Mission Critical Security Planner
Greenberg delights in skewering bureaucracies that believe planning and methodology is an end in itself, yet recognizes key business realities facing security advocates and suggests practical approaches to "selling security" within an organization -- an important topic given tight or shrinking budgets.
Greenberg is clearly a security guy and writes with experience and authority -- at times the style is conversational and humorous and at others professorial -- it is a good read for a security-focused text. While providing a strong overview of sound security planning and risk management concepts, MCSP also digs down and provides details where it counts regarding filters, proxies, IDS/VA, configuration management, content management (ActiveX, etc), and so forth yet consistently presents this low-level detail within the framework of an actionable security planning methodology that will be relevant five or even ten years from now. MCSP is anything but a security cookbook of technology discussions gleaned from public sources, although many basic concepts and topics are explained in the book's comprehensive glossary. Instead, the book presents the strengths and weaknesses of various technologies and approaches as they relate to the security improvement process.
MCSP utilizes a sequence of sophisticated worksheets to guide the reader through the security planning process and create a dynamic, actionable security plan -- not a plan that lives on the shelf. Using Greenberg's approach there are three components to the Security Plan: Security Stack (physical, network, application, OS), Life-Cycle Stack (technology selection, implementation, operations, incident response), and Business (information, infrastructure, people). Interestingly, you may have noticed that the Security Stack is similar to the OSI model -- this is typical of the rational and logical approach throughout the book. Using the worksheet approach as a guide, the Security Plan is mapped to 28 pre-defined security elements addressing the core security planning challenges of a distributed computing environment. Based on the worksheets, the impact analysis approach provides a readily understandable plan that reflects the specific business, technical, and lifecycle tradeoffs in your organization.
Greenberg keeps it interesting with many anecdotes illustrating key points and thought-provoking arguments. For example, he advocates an approach that will hold vendors accountable for poor security by providing a quantifiable method for business software users to track security. The final chapter covers strategic security planning with PKI and provides a roadmap for selling an organization on the benefits of PKI when appropriate.
MCSP is an innovative and useful security book. The book provides security staffers and planners with the logical framework and tools they need to create a comprehensive, living, and actionable security plan enabling the organization to shift from a reactive security posture to a more pro-active approach. Highly recommended.
Online reader resources are available and chapter one may be downloaded from http://www.criticalsecurity.com.
Table of Contents
- Chapter 1: Setting the Stage For Successful Security Planning.
- Chapter 2: A Security Plan That Works
- Chapter 3: Using the Security Plan Worksheets: The Fundamentals
- Chapter 4: Using the Security Plan Worksheets: The Remaining Core and Wrap-Up Elements
- Chapter 5: Strategic Security Planning with PKI
- Chapter 6: Ahead of the Hacker: Best Practices and a View of the Future
You can purchase Mission Critical Security Planner from bn.com.
A Useful, Actionable, Manageable approach to security???
Doesn't this guy know that security is all complicated and stuff and that people need to hire VERY expensive security consultants like me?
This is the first time I have seen a book since my leadership training in the mid 80's that actually talks about measured improvement! In every job I have held since I retired from the Navy (all IT related), security "success or failure" has been based on scanning with Nessus or a similar tool, and if the machine passes, "It's secure". No measurement of improvement, no training, just run the scan and use a "click through PowerPoint presentation" and you're done! The problem with the Government and security is that it gets tied up too much in "committee" where you have people who have no clue on security weighing in and actually believing that if you are C2, you are secure. This book should be a requirement for IT management, regardless of whether they are in the public or private sector. From what I can see of the worksheets, it is not tied down with details, but straightforward questions of what to do and how to measure the results. Find that in TCSEC or Common Criteria!
I know /. gets a commission if we click on that link to buy the book from B&N, but Amazon has it for $10 less.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
ok, I'll take your flamebait...
2. There is no step 2
Yes, there are other steps:
2. If you believe any Micro$haft product is secure, even with the latest rounds of Security Patches, make your way to an emergency room ASAP to get Bill G.'s hand extruded from your ass, because you're apparently just a puppet with Daddy Bill mouthing the words.
3. If you believe in OpenVMS, visit http://www.reversemylobotomy.com/
Intel can't come up with a chip fast enough that M$ can't slow down...
For instance, a sensibly configured (deny all except what is expressly required) firewall would have stopped the SQL Slammer worm, but wouldn't necessarily work against an attack launched against port 80, for example.
Good network security, as with good physical security, requires a certain element of paranoia - simply sticking a firewall in front of a box will not guarantee security.
You ask why a firewall would fail in the case of SQL Slammer.
There are two possible scenarios - explicitly allowing port 1434 connections would be one, misconfiguration would be the other.
I don't have numbers, but would say that anyone with a firewall that got affected by SQL Slammer should seriously question their firewall policy and possibly kill the admin responsible.
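The two comments above make a concrete policy point: a default-deny firewall ("deny all except what is expressly required") stops traffic to a port nobody meant to expose, while a policy that explicitly allows port 1434, or one that defaults to allow, lets it through. The following is an added example, not code from the book or from either commenter: a small first-match firewall policy evaluator in Python with a lint check for the two failure modes the second comment names. The rule model, the three sample policies and the traffic list are all constructed for illustration; the only fact taken from outside the thread is that Slammer spread over UDP port 1434 (the comment says just "port 1434").

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: Optional[str]   # "tcp", "udp", or None to match any protocol
    dport: Optional[int]   # destination port, or None to match any port

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int

def evaluate(rules: List[Rule], packet: Packet, default: str = "deny") -> str:
    """Return the action for a packet: the first matching rule wins,
    and if no rule matches the policy's default action applies."""
    for rule in rules:
        if rule.proto is not None and rule.proto != packet.proto:
            continue
        if rule.dport is not None and rule.dport != packet.dport:
            continue
        return rule.action
    return default

# Constructed sample traffic arriving at the perimeter from the outside.
SAMPLE_TRAFFIC = [
    Packet("tcp", 80),     # ordinary request to the public web server
    Packet("udp", 1434),   # SQL Server resolution service, the port Slammer hit
    Packet("tcp", 445),    # SMB, which nobody intended to expose
]

# Scenario 1: sensible policy, deny everything except the web server.
SENSIBLE_POLICY = [Rule("allow", "tcp", 80)]

# Scenario 2: someone explicitly opened 1434/udp "so the DBAs can connect".
OPENED_1434_POLICY = [Rule("allow", "tcp", 80), Rule("allow", "udp", 1434)]

# Scenario 3: misconfiguration, a deny-list policy whose default is allow.
DEFAULT_ALLOW_RULES = [Rule("deny", "tcp", 23)]   # blocks telnet, passes the rest

def audit(rules: List[Rule], default: str = "deny") -> Dict[Tuple[str, int], str]:
    """Map each sample packet to the action the policy takes on it."""
    return {(p.proto, p.dport): evaluate(rules, p, default) for p in SAMPLE_TRAFFIC}

def lint_policy(rules: List[Rule], default: str = "deny") -> List[str]:
    """Flag the two ways the comment says a firewall fails against Slammer:
    a non-deny default (misconfiguration) and an explicit hole for 1434/udp."""
    findings = []
    if default != "deny":
        findings.append("default action is not deny: unlisted ports are reachable")
    for r in rules:
        if r.action != "allow":
            continue
        if r.dport is None:
            findings.append(f"allow rule with no port restriction ({r.proto or 'any'})")
        if r.proto in (None, "udp") and r.dport in (None, 1434):
            findings.append("udp/1434 (SQL Server resolution) reachable from outside")
    return findings

if __name__ == "__main__":
    for name, rules, default in [
        ("sensible", SENSIBLE_POLICY, "deny"),
        ("opened 1434", OPENED_1434_POLICY, "deny"),
        ("default allow", DEFAULT_ALLOW_RULES, "allow"),
    ]:
        print(name, audit(rules, default), lint_policy(rules, default))
```

Only the first policy both blocks 1434/udp and passes the lint; the other two reproduce the "explicitly allowed" and "misconfigured" cases. Note that the sensible policy still allows 80/tcp, which is exactly the first comment's caveat: default-deny says nothing about attacks that arrive on a port you had to open.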
oh brave new world, that has such people in it!