Inside the Security Mind

Making the Tough Decisions

Kevin Day

Publisher: Prentice Hall, 2003, 309 pages

ISBN: 0-13-111829-3

Keywords: Information Security

Last modified: May 17, 2021, 12:12 a.m.

Make smarter, more informed security decisions for your company

Organizations today commit ever-increasing resources to information security, but are scarcely more secure than they were four or five years ago! By treating information security like an ordinary technological practice — that is, by throwing money, a handful of the latest technologies, and a lineup of gurus at the problem — they invariably wind up with expensive, but deeply flawed, solutions. The only way out of this trap is to change one's way of thinking about security: to grasp the reasoning, philosophy, and logic that underlie all successful security efforts.

In Inside the Security Mind: Making the Tough Decisions, security expert Kevin Day teaches you how to approach information security the way the top gurus do — as an art, rather than a collection of technologies. By applying this discipline, your solutions will be more secure and less burdensome in time, expense, and effort. The first part of the book explains the practice of breaking security decisions down into a set of simple rules. These rules may then be applied to make solid security decisions in almost any environment. In the second part, Day uses a series of practical examples to illustrate exactly how the discipline works in practice. Additional material covers:

  • Designing an enterprise security plan, including perimeter/firewall and internal defenses, application, system, and hardware security
  • Ongoing security measures — recurring audits, vulnerability maintenance, logging and monitoring, and incident response, plus risk assessment
  • Choosing between open source and proprietary solutions; and wired, wireless, and virtual private networks

This book is essential reading for anyone working to keep information secure. Technical and non-technical IT professionals alike can apply Day's concepts and strategies to become security gurus, while seasoned practitioners will benefit from the unique and effective presentation of the essential security practices.

