Mission Critical Security Planner

Kerberos99 writes "Mission Critical Security Planner is a timely and important book from Eric Greenberg, author of Network Application Frameworks (reviewed on Slashdot and used as a text in many CS courses). In Mission Critical Security Planner (MCSP),Greenberg advocates an actionable, meaningful security approach that doesn't get hung up on methodology or reliance on abstract standards, like DoD and other common standards." Read on for the rest of Kerberos99's review. Mission Critical Security Planner author Eric Greenberg pages 416 publisher Wiley rating 9.5 reviewer Kerberos99 ISBN 0471211656 summary Provides an innovative approach to create a customized security improvement plan, including analyzing needs, justifying budgets, and selecting technology, while reducing time and cost.

Greenberg delights in skewering bureaucracies that believe planning and methodology is an end in itself, yet recognizes key business realities facing security advocates and suggests practical approaches to "selling security" within an organization -- an important topic given tight or shrinking budgets.

Greenberg is clearly a security guy and writes with experience and authority -- at times the style is conversational and humorous and at others professorial -- it is a good read for a security-focused text. While providing a strong overview of sound security planning and risk management concepts, MCSP also digs down and provides details where it counts regarding filters, proxies, IDS/VA, configuration management, content management (ActiveX, etc), and so forth yet consistently presents this low-level detail within the framework of an actionable security planning methodology that will be relevant five or even ten years from now. MCSP is anything but a security cookbook of technology discussions gleaned from public sources, although many basic concepts and topics are explained in the book's comprehensive glossary. Instead, the book presents the strengths and weaknesses of various technologies and approaches as they relate to the security improvement process.

MCSP utilizes a sequence of sophisticated worksheets to guide the reader through the security planning process and create a dynamic, actionable security plan -- not a plan that lives on the shelf. Using Greenberg's approach there are three components to the Security Plan: Security Stack (physical, network, application, OS), Life-Cycle Stack (technology selection, implementation, operations, incident response), and Business (information, infrastructure, people). Interestingly, you may have noticed that the Security Stack is similar to the OSI model -- this is typical of the rational and logical approach throughout the book. Using the worksheet approach as a guide, the Security Plan is mapped to 28 pre-defined security elements addressing the core security planning challenges of a distributed computing environment. Based on the worksheets, the impact analysis method approach provides a readily understandable plan that reflects the specific business, technical, and lifecycle tradeoffs in your organization.

Greenberg keeps it interesting with many anecdotes illustrating key points and thought-provoking arguments. For example, he advocates an approach that will hold vendors accountable for poor security by providing a quantifiable method for business software users to track security. The final chapter covers strategic security planning with PKI and provides a roadmap for selling an organization on the benefits of PKI when appropriate.

MCSP is an innovative and useful security book. The book provides security staffers and planners with the logical framework and tools they need to create a comprehensive, living, and actionable security plan enabling the organization to shift from a reactive security posture to a more pro-active approach. Highly recommended.

Online reader resources are available and chapter one maybe downloaded from http://www.criticalsecurity.com.

Table of Contents

• Chapter 1: Setting the Stage For Successful Security Planning.
• Chapter 2: A Security Plan That Works
• Chapter 3: Using the Security Plan Worksheets: The Fundamentals
• Chapter 4: Using the Security Plan Worksheets: The Remaining Core and Wrap-Up Elements
• Chapter 5: Strategic Security Planning with PKI
• Chapter 6: Ahead of the Hacker: Best Practices and a View of the Future

You can purchase Mission Critical Security Planner from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

security

[AyeFly]

My linksys router's firewall doesn't provide good security???

Re:security

when will people learn?
firewalls =/= security.

Re:security

[t0ny]

When will people know what they are talking about? The original poster was making a joke about the non-firewall in the linksys firewall.

Consumer routers that do NAT are being marketted, for some reason, as firewalls.

Re:security

[Forgotten]

They are firewalls. Not extremely featured or powerful firewalls, but a NAT box is a type of transport-layer proxy firewall. And for most people's home LAN needs they're probably enough.

