It has been nine years since I first took up the sword to ward off a malicious two-headed hacker that was invading my lands. Over the past nine years I have witnessed a great deal of carnage and gore in the information security world. Securing everything from governments, Fortune 500 companies, health-care giants, medical research institutes, and even the good, old mom-and-pop shops has led me through a long maze of questioning and discovering. I have lived a cycle of life starting from the intrigued beginner, to the sworn hands-on technologist, to the enthused architect, to the senior advisor, and finally, the simple philosopher.
Like many philosophers, I cannot claim the ideas and practices in my book to be my own. They have simply been the inspiration of security related events and studies that have passed before me over the years. Eventually, the mind begins to notice things, patterns to what otherwise seems like simple madness. I began to realize what an incredible tool the recognition of these patterns presented; weapons of defense that can be wielded by everyone, not just by the security experts and the technically elite.
Here, I invite you to use these same weapons to protect your own homeland. The practices contained in this book have been proven time and again in direct combat with the enemy. The companies that have unfixed their eye from the size of their cannons and focused instead on the principles presented here have achieved security without a great deal of effort. For you see, the determining factors in a successful battle are not simply the technologies used, but the planning, strategizing, and decision making that take place before, during, and after the battle is complete.
Today, too many battles have been lost while following the commonly adopted guns and swords of information security. Too much blood has been spilled and too many retreats have been sounded in the chambers of our corporate lords. The first line of this book states, "The time has come for a different way of thinking about information security." What we are about to look into is not really "new" at all, but time honored practices of the ages, simply presented in a new and effective way.

Who Should Read this Book?
Inside the Security Mind was written in such a manner that anyone with the most basic IT knowledge will be able to read it. This was done with great care as I truly believe that everyone associated with technology within an organization should read this book. The chapters build upon constant and universally applicable rules of security that everyone should know and practice. Rather than having to spend years in study or practicing in the industry, however, the reader has only to grasp the concepts presented here. That is the goal of this book, to provide the reader with tools to think like a security expert and to correct the many flaws that currently plague the information security world. As such, I highly encourage the following people to read this book:
As you have no doubt concluded, this is probably not going to be your everyday IT reading experience. The style of this book was not adopted just to be cute and friendly, but rather to set the proper mood. In a moment, you will turn to Chapter 1, and you will not find a formal textbook on information security, but a true-to-life guide on surviving in the IT industry. This book requires only that the reader proceed with an open mind and an expectation of something pleasantly different. I would not be surprised if there are sections within this book that contradict the practices you have read or seen in the past, and perhaps, at the conclusion of the book, we will all agree on why.
The book flows linearly with each concept building upon the concepts presented before it. In the beginning, we will cover The Virtues of Security, basic understandings of how security should be embraced within an organization. We will then build upon those virtues to derive The Eight Rules of Security, practical concepts that can be easily applied in just about every situation. Next, you will find higher concepts that build upon the rules, and then, finally, a plethora of practical applications where all of this information is synthesized into real-world uses.
As you can probably guess, this is not a book with which one should skip back and forth through the pages searching for a specific topic. In order to fully understand the recommendations on protecting your VPNs, for example, you must first understand the virtues, rules, and concepts that the recommendation has been built upon. As such, I would highly recommend reading Inside the Security Mind in its entirety, even the sections that may not seem to directly apply to your environment. Sections within this book that deal with specific technologies actually apply universally and will often yield information to help apply the same concepts elsewhere.
This brings me to my next point. When reading this book it is crucial not to get too sidetracked by any specific technologies mentioned. While we will certainly delve into specific areas to help sharpen the concepts, all sections are built upon the same reasoning, understanding, and philosophy. Thus, when I say "a server", the same point applies to a router, a room, an application, a network, and an employee. Our goal here is far more than simply implementing a firewall and monitoring our intrusion detection system.

