Surviving Security
by Amanda Andress and Mandy Andress
Sams 2001.
ISBN 0672321297.
Reviewed by Ross Patel January 3, 2005
As the title implies, Surviving Security emphasises the need to understand and integrate the many facets of security, which must interact correctly to create an effective security infrastructure.
This book covers ground that is commonly neglected in the field; how to effectively integrate security controls with operational processes. This is a crucial consideration and one that is often skirted over in other tomes.
As security practitioners are acutely aware, security is about balance and interests; providing the right balance of control and countermeasure, while acting to maintain the interests of those it affects. Systems can be locked down and restrictive policies implemented to provide the utmost control over permissible and accountable actions. However, this will usually have an adverse effect on the business and create ill feeling among staff and a sense that the only way to get the job done properly is to cut corners, effectively bypassing or disregarding all the security in place.
Security must not hinder operational activities, but instead must be implemented as an enabler - a way of doing business as usual in a safer and more structured manner that can ultimately benefit the bottom line.
The work covers many spheres of security, from policies and architecture concerns to technical controls such as firewalls, IDSs and OS hardening.
For many organisations, the chapters on authentication and safe remote access to company resources will be of particular interest and value.
One of the more useful dimensions of the book is the analytical nature of the text, which highlights common misconceptions and pitfalls. The often used analogy of the 'weakest link in the chain' being the shortcoming that compromises the whole security process is a theme that runs throughout this book. Surviving Security does well to keep this message in the forefront of the reader's mind while delving into more specialist spheres that are often neglected. From patch management strategies to system log and process monitoring, Andress stresses that the devil is in the detail, and where security is concerned ignorance or lack of attention can have far reaching consequences. With the cost of doing nothing far greater than that of taking action to safeguard information and infrastructures, organisations must take a considered look at the risks and exposures they face. Staying on the right side of this critical curve is essential.
Andress's style of writing is insightful and engaging. By basing the text on personal experiences in the field of information assurance, the book swiftly cuts through the theoretical side of security and draws out strategies and techniques that have been proved at the coal-face. Most sections are appended with a 'For more information' box that lists additional points of reference (websites, books, journals etc) where particular issues or concerns are expanded in greater detail. SAMS, the publishers, have also created a complimentary website to the text, which helps keep the reader in step with updates and changes in both threats and Best Practice. Also featured are independent product reviews. This is a particularly useful resource, which for a fast moving industry such as information security is particularly welcome.
Surviving Security goes further than most books by providing an opportunity to take a Miller styled 'view from the bridge' at the security landscape. In a field full of specialist technical books, this wider perspective is especially valuable.