

Mission Critical Security Planner

Kerberos99 writes "Mission Critical Security Planner is a timely and important book from Eric Greenberg, author of Network Application Frameworks (reviewed on Slashdot and used as a text in many CS courses). In Mission Critical Security Planner (MCSP), Greenberg advocates an actionable, meaningful security approach that doesn't get hung up on methodology or reliance on abstract standards, like DoD and other common standards." Read on for the rest of Kerberos99's review.

  • Title: Mission Critical Security Planner
  • Author: Eric Greenberg
  • Pages: 416
  • Publisher: Wiley
  • Rating: 9.5
  • Reviewer: Kerberos99
  • ISBN: 0471211656
  • Summary: Provides an innovative approach to create a customized security improvement plan, including analyzing needs, justifying budgets, and selecting technology, while reducing time and cost.

Greenberg delights in skewering bureaucracies that believe planning and methodology are an end in themselves, yet recognizes key business realities facing security advocates and suggests practical approaches to "selling security" within an organization -- an important topic given tight or shrinking budgets.

Greenberg is clearly a security guy and writes with experience and authority -- at times the style is conversational and humorous and at others professorial -- it is a good read for a security-focused text. While providing a strong overview of sound security planning and risk management concepts, MCSP also digs down and provides details where it counts regarding filters, proxies, IDS/VA, configuration management, content management (ActiveX, etc), and so forth yet consistently presents this low-level detail within the framework of an actionable security planning methodology that will be relevant five or even ten years from now. MCSP is anything but a security cookbook of technology discussions gleaned from public sources, although many basic concepts and topics are explained in the book's comprehensive glossary. Instead, the book presents the strengths and weaknesses of various technologies and approaches as they relate to the security improvement process.

MCSP utilizes a sequence of sophisticated worksheets to guide the reader through the security planning process and create a dynamic, actionable security plan -- not a plan that lives on the shelf. Using Greenberg's approach there are three components to the Security Plan: Security Stack (physical, network, application, OS), Life-Cycle Stack (technology selection, implementation, operations, incident response), and Business (information, infrastructure, people). Interestingly, you may have noticed that the Security Stack is similar to the OSI model -- this is typical of the rational and logical approach throughout the book. Using the worksheet approach as a guide, the Security Plan is mapped to 28 pre-defined security elements addressing the core security planning challenges of a distributed computing environment. Based on the worksheets, the impact analysis method approach provides a readily understandable plan that reflects the specific business, technical, and lifecycle tradeoffs in your organization.

Greenberg keeps it interesting with many anecdotes illustrating key points and thought-provoking arguments. For example, he advocates an approach that will hold vendors accountable for poor security by providing a quantifiable method for business software users to track security. The final chapter covers strategic security planning with PKI and provides a roadmap for selling an organization on the benefits of PKI when appropriate.

MCSP is an innovative and useful security book. The book provides security staffers and planners with the logical framework and tools they need to create a comprehensive, living, and actionable security plan enabling the organization to shift from a reactive security posture to a more pro-active approach. Highly recommended.

Online reader resources are available and chapter one may be downloaded from http://www.criticalsecurity.com.

Table of Contents

  • Chapter 1: Setting the Stage For Successful Security Planning
  • Chapter 2: A Security Plan That Works
  • Chapter 3: Using the Security Plan Worksheets: The Fundamentals
  • Chapter 4: Using the Security Plan Worksheets: The Remaining Core and Wrap-Up Elements
  • Chapter 5: Strategic Security Planning with PKI
  • Chapter 6: Ahead of the Hacker: Best Practices and a View of the Future

You can purchase Mission Critical Security Planner from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

6 of 45 comments

  1. Amazon by monkeydo (Score: 4, Informative)

    I know /. gets a commission if we click on that link to buy the book from B&N, but Amazon has it for $10 less.

    --
    Si vis pacem, para bellum
    The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    1. Re:Amazon by volsung (Score: 2, Informative)

      You can also get it $10 cheaper than B&N on Half.com.

  2. yes, it covers that by Anonymous Coward (Score: 3, Informative)

    The book does exactly that, takes on real security issues. On social engineering, this is addressed in the book via the "Business-People" security planning template he provides and the associated discussions and commentary/guidance all through the book.

  3. Re:security by t0ny (Score: 2, Informative)

    When will people know what they are talking about? The original poster was making a joke about the non-firewall in the linksys firewall.

    Consumer routers that do NAT are being marketed, for some reason, as firewalls.

    --

    Manipulate the moderator system! Mod someone as "overrated" today.

  4. Trust me the people with that data aren't talking by fw3 (Score: 2, Informative)

    Also, the numbers are 'negative' - if you're lucky you can measure attacks (successful and not), but you can't directly measure the value of the 'safe' systems.

    For instance I know a fellow at a large financial institution who put 5 people in prison in 2001. These aren't kiddies or Mitnicks, these are people who've actively targeted this business and tried to break in. Naturally the security geeks mostly lose sleep over the ones they fear they didn't catch / observe.

    Kiddies, worms, and all the forms of low-level noise that are part of the modern net aren't the problem. If you're successfully hit by a worm then basically you don't care enough to bother to put defenses in place because the worms usually follow the vulnerability disclosures by months, not hours or days.

    If you have assets that are worth protecting then the first step in securing is to assess the cost of being rooted, and determining a cost-effective approach to mitigating attacks.

    Usually this means 'defense in depth', e.g. planning and ensuring that an attacker's reconnaissance will set off the alarms allowing you to mitigate before an *effective* attack is started.

    My $0.02, anyone relying on a *firewall* to protect their assets has already lost the game. A serious perimeter defense probably includes a carefully secured firewall, network IDS, and host/configuration IDS/configuration management, just for starters. As with all engineering tasks, care in design directly translates to both the effectiveness and the cost-effectiveness of the results.

    This book sounds like a positive step in communicating the knowledge of how this is done.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD
  5. Re:Security Basics by Danta (Score: 2, Informative)

    Practical Unix and Internet Security is the right book for you. Gives you exact, direct steps to secure your system as well as the bigger picture.