1st Edition

Security De-Engineering Solving the Problems in Information Risk Management

By Ian Tibble Copyright 2012
    332 Pages
    by Auerbach Publications

    As hacker organizations surpass drug cartels in terms of revenue generation, it is clear that the good guys are doing something wrong in information security. Providing a simple foundational remedy for our security ills, Security De-Engineering: Solving the Problems in Information Risk Management is a definitive guide to the current problems impacting corporate information risk management. It explains what the problems are, how and why they have manifested, and outlines powerful solutions.

    Ian Tibble draws on more than a decade of experience working with close to 100 different Fortune 500s and multinationals to explain how a gradual erosion of skills has placed corporate information assets on a disastrous collision course with automated malware attacks and manual intrusions. Presenting a complete journal of hacking feats and how corporate networks can be compromised, the book covers the most critical aspects of corporate information risk management.

    • Outlines six detrimental security changes that have occurred in the past decade
    • Examines automated vulnerability scanners and rationalizes the differences between their perceived and actual value
    • Considers security products—including intrusion detection, security incident event management, and identity management

    The book provides a rare glimpse at the untold stories of what goes on behind the closed doors of private corporations. It details the tools and products that are used, typical behavioral traits, and the two types of security experts that have existed since the mid-nineties—the hackers and the consultants that came later. Answering some of the most pressing questions about network penetration testing and cloud computing security, this book provides you with the understanding and tools needed to tackle today’s risk management issues as well as those on the horizon.

    PEOPLE AND BLAME

    Whom Do You Blame?
    The Buck Stops at the Top?
    Managers and Their Loyal Secretaries
    Information Security Spending—Driving Factors in the Wild
    Do Top-Level Managers Care About Information Security?
    Ignoring the Signs
    Summary

    The Hackers
    Hat Colors and Ethics
    "Hacker" Defined
    Zen and the Art of Remote Assessment
    The Hacker through the Looking Glass
    Communication, Hyper-Casual Fridays, and "Maturity"
    Hacker Cries Wolf
    Unmuzzled Hackers and Facebook
    Summary

    Checklists and Standards Evangelists
    Platform Security in HELL
    CASE Survival Guidelines
    CASEs and Network Security
    Security Teams and Incident Investigation
    Vulnerability/Malware Announcements
    This Land Is Our Land
    Common CASE Assertions
    Summary

    DE-ENGINEERING OF SECURITY

    How Security Changed Post 2000
    Migrating South: Osmosis of Analysis Functions to Operations Teams
    Rise of Automated Vulnerability Scanner
    Rise of Checklist
    Incident Response and Management—According to Best Practices
    "Best Practices" in Security Service Provision
    Tip of the Iceberg—Audit Driven Security Strategy
    Summary

    Automated Vulnerability Scanners
    Law of Diminishing Enthusiasm
    False Positive Testing Revelations
    Great Autoscanning Lottery
    Judgment Day
    Automation and Web Application Vulnerability Assessment
    Web Application Security Source Code Testing
    Summary

    Eternal Yawn: Careers in Information Security
    Information Security and Strange Attractors
    Specialization in Security
    Instant Manager
    Technical Track
    Summary

    Penetration Testing—Old and New
    Testing Restrictions
    Restriction 1: Source IP Address
    Restriction 2: Testing IP Address Range(s)
    Restriction 3: Exploits Testing
    Penetration Testing—The Bigger Picture
    Summary

    Love of Clouds and Incidents—Vain Search for Validation
    Love of Incidents
    Love of Clouds
    Summary

    SECURITY PRODUCTS

    Intrusion Detection
    Tuning/Initial Costs
    Belt and Suspenders?
    DoS the NIDS
    Hidden Costs
    Return on Investment
    Network Intrusion Prevention Systems
    Summary
    A Final Note

    Other Products
    Identity Management
    Security Information Event Management Solutions
    Summary

    RE-ENGINEERING OF SECURITY

    One Professional Accreditation Program to Bind Them All
    C-Levels Do Not Trust Us
    Infosec Vocational Classifications
    Requirements of an Infosec Manager
    Requirements of Security Analyst
    Regaining Trust: Theoretical Infosec Accreditation Structure
    Summary

    Index

    Biography

    Ian Tibble was an IT specialist with IBM Global Services before entering into the security arena. His experience of more than 11 years in information security allowed him to gain practical risk management expertise from both an architectural IT and a business analysis aspect. His experience in Infosec has been with service providers Trusecure (now Verizon) and PricewaterhouseCoopers, and also with end users in logistics, banking, and insurance. He has been engaged with security service delivery projects with close to 100 Fortune 500 companies and multinational financial institutions in Asia (Indonesia, Singapore, Malaysia, Taiwan, Hong Kong, and Australia) and Europe.

    This is a passionate call to arms to recognise the contribution of engineering to business. In highlighting what the author believes is a diminishing role of qualified engineers, he lights the lighthouse beacon in the hope that business can thereby avoid crashing into the rocks of avoidable incident and financial loss.
    —Wendy Goucher, information security consultant, writing on www.infosecskills.com

    Read the full review at: http://resources.infosecskills.com/mm-cat-list-books/mm-cat-list-infosec/114-book-review-sedeeng