Inside the Security Mind

Making the Tough Decisions

Publisher: Prentice Hall, 2003, 309 pages

ISBN: 0-13-111829-3

Last modified: May 17, 2021, 12:12 a.m.

Synopsis

Make smarter, more informed security decisions for your company

Organizations today commit ever-increasing resources to information security, but are scarcely more secure than they were four or five years ago! By treating information security like an ordinary technological practice — that is, by throwing money, a handful of the latest technologies, and a lineup of gurus at the problem — they invariably wind up with expensive, but deeply flawed, solutions. The only way out of this trap is to change one's way of thinking about security: to grasp the reasoning, philosophy, and logic that underlie all successful security efforts.

In Inside the Security Mind: Making the Tough Decisions, security expert Kevin Day teaches you how to approach information security the way the top gurus do — as an art, rather than a collection of technologies. By applying this discipline, your solutions will be more secure and less burdensome in time, expense, and effort. The first part of the book explains the practice of breaking security decisions down into a set of simple rules. These rules may then be applied to make solid security decisions in almost any environment. In the second part, Day uses a series of practical examples to illustrate exactly how the discipline works in practice. Additional material covers:

Designing an enterprise security plan, including perimeter/firewall and Internal defenses, application, system, and hardware security
Ongoing security measures — recurring audits, vulnerability maintenance, logging and monitoring, and incident response, plus risk assessment
Choosing between open source and proprietary solutions; and wired, wireless, and virtual private networks

This book is essential reading for anyone working to keep information secure. Technical and non-technical IT professionals alike can apply Day's concepts and strategies to become security gurus, while seasoned practitioners will benefit from the unique and effective presentation of the essential security practices.

Chapter 1 Introduction

The Security Mind

Serious Matters
What Is a Security Mind?

Where Do We Start?

Erasing the Programming Around Us
Knowing Ourselves
Knowing We Are ready

Where Does It End?

Sunny Skies Ahead

Chapter 2 A New Look at Information Security

Security as an Art Form

The Youngest of the IT Practice
The Most Dynamic IT Practice
And About Those Humans

What We Know About Security

The Good Guys
The Bad guys
Our Abstract Battleground
Is Anyone Winning?

Understanding the Fear Factor

Positive Effects of the Fear Factor
Negative Effects of the Fear Factor
Combating the Fear Factor

How to Successfully Implement and manage Security

Security Focus
Following the Virtues and Rules

Chapter 3 The Four Virtues of Security

Introduction to the Virtues

Focusing on the Virtues

The Virtue of Daily Consideration

The Seven Steps of Doom
The Three Steps to Success
Considering Security in Everything
Practicing This Virtue

The Virtue of Community Effort

Our Role in the Inner Security Community
Our Role in the Outer Security Community
Practicing This Virtue

The Virtue of Higher Focus

Avoiding Details With the Townsfolk
Higher Focus Security Measures
Practicing This Virtue

The Virtue of Education

Who’s Really in Charge?
The Psychological Obstacle
Practicing This Virtue

Using These Virtues

Chapter 4 The Eight Rules of Security (Components of All Security Decisions)

Introduction to the Rules
Rule of Least Privilege

Concept
Practicing This Rule

Rule of Change

Concept
Practicing This Rule

Rule of Trust

Concept
Practicing This Rule

Rule of the Weakest Link

Concept
Practicing This Rule

Rule of Separation

Concept

Rule of the Three-Fold Process

Practicing This Rule

Rule of Preventative Action (Proactive Security)

Practicing This Rule

Rule of Immediate and Proper Response

Reacting Quickly
Reacting Properly
Documentation
Turning an Attack to Your Advantage
Practicing This Rule

Incorporating the Rules

Putting the Rules in Writing
Decision-Making with the Rules
Thinking with the Rules

Chapter 5 Developing a Higher Security Mind

The Art of Higher Security
Thinking in Zones

Defining a Zone
Separating Zones
Communicating Between Zones
Inbound Communications/Access
Outbound Communications/Access
Applying the Zoning Concepts
Example of the Zoning Process

Creating Chokepoints

Network Chokepoints
Application Chokepoints
Social Chokepoints
Consolidating Chokepoints
A Note on Single points of Failure
Applying the Chokepoint Concept

Layering Security

Basic Security Layering
Layering Network Security
Layering Systems Security
Layering Physical Security
Applying the Concept of Layered Security

Working in Stillness

Creating Stillness
Tiered Silence
Striking a Balance

Understanding Relational Security

Vulnerability Inheritance
Chained Values and Risks
Chaining Trusts

Understanding Secretless Security

Secretless Security
The Necessary Evil of Passwords

Dividing Responsibilities

Practicing Division of Responsibilities

Failing Securely

Chapter 6 Making Security Decisions

Using the Rules to Make a Decision
The Decision-Making Process

Identify the Components
Identify the Risks and Threats
Filter Through the Rules
Considering Zones
Layering Security
Considering the Overall Level of Security
The Policy Test