I haven't really seen NAT being marketed as a major security feature to date, though I wouldn't doubt it. That sort of marketing does suck, but it doesn't harm the fact that a NAT really does provide some security benefits.

./ing

[olip]

I can't see the chapter about "how to avoid slashdotting".
Webmasters sure need a "actionable, meaningful security approach" for this ;-)

Re:./ing

[Vodak]

It's very easy to protect your website against the slashdot effect. Create a website that has no useful information on it. If you do this there is a 50/50 chance that the website will be immune to the slashdot effect. =]

Re:./ing

[t0ny]

well, if your useless website even has a peripheral relation to Linux, Apple, or a baseless complaint about Microsoft, that chance of being on /. (not ./ as the poster put) goes up to about 90%...

What is this guy thinking?

A Useful, Actionable, Manageable approach to security???

Doesn't this guy know that security is all complicated and stuff and that people need to hire VERY expensive security consultants like me?

It is certainly different (which is a good thing)

[nemaispuke]

This is the first time I have seen a book since my leadership training in the mid 80's that actually talks about measured improvement! Every job I have held since I retired from the Navy (all IT related), security "success or failure" is based on scanning with Nessus or a similar tool and if the machine passes "It's secure". No measurement of improvement, no training, just run the scan and use a "click through PowerPoint presentation" and you're done! The problem with the Government and security is that it gets tied up too much in "committee" where you have people who have no clue on security weighing in and actually believing that if you are C2, you are secure. This book should be a requirement for IT management, regardless of whether they are in the public or private sector. From what I can see of the worksheets, it is not tied down with details, but straightforward questions of what to do and how to measure the results. Find that in TCSEC or Common Criteria!

Amazon

[monkeydo]

I know /. gets a commission if we click on that link to buy the book from B&N, but Amazon has it for $10 less.

Re:Amazon

[volsung]

You can also get it $10 cheaper than B&N on Half.com.

Jeff Bezos Is My Cousin

[Acidic_Diarrhea]

Here's the link to buy it from Amazon. Also, here's a review someone left in Amazon that I found interesting:

"Eric Greenberg has put together an excellent book, at last someone has thought about planning security, instead of hacking security precautions on as an afterthought. Mr. Greenberg has obviously dived into his depth of experiences and amalgamated them into a coherent way to build a security strategy. Were the book really shines and that experience comes through is in realizing that security is not just about putting a lock on a door. It is about putting the procedures, hardware, software, people and most importantly the mindset into an organization in a cohesive way so that nothing is overlooked and the checks and balances are in place to validate every part of these measures. The author also understands the vital importance that security is all cost and benefit.

By taking the overhead view and delving into the cracks in the armor organizations seldom think about, the book provides the templates for building that elusive security plan. These templates (worth the price of admission alone) are used in a step-by-step approach to replacing the haphazard security with a coherent, manageable, administrable, and most importantly, a downright implemental plan. And book doesn't just stop at getting the plan in place; it goes into the extremely vital and usually overlooked, "What happens next?" and builds the strategy for response, recovery, testing, support, procurement, integration, staging and training.

This is a must-read for information security professionals and infrastructure planners"

There has been a lawsuit filed

[Dragon218]

Microsoft has announced in a press release that it will be suing Wiley and Eric Greenberg for attempted copyright infringement. Microsoft claims that the "MCSP" consolidated title is trying to compete with a yet unannounced revision for a product name: "Microsoft Certified Service Pack (MCSP)."

"This is nothing against Mr. Greenberg," said Bill Gates when asked to comment. "We just don't want any competi- excuse me, confusion."

More on this as details develop.

Re:There has been a lawsuit filed

[JavaPriest]

Actually, MCSP stands for Microsoft Certified Solution Provider.

Re:There has been a lawsuit filed

[supersnail]

Well they managed to grab "bookshelf" as their own for a while.

Re:There has been a lawsuit filed

[platypus]

Huh?

I thought Microsoft Certified Solitaire Player?

