Embedding information security curricula in existing programmes
Proceedings of the 1st annual conference on Information security curriculum development
Social Layers in Agents' Behavior Evaluation System
ICCS '08 Proceedings of the 8th international conference on Computational Science, Part III
| Hi-index | 0.00 |
From the Book:Before September 11, we probably would have started out this introduction talking about how nothing has made more of an impact in recent years than the growth of the Internet. In light of the events of that day, though, such a statement seems both ludicrous and disrespectful. What we can do is point out that networks of all kinds have always been media of change and instruments of progress, good or bad.Networks don't have to be created from routers and cable. Networks can weld together individuals of similar purpose and allow them to pool their efforts to accomplish an end. Such ends, unfortunately, are not always principled. Every day we read and hear about terrorist networks and webs of terror. The newspapers report about organized crime networks and law enforcement's efforts to break them. Unfriendly governments run networks of spies and saboteurs. Such images cast the network as an instrument of malevolence, an infrastructure for evil. But networks are not always used to promote discord. There are networks of giving that collect funds for the needy. There are networks of caring that concern themselves with the welfare of the sick. In the business world, people network to improve their company's growth opportunities, while others network to find a mate.The Internet, like any network, provides the same opportunities to individuals who would use it for the common good as it does to those who would abuse it. The intent of this book is to provide security professionals with a guide to the real-world implications of security, to allow them to build their networks and systems in ways that least expose them to risk. Many security books take an encyclopedic approach tosecurity, dutifully going through the details of every protocol and operating system configuration parameter. Although this book does cover the technical details of many operating systems, networking components, applications, and protocols, and although the intended reader of this book is an in-the-trenches practitioner, you will not find it filled with the usual collection of dry explanations and theoretical vulnerabilities. Our intent in creating this book was to encapsulate the experiences that we have garnered during years of system development, cryptographic design, secure networking, and security consulting for scores of large and small clients in a book that takes the reader from security policy to security reality. To that end, you will find that we have included many examples of how security principles have been applied in real networks by real companies. You'll also see a few examples of what can happen when sound security principles are not followed.Most books make the choice of either talking to an audience at the policy and principle level or neglecting these aspects of security and delving immediately into the technical details of such components as firewalls, operating systems, and applications. We believe that it is an injustice to talk about security without talking about the process of security as well. Like it or not, for security to be effective, the steps that an administrator takes to lock down a network have to be an extension of an overarching security policy. Security practitioners who do nothing but implement point solutions such as firewalls and VPNs without thinking about how they fit into an overall program and policy are doing themselves, their employers, and their budgets a disservice. A company that does not protect its critical assets, whether they are information, business processes, or services, will not be in business for long.To protect an asset, you need to first identify it. To protect it adequately, you need to determine what threatens it. To protect it in an efficient manner, you need to weigh the cost and effort to protect it against its value. All of these factors come together in the development of a security policy and program. In the end, the IT department still gets to deploy its firewalls andintrusion-detection systems, but only through a thoughtful process can these systems be selected and put in place in ways that offer the best protection to the most critical assets. This mode of thinking has led us to include two chapters that deal exclusively with risk and policy. These are not the usual dry calls to develop a security policy by picking the appropriate statements from a book of templates. We believe that a meaningful policy must be developed to protect the specific aspects of the organization and that the security practitioner can and should be a valuable contributor in putting together a policy that works.After all this talk about policy, we really need to speak to what the bulk of this book is about, and that's down-and-dirty security. In each chapter, we have attempted to cover aspects of security that build upon each other and ultimately lead to the creation of a "secure" infrastructure. We have taken great efforts to make certain that we talk not just about "ivory tower" security, but that we bring that discussion down to the real-world implementation level as well. For example, many technologists talk about how digital certificates are the silver bullet that can provide a ubiquitous basis for authenticating users on the Internet. They forget to tell you that of the 500 million users who are estimated to be citizens of the Net, about 99.99% of them still rely on a username and password to log on to their systems. Knowing about PKI is good, but knowing how to utilize the username/password in an effective and secure manner is practical.The same holds true in discussions of system vulnerabilities. The classic man-in-the-middle attack, in which a nefarious character intercepts the communications between two network entities and then masquerades as one of the entities, is interesting from a technical standpoint but hardly ever possible from a practical standpoint. This doesn't mean that such an attack can't happenit just means that, in our experience, it hardly ever does. The security practitioner will utilize his time better by keeping Web servers patched to prevent a 13-year-old hacker from crashing them than by implementing encryption among all the servers to block man-in-the-middle attacks. That's just reality, and that's what we think is one of the main differentiators of this bookand a good reason for you to read it.In the end, security requires constant learning and adaptation, much like life itself. This book presents a philosophy of security, an explanation of the techniques and processes used to engineer and maintain a secure network, and examples of how others have used these principles to protect themselves without closing the door on productivity and utility. It is our sincere desire that this book will help to raise the general level of security awareness as well as arm security practitioners with the specific knowledge that they require to go about, as Elvis used to say, taking care of business.