets
    4. Modern Exploits
    5. Neglecting the Rules: A Hacker's Tale
    6. Creating Your Own Security Profile
    7. Becoming Invisible to Your Enemies
  12. Practical Security Assessments
    1. The Importance of a Security Audit
    2. Understanding Risks and Threats
    3. The Traditional Security Assessment Model
    4. The Relational Security Assessment Model
    5. Relational Security Assessment Model: Risks
    6. Relational Security Assessment Model: Controls
    7. Relational Security Assessment Model: Tactical Audit PROCESS
    8. Analytical Audit Measures
    9. Additional Audit Considerations
  13. The Security Staff
    1. Building a Successful Security Team
    2. Bringing in Security Consultants
    3. Outsourcing Security Maintenance
  14. Modern Considerations
    1. Using Standard Defenses
    2. Open Source vs. Closed Source Security
    3. Wireless Networks
    4. Encryption
    5. Virtual Private Networking
  15. The Rules in Practice
    1. Practicing the Rules
    2. Perimeter Defenses
    3. Internal Defenses
    4. Physical Defenses
    5. Direct Object Defenses
    6. Outbound Internet Access
    7. Logging and Monitoring
    8. Handling Authentication
  16. Going Forward
    1. The Future of Information Security
  17. Tips on Keeping Up-to-Date
    1. Resources for Staying Informed About Important Security Issues
    2. Resources for Finding Information on New Vulnerabilities, Threats, and Countermeasures
  18. Ideas for Training
    1. 25-Minute Basic Security Awareness Class
    2. 30-Minute Internet Security for End–Users Class
  19. Additional Recommended Audit Practices
    1. Recommended Desktop/Workstation Auditing Tasks
    2. Recommended Perimeter Auditing Tasks
    3. Recommended Internal Auditing Tasks
    4. Recommended Physical Auditing Tasks
    5. Recommended Controls for Risk Control Policies
  20. Recommended Reading
  21. The Hidden Statistics of Information Security
    1. Looking Up the Crime Rate
    2. The Hidden Statistics
    3. A Closing Thought on Statistics
  22. Index