Inside the Security Mind: Making the Tough Decisions

The book also shares interesting insight on making security decisions using the above eight rules, such as how to estimate risks and design a security architecture. Another interesting topic is the material on building a security team, selecting staff, interviewing. It has a somewhat balanced analysis on hiring hackers, outsourcing security and other "hot" topics in security community.

Among the book drawbacks is that some "analysis" of hackers looks slightly naïve and obtained from books, rather than the real world. The "practical" section serves as illustration of the rules, rather than a complete HOWTO guide.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org

Rating:
Summary: A Must Read
Review: A very interesting book, that tries a new approach to security, and tries to avoid the mumbo-jumbo of IT-security and still be valid in a business environment.

Well worth reading, especially his 8 rules, that I decided to adhere to in my future security evaluations.

Don't understand what I'm talking about? Read the book, you will probably find it an enlightening experience (in parts) what regards security.

Rating:
Summary: Inside the Security Mind Review
Review: I could not agree more with Stephen Northcutt's Review of Inside the Security Mind. I see this book as a bold and Powerful new approach to thinking about infosec. The rules of security are well thought-out and very effective. Look at a server, a company, a policy, a relationship, and you can evaluate them all through the same series of methodical rules. The language is very eloquent and the style is extremely read-able. I really feel this book should be required reading for anyone wanting to learn Security! The first 1/2 of the book is the best, and the second 1/2 is great for the "practical examples" of how all the peaces fit in the real world works. One big note here: THIS BOOK is NOT for the Tech-Geek looking for a new way to tweak his techy skills. This is book is for those SERIOUS about learning what INFORMATION SECURITY is all about.

Rating:
Summary: Good
Review: I liked it.... put it along the lines of "Secrets and Lies". Just as interesting, and probably more useful (practical) for most. -just my opinion.

Rating:
Summary: A Step Out Of The Trenches
Review: I really enjoyed the first six chapters, especially chapter 3 and 4 and I really feel those 122 pages are worth the price of the book and then some. After chapter 6, Inside the Security Mind morphs into yet another everything you already know about information security book.

There is treasure, rare treasure in the front of the book. Kevin Day spares us a review of risk management and TCP and instead lays out the information battlescape better than anyone I have seen in a long time. The only other person to shed light on this concept was Dorothy Denning in her classic, Information Warfare & Security. But where Dorothy while comprehensive, was a bit boring with list after list, Kevin Day takes Inside the Security Mind in an entirely different direction.

His words are like a painter with bold brush strokes; he outlines information security in a way that forces even the most hardened techie to stop and rethink the world we live in. When was the last time when you heard about the four virtues of information security? When was the last time you read about virtue for that matter? Something about the philosophical approach of the first six chapters of the book reminds me of The 48 Laws of Power by Robert Greene, but where Power is amoral and more than a bit dark and frightening, Security Mind grabs the high ground and doesn't let go.

Every security manager and technical administrator can benefit from chapter 4, the eight rules of security. Yes we each knew that information at one time, but are we applying those rules all the time? Kevin outlines the concepts and he has me thinking about my data center architecture and some of the design choices we have made recently.

My advice is to read chapter 3 and 4 at least three times. Within 24 hours most of the knowledge you learned from an initial reading is lost, but if you read it again you start to build knowledge you can use for the long term. I would suggest that chapters 1, 2, 5, 6 are each worth reading twice. The rest of the book is certainly worth reading once, but if you have more than ten security titles on your bookshelf you will read most of the information in the back half of the book before.

If you are considering buying a book titled Inside the Security Mind, you are probably familiar with AF Col. John Boyd's Observation, Orientation, Decision Action (OODA) loops. The diligent reader of Inside the Security Mind has an opportunity to program the orientation segment of their minds. This opportunity does not come along every day! Carpe Diem, Buy em and Read em!

Rating:
Summary: A Step Out Of The Trenches
Review: I really enjoyed the first six chapters, especially chapter 3 and 4 and I really feel those 122 pages are worth the price of the book and then some. After chapter 6, Inside the Security Mind morphs into yet another everything you already know about information security book.
There is treasure, rare treasure in the front of the book. Kevin Day spares us a review of risk management and TCP and instead lays out the information battlescape better than anyone I have seen in a long time. The only other person to shed light on this concept was Dorothy Denning in her classic, Information Warfare & Security. But where Dorothy while comprehensive, was a bit boring with list after list, Kevin Day takes Inside the Security Mind in an entirely different direction.

His words are like a painter with bold brush strokes; he outlines information security in a way that forces even the most hardened techie to stop and rethink the world we live in. When was the last time when you heard about the four virtues of information security? When was the last time you read about virtue for that matter? Something about the philosophical approach of the first six chapters of the book reminds me of The 48 Laws of Power by Robert Greene, but where Power is amoral and more than a bit dark and frightening, Security Mind grabs the high ground and doesn't let go.

Every security manager and technical administrator can benefit from chapter 4, the eight rules of security. Yes we each knew that information at one time, but are we applying those rules all the time? Kevin outlines the concepts and he has me thinking about my data center architecture and some of the design choices we have made recently.