Making the Tough Decisions
The main goal of this book is to arm you with the ability to make good security decisions in all situations, either simple or complex. Because the human thought process is a vastly complex beast, I have attempted to isolate the major points that should always flash through the mind when making a decision. After we have journeyed through the virtues, rules, and higher practices, you will find a short chapter describing how to use this information to make a good security decision. This section is a synthesis of everything that came before it, and is a good example of how one should think with a security mind. If you follow this section with an open mind, you may find that all of your security problems follow a similar flow. You will surely notice that some of the comments I make do not apply in every situation, but the heart of the process is extremely effective in recognizing and solving security problems.

Beginning at the End
As a final thought before venturing on, I believe it would be helpful to understand the ultimate purpose of this reading. So, if I may, I invite you to take a glimpse at the conclusion, so that it may stay in your mind during the gap between page turns.
"To date, security has been a goal unachieved by many organizations. For some, information security appears to be a large, untamable beast that they simply hope will not bite them. As we have seen, though, security is not a monster, but rather a series of interrelated core concepts surrounded by an infinite number of possibilities. By taking our eyes off the infinite possibilities and focusing on the core concepts presented in this book, security becomes a much easier matter to comprehend and deal with. Placing proper focus on daily practices allows organizations to break away from the traditional security nightmares and makes security a natural extension of everyday actions."
"When an organization makes decisions using a developed security mind, it separates itself from the struggles and costs commonly associated with information security. In this infinitely dynamic world of IT, practicing such higher principles of security is the only chance we have to defend ourselves against enemies. If organizations continue to embrace new security technologies without developing a higher understanding of security, the enemies will simply be required to develop new and more clever technologies with which to attack us. However, when organizations begin to develop a security mind, they will begin to transcend such common "thrust and parry tactics," and through these efforts, emerge from the war victorious."
"This is a really good book ... it spells out the motherhood and apple pie of information security in a highly readable way."
—Warwick Ford, CTO, VeriSign, Inc.
"An excellent security read! Breaks down a complex concept into a simple and easy-to-understand concept."
—Vivek Shivananda, President
In Inside the Security Mind: Making the Tough Decisions, security expert Kevin Day teaches you how to approach information security the way the top gurus do—as an art, rather than a collection of technologies. By applying this discipline, your solutions will be more secure and less burdensome in time, expense, and effort. The first part of the book explains the practice of breaking security decisions down into a set of simple rules. These rules may then be applied to make solid security decisions in almost any environment. In the second part, Day uses a series of practical examples to illustrate exactly how the discipline works in practice. Additional material covers:
This book is essential reading for anyone working to keep information secure. Technical and non-technical IT professionals alike can apply Day's concepts and strategies to become security gurus, while seasoned practitioners will benefit from the unique and effective presentation of the essential security practices.
Great book albeit a little old. Still the concepts are still very applicable in today's world.
Published 10 months ago by J.Esti
A very interesting book, that tries a new approach to security, and tries to avoid the mumbo-jumbo of IT-security and still be valid in a business environment.
Published on Aug. 30 2003 by Roland Buresund
The book provides an excellent holistic approach to information security. It is highly recommended.
I could not agree more with Stephen Northcutt's review of Inside the Security Mind. I see this book as a bold and powerful new approach to thinking about infosec.
Published on July 16 2003 by Michael Wren
Well, besides the fact that Amazon said it would be "hard cover" and it was actually "soft cover", this was well worth the sacrifice. It's very readable, and I highly recommend it.
Published on April 7 2003 by Tim Jonahan
I liked it.... put it along the lines of "Secrets and Lies". Just as interesting, and probably more useful (practical) for most. -just my opinion.
Published on March 28 2003 by Avram Andela
The approach is very nice. The author lays out his concepts and ideology, and then gives real world examples on making decisions and implementing change.
Published on March 27 2003 by Steve
This is not a traditional techie "how-to" book; nor does it appear that it was intended to be.
Published on March 26 2003 by John Forge