IT Security: Risking the Corporation
List Price: $29.99
Your Price: $19.79

Rating: 5 stars
Summary: IT Security Risking the Corporation
Review: I read this book on the plane flight home from a SANS workshop called Audit and Security Controls that Work. About 25 percent of the workshop participants were CTO/CSOs from best-in-class IT shops, companies like Verisign, Tripwire and Bear Stearns. Needless to say, most IT shops are not best in class, and the rich question the second stringers are asking is: what are the first steps to improve?

The first step is senior management commitment to security. The problem is that CEOs don't read router configuration files and network administrators don't communicate well in terms of business goals. There is a huge communication gap and very few people are comfortable in both environments. The author of this book, Linda McCarthy, is one of those few people. She has written a book that could help turn the lights on for a manager. I really like the subtitle, "Risking the Corporation". That is what managers do when they make decisions that do not take security into account. That is a bit scary since only one manager, the CEO, is actually authorized to risk the corporation. This book can help department heads and CIO types understand the limits to their authority and the need to practice due diligence.

I like the use of headings; the sections are only a paragraph or two long, so that a senior manager can get nuggets out of the book in as little as five minutes, and if they can invest a half hour or two on a plane they can learn enough to begin to rethink their assumptions. I liked the use of quote pages, where there is a quote from a famous person in information security in large type, but the quotes themselves were not chosen with the care they should have been. If there is a second edition, I would recommend removing chapter 12; if a senior manager runs into a chapter of nothing but Unix commands which they do not understand, they will be irritated. The book is well written and very digestible up to that point, and then boom, in a flash we undo much of the good that has been done.

This is a nice set of stories; it is more appropriate for management than any other security book I can remember seeing. Buy a copy, give it to your boss the day she is leaving on travel. Ask her to read it on the way home and to schedule a half hour to discuss it when she gets back. Your organization will be much better off if you do.

Rating: 3 stars
Summary: Real world security horror stories from a security pro
Review: IT Security: Risking the Corporation, is basically stories from Linda McCarthy's security consulting experiences.

While the book is not focused toward a technologist, it is an excellent resource for management. The book details numerous stories where information security has been ignored, with dire consequences.

The book is written in an easy to read and often entertaining style, and can be completed in a few hours. After each story, practical solutions are given on how the situation described could have been better handled.

Overall, the book is a nice set of security chronicles that are low on FUD and technical acronyms, which makes it appealing to management.

While the book is valuable for anyone interested in computer security, the real audience who should read this book are those who are just starting in infosec and those who often don't really get the importance of effective information security, namely CxOs.

Hopefully, after reading the book, any CxO will understand the enormity of the importance of information security and take appropriate action.

Rating: 5 stars
Summary: Buy a copy for you, buy a copy for your boss
Review: Learning from other people's mistakes is not only valuable... but interesting. The lessons taught in this book come from real life experiences at very real life companies. The style is engaging and fun to read which makes the lessons learned that much more striking and memorable. After each story the author gives practical advice on how the particular situation should have been handled or prevented.

Security has always been an important aspect of technology, but as technology has advanced security has become a more important concern than ever. It is an issue that must be addressed, whether you're starting a small business or working for a large corporation, and it permeates more areas within your company than you probably realize. You might think you can buy and install a security package and be done with it. You might think email is a safe way to communicate. You might presume that your company's management is on top of things, security-wise. Read this book. And for extra brownie points, get your boss a copy, too!

Rating: 5 stars
Summary: Very scary diary of security problems
Review: Reading this book should scare you to the ends of your toenails. It is largely a recapitulation of security audits done by McCarthy with some other instances of security breaches added in to further emphasize an already well made point. Namely, that computer security, even among many of the heavy hitters, is very unorganized and inadequate. The author was able to sit down at terminals and obtain read/write access to some of the most sensitive data of the companies that she was auditing.

The culprits are generally a listing of the usual suspects: lack of security training, lack of time to apply known security patches, the mistaken belief that "it is not my job", arrogance in believing that one knows how to repair all problems, trusting outdated security software such as firewalls, the unwarranted trusting of other systems and lack of sufficient management direction.

Solutions are easy to find and are essentially the inverse of all the usual suspects. To expect untrained personnel to be able to implement complex security policies is unrealistic, and the cost of training is dwarfed by the expense of repairing a security breach. It is the job of employees to rigorously enforce the security procedures, which includes the trusting of no one until they are proven to be worthy of trust. And then, you only allocate the minimum amount of privilege needed for them to complete their tasks. I personally have no time for people in IT who think they know everything, and I am not alone in thinking that it is the most dangerous of all the security mistakes that can be made.

The game of computer security is one where the stakes rise higher with every passing day. With our increasing dependence on computers to manage everything from our credit cards to our public utilities, it is probably only a matter of time before a major security breach occurs which takes down a large part of the American economy or even causes a large number of deaths. One of the most frightening stories is how a hacker managed to access the controls to the flood gates at a Canadian dam. If they had been able to use this knowledge to open them, entire towns could have been flooded.

Implementing effective security features is not an option and, as the author points out, failure to do so could leave you open to liability charges. Therefore, if you are involved in setting down the security policies for your company, you must read this book. It will show you how things are being done wrong, which is the first step in doing them right.

