PrologueIn the Beginning...
It has been nine years since I first took up the sword to ward off a malicious two-headed hacker that was invading my lands. Over the past nine years I have witnessed a great deal of carnage and gore in the information security world. Securing everything from governments, Fortune 500 companies, health-care giants, medical research institutes, and even the good, old mom-and-pop shops has led me though a long maze of questioning and discovering. I have lived a cycle of life starting from the intrigued beginner, to the sworn hands-on technologist, to the enthused architect, to the senior advisor, and finally, the simple philosopher.
Like many philosophers, I cannot claim the ideas and practices in my book to be my own. They have simply been the inspiration of security related events and studies that have passed before me over the years. Eventually, the mind begins to notice things, patterns to what otherwise seems like simple madness. I began to realize what an incredible tool the recognition of these patterns presented; weapons of defense that can be wielded by everyone, not just by the security experts and the technically elite.
Here, I invite you to use these same weapons to protect your own homeland. The practices contained in this book have been proven time and again in direct combat with the enemy. The companies that have unfixed their eye from the size of their cannons and focused instead on the principles presented here have achieved security without a great deal of effort. For you see, the determining factors in a successful battle are not simply the technologies used, but the planning, strategizing, and decision making that take place before, during, and after the battle is complete.
Today, too many battles have been lost while following the commonly adopted guns and swords of information security. Too much blood has been spilled and too many retreats have been sounded in the chambers of our corporate lords. The first line of this book states, "The time has come for a different way of thinking about information security." What we are about to look into is not really "new" at all, but time honored practices of the ages, simply presented in a new and effective way.
Who Should Read this Book?
Inside the Security Mind was written in such a manner that anyone with the most basic IT knowledge will be able to read it. This was done with great care as I truly believe that everyone associated with technology within an organization should read this book. The chapters build upon constant and universally applicable rules of security that everyone should know and practice. Rather than having to spend years in study or practicing in the industry, however, the reader has only to grasp the concepts presented here. That is the goal of this book, to provide the reader with tools to think like a security expert and to correct the many flaws that currently plague the information security world. As such, I highly encourage the following people to read this book:
- IT Managers. This book is designed to help the reader make good, effective, and consistent security decisions without a great deal of study. Today, security should be a concern for all IT-related managers and directors, and for many who are not directly related to IT. Even if you are not responsible for any specific security practice, it is important to protect your department, facility, or corporation from the many security and availability threats in the world. The majority of successful security attacks over the past few years could have been prevented if the local staff only had been aware of security. When the concepts contained herein are understood and practiced, you will become "security aware" without having to take a class or learn how to install a firewall. I highly encourage those in charge of any aspect of IT to read this book and recommend it to your IT employees.
- Technical Gurus. As has become obvious over the years, every piece of information technology is in need of security focus. It is impossible to implement a server, router, application, VPN, or wireless extension without affecting the security of the rest of the organization. As such, anyone dealing with technology should have security awareness while performing their daily duties. This book is designed to create a high degree of such awareness and provide tools and techniques that can be applied to every type of technology, whether designing, developing, or implementing it. In the final sections, we will explore several technologies that require the most security care, and we will discuss how to safely implement them. Going far beyond this, however, the guidelines given throughout the book can and should be applied to all technologies. After reading this book, the next time you hook up a router, install a server, or bring up a new WAN link, you will know where to look for the security implications and how they should be addressed, regardless of the specific technology.
- Up-and-Coming Security Practitioners. The concepts presented in this book represent the heart and soul of information security. Anyone desiring to be a security professional should become thoroughly familiar with them. So put down that firewall manual, take a break from configuring the IDS sensor, and venture to read what security is all about. This book is probably the quickest way to advance to the next level in your security abilities.
- Seasoned Professional Security Practitioners. This will be a great book for building on concepts you probably already have in your head. I have found it of great use to have the concepts that are normally flitting about in the back of the mind, laid out in plain sight. Beyond this, Inside the Security Mind provides a great structure for you to build security practices, and is quite helpful in conveying security concepts to your managers, directors, employees, and clients.
How to Read this Book
As you have no doubt concluded, this is probably not going to be your everyday IT reading experience. The style of this book was not adopted just to be cute and friendly, but rather to set the proper mood. In a moment, you will turn to Chapter 1, and you will not find a formal textbook on information security, but a true-to-life guide on surviving in the IT industry. This book requires only that the reader proceed with an open mind and an expectation of something pleasantly different. I would not be surprised if there are sections within this book that contradict the practices you have read or seen in the past, and perhaps, at the conclusion of the book, we will all agree on why.
