Published 2014 (2nd Edition)
“No Shortcuts for Security”.
That’s always been my motto when it comes to security. I’ve been working in consulting for some years. I’ve almost seen and done it all… Nope. Just kidding… Security-wise I’ve run across lots of situations: some bad, some so-so, and some really bad. After more than two decades working in IS/IT, my list of things to look out for in terms of security is a bit extensive…
- Some attacks, although long in the tooth, keep working in this day and age. Phishing comes to mind;
- IT departments still take a historical approach to (IT) security, i.e., they think every security issue can be dealt with by buying more tools. Nope. That’s not the way to go. The way to deal with security is a bottom-up approach, meaning we have to start from scratch (empowerment, processes, etc.);
- The more tools an IT department introduces, the more complexity the organization has to manage;
- Security is not a commodity. I know lots of companies think that way, but believe me when I say it’s a dead end. For sure. Nothing good will come of it. The approach must be based on sound principles and know-how. Some security departments I’ve seen are “adaptations” of traditional IS/IT departments: we “convert” some people coming from a purely IT background, give them one or two courses in security, and voilà, we are in the presence of a security engineer… risible, don’t you think?
- Tools only go so far. To stop the kind of attack that doesn’t come in a standardized form, security departments need something more in their toolkit…;
- Anti-virus tools are the computer plague of the 21st century. I’ve seen time and again the harm they do to a company… What I mean is that anti-virus, from its inception, brings along security problems when it is not implemented by security professionals;
- In some of our organizations the gap between the technical areas and management is still too great;
- Security in an organization must come from management and not from the technical areas. Security departments need empowerment…;
- Private data that an organization holds but does not actively use (e.g., data from third parties) must be handled extra carefully. I call this kind of information a liability, because in case of a security breach the organization may be subject to civil as well as criminal sanctions under the applicable laws;
- In Portuguese organizations there is no ingrained culture of running security exercises, crisis responses and real-world operations. In all of the major software houses it’s common practice to field red and blue teams, in a process called “red teaming”. The objective of this kind of internal security exercise is to assess the readiness to fend off “perimeter” breaches (I’ll explain later why perimeter is in quotes). The “red teams” are made up of security professionals from within the organization. Their objective is to access private information as if they were coming from the outside and from the inside… I emphasize “inside”;
- All organizations should have professionals possessing an attacking mindset. It goes without saying we’ll be needing several iterations until Nirvana is reached, as far as it’s humanly possible;
- “Hackers” are internet’s immune system. I don’t know who said it, but I take it as gospel truth;
- Organizations should change their paradigm in terms of tools. Forget about anti-this-and-that. Every security department should instead be addressing the issues surfaced by monitoring services. Those are what allow us to gather information on what’s happening in our corporate network and on top of it (at the application layer). Only then are we equipped to deal with threats;
- In every organization the concept of perimeter is nonsense. Some of the major and most corrosive attacks come from within…
The above points are not in this book, but I quite agree with Julie Mehan’s take on security: “Cyber security is much more than technology” (one of the phrases I jotted down as well was the following: “security is about three things: people, process and technology”).
If you read it, even if you are not a security professional, you’ll learn a thing or two…
What you’ll find in the book:
1. Technology Is a Double-Edged Sword
2. Cyberattack: It's A Dangerous World for Information Systems
3. The Human Factor: The Underrated Threat
4. Transition from an Environment of "FUD" to a Standards-Based Environment
5. Establishing a Culture of Cyber Security
6. Increasing Internationalism: Governance, Laws, and Ethics
7. Standards: What are They and Why Should We Care
8. From Reaction to Proaction: Applying Standards in an Environment of Change and Danger
9. Conclusion: Where Do We Go From Here?
Appendix 1: Gap Analysis Areas of Interest
Appendix 2: Standards Crosswalk
(Chapters 5 and 8 are really good; they’re full of meaty details.)