These individuals do not need to know about every last bit and byte, but they need to have a solid understanding of all major, IT security issues to effectively manage their departments. This book is designed to cover both the basic concepts of security, non - technical principle and practices of security and provides basic information about the technical details of many of the products - real products, not just theory.
Written by a well known Chief Information Security Officer, this book gives the information security manager all the working knowledge needed to: . Design the organization chart of his new security organization . Design and implement policies and strategies . Navigate his way through jargon filled meetings . Understand the design flaws of his E-commerce and DMZ infrastructure
* A clearly defined guide to designing the organization chart of a new security organization and how to implement policies and strategies
* Navigate through jargon filled meetings with this handy aid
* Provides information on understanding the design flaws of E-commerce and DMZ infrastructure
This is the only book that covers all the topics that any budding security manager needs to know! This book is written for managers responsible for IT/Security departments from mall office environments up to enterprise networks. These individuals do not need to know about every last bit and byte, but they need to have a solid understanding of all major, IT security issues to effectively manage their departments. This book is designed to cover both the basic concepts of security, non - technical principle and practices of security and provides basic information about the technical details of many of the products - real products, not just theory. Written by a well known Chief Information Security Officer, this book gives the information security manager all the working knowledge needed to: * Design the organization chart of his new security organization * Design and implement policies and strategies * Navigate his way through jargon filled meetings * Understand the design flaws of his E-commerce and DMZ infrastructure* A clearly defined guide to designing the organization chart of a new security organization and how to implement policies and strategies* Navigate through jargon filled meetings with this handy aid* Provides information on understanding the design flaws of E-commerce and DMZ infrastructure
Front Cover 1
How to Cheat at Managing Information Security 4
Copyright Page 5
Contents 12
Preface 24
Introduction 26
Chapter 1. The Security Organization 28
Anecdote 29
Introduction 29
Where Should Security Sit? Below the CEO, CTO, or CFO 33
Your Mission: If You Choose to Accept It 34
Role of the Security Function: What's in a Job? 34
The Hybrid Security Team: Back to Organizational Studies 39
What Makes a Good CISO? 44
Summary 45
Chapter 2. The Information Security Policy 46
Anecdote 47
Introduction 47
Policy, Strategy, and Standards: Business Theory 48
Back to Security 52
The Security Strategy and the Security Planning Process 52
Security Policy Revisited 13
Security Standards Revisited 63
Compliance and Enforcement 64
Summary 69
Chapter 3. Jargon, Principles, and Concepts 76
Anecdote 77
Introduction 77
CIA: Confidentiality, Integrity, and Availability 78
The Vulnerability Cycle 81
Types of Controls 83
Risk Analysis 85
AAA 90
Other Concepts You Need to Know 93
Generic Types of Attack 94
Summary 97
Chapter 4. Information Security Laws and Regulations 98
Anecdote 99
Introduction 100
U.K. Legislation 100
U.S. Legislation 109
Summary 113
Chapter 5. Information Security Standards and Audits 114
Anecdote 115
Introduction 116
ISO/IEC 27001:2005: What Now for BS 7799? 125
PAS 56 126
FIPS 140-2 129
Common Criteria Certification 130
Types of Audit 131
Summary 137
Chapter 6. Interviews, Bosses, and Staff 138
Anecdote 139
Introduction 139
Bosses 147
Worst Employees 149
Summary 149
Chapter 7. Infrastructure Security 150
Anecdote 151
Introduction 151
E-commerce 160
Just Checking 167
Summary 167
Chapter 8. Firewalls 170
Anecdote 171
Introduction 171
Firewall Structure and Design 174
Other Types of Firewalls 184
Commercial Firewalls 185
Summary 201
Chapter 9. Intrusion Detection Systems: Theory 202
Anecdote 203
Introduction 204
Why Bother with an IDS? 205
NIDS in Your Hair 208
For the Technically Minded 226
Summary 231
Chapter 10. Intrusion Detection Systems: In Practice 232
Anecdote 233
Introduction: Tricks, Tips, and Techniques 233
IDS Deployment Methodology 240
Selection 242
Deployment 243
Information Management 252
Incident Response and Crisis Management 254
Test and Tune 258
Summary 261
Chapter 11. Intrusion Prevention and Protection 262
Anecdote 263
Introduction 264
What Is an IPS? 264
Active Response: What Can an IPS Do? 265
A Quick Tour of IPS Implementations 266
Example Deployments 274
Summary 281
Chapter 12. Network Penetration Testing 282
Anecdote 283
Introduction 284
Types of Penetration Testing 285
Network Penetration Testing 286
Controls and the Paperwork You Need 301
What's the Difference between a Pen Test and Hacking? 303
Summary 307
Chapter 13. Application Security Flaws and Application Testing 308
Anecdote 309
Introduction 309
Configuration Management 311
Unvalidated Input 312
Bad Identity Control 322
Fixing Things 325
For the More Technically Minded 326
Summary 329
Index 330
The Security Organization
The purpose of this chapter is to:
■ Review typical positions of the information security function and the benefits of each
■ Define the role of the security function
■ Discuss the qualities of a good CISO
Anecdote
To be a chief information security officer (CISO), you must demonstrate certain key qualities to an employer. At the interview for my last position, I sat down, miscalculating the touch-down so the arm of the chair slid neatly into my pants pocket with a ripping sound. My Top-Shelf consultancy suite was now complete with air-conditioning.
I immediately announced, “I’ve ripped my trousers”—so my interviewers would know the exact source of the sound that had so obviously come from my seat. Then I said, “Now you can see that I’m not talking out of the seat of my pants.
Now that’s the voice of experience!