My advice is to read chapter 3 and 4 at least three times. Within 24 hours most of the knowledge you learned from an initial reading is lost, but if you read it again you start to build knowledge you can use for the long term. I would suggest that chapters 1, 2, 5, 6 are each worth reading twice. The rest of the book is certainly worth reading once, but if you have more than ten security titles on your bookshelf you will read most of the information in the back half of the book before.

If you are considering buying a book titled Inside the Security Mind, you are probably familiar with AF Col. John Boyd's Observation, Orientation, Decision Action (OODA) loops. The diligent reader of Inside the Security Mind has an opportunity to program the orientation segment of their minds. This opportunity does not come along every day! Carpe Diem, Buy em and Read em!



Rating:
Summary: Very readable and worthwhile security reference
Review: If you are looking for a straight to the point security book, Inside the Security Mind makes for a very good read.

Day takes a holistic view of network security and uses that methodology to forge a system to approaching computer security and risk.

Inside the Security Mind: Making the Tough Decisions takes a high level approach to security. If you are looking for details on how to secure Active Directory or similar; this is not the book. But if you are looking to find out how to determine the risk of deploying Active Directory or similar technology in a large-enterprise, Inside the Security Mind shoes the way in which to approach that endeavor.

Overall, Inside the Security Mind is a very readable reference. It is light on acronyms, fluff and filler (the dirge of many security books) and heavy on methodology and direction.

If you are interested in determining how to deal with security and risk for your enterprise network, Inside the Security Mind is a good place to start.

While the full title is Inside the Security Mind: Making the Tough Decisions; after reading the book, making the tough security decisions won't be so difficult.

Rating:
Summary: Very readable and worthwhile security reference
Review: If you are looking for a straight to the point security book, Inside the Security Mind makes for a very good read.

Day takes a holistic view of network security and uses that methodology to forge a system to approaching computer security and risk.

Inside the Security Mind: Making the Tough Decisions takes a high level approach to security. If you are looking for details on how to secure Active Directory or similar; this is not the book. But if you are looking to find out how to determine the risk of deploying Active Directory or similar technology in a large-enterprise, Inside the Security Mind shoes the way in which to approach that endeavor.

Overall, Inside the Security Mind is a very readable reference. It is light on acronyms, fluff and filler (the dirge of many security books) and heavy on methodology and direction.

If you are interested in determining how to deal with security and risk for your enterprise network, Inside the Security Mind is a good place to start.

While the full title is Inside the Security Mind: Making the Tough Decisions; after reading the book, making the tough security decisions won't be so difficult.

Rating:
Summary: How to increase your organizations security consciousness...
Review: Inside the Security Mind:
Making the Tough Decisions
Kevin Day
Prentice Hall 2003
Isbn 0-13-111829-3

Inside the Security Mind is an easy read geared for the novice and as well as the seasoned pro. It starts with the basics and develops a good path to higher security concepts.

Well written with the focus on developing a good security program and implementing training, Inside the Security Mind will guide you through the steps necessary to allow you to define your security goals and policies. Inside the Security Mind was written with the premise in mind, best defined on page 283, which states:

" the evolution of security will not come through technology, but through awareness."

This book is great for helping to develop your own security and training policies and programs, including appendices complete with outlines and web resources to help setup basic computer security training classes within any organization and keep current with ongoing developments. Inside the Security Mind has comprehensive examples and comparisons through out the text demonstrating how to define security guidelines and setting rules by using risk and threat tables.

Written in simple layman's terms Inside the Security Mind starts with an overview of the realities of computer security including the positive and negative risks and covers subjects such as:

Good guys and bad guys: who really is a hacker and who is not. The 4 types of common hackers, who they are, what they are usually targeting and the most common exploits used for attack.

Allows you assess your necessary considerations, efforts, focus and education required to define your security policies and procedures.

Defines a set of eight necessary security rules and their implications, including the difficulties of granting and implementing these rules.

Demonstrates the effects of trust, change, access, weaknesses, separation, process, prevention, response and their integrated effects on security.

Displays common connection, networking and database vulnerabilities as well as operating and physical vulnerabilities and their relationships.

Shows how attacks can be chained (combined) and the effect of what chaining does.

Differentiates between criminal hackers and the more common garden-variety types

Demonstrates how to lower liabilities from outside the network

Defines security assessment models: how to define risks and threat assessment including traditional US relational security assessments

Displays audit measures and their relationship to acceptable risk assessment regarding perimeter and internal architectures

Shows current audit tools and the types of scans and why they are used

Defines standard defenses and their staffing considerations

How to use of external vs. internal consultants and the truths about certifications

What security hazards associated with hardware-based security exist

How firewalls will and will not be useful to your defenses and why firewalls are not all that is needed.

What the perimeter, internal, physical, server/device, access, authentication and logging/monitoring considerations are and the unique characterizations of each in relation to hardware.

Defines the common defense points and the considerations needed to applying hardening

Vpns and when to use them and their security flaws

This book is a great guide to setting up or reviewing any data security program and will make a nice addition to any security officer's library.

D Bruce Curtis
American Interconnect Corp.

Rating:
Summary: Excellent holistic approach to infosec
Review: The book provides an excellent holistic approach to information security.
It is highly recommended.

It is not an attempt to be a security cure all, but rather a structured and methodical approach to security.