Publisher: Prentice Hall PTR
We are all at risk. This is the state of things and it will not change. What can change is our way of thinking about security issues and the way we approach them. Security is a complex process with dynamic details and in order to make efficient security decisions you need a security mind, and that's exactly what the author helps you develop with this book.
About the author
Kevin Day is a CISSP and has worked as the lead security engineer and security practice manager for major East Coast consulting firm. In these positions, Day worked on a series of high-profile projects for Fortune 500 companies and government organizations. He is the founder of the Relational Security Corporation and currently heads up a joint venture developing new tools and methodologies, security risk assessment and auditing. Kevin has developed numerous methodologies in the security field and has invented patent-pending technologies in relation to information security risk management.
An interview with Kevin Day is available here.
Inside the book
Day starts by illustrating the things that differentiate security from other technical fields and refers to this area of study as the "world of information security". He notes that the usage of the term "world" is appropriate since there is a whole world within the topic, and I can only agree with this statement. The author writes about the good guys and the bad guys and provides you with an understanding of the fear factor and its role in the security decision-making process.
In the third chapter, "The Four Virtues of Security", Day states that good security is all about proper focus and defines the essential virtues of information security as: daily consideration, community effort, higher focus and education. What it all comes down to is that security must be a daily consideration in every area, a community effort; security practices must maintain a generalized focus and must include training for everyone.
Next the author introduces the eight rules of security that should help you in the process of making security decisions. According to Day, if you apply these rules, you'll make decisions that are consistent and intelligent. The rules are easy to understand and you'll be able to put them into practice pretty soon after going through them.
What follows is a chapter in which the author shows you how to develop a higher security mind by analyzing key security practices that you can use to defend yourselves. Among other things explained here, you learn about the importance of security layering, log filtering, dividing responsibilities, and so on.
As we move on we learn more about the decision-making process. Day demonstrates how to utilize all the information supplied in the first five chapters of the book. This is the place to look if you want to put your theoretical knowledge into practical use. You learn a lot more by taking a look at an example decision.
In order to defend yourself properly, you need to know all you can about your enemy. Chapter 7 tries to bring you closer in understanding the methods and motives of the attackers. This is no new material, basically the same thing you get in most security books: script kiddies, disgruntled employees, and so on. Also here, on the topic of vulnerabilities, Day writes about operating systems, applications, chained vulnerabilities, etc.
One of the most important things when it comes to assuring the security of your network is using security auditing. You surely want to discover the vulnerabilities in your network before the bad guys do. This part of the book offers some insight on how various assessment models look like and discusses the importance of implementing a security policy.
Next comes a chapter dedicated to a topic not often encountered elsewhere - the security staff. Naturally, a good security team is the foundation of a solid security infrastructure. Day shows us the do's and don'ts of building a strong security empire. Illustrated here are the qualities of a security professional, the controversy that surrounds the hiring of hackers, the training of security personnel, etc.
The 10th chapter brings forward more on security products and explains why good security means layered security. The author discusses firewalls, intrusion detection systems and vulnerability scanners. There's a part dedicated to a quite sensitive topic - open source vs. closed source security. To close the chapter, Day writes about wireless networks and encryption.
The last part of the book shows you how to put all you've learned into practice by serving as a guide in applying the information within specific topics. The topics are: perimeter defenses, internal defenses, physical defenses, direct object defenses, and others. As for what awaits us in the future, the author offers his opinion on the future of information security. In the appendixes you find links to resources, training ideas, audit practices as well as a list of recommended reading.
My 2 cents
This book contains knowledge that is vital for consultants, managers and security staff members. If you're serious about tightening your security, you should get this book as it will teach you how to adjust your thinking and deal with some potentially stressful situations.