Introduction
No two organizations are the same; they are always different culturally and in terms of size, industrial sector, and staff. Consequently, there is no right (but probably plenty of wrong) answer to the question, “Where should we position the head of security and the security team(s) in an organization?” Separation of the position of the operational security teams away from the head of security is often a purposeful and commercial decision.
This chapter reviews how organizations, both big and small, set up their security functions. It is based on my observations gained during 10 years experience in security consulting at both a strategic and a technical detailed level to many of the United Kingdom’s leading blue–chip companies.
I have never seen this subject covered in any textbook or manual.
Where to Put the Security Team
Figure 1.1 shows a typical firm with a number of potential positions for the security function. We will analyze the pros and cons of each position to answer the age-old question, where should information security sit?
Where Should Security Sit? Below the IT Director Report
The most common position for the CISO and the security function is reporting up through the IT director or the head of computer operations. Certainly the latter organizational structure is common in small firms where there is no regulatory requirement for security. If the company is regulated or even quoted on an exchange, the authorities may encourage a more elevated position. Strangely enough, it is also common in more visionary firms that have had a security team for 20 years—perhaps because the team evolved from a solid team of Resource Access Control Facility (RACF) administrators (RACF is security software for IBM mainframes)!
Visit any organization with this structure and you will, within a very short time, recognize these benefits and failings.
Pros
Advantages of positioning the security team below the IT director include:
■ The information security function will not receive much “outsider resistance” when it makes IT decisions, simply because it is part of the computer department. Therefore, it isn’t “external” interference.
■ Operational computer security tasks (firewall installs, router access lists, and the like) will tend to be carried out by the team rather than by producing a specification for another team to execute. As a result, the team will become acknowledged local experts.
■ Technical security staff can be allowed to specialize and work closely with other technical areas. Therefore, not only will there be skill transfer, but relationships should generally be better.
Cons
Disadvantages of positioning the security team below the IT director report include:
■ Security will not have a powerful voice.
■ Security will probably be under-funded.
■ Security will not be independent; it will always be seen as taking the easiest route for the IT department. Typically, because of the low-ranking positions and the fact that it is embedded in the IT department, the focus will tend to be on computer security rather than information security. Business risk techniques to assess loss and impact will tend not to play a key role.
Obviously, in some situations this positioning will not be a big disadvantage. One of the largest U.K. banks is organized exactly in this manner. But when you are a direct report to an IT director who is responsible for 5,000 people and you have over 100 security staff reporting to you, you probably won’t feel that your punch lacks power. Similarly, if the organization has nearly all its problems within the IT department and IT is the core business (such as with an Internet company), placement here could be a significant advantage.
Generally, however, good all-round risk management cannot prosper in this layout. The scope of the role will allow the security function to manage digital and computer security very effectively, but influence over information risk management for nondigital assets may be advisory at best. This fact will have significant drawbacks at times (such as in the security of paper files), but computing is ubiquitous these days, so the influence of the role may still be considerable. As discussed later in the chapter, sound partnering with other departments may reduce this drawback considerably.
Where Should Security Sit? Below the Head of Audit
Another far from ideal place to position a security team is to have it report to the head of the audit function. In my experience, this is where security teams are often dumped when they grow up and move from being a subdepartment of the computing department to having a wider scope.
But if you have any sort of life, you don’t want to spend it with auditors, I promise you.
Pros
Advantages of positioning the security team below the head of auditing include:
■ The team is independent from the computer department.
■ The team will benefit from “whole business” governance mandate of the audit department. If the accounts team members are sharing passwords and you catch them, they will no longer excuse it by saying, “Oh, it’s just IT.”
■ Your boss (the head of auditing) will insist that you take a holistic information security approach rather than just apply computer security.
■ The security team will have powerful friends such as regulators or the audit committee.
Cons
Disadvantages of positioning the security team below the head of auditing include:
■ Nobody is ever pleased to see an auditor. The team will tend to be perceived as judgmental and reactive, not proactive fixers or problem solvers.
■ Auditors are often jacks-of-all-trades, not uncommonly struggling technically to do the jobs they do. The team will never be recognized as subject matter experts.
Where Should Security Sit? Below the CEO, CTO, or CFO
Placing security below the CEO, CTO, or CFO is the best of all the basic positions. This reporting position ensures that other departments will take notice of your findings, yet it is independent from any operational department.
Pros
Advantages of positioning the security team below the CEO/CTO/CFO include:
■ The security team is endowed with power.
■ It is independent.
■ The position is high enough to have a “whole business” remit.
■ It shows everyone that your organization is taking security seriously.
Cons
Disadvantages of positioning the security team below the CEO/CTO/CFO include:
■ The security team will be accused of being in an ivory tower (but so what).
■ The security team will find it hard to look into the IT director’s business and organization.
Your Mission: If You Choose to Accept It
So what does a good security team do? What are the team’s objectives? The answers to these questions will change from organization to organization, dependent on the particular information security strategy. The factors that may influence the answers, detailed at length in the next chapter, include legal requirements, regulatory requirements, and supplier and customer information security requirements.
This section describes the common activities of an information security department.
Role of the Security Function:...
| Erscheint lt. Verlag | 22.8.2006 |
|---|---|
| Sprache | englisch |
| Themenwelt | Sachbuch/Ratgeber |
| Informatik ► Netzwerke ► Sicherheit / Firewall | |
| Informatik ► Theorie / Studium ► Kryptologie | |
| Wirtschaft ► Betriebswirtschaft / Management | |
| ISBN-10 | 0-08-050828-6 / 0080508286 |
| ISBN-13 | 978-0-08-050828-3 / 9780080508283 |
| Haben Sie eine Frage zum Produkt? |
PDF (Adobe DRM)Größe: 36,7 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
EPUB (Adobe DRM)Größe: 5,7 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
aus dem Bereich