The book flows linearly with each concept building upon the concepts presented before it. In the beginning, we will cover The Virtues of Security, basic understandings of how security should be embraced within an organization. We will then build upon those virtues to derive The Eight Rules of Security, practical concepts that can be easily applied in just about every situation. Next, you will find higher concepts that build upon the rules, and then, finally, a plethora of practical applications where all of this information is synthesized into real-world uses.
As you can probably guess, this is not a book with which one should skip back and forth through the pages searching for a specific topic. In order to fully understand the recommendations on protecting your VPNs, for example, you must first understand the virtues, rules, and concepts that the recommendation has been built upon. As such, I would highly recommend reading Inside the Security Mind in its entirety, even the sections that may not seem to directly apply to your environment. Sections within this book that deal with specific technologies actually apply universally and will often yield information to help apply the same concepts elsewhere.
This brings me to my next point. When reading this book it is crucial to not get to sidetracked with any specific technologies mentioned. While we will certainly delve into specific areas to help hone in the concepts, all sections are built upon the same reasoning, understanding, and philosophy. Thus, while I am saying "a server", it is also applicable to a router, room, application, network, and employee. Our goal here is far more than simply implementing a firewall and monitoring our intrusion detection system.
Making the Tough Decisions
The main goal of this book is to arm you with the ability to make good security decisions in all situations either simple or complex. Because the human thought process is a vastly complex beast, I have attempted to isolate the major points that should always flash through the mind when making a decision. After we have journeyed through the virtues, rules, and higher practices, you will find a short chapter describing how to use this information to make a good security decision. This section is a synthesis of everything that came before it, and is a good example of how one should think with a security mind. If you follow this section with an open mind, you may find that all of your security problems follow a similar flow. You will surely notice that some of the comments I make do not apply in every situation, but the heart of the process is extremely effective in recognizing and solving security problems.
Beginning at the End
As a final thought before venturing on I believe it would be helpful to understand the ultimate purpose of this reading. So, if I may, I invite you to take a glimpse at the conclusion that it may stay in your mind during the gap between page turns.
"To date, security has been a goal unachieved by many organizations. For some, information security appears to be a large, untamable beast that they simply hope will not bite them. As we have seen, though, security is not a monster, but rather a series of interrelated core concepts surrounded by an infinite number of possibilities. By taking our eyes off the infinite possibilities and focusing on the core concepts presented in this book, security becomes a much easier matter to comprehend and deal with. Placing proper focus on daily practices allows organizations to break away from the traditional security nightmares and makes security a natural extension of everyday actions."
"When an organization makes decisions using a developed security mind, it separates itself from the struggles and costs commonly associated with information security. In this infinitely dynamic world of IT, practicing such higher principles of security is the only chance we have to defend ourselves against enemies. If organizations continue to embrace new security technologies without developing a higher understanding of security, the enemies will simply be required to develop new and more clever technologies with which to attack us. However, when organizations begin to develop a security mind, they will begin to transcend such common "thrust and parry tactics," and through these efforts, emerge from the war victorious."
"This is a really good book ... it spells out the motherhood and apple pie of information security in a highly readable way."
—Warwick Ford, CTO, VeriSign, Inc.
"An excellent security read! Breaks down a complex concept into a simple and easy-to-understand concept."
—Vivek Shivananda, President
Make smarter, more informed security decisions for your company
- Redefine your organization's information security
- Learn to think and act like a top security guru!
- Understand the founding principles of security itself and make better decisions
- Make your security solutions more effective, easily manageable, and less costly!
Organizations today commit ever-increasing resources to information security, but are scarcely more secure than they were four or five years ago! By treating information security like an ordinary technological practice—that is, by throwing money, a handful of the latest technologies, and a lineup of gurus at the problem—they invariably wind up with expensive, but deeply flawed, solutions. The only way out of this trap is to change one's way of thinking about security: to grasp the reasoning, philosophy, and logic that underlie all successful security efforts.
In Inside the Security Mind: Making the Tough Decisions, security expert Kevin Day teaches you how to approach information security the way the top gurus do—as an art, rather than a collection of technologies. By applying this discipline, your solutions will be more secure and less burdensome in time, expense, and effort. The first part of the book explains the practice of breaking security decisions down into a set of simple rules. These rules may then be applied to make solid security decisions in almost any environment. In the second part, Day uses a series of practical examples to illustrate exactly how the discipline works in practice. Additional material covers:
- Designing an enterprise security plan, including perimeter/firewall and Internal defenses, application, system, and hardware security
- Ongoing security measures—recurring audits, vulnerability maintenance, logging and monitoring, and incident response, plus risk assessment
- Choosing between open source and proprietary solutions; and wired, wireless, and virtual private networks
This book is essential reading for anyone working to keep information secure. Technical and non-technical IT professionals alike can apply Day's concepts and strategies to become security gurus, while seasoned practitioners will benefit from the unique and effective presentation of the essential security practices.