Available for download is chapter 1 entitled "Setting the Stage for Successful Security Planning".
A popular guy to quote in the security World is Sun Tzu, he said: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." Let's face it, you network needs to be secured and you have to know a lot about your network and the enemy to make efficient defenses.
With this book Eric Greenberg wants to teach you how to make customized strategies and thus greatly improve your security. Did he manage to achieve this goal and how? Read on to find out.
About the author
Eric Greenberg is Chief Technical Officer and Co-Founder of NetFrameworks, Inc., a provider of professional security services. He was Group Security Product Manager for Netscape, where he led the rollout of a suite of groundbreaking security technologies, including the Secure Sockets layer (SSL) protocol. Previously, he was the Director of Engineering at Sprint International and Chief Operating Officer with Litronic.
An interview with Eric Greenberg is available here.
Inside the book
The author kicks off the book by setting the stage for security planning. What does that include you might ask? Well, you have to understand that security is a process and not a product so there are specific things you have to take in consideration when planning. As with every planning you have to understand the value you are about to protect, the cost of the protection and the likelihood that someone will break the implemented security measures. To start the planning process you have to learn about the pitfalls of bad planning, you have to identify the risks and understand you attackers. Also a crucial part there is the "selling of security" where you learn how to deal with the management in your company.
Now it's time to build a security plan that works. Among other things the author will teach you how to form a planning team. You'll be able to see the anatomy of an effective security plan and begin to understand the security life cycle. Greenberg also teaches you how to deal with problems so there's information on incident response. We are introduced to the security elements, the author defines the 28 security elements in 2 categories: core and wrap-up. The first 15 are the core security elements that represent the heart of your security plan while the 13 wrap-up elements are summary elements that relate heavily to others. The goal here is to give you a complete overview of what a security plan should look like. As you read you'll realize that security planning is a multidimensional effort and that it touches every aspect of your organization: people, business and technology.
What you'll need to use during your planning are the security worksheets - they include a starter set of questions and pointers. If you plan accordingly you'll come up with a comprehensive security plan. The six fundamental security elements presented here are: authorization and access control, authentication, encryption, integrity, nonrepudiation and privacy. The worksheets are explained in great detail that leaves basically nothing in the dark - the author also addresses physical security. After reading this you'll be able to customize your own worksheets and keep them up-to-date to reflect the constant changes that happen in the security World. The worksheets you see in the book can all be downloaded from this website. This is a good idea as it gives you the opportunity to use all the material and apply changes that you need while reading the book.
The book moves on as Greenberg illustrates strategic security planning with Public Key Infrastructure (PKI). As the author notes, it's his intention to unravel the mysteries of PKI so that we'll be able to factor them into our strategic plans. After an introduction you'll see the many challenges of PKI. Since this is not a comprehensive guide to PKI you should need some proir knowledge if you thinking of PKI implementation, for that I can recommend "Undestanding PKI".
What's more important when it comes to this chapter is a case study that the author presents. He summarizes experiences in implementing one of the world's largest PKI-enabled networks called TradeWave, which supports more than $30 billion in online transactions with more than 3000 users and 500 participating companies. This case study is very valuable since it gives us a real world view of the lessons learned by the author and it can only help to clarify any questions regarding PKI.
A good security planner tries to stay ahead of the attacker. To finish off the book Greenberg gives us his view of the future and illustrates what we might expect from attackers in the future. The best practices presented through the book are summarized here. The author also presents the top 10 methods of attack he believes will be around in the future. Some of these attack exist already today but not in the magnitude they might appear in the future. As with everything in this book, don't expect just a list of attacks, what the author delivers is a good explanation for each attack.
My 2 cents
If you've never planned before you'll get your grip on the benefits of effective security planning if you read this book. You can only benefit if you implement the knowledge learned here in your organization. The book is written so that it's not a hard read despite the topic, the author explains everything very clearly so you won't be confused at any time. Also excellent is the comprehensive glossary in which you can locate a term or acronym you don't understand. If you're interested in more information that relates to this book, the author provides a list of reading material.
If you want to do security planning and you don't know where to start, this book is mandatory reading material. It will make your life easier and your system more secure.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.