Surviving Security: How to Integrate People, Process, and Technology

Thousands of years ago, a geometry teacher informed his royal subject and student that there was no royal road or shortcut to the understanding of geometry. That statement also holds true for computer system security. Like the steps in a geometric proof, any shortcut taken in security has the potential for invalidating the entire structure. Furthermore, developing a sound security policy requires that many of our deeply held social and legal attitudes be set aside. In the American legal structure, any person is entitled to the presumption of innocence until their guilt is proven. However, to create and maintain an adequate computer security policy, everyone must be assumed untrustworthy until it has been proven otherwise. This creates an enormous potential for hard feelings, leading some to bypass the controls as a form of protest. Sound security policies also erects barriers that often reduce the efficiency of everyone accessing the system, creating an ongoing dent in the company bottom line. With all of this social, technical and economic baggage, it would appear that constructing an effective security system would be impossible. While constructing an impenetrable system is impossible, one can always reach a best possible level, and you see how to do it in this book. All of the problems in computer security, from the initial meeting to regular audits are covered in this book. As the title implies, the emphasis is on the integration of the many parts that interact to build a secure system. Knowledge of human psychology is important, as the users must be treated with an iron fist wrapped inside a fuzzy velvet glove. The coverage is thorough in the broad sense, but shallow in the depth sense. This is not a criticism, just a statement of fact. Each section has links to resources that provide the depth of explanation that may be needed. Security puts another level of complexity on top of the very difficult task of writing software that works. In the past, getting software to work took priority over getting it to work in a secure manner. Those days are gone and it is very difficult to conceive of any scenario where that will change. No one knows when it occurred, but several years ago, the cost of paying for security fell below the cost of repairing the damage caused by lax security practices. To get on the right side of this critical curve, read this book and follow the advice.

One of the few technology books that is actually under-priced based on the value you'll get from it. Content is very good and it's an easy read. You don't have to already be a security wiz to understand. There is also some unique treatment to process issues that I haven't seen elsewhere... Highly recommended.

I have been an information assurance professional for over 40-years. This is the only book that ties it all together and provides so many additonal bonuses that you cannot go wrong for the price.What I found best about the book:1. Great price for all the pertinent and up-to-date information, including references and URL's,2. Complete, concise, focused; no wandering down memory lane,3. A great study reference guide in preparation for the CISSP examination (I used it, I took the exam, I am now certified as an Information System Security Professional),4. The book will be a solid reference for years to come,5. The author knows her subject and presents it in such a logical manner that it is impossible not to grasp the concepts presented.6. Can use the author's web site for this book so that you maintain your currency (who else offers this?), 7. If your on the security profession career path this book is mandatory, and8. Where in the hell (heck) was this book 10-15 years ago.

Surviving Security is a really good book for someone needing a thorough introduction to information security. The book covers all of the most important security technologies and processes. After completing the book, the reader will come out with a good understanding the components of an information systems security infrastructure.All of the chapters contain loads of valuable information. Two extremely valuable sections are (Page 358) ?Sample Audit Checklist? and (Page 399) ?Assessing Your Needs?.The Sample Audit Checklist contains over 30 pages of technology items that require security. Assessing Your Needs details all of the items required for an effective incident response team....For those people needing an effective and easily readable reference about computer security, Surviving Security is an excellent resource.

I am the network manager at a mid-size Chicago company and have been tasked with the job of developing a formal security infrastructure for our organization. I have read many of Mandy's InfoWorld articles and eagerly awaited the release of this book. Needless to say, I was not disappointed. Surviving Security is a great resource for understanding the components of a security infrastructure, how they fit together, and how to analyze and select the best approach for your environment. She covers all the basics (security policies, firewalls, IDS, remote access, OS hardening, network architecture, etc.) In addition, there's a great chapter on authentication techniques. She also discusses the issues most people forget or do not really think about until it is too late: keeping up-to-date with patches, monitoring systems and logs, creating incident response teams, developing secure applications, etc. Most sections have "For More Information" boxes that give resources (books, websites, etc.) where you can go for more detailed information. I thought these were a great feature. She provides insightful information and commentary based on her experiences and then refers you to places where you can find more information. This book does not try to be all things for all people.The companion website is a great way to keep the content up-to-date. As long as the author keeps the information and links current, this will be a good resource for security information. The product reviews give an independent, third-party opinion that is sometimes hard to find. For those looking to develop a complete security infrastructure, this is the book to read. Surviving Security gives you an excellent "big picture" look at security that I have found lacking in other security books I have looked at.