Paperback IT Security: Risking the Corporation Book

ISBN: 013101112X

ISBN13: 9780131011120

IT Security: Risking the Corporation

This book discusses and documents the importance of a security policy, the impact of organizational politics, and includes actual transcripts of break-ins and checklists of preventive security... This description may be from another edition of this product.


Customer Reviews

5 ratings

Very scary diary of security problems

Reading this book should scare you to the ends of your toenails. It is largely a recapitulation of security audits done by McCarthy with some other instances of security breaches added in to further emphasize an already well made point. Namely, that computer security, even among many of the heavy hitters, is very unorganized and inadequate. The author was able to sit down at terminals and obtain read/write access to some of the most sensitive data of the companies that she was auditing. The culprits are generally a listing of the usual suspects. Lack of security training, lack of time to apply known security patches, the mistaken belief that "it is not my job", arrogance in believing that one knows how to repair all problems, trusting outdated security software such as firewalls, the unwarranted trusting of other systems and lack of sufficient management direction. Solutions are easy to find and are essentially the inverse of all the usual suspects. To expect untrained personnel to be able to implement complex security policies is unrealistic and the cost of training is dwarfed by the expense of repairing a security breach. It is the job of employees to rigorously enforce the security procedures, which includes the trusting of no one until they are proven to be worthy of trust. And then, you only allocate the minimum amount of privilege needed for them to complete their tasks. I personally have no time for people in IT who think they know everything and I am not alone in thinking that it is the most dangerous of all the security mistakes that can be made. The game of computer security is one where the stakes rise higher with every passing day. With our increasing dependence on computers to manage everything from our credit cards to our public utilities, it is probably only a matter of time before a major security breach occurs which takes down a large part of the American economy or even causes a large number of deaths. 
One of the most frightening stories is how a hacker managed to access the controls to the flood gates at a Canadian dam. If they had been able to use this knowledge to open them, entire towns could have been flooded. Implementing effective security features is not an option and as the author points out, failure to do so could leave you open to liability charges. Therefore, if you are involved in setting down the security policies for your company, you must read this book. It will show you how things are being done wrong, which is the first step in doing them right.

Buy a copy for you, buy a copy for your boss

Learning from other people's mistakes is not only valuable... but interesting. The lessons taught in this book come from real life experiences at very real life companies. The style is engaging and fun to read which makes the lessons learned that much more striking and memorable. After each story the author gives practical advice on how the particular situation should have been handled or prevented. Security has always been an important aspect of technology, but as technology has advanced security has become a more important concern than ever. It is an issue that must be addressed, whether you're starting a small business or working for a large corporation, and it permeates more areas within your company than you probably realize. You might think you can buy and install a security package and be done with it. You might think email is a safe way to communicate. You might presume that your company's management is on top of things, security-wise. Read this book. And for extra brownie points, get your boss a copy, too!

Practical Advice - Great read

While this book will NOT teach you how to hack into someone's systems, it is clear from these stories from Linda McCarthy, that it is far too easily done. McCarthy uses an excellent format for conveying what could be a host of confusing information. She tells a series of stories based on her experience as a security auditor and consultant. The stories are all very entertaining and an easy read. She concludes each story with a series of learnings and best practice ideas based on analyzing what could prevent these kinds of problems from happening in the future. What amazed me the most was that like many things, IT Security often comes down to people - their experience and training, motivation and how they are organized and managed - with technology secondary. I'd recommend this book to anyone from systems administrators and those in security management to CIO/CEO's. It's full of practical advice.

IT Security Risking the Corporation

This book focuses on the real world problems with security. If you need funding for security -- give this book to your CIO. These are problems that you see in every company. I liked it a lot!

What your CXO needs to know

I read this book on the plane flight home from a SANS workshop called Audit and Security Controls that Work. About 25 percent of the workshop participants were CTO/CSOs from best in class IT shops, companies like Verisign, Tripwire and Bear Stearns. Needless to say, most IT shops are not best in class, and the rich question the second stringers are asking is: what are the first steps to improve. The first step is senior management commitment to security. The problem is that CEOs don't read router configuration files and network administrators don't communicate well in terms of business goals. There is a huge communication gap and very few people are comfortable in both environments. The author of this book, Linda McCarthy, is one of those few people. She has written a book that could help turn the lights on for a manager. I really like the subtitle, "Risking the Corporation". That is what managers do when they make decisions that do not take security into account. That is a bit scary since only one manager, the CEO, is actually authorized to risk the corporation. This book can help department heads and CIO types understand the limits to their authority and the need to practice due diligence. I like the use of headings, the sections are only a paragraph or two long so that a senior manager can get nuggets out of the book in as little as five minutes and if they can invest a half hour or two on a plane they can learn enough to begin to get them to rethink their assumptions. I liked the use of quote pages, where there is a quote from a famous person in information security in large type, but the quotes themselves were not chosen with the care they should have been. If there is a second edition, I would recommend removing chapter 12, if a senior manager runs into a chapter of nothing but Unix commands which they do not understand they will be irritated.
The book is well written and very digestible up to that point, and then boom, in a flash we undo much of the good that has been done. This is a nice set of stories, it is more appropriate for management than any other security book I can remember seeing. Buy a copy, give it to your boss the day she is leaving on travel. Ask her to read it on the way home and to schedule a half hour to discuss it when she gets back. Your organization will be much better off if you do.