Rating: 5 stars
Summary: IT Security Risking the Corporation
Review: This book focuses on the real world problems with security. If you need funding for security -- give this book to your CIO. These are problems that you see in every company. I liked it a lot!

Rating: 3 stars
Summary: Disappointing; an "audit everything" approach to incidents
Review: When I saw Gene Spafford's glowing foreword to "IT Security," I expected a good read. This book did not deliver, and Spafford's suggestion that those seeking "deeper insight" consult "IT Security" rings hollow. I wondered if Spafford even read this very book when he wrote "all too often, management depends on the services or writings of self-professed experts whose whole experience has been in downloading and running pre-packaged penetration tools written by others." (p. xiv) The author's own words fit this mold. Consider these quotes:

"I thought these would be fun systems to break into, just because of the nature of the information stored. My last reason [to run a penetration test] was that I had some new toys I wanted to play with. Brad Powell, a known force in security circles for years, had just passed me some great new break-in tools." (p. 74) This sounds like the very sort of person chastised by Spafford.

I was also appalled by the author's readiness to disparage her clients. Consider these, from three "real security audits":

"Did the company consider legal data and financial data unimportant to secure? Or were Kenji and Dawn simply clueless?" (p. 75)

"In my opinion, he was a real loser." (p. 61)

"Joseph clearly fit into what I call the big-L category, and that's 'L' for loser." (p. 102)

Beyond these choice words by a consulting "professional," the author demonstrates no concept of proper incident response procedures. Anyone following her example will destroy evidence and corrupt investigations. In chapter 2, she "helps" an ISP known to be suffering extensive compromise: "within seconds, I had broken root and gained full control of their main server." (p. 25). What sort of incident response expert collects evidence by breaking into a suspect system? Similar "advice" appears in chapter 3, where "arguably the best security guru in the company" responds by "testing the network for security vulnerabilities" during the latest crisis.

"IT Security" also shows a lack of understanding regarding IDS operations and the security "big picture." The author casually writes "Most IDS can detect the attack only if a signature exists. Sounds silly if you think about it. . . Make sure your IDS can detect new zero-day attacks." (p. 11) While this may make sense on the surface, this breezy statement has no supporting advice and is of little help. The author then claims "You need to know when your company last did a security audit. That is the only way to be sure that your systems are secure." (p. 27). The only thing an audit reveals is the level of risk the day the audit completed. Security is a journey, not a destination!

I rated "IT Security" three stars because the "Let's Not Go There" sections actually contain good advice. Beware the rest of the material.

Rating: 4 stars
Summary: Fun to read and useful too!
Review: While fun-to-read security books are hard to find and I was not even sure I would find more after reading the "Hackers Challenge" series, Linda McCarthy delivered! Her "IT Security: Risking the Corporation" is an excellent fusion of fun short story collection with an in-depth security tutorial and actionable checklists.

The stories are supposedly all true, coming from the author's experiences as a security consultant and auditor. Some stories are just too funny and border on unbelievable (such as connecting a main production database server on a default-installed box to the Internet with no firewall). All have a detailed analysis at the end, a summary of things to do to prevent such incidents and a summary of things not to do to avoid them. Additionally, they are well written and the style is not dry at all.

The stories cover a wide range of security problems starting from inadequate policies and procedures to weak passwords and excessive system trust all the way to bad attitudes of system admins (the latter having measurable impact on the whole organization's security).

It is funny that the author emphasizes that the book is completely useless to hackers due to the lack of details on exploitation methods. I would venture a guess that it is not true. Apart from serving as a lesson to the security community, the author's stories also help the hacker community by showing that stupid and arrogant security "pros", political games, short-sighted execs and other factors will continue to provide them with a plethora of playground space in all the vertical industries, including finance and healthcare. The stories imply that the hackers will always win, since there are plenty of misconfigured systems and undertrained people running them. Humor aside, a reader should make every effort not to become a "character" in a similar book!

Among the book's minor glitches, I would list that the author's technical skills show signs of her being in management positions for too long. NTBugtraq is not hosted by SecurityFocus as the book seems to indicate. The Honeynet Project is not called "The Honey Project". The book also suffers a bit from "overquoting" the CSI/FBI survey, but then again, who doesn't do it?

Overall, it's a great book to own for people just starting in security implementation and security management. It will also provide fun reading for an experienced professional.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org

Rating: 5 stars
Summary: Practical Advice - Great read
Review: While this book will NOT teach you how to hack into someone's systems, it is clear from these stories from Linda McCarthy that it is far too easily done. McCarthy uses an excellent format for conveying what could be a host of confusing information. She tells a series of stories based on her experience as a security auditor and consultant. The stories are all very entertaining and an easy read. She concludes each story with a series of learnings and best-practice ideas based on analyzing what could prevent these kinds of problems from happening in the future.

What amazed me the most was that, like many things, IT security often comes down to people (their experience and training, motivation, and how they are organized and managed), with technology secondary. I'd recommend this book to anyone from systems administrators and those in security management to CIOs and CEOs. It's full of practical advice.

© 2004, ReviewFocus or its affiliates