Example Decision

An Example Security Issue
Identifying the Components
Filtering Through the Security Rules
Identify the Risks and Threats of Each Component
Considering the Zones
Layering Security
Considering Overall Security
Putting It All Together

Chapter 7 Know Thy Enemy and Know Thyself

Understanding the Modern Hacker

Summertime Hacker
Script Kiddies
Targeting Criminals
Employees (and Consultants)
True Hackers
Accidental Hackers
The Hacker Community

Where Modern Vulnerabilities Exist

What Do I Mean by “Vulnerable?”
Vulnerable Operating Systems
Vulnerable Applications
Vulnerable Networks
Physical Vulnerabilities
Chained Vulnerabilities

Modern Targets

DNS Servers
Email Servers
Web Servers
Dial-up Modems

Modern Exploits

DoS Exploits
Penetration Exploits (Breaking and Entering)
Entry Point Searching
Sneak Attacks and Back Doors
Authentication Cracking Attacks
Social Engineering
Chained Exploits

Neglecting the Rules: A Hacker’s Tale

“Sneak Attack”
“Self-Sabotage”

Creating Your Own Security Profile

Who Are the Hackers?
What Are the Targets?

Becoming Invisible to Your Enemies

What to Hide From
What Makes Us Visible?
Becoming Invisible

Chapter 8 Practical Security Assessments

The Importance of a Security Audit
Understanding Risks and Threats

What Are Risks and Threats?

The Traditional Security Assessment Model

Traditional Quantitative Assessment
Traditional Qualitative Assessment
Problems with Traditional Models

The Relational Security Assessment Model

What Is the Relational Security Assessment Model?
Basic Rules for any Risk Assessment

Relational Security Assessment Model: Risks

Risk Levels
Risk Factors
Deriving Risk Levels from Risk Factors
Our Risk Assessment Thus Far
Deriving Relational Risks for Containers

Relational Security Assessment Model: Controls

Controls
Control levels
Risk Control Policies
Scoring an Object

Relational Security Assessment Model: Tactical Audit Process

Audit Tools
Basic Audit Steps
Tactical Audit Schedule

Analytical Audit Measures

Perimeter Architecture Audit
Internal Architecture Security Audit

Additional Audit Considerations

Acceptable Risk
Staffing an Audit

Chapter 9 The Security Staff

Building a Successful Security Team

Determining Whether a Security Staff Is Even Required
What Is a Security Professional?
About Hiring Hackers
Training Security Personnel from Within
Interviewing a Security Professional

Bringing in Security Consultants

Dispelling the Consulting Myth
Do We Need Consultants?

Outsourcing Security Maintenance

Limitations of Managed Services
Beware of Free Managed Services
Properly Using Managed Security Services

Chapter 10 Modern Considerations

Using Standard Defenses

The Reality of Firewalls
Intrusion Detection Systems
Vulnerability Scanners

Open Source vs. Closed Source Security

What Is Open Source?
How Secure Is Open Source?
When Should Open Source Security Software be Used?

Wireless Networks

The Security of Wireless
Using Wireless Securely

Encryption

Trusting Encryption
Managing Keys
Diminishing Security via Encryption
The Rules of Encryption

Virtual Private Networking

The Potential of VPN
The Reality of VPN
Concerning Remote Control Software
Securely Using VPNs

Chapter 11 The Rules in Practice

Practicing the Rules
Perimeter Defense

Expanding the Perimeter Concept
Defining the Perimeter
Perimeter Rules

Internal Defenses

Can It Really be Done?
The Need for Internal Security
Internal Rules

Physical Defenses

Casual Damage
Physical Attacks
Natural Disasters
Physical Rules

Direct Object Defenses

Applying the Rules Through Hardening
Some Good Hardening Practices

Outbound Internet Access

Applying the Rules of Security to Outbound Internet Access

Logging and Monitoring

What to Log
Centralizing Logging Efforts
Correlating the Logs
Archiving the Logs

Handling Authentication

Authentication Is Everywhere
Basic Forms of Authentication
Centralizing Authentication
Single Sign-On Considerations
Properly Handling the Power of Administrator/Root

Chapter 12 Going Forward

The Future of Information Security

Stopping the Problem at its Source
Raising the Consciousness
Technical Developments
The Evolution of the Security Mind

Appendix A Tips on Keeping Up-to-Date
Appendix B Ideas for Training
Appendix C Additional Recommended Audit Practices
Appendix D Recommended Reading
Appendix E The Hidden Statistics of Information Security

Reviews