In a very taosecurity moment I’m going to quickly review a book. All the way back in January of 2005 Dana Epp had an insightful post giving props to the book. It’s been on my Amazon wishlist for these last two years, and I finally picked it up and read it while going to/from Punta Cana. The table of contents itself shows the book’s objectives:
1 Introduction
2 A New Look At Information Security
3 The Four Virtues of Security
4 The Eight Rules of Security
5 Developing a Higher Security Mind
6 Making Security Decisions
7 Know Thyself & Know Thy Enemy
8 Practical Security Assessments
9 The Security Staff
10 Modern Considerations
11 The Rules in Practice
12 Going Forward
A Tips on Keeping Up-to-date
B Ideas for Training
C Additional Recommended Audit Processes
The book itself is a bit dated (2003) and various parts show that (the Modern Considerations and Going Forward chapters), but the majority of the book narrows down to ideas and concepts that are applied on a daily basis. The book should be read for chapters 3 and 4 alone. The four virtues and eight rules should resonate loud and clear: for any practitioner these are not new ideas, but there’s a lot to be said for clarifying, simplifying, and breaking apart concepts used daily. For the newcomer, these virtues and rules truly dictate what should be internalized.
While a bit of Practical Security Assessments is a blatant selling of his company’s software, it is still refreshing to see down-and-dirty, in-the-trenches suggestions on a potentially intimidating subject. The templates and suggestions put forth are truly a huge win for this book: they are actionable and can be shimmed between existing processes, allowing for very good insight into technology deployment.
I don’t have a star scale to go by because I’m not a book reviewer, but I do recommend plowing through this in an evening or two. If anything, the refreshing content will give you a new perspective on how mature your organization is (or isn’t).