Slashdot Mirror
Mission Critical Security Planner
Greenberg delights in skewering bureaucracies that believe planning and methodology is an end in itself, yet recognizes key business realities facing security advocates and suggests practical approaches to "selling security" within an organization -- an important topic given tight or shrinking budgets.
Greenberg is clearly a security guy and writes with experience and authority -- at times the style is conversational and humorous and at others professorial -- it is a good read for a security-focused text. While providing a strong overview of sound security planning and risk management concepts, MCSP also digs down and provides details where it counts regarding filters, proxies, IDS/VA, configuration management, content management (ActiveX, etc), and so forth yet consistently presents this low-level detail within the framework of an actionable security planning methodology that will be relevant five or even ten years from now. MCSP is anything but a security cookbook of technology discussions gleaned from public sources, although many basic concepts and topics are explained in the book's comprehensive glossary. Instead, the book presents the strengths and weaknesses of various technologies and approaches as they relate to the security improvement process.
MCSP utilizes a sequence of sophisticated worksheets to guide the reader through the security planning process and create a dynamic, actionable security plan -- not a plan that lives on the shelf. Using Greenberg's approach there are three components to the Security Plan: Security Stack (physical, network, application, OS), Life-Cycle Stack (technology selection, implementation, operations, incident response), and Business (information, infrastructure, people). Interestingly, you may have noticed that the Security Stack is similar to the OSI model -- this is typical of the rational and logical approach throughout the book. Using the worksheet approach as a guide, the Security Plan is mapped to 28 pre-defined security elements addressing the core security planning challenges of a distributed computing environment. Based on the worksheets, the impact analysis method approach provides a readily understandable plan that reflects the specific business, technical, and lifecycle tradeoffs in your organization.
Greenberg keeps it interesting with many anecdotes illustrating key points and thought-provoking arguments. For example, he advocates an approach that will hold vendors accountable for poor security by providing a quantifiable method for business software users to track security. The final chapter covers strategic security planning with PKI and provides a roadmap for selling an organization on the benefits of PKI when appropriate.
MCSP is an innovative and useful security book. The book provides security staffers and planners with the logical framework and tools they need to create a comprehensive, living, and actionable security plan enabling the organization to shift from a reactive security posture to a more pro-active approach. Highly recommended.
Online reader resources are available and chapter one maybe downloaded from http://www.criticalsecurity.com.
Table of Contents
- Chapter 1: Setting the Stage For Successful Security Planning.
- Chapter 2: A Security Plan That Works
- Chapter 3: Using the Security Plan Worksheets: The Fundamentals
- Chapter 4: Using the Security Plan Worksheets: The Remaining Core and Wrap-Up Elements
- Chapter 5: Strategic Security Planning with PKI
- Chapter 6: Ahead of the Hacker: Best Practices and a View of the Future
You can purchase Mission Critical Security Planner from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
I can't see the chapter about "how to avoid slashdotting". ;-)
Webmasters sure need a "actionable, meaningful security approach" for this
A Useful, Actionable, Manageable approach to security???
Doesn't this guy know that security is all complicated and stuff and that people need to hire VERY expensive security consultants like me?
This is the first time I have seen a book since my leadership training in the mid 80's that actually talks about measured improvement! Every job I have held since I retired from the Navy (all IT related), security "success or failure" is based on scanning with Nessus or a similar tool and if the machine passes "It's secure". No measurement of improvement, no training, just run the scan and use a "click through PowerPoint presentation" and you're done! The problem with the Government and security is that it gets tied up too much in "committee" where you have people who have no clue on security weighing in and actually believing that if you are C2, you are secure. This book should be a requirement for IT management, regardless of whether they are in the public or private sector. From what I can see of the worksheets, it is not tied down with details, but straightforward questions of what to do and how to measure the results. Find that in TCSEC or Common Criteria!
I know /. gets a commission if we click on that link to buy the book from B&N, but Amazon has it for $10 less.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
Microsoft has announced in a press release that it will be suing Wiley and Eric Greenberg for attempted copyright infringement. Microsoft claims that the "MCSP" consolidated title is trying to compete with a yet unannounced revision for a product name: "Microsoft Certified Service Pack (MCSP)."
"This is nothing against Mr. Greenberg," said Bill Gates when asked to comment. "We just don't want any competi- excuse me, confusion."
More on this as details develop.
"It's the little touches that make a future solid enough to be destroyed" --William S. Bourroughs
The book does exactly that, takes-on real security issues. On social engineering, this is addressed in the book via the "Business-People" security planning template he provides and the associated discussions and commentary/guidance all through the book.
ok, I'll take your flamebait...
2. There is no step 2
Yes, there are other steps:
2. If you believe any Micro$haft product is secure, even with the latest rounds of Security Patches, make your way to an emergency room ASAP to get Bill G.'s hand extruded from your ass, because you're apparently just a puppet with Daddy Bill mouthing the words.
3. If you believe in OpenVMS, visit http://www.reversemylobotomy.com/
Intel can't come up with a chip fast enough that M$ can't slow down...
and that is the point of this book. Security is a process/plan, not a software feature. A firewall could have prented the SQL Slammer. Then again, a firewall could not have prevented the SQL Slammer worm. The difference is whether or not the IT folks knew how to configure the firewall to meet their needs (in this case of the SQL worm, they didn't configure it on port 1434 or in general because clearly most just had a default setup of some kind). Furthermore, the use of software like Microsoft SQL and its related components (MSDE, etc) is a planning issue as it relates to security-- companies don't even know what the have installed and if they have installed it, they have no process to assess their (in)security. This book drives at the heart of that whole debate and tries hard to provide a workable process. How do you plan, for an organization overall, for proper configuration of what you do deploy? How do you convince people to use an IDS and if you do, how to you assure success (e.g. the author discusses the relationship between IDS's and vulnerability analysis)? If you get a book that simply gets quantitative on different software features (e.g. IDS, VA, firewall), it might not be very helpful. What would be helpful is how you plan and use this software. That's what this book helps with.
For instance, a sensibly configured (deny all except what is expressly required) firewall would have stopped the SQL Slammer worm, but wouldn't necessarily work against an attack launched against port 80, for example.
Good network security, as with good physical security, requires a certain element of paranoia - simply sticking a firewall in front of a box will not guarantee security.
You ask why a firewall would fail in the case of SQL Slammer.
There are two possible scenarios - explicitly allowing port 1434 connections would be one, misconfiguration would be the other.
I don't have numbers, but would say that anyone with a firewall that got affected by SQL Slammer should seriously question their firewall policy and possibly kill the admin responsible.
oh brave new world, that has such people in it!