  • Chapter 1 Introduction
    • The Security Mind
      • Serious Matters
      • What Is a Security Mind?
    • Where Do We Start?
      • Erasing the Programming Around Us
      • Knowing Ourselves
      • Knowing We Are Ready
    • Where Does It End?
      • Sunny Skies Ahead
  • Chapter 2 A New Look at Information Security
    • Security as an Art Form
      • The Youngest of the IT Practice
      • The Most Dynamic IT Practice
      • And About Those Humans
    • What We Know About Security
      • The Good Guys
      • The Bad Guys
      • Our Abstract Battleground
      • Is Anyone Winning?
    • Understanding the Fear Factor
      • Positive Effects of the Fear Factor
      • Negative Effects of the Fear Factor
      • Combating the Fear Factor
    • How to Successfully Implement and Manage Security
      • Security Focus
      • Following the Virtues and Rules
  • Chapter 3 The Four Virtues of Security
    • Introduction to the Virtues
      • Focusing on the Virtues
    • The Virtue of Daily Consideration
      • The Seven Steps of Doom
      • The Three Steps to Success
      • Considering Security in Everything
      • Practicing This Virtue
    • The Virtue of Community Effort
      • Our Role in the Inner Security Community
      • Our Role in the Outer Security Community
      • Practicing This Virtue
    • The Virtue of Higher Focus
      • Avoiding Details With the Townsfolk
      • Higher Focus Security Measures
      • Practicing This Virtue
    • The Virtue of Education
      • Who’s Really in Charge?
      • The Psychological Obstacle
      • Practicing This Virtue
    • Using These Virtues
  • Chapter 4 The Eight Rules of Security (Components of All Security Decisions)
    • Introduction to the Rules
    • Rule of Least Privilege
      • Concept
      • Practicing This Rule
    • Rule of Change
      • Concept
      • Practicing This Rule
    • Rule of Trust
      • Concept
      • Practicing This Rule
    • Rule of the Weakest Link
      • Concept
      • Practicing This Rule
    • Rule of Separation
      • Concept
    • Rule of the Three-Fold Process
      • Practicing This Rule
    • Rule of Preventative Action (Proactive Security)
      • Practicing This Rule
    • Rule of Immediate and Proper Response
      • Reacting Quickly
      • Reacting Properly
      • Documentation
      • Turning an Attack to Your Advantage
      • Practicing This Rule
    • Incorporating the Rules
      • Putting the Rules in Writing
      • Decision-Making with the Rules
      • Thinking with the Rules
  • Chapter 5 Developing a Higher Security Mind
    • The Art of Higher Security
    • Thinking in Zones
      • Defining a Zone
      • Separating Zones
      • Communicating Between Zones
      • Inbound Communications/Access
      • Outbound Communications/Access
      • Applying the Zoning Concepts
      • Example of the Zoning Process
    • Creating Chokepoints
      • Network Chokepoints
      • Application Chokepoints
      • Social Chokepoints
      • Consolidating Chokepoints
      • A Note on Single Points of Failure
      • Applying the Chokepoint Concept
    • Layering Security
      • Basic Security Layering
      • Layering Network Security
      • Layering Systems Security
      • Layering Physical Security
      • Applying the Concept of Layered Security
    • Working in Stillness
      • Creating Stillness
      • Tiered Silence
      • Striking a Balance
    • Understanding Relational Security
      • Vulnerability Inheritance
      • Chained Values and Risks
      • Chaining Trusts
    • Understanding Secretless Security
      • Secretless Security
      • The Necessary Evil of Passwords
    • Dividing Responsibilities
      • Practicing Division of Responsibilities
    • Failing Securely
  • Chapter 6 Making Security Decisions
    • Using the Rules to Make a Decision
    • The Decision-Making Process
      • Identify the Components
      • Identify the Risks and Threats
      • Filter Through the Rules
      • Considering Zones
      • Layering Security
      • Considering the Overall Level of Security
      • The Policy Test
    • Example Decision
      • An Example Security Issue
      • Identifying the Components
      • Filtering Through the Security Rules
      • Identify the Risks and Threats of Each Component
      • Considering the Zones
      • Layering Security
      • Considering Overall Security
      • Putting It All Together
  • Chapter 7 Know Thy Enemy and Know Thyself
    • Understanding the Modern Hacker
      • Summertime Hacker
      • Script Kiddies
      • Targeting Criminals
      • Employees (and Consultants)
      • True Hackers
      • Accidental Hackers
      • The Hacker Community
    • Where Modern Vulnerabilities Exist
      • What Do I Mean by “Vulnerable?”
      • Vulnerable Operating Systems
      • Vulnerable Applications
      • Vulnerable Networks
      • Physical Vulnerabilities
      • Chained Vulnerabilities
    • Modern Targets
      • DNS Servers
      • Email Servers
      • Web Servers
      • Dial-up Modems
    • Modern Exploits
      • DoS Exploits
      • Penetration Exploits (Breaking and Entering)
      • Entry Point Searching
      • Sneak Attacks and Back Doors
      • Authentication Cracking Attacks
      • Social Engineering
      • Chained Exploits
    • Neglecting the Rules: A Hacker’s Tale
      • “Sneak Attack”
      • “Self-Sabotage”
    • Creating Your Own Security Profile
      • Who Are the Hackers?
      • What Are the Targets?
    • Becoming Invisible to Your Enemies
      • What to Hide From
      • What Makes Us Visible?
      • Becoming Invisible
  • Chapter 8 Practical Security Assessments
    • The Importance of a Security Audit
    • Understanding Risks and Threats
      • What Are Risks and Threats?
    • The Traditional Security Assessment Model
      • Traditional Quantitative Assessment
      • Traditional Qualitative Assessment
      • Problems with Traditional Models
    • The Relational Security Assessment Model
      • What Is the Relational Security Assessment Model?
      • Basic Rules for Any Risk Assessment
    • Relational Security Assessment Model: Risks
      • Risk Levels
      • Risk Factors
      • Deriving Risk Levels from Risk Factors
      • Our Risk Assessment Thus Far
      • Deriving Relational Risks for Containers
    • Relational Security Assessment Model: Controls
      • Controls
      • Control Levels
      • Risk Control Policies
      • Scoring an Object
    • Relational Security Assessment Model: Tactical Audit Process
      • Audit Tools
      • Basic Audit Steps
      • Tactical Audit Schedule
    • Analytical Audit Measures
      • Perimeter Architecture Audit
      • Internal Architecture Security Audit
    • Additional Audit Considerations
      • Acceptable Risk
      • Staffing an Audit
  • Chapter 9 The Security Staff
    • Building a Successful Security Team
      • Determining Whether a Security Staff Is Even Required
      • What Is a Security Professional?
      • About Hiring Hackers
      • Training Security Personnel from Within
      • Interviewing a Security Professional
    • Bringing in Security Consultants
      • Dispelling the Consulting Myth
      • Do We Need Consultants?
    • Outsourcing Security Maintenance
      • Limitations of Managed Services
      • Beware of Free Managed Services
      • Properly Using Managed Security Services
  • Chapter 10 Modern Considerations
    • Using Standard Defenses
      • The Reality of Firewalls
      • Intrusion Detection Systems
      • Vulnerability Scanners
    • Open Source vs. Closed Source Security
      • What Is Open Source?
      • How Secure Is Open Source?
      • When Should Open Source Security Software Be Used?
    • Wireless Networks
      • The Security of Wireless
      • Using Wireless Securely
    • Encryption
      • Trusting Encryption
      • Managing Keys
      • Diminishing Security via Encryption
      • The Rules of Encryption
    • Virtual Private Networking
      • The Potential of VPN
      • The Reality of VPN
      • Concerning Remote Control Software
      • Securely Using VPNs
  • Chapter 11 The Rules in Practice
    • Practicing the Rules
    • Perimeter Defense
      • Expanding the Perimeter Concept
      • Defining the Perimeter
      • Perimeter Rules
    • Internal Defenses
      • Can It Really Be Done?
      • The Need for Internal Security
      • Internal Rules
    • Physical Defenses
      • Casual Damage
      • Physical Attacks
      • Natural Disasters
      • Physical Rules
    • Direct Object Defenses
      • Applying the Rules Through Hardening
      • Some Good Hardening Practices
    • Outbound Internet Access
      • Applying the Rules of Security to Outbound Internet Access
    • Logging and Monitoring
      • What to Log
      • Centralizing Logging Efforts
      • Correlating the Logs
      • Archiving the Logs
    • Handling Authentication
      • Authentication Is Everywhere
      • Basic Forms of Authentication
      • Centralizing Authentication
      • Single Sign-On Considerations
      • Properly Handling the Power of Administrator/Root
  • Chapter 12 Going Forward
    • The Future of Information Security
      • Stopping the Problem at its Source
      • Raising the Consciousness
      • Technical Developments
      • The Evolution of the Security Mind
  • Appendix A Tips on Keeping Up-to-Date
  • Appendix B Ideas for Training
  • Appendix C Additional Recommended Audit Practices
  • Appendix D Recommended Reading
  • Appendix E The Hidden Statistics of Information Security

Reviews

Inside the Security Mind

Reviewed by Roland Buresund

Very Good (8 out of 10)

Last modified: May 21, 2007, 3:06 a.m.

A very interesting book that tries a new approach to security, and tries to avoid the mumbo-jumbo of IT security while still being valid in a business environment.

Well worth reading, especially his 8 rules, which I decided to adhere to in my future security evaluations.

Don't understand what I'm talking about? Read the book; you will probably find it an enlightening experience (in parts) as regards security.
