Mission-Critical Security Planner: When Hackers Won't Take No for an Answer (Paperback)

by Eric Greenberg (Author) "Security isn't a product, a feature, or anything that we can simply acquire and then implement, confident that it will work now and forever after..." (more)
Key Phrases: quality management worksheet, security worksheet, executable management, Business Use Worksheet, Security Stack Use Worksheet, Selling Security Use Worksheet (more...)

Editorial Reviews

Review
“…This book is unique in its approach…and in conveying the overall strategy to the reader…” (Managing Risk, Summer 2003)

Product Description
* Shows step-by-step how to complete a customized security improvement plan, including analyzing needs, justifying budgets, and selecting technology, while dramatically reducing time and cost
* Includes worksheets at every stage for creating a comprehensive security plan meaningful to management and technical staff
* Uses practical risk management techniques to intelligently assess and manage the network security risks facing your organization
* Presents the material in a witty and lively style, backed up by solid business planning methods
* Companion Web site provides all worksheets and the security planning template

See all Editorial Reviews

Product Details

• Paperback: 432 pages
• Publisher: Wiley (January 20, 2003)
• Language: English
• ISBN-10: 0471211656
• ISBN-13: 978-0471211655
• Product Dimensions: 9.2 x 7.5 x 0.9 inches
• Shipping Weight: 1.5 pounds (View shipping rates and policies)
• Average Customer Review: 4.9 out of 5 stars See all reviews (9 customer reviews)
• Amazon.com Sales Rank: #1,324,779 in Books (See Bestsellers in Books)

Customer Reviews

Most Helpful Customer Reviews

4 of 4 people found the following review helpful:

5.0 out of 5 stars Awesome high-level book, May 7, 2003

By	Dr Anton Chuvakin (CA, USA) - See all my reviews

It is very rarely, that you'd see a good high-level security book nowadays. There are lots of great "worm-eye view" books with nice detailed descriptions of attacks, defenses, secure configuration options, tools and tricks. However, many of the high-level books resolve to quoting some outdated CSI/FBI survey, blabbering about security policy and giving out piles of outworldly advice on how to "mitigate risks".

This visionary book proves the opposite: you can have a high-level security book, which is not just practical, but actionable. "Mission Critical Security Planner" delivers a portion of the security process, packed into one toolkit. Make no mistake - this book is about planning how to do security, not how to tweak your scanner or configure a firewall. However, planning is indeed a critical (and, as the author points out, often missing) piece of security conundrum, and the book delivers on that.

An awesome component of the book is a large collection of templates and worksheets on "selling" security measures, planning the implementations, organizing security team, dealing with various business people and many other occasions. The book has the printed versions while its companion website criticalsecurity.com has the download.

The main part of the book is organized around "security fundamentals", large domains of security (such as authentication, encryption, integrity, privacy, etc), which are used to structure the security planning process, described by the author. For each of the fundamentals, the content is organized in sections: summary, security stack (covering various aspects from physical to application level), life-cycle management (from technology selection to response), business (on dealing with various categories of business people, such as suppliers and customers) and selling security (to execs, managers and staff). All of the above contain various templates.

Among the more fun parts, the section on negotiating with hackers is just exclusive and of the never-seen-before kind. Section in hacker profiling is also of interest, since it seems to originate from author's experiences (and not in just reading about it on the news). The book also demystifies such elusive notions as "impact analysis", "security ROI". PKI also has a prominent role in the book. While PKI (as it is defined today) might or might not fly, the book gives a great example of large-scale production implementation, running for many years. Another great feature of the book is author's "future 10 attacks list" with his predictions on threat landscape.

Overall, the book seems indispensable to those responsible for securing networks. Security managers and CSOs will likely gain maximum benefits from using it (due to the book targeting), but other security professionals will benefit as well. Notice, that the benefits can be derived from "using" it as opposed to just "reading" it, although even the latter will prove highly enlightening. The "selling security" templates alone are likely worth their weigh in gold. The book is well-written and, while not possessing the lively style of some recent security books, will beat some of them hands down in real-world applicability. After all, even if you very well know that IDS is valuable, who will help you to "sell" it to the CIO? This book just might!

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org

3 of 3 people found the following review helpful:

5.0 out of 5 stars Greenberg has done 1/2 the work for you, March 8, 2003

By	Priscilla Oppenheimer (Ashland, OR USA) - See all my reviews

In Mission-Critical Security Planner, Greenberg lays out all the security elements that should concern you and what questions you should ask about them. With this book, half the battle is won because you at least know how to do the planning. You still have to do the planning, but with the worksheets and tips provided in the book, that will be much easier than it used to be.

I read the book twice: once to get an idea of what all the worksheets were about and once to really read them with all the technical and practical details provided by Greenberg.

Greenberg identifies 28 security elements, including 15 fundamental elements, (six of which are core elements), and 13 wrap-up elements. Core elements include things like authorization and access control, authentication, encryption, integrity, nonrepudiation, and privacy. Those may seem obvious, but Greenberg has a lot of useful things to say about them that others haven't said.

Perhaps the most valuable part of the book is all the other elements, which we tend to forget, including addressing