Inside the Security Mind: Making the Tough Decisions

"This is a really good book ...it spells out the motherhood and apple pie of information security in a highly readable way." - Warwick Ford, CTO, VeriSign, Inc."An excellent security read! Breaks down a complex concept into a simple and easy-to-understand concept." - Vivek Shivananda, PresidentRedefine your organization's information securityLearn to think and act like a top security guru! Understand the founding principles of security itself and make better decisionsMake your security solutions more effective, easily manageable, and less costly!Make smarter, more informed security decisions for your companyOrganizations today commit ever-increasing resources to information security, but are scarcely more secure than they were four or five years ago! By treating information security like an ordinary technological practice - that is, by throwing money, a handful of the latest technologies, and a lineup of gurus at the problem - they invariably wind up with expensive, but deeply flawed, solutions. The only way out of this trap is to change one's way of thinking about security: to grasp the reasoning, philosophy, and logic that underlie all successful security efforts.In Inside the Security Mind: Making the Tough Decisions, security expert Kevin Day teaches you how to approach information security the way the top gurus do - as an art, rather than a collection of technologies. By applying this discipline, your solutions will be more secure and less burdensome in time, expense, and effort. The first part of the book explains the practice of breaking security decisions down into a set of simple rules. These rules may then be applied to make solid security decisions in almost any environment. In the second part, Day uses a series of practical examples to illustrate exactly how the discipline works in practice. Additional material covers:Designing an enterprise security plan, including perimeter/firewall and Internal defenses, application, system, and hardware securityOngoing security measures - recurring audits, vulnerability maintenance, logging and monitoring, and incident response, plus risk assessmentChoosing between open source and proprietary solutions; and wired, wireless, and virtual private networksThis book is essential reading for anyone working to keep information secure. Technical and non-technical IT professionals alike can apply Day's concepts and strategies to become security gurus, while seasoned practitioners will benefit from the unique and effective presentation of the essential security practices.

Table of Contents:
Prologue. Acknowledgments. 1. Introduction. The Security Mind. Where Do We Start? Where Does It End? 2. A New Look at Information Security. Security as an Art Form. What We Know About Security. Understanding the Fear Factor. How to Successfully Implement and Manage Security. 3. The Four Virtues of Security. Introduction to the Virtues. The Virtue of Daily Consideration. The Virtue of Community Effort. The Virtue of Higher Focus. The Virtue of Education. Using These Virtues. 4. The Eight Rules of Security (Components of All Security Decisions). Introduction to the Rules. Rule of Least Privilege. Rule of Change. Rule of Trust. Rule of the Weakest Link. Rule of Separation. Rule of the Three-Fold Process. Rule of Preventative Action (Proactive Security). Rule of Immediate and Proper Response. Incorporating the Rules. 5. Developing a Higher Security Mind. The Art of Higher Security. Thinking in Zones. Creating Chokepoints. Layering Security. Working in Stillness. Understanding Relational Security. Understanding Secretless Security. Dividing Responsibilities. Failing Securely. 6. Making Security Decisions. Using the Rules to Make a Decision. The Decision-Making Process. Example Decision. 7. Know Thy Enemy and Know Thyself. Understanding the Modern Hacker. Where Modern Vulnerabilities Exist. Modern Targets. Modern Exploits. Neglecting the Rules: A Hacker's Tale. Creating Your Own Security Profile. Becoming Invisible to Your Enemies. 8. Practical Security Assessments. The Importance of a Security Audit. Understanding Risks and Threats. The Traditional Security Assessment Model. The Relational Security Assessment Model. Relational Security Assessment Model: Risks. Relational Security Assessment Model: Controls. Relational Security Assessment Model: Tactical Audit Process. Analytical Audit Measures. Additional Audit Considerations. 9. The Security Staff. Building a Successful Security Team. Bringing in Security Consultants. Outsourcing Security Maintenance. 10. Modern Considerations. Using Standard Defenses. Open Source vs. Closed Source Security. Wireless Networks. Encryption. Virtual Private Networking. 11. The Rules in Practice. Practicing the Rules. Perimeter Defenses. Internal Defenses. Physical Defenses. Direct Object Defenses. Outbound Internet Access. Logging and Monitoring. Handling Authentication. 12. Going Forward. The Future of Information Security. Appendix A. Tips on Keeping Up-to-Date. Appendix B. Ideas for Training. Appendix C. Additional Recommended Audit Practices. Appendix D. Recommended Reading. Appendix E. The Hidden Statistics of Information Security. Index.

About the Author :
KEVIN DAY is a CISSP and has worked as the lead security engineer and security practice manager fora major East Coast consulting firm. In these positions, Day worked on a series of high-profileprojects for Fortune 500 companies and government organizations. He is the founder of theRelational Security Corporation and currently heads up a joint venture developing new tools andmethodologies security risk assessment and auditing.