(I know, old joke)

Security Basics

[Qzukk]

How good is this at covering the basics of the hazy cloud that is "real" security, both against online attacks and social engineering?

I'm currently at the level of "if it passes [insert_attack_script] its safe" but would like to learn how to get past that. I can competently secure a given box, but I think attempting a mid to large size network would be a "learning experience" (read: disaster) for me.

Any suggestions?

Re:Security Basics

[Danta]

Practical Unix and Internet Security is the right book for you. Gives you exact, direct steps to secure your system as well as the bigger picture.

yes, it covers that

The book does exactly that, takes-on real security issues. On social engineering, this is addressed in the book via the "Business-People" security planning template he provides and the associated discussions and commentary/guidance all through the book.

Re:Terror alert updated

Am I supposed to cover all the air intakes, windows and doors with plastic and duct tape if this alert is in force?

Re:abbreviated version

[clarktrip1]

ok, I'll take your flamebait...

2. There is no step 2

Yes, there are other steps:

2. If you believe any Micro$haft product is secure, even with the latest rounds of Security Patches, make your way to an emergency room ASAP to get Bill G.'s hand extruded from your ass, because you're apparently just a puppet with Daddy Bill mouthing the words.

3. If you believe in OpenVMS, visit http://www.reversemylobotomy.com/

quantitative results on security measures ?

[Random+Walk]

The thing I would be most interested in would be some solid, quantitative data on the success/usefulness of various types of security software/solutions (like firewalls, IDSs, etc.).

Like, what percentage of attacks are actually prevented by such measures ? E.g., how many sites have been protected from the SQL Slammer worm by their firewall, and on how many sites has the firewall failed, and why ?

Despite the flood of publications entering the market, I have never seen any in-depth discussion of quantifyable merits of security software. Usually the argument for investments into security is that you will save the cost caused by incidents (so the hidden assumption seems to be that the measures taken will be 100 per cent effective ?). Does this book provide any more insight ?

Re:quantitative results on security measures ?

[BigBadBri]

It's not so much the security measures, as how they are implemented.

For instance, a sensibly configured (deny all except what is expressly required) firewall would have stopped the SQL Slammer worm, but wouldn't necessarily work against an attack launched against port 80, for example.
Good network security, as with good physical security, requires a certain element of paranoia - simply sticking a firewall in front of a box will not guarantee security.
You ask why a firewall would fail in the case of SQL Slammer.
There are two possible scenarios - explicitly allowing port 1434 connections would be one, misconfiguration would be the other.

I don't have numbers, but would say that anyone with a firewall that got affected by SQL Slammer should seriously question their firewall policy and possibly kill the admin responsible.

Re:quantitative results on security measures ?

[somnusgti]

I do agree with how security measures are implemented being the important thing. However, I have two comments:

1. If a firewall was configured to allow port 1434 connections into the network, then the firewall did not fail when the SQL server got infected with slammer. The firewall did exactly as it was told.

2. It's not always the admin's fault when it comes to their machines not always having the latest patches. A lot of times patches cannot be applied to a machine because it will cause the applications on that machine not to work. A lot of the admins who might get blamed were the same ones on the phone with the developers of their applications pleading with them to get their software ms-service pack compliant (before sql slammer was even thought of).

Re:quantitative results on security measures ?

[platypus]

Perhaps a better example would be blocking port 1434 at the firewall, but using that as an excuse not to patch the servers in the intranet (*cough* Microsoft *cough*).

Re:quantitative results on security measures ?

[sheldon]

In a large company with many thousands of computers, it is not inconceivable that someone might bring a laptop in, infected from outside the company and bring it out of hibernation mode within the boundaries of your firewall.

Or, I've seen this as well... laptops used to dial out to AOL accounts and then when the modem connection is dropped, they're now back on your LAN.

A firewall is one form of protection, but it's not impervious.

