Security Transformation is a book aimed at upper management, dealing with the general security issues affecting modern companies. The book is good in that it deals with not only the tech side of things, but the human side — all the firewalls in the world make no difference if the attack comes in the form of someone wearing a photocopier repair uniform. Unfortunately, it was written in 2001 and has aged very badly. There are lots of occasions of “…as soon as 2005” and the final section “Peering Ahead” is useful only in the way that Tomorrow Land at Disney World is useful to see what we thought the future would look like in the 70s.
All that said, here are the snippets I caught when reading it (most are obvious, but I’ll list them to jog my memory at some point in the future).
Introduction
- A secure enterprise environment must address both neighborhoods — the network neighborhood as well as the physical neighborhood.
- Security is an enabler allowing companies to expand business and lower operating costs.
- With unlimited time and an unlimited budget, you can build a nearly perfect security environment. In a relatively short time, with a realistic budget, you can build an appropriate security environment.
Chapter 1 – The World under Siege
- Security vulnerabilities are real and they will never be reduced to zero. Prevention can be strengthened, but it will never be absolute.
Chapter 2 – Just When We Thought It Was Safe…
- Are you legally responsible for information you hold? If so, what’s your exposure?
- The more difficult the (corporate) integration, the greater the risk potential that something downstream will compromise the security of the whole system.
- The Web is a public network. That means sensitive information is exchanged in an inherently non-secured environment.
- In choosing a security environment one can go too far and end up inhibiting rather than enhancing one’s business.
- Not one single security solution has ever proven to be perfectly secure.
- If you wait until your business is compromised, you have waited too long.
- The best intrusion alarm is useless if it is not properly armed, and the best security approach will not work if people fail to do their part.
Chapter 3 – A Business Enabler
- Make it easier to purchase something than pirate it.
Chapter 4 – It’s all about Trust
- Elevate the security discussion to a business-level discussion.
- 3 Ls of the digital age: Liability, Lawsuits, Losses
- Security is a means to an end, and that end is trust.
Chapter 5 – A Multifaceted Process
- Security is about culture and values.
- People are your greatest security asset — and your biggest vulnerability.
- In the absence of hard-and-fast rules and procedures, we’re more inclined to give people the benefit of the doubt.
- Like everything else about security, the process starts at the top of the organization.
- Would your employees
  - Know if what they saw was wrong or not?
  - Choose to report it?
  - Know who to call?
- You need to detect that you’re under attack. That means knowing your network’s characteristics through constant monitoring.
- If you use tools only on a periodic basis, they won’t help you respond appropriately.
- An “insider” at a partner company may seem like an “outsider” at your company, but if your networks are linked, the distinctions disappear.
- Security is a straightforward exercise, but it’s difficult and detailed.
- Never be a prophet in your own land. Get outside validation that your security environment is doing what you think it is.
- You’ve put processes and countermeasures in place and they age. You have to have an approach that is continually looking and updating.
Chapter 6 – Prevention, Detection, Response
- Odds are about 80% that your attacker is in the castle, not on the other side of the moat.
- Good passwords are like dead bolts. Doors with dead bolt locks can be smashed through, but no one gets in by slipping a credit card between the door and the jamb.
- Create just two types of data: secured and unsecured.
- Not every intrusion is discernable.
- Use the integrated logging and auditing features of systems.
- An Intrusion Detection System (IDS) is a host-based system that looks at high-level logging information provided to it by the operating system.
- IDS can do anomaly detection based upon traditional operating baselines for CPU, disk activity, memory.
- A Network Intrusion Detection System (NIDS) is a perimeter-oriented device that examines streams of raw, or low-level, network traffic.
- NIDS can do two types of checking
  - Signature Analysis – sift through raw packet data looking for particular patterns in network traffic.
  - Protocol Analysis – designed to find all instances of an attack.
- System Integrity Verifiers (SIV) calculate and compare checksums.
- Any tool’s effectiveness is only as good as its last update.
- Members of an Incident Response Team
  - A C-level executive
  - An HR dept. representative
  - Someone from IT or Systems
  - Someone from the local authorities who is aware that they will get a phone call in such an event
  - Security
- Practice security incidents.
- Today’s trusted security component is tomorrow’s Swiss cheese.
- Send security notifications via other means than computer (pagers, cell phone, etc.)
Chapter 7 – Assessing the Security Risk
- There are no off-the-rack security solutions. Like a capable business system, an enterprise security solution should be built upon business objectives and cultural and organizational factors.
- A security solution that forces your company to change its behavior to fit the solution’s characteristics simply will not work.
- Risk = Asset Value x Threat x Vulnerability
  - Asset Value – the importance of an information asset to the firm’s strategy
  - Threats – events or actions that could have a negative impact on the availability, integrity, or confidentiality of an information asset
  - Vulnerabilities – the absence, inadequacy, or inconsistency of facilities and processes that are deployed to protect the asset’s value from the identified threats
- Questions to ask
  - What is your information worth? (asset value)
  - Who might benefit from access to that information? (threats)
  - What protects access to that information, and how secure are those protections? (vulnerabilities)
- Not all information is equal.
- How does one value information? The answer is, qualitatively. Without needing to be precise, you can establish relative values.
- The network is only one part of the overall vulnerability spectrum.
- Enterprise network vulnerabilities fall into two categories
  - Outsiders trying to get in
  - Insiders trying to escalate their information access privileges
- An Outsider who gets in also becomes an Insider.
- A thorough vulnerability assessment uses the same kinds of tools that crackers use to probe and gather information.
- Isolating the filtering function from the router makes sense.
- Human judgment plays a key part in an assessment.
Chapter 8 – Your Enterprise Security Architecture
- A risk assessment should be a beginning, not an end.
- Create a current-state baseline table of risks resulting from assets, threats, and vulnerabilities.
- The current baseline model should be examined not only to see what can be done to make it more effective, but to explore how it can be modified or expanded to meet the security requirements of strategic changes in business and operations.
- Ultimately, you must decide which end-state vision best fits your current and future needs.
- Refining the requirements involves taking the current-state baseline and comparing it to current business strategies, then developing a high-level information security strategy and program objectives.
- Only with a clear understanding of risk potential and mitigation, and the costs and benefits associated with all elements of the model, can you create a program that entails intelligent, high-level, risk management qualities.
- By taking a forward-looking, business-driven approach to establishing an ESA, you will be providing a security foundation that can scale and transform with changes to your core business strategies and functions.
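
The Chapter 7 formula (Risk = Asset Value x Threat x Vulnerability, valued qualitatively) and the Chapter 8 current-state baseline table can be combined into a small ranked risk register. This is an added example, not from the book or these notes; the 1-3 scale, the sample assets and all function names are assumptions.

```python
# Added example: qualitative risk register. The 1-3 scale, the sample rows and
# every name here are assumptions for illustration, not taken from the book.
SCALE = {"low": 1, "medium": 2, "high": 3}

# Constructed sample register: (asset, threat, asset value, threat level, vulnerability)
BASELINE = [
    ("public web site", "outsider defacement", "medium", "high", "medium"),
    ("customer database", "insider privilege escalation", "high", "high", "high"),
    ("cafeteria menu page", "outsider defacement", "low", "medium", "high"),
    ("partner network link", "compromise via partner", "high", "medium", "high"),
]

def risk(asset_value, threat, vulnerability):
    """Risk = Asset Value x Threat x Vulnerability; scores are relative, for ranking only."""
    try:
        return SCALE[asset_value] * SCALE[threat] * SCALE[vulnerability]
    except KeyError as exc:
        raise ValueError(f"unknown rating: {exc.args[0]!r}") from None

def baseline_table(register):
    """Return (risk, asset, threat) rows, highest risk first."""
    rows = [(risk(av, t, v), asset, threat) for asset, threat, av, t, v in register]
    return sorted(rows, key=lambda row: (-row[0], row[1]))

def apply_controls(register, controls):
    """Return a new register in which planned controls change only the
    vulnerability rating; asset value and threat are left as assessed.
    controls maps (asset, threat) -> new vulnerability rating."""
    return [(asset, threat, av, t, controls.get((asset, threat), v))
            for asset, threat, av, t, v in register]

# Hypothetical end state: tighter access control on the customer database.
PLANNED = {("customer database", "insider privilege escalation"): "low"}

if __name__ == "__main__":
    for title, reg in (("current state", BASELINE),
                       ("end state", apply_controls(BASELINE, PLANNED))):
        print(title)
        for score, asset, threat in baseline_table(reg):
            print(f"  {score:>2}  {asset}: {threat}")
```

With the planned control applied, the customer database falls from the top of the table to third place, but its score stays above zero because the asset value and the threat are unchanged.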
Chapter 9 – Taking Back Control
- Information risks and security vulnerabilities are not problems. They are facts.
Chapter 10 – Privacy and Security
- This is very dated…