It's not software/features, it's the process

and that is the point of this book. Security is a process/plan, not a software feature. A firewall could have prented the SQL Slammer. Then again, a firewall could not have prevented the SQL Slammer worm. The difference is whether or not the IT folks knew how to configure the firewall to meet their needs (in this case of the SQL worm, they didn't configure it on port 1434 or in general because clearly most just had a default setup of some kind). Furthermore, the use of software like Microsoft SQL and its related components (MSDE, etc) is a planning issue as it relates to security-- companies don't even know what the have installed and if they have installed it, they have no process to assess their (in)security. This book drives at the heart of that whole debate and tries hard to provide a workable process. How do you plan, for an organization overall, for proper configuration of what you do deploy? How do you convince people to use an IDS and if you do, how to you assure success (e.g. the author discusses the relationship between IDS's and vulnerability analysis)? If you get a book that simply gets quantitative on different software features (e.g. IDS, VA, firewall), it might not be very helpful. What would be helpful is how you plan and use this software. That's what this book helps with.

Re:It's not software/features, it's the process

[tupps]

The problem with worms, and I have seen this with Code Red and slammer, is that while the servers might be protected from the outside nasties, all it takes is one default installed IIS or MSDE on a notebook that someone connects up to the net at home and they literally walk the worm into your network.

The hardest part is that to solve these sort of security problems involves educating the users. This takes a lot of time, and most people outside IT just don't care.

Re:It is certainly different (which is a good thin

[t0ny]

I hear that. Once things go to a committee, you are actaully better off explaining your project to a brain-dead hamster.

I suppose it should surprise me why so many idiots got into computer security, but since it is so complex and easy to bullshit, and only a qualified person can tell that they dont know what they are talking about, that it actually ISNT a surprise. And if they make sure nobody around them is competant, then nobody will even know they have been hacked.

I like his...

[meme_police]

...three components: Security Stack, Life-Cycle Stack, and Business Stack. Sounds like a good way to have respective officers of a company plan for security, CTO handle security, CIO handle life-cycle, and CEO handle the business.

Re:I like his...

[telstar]

Usually all three of them are too busy counting their money to handle anything else...

Trust me the people with that data aren't talking

[fw3]

Also, the numbers are 'negative' - if you're lucky you can measure attacks (successful and not), but you can't directly measure the value of the 'safe' systems.

For instance I know a fellow at a large financial institution who put 5 people in prison in 2001. These aren't kiddies or Mitnicks, these are people who've actively targetted this business and tried to break in. Naturally the security geeks mostly lose sleep over the ones they fear they didn't catch / observe.

Kiddies, worms, and all the forms of low-level noise that are part of the modern net aren't the problem. If you're successfully hit by a worm then basically you don't care enough to bother to put defenses in place because the worms usually follow the vulnerability disclosures by months, not hours or days.

If you have assets that are worth protecting then the first step in securing is to assess the cost of being rooted, and determining a cost-effective approach to mitigating attacks.

Usually this means 'defense in depth', e.g. planning and ensuring that an attacker's reconnasance will set off the alarms allowing you to mitigate before an *effective* attack is started.

My $0.02, anyone relying on a *firewall* to protect their assets has already lost the game. A serious perimiter defense probably includes a carefully secured firewall, network IDS, and host/configuration IDS/configuration management, just for starters. As with all engineering tasks, care in design directly translates to both the effectiveness and the cost-effectiveness of the results.

This book sounds like a positive step in communicating the knowlege of how this is done.

Re:abbreviated version

:(

I tried to go to that site, but it couldn't be found.

Careful Eric...

Careful Eric, the acronym "MCSP" could be construed as "confusingly similar" to the acronym "MCSE".... plus, Bill Gates purchased the rights to the letters 'M' and 'S' last week, and you used both. Cough up!

s/nerd/boss/
s/jock/janitor/
s/baghdad/crater/

Y'all ain't right ..., I'm so old I know ....

[ectropy777]

I remember a time before Microsoft when MCSP meant "More Crappy Software Patches" that Microsoft decided to use the Acronym to mean other very similar things just proves the old proverb: (1) A rose by any other name would smell as sweet, (2) Shit piled any other way would still stink, or (3) MS Bash can be fun for some fact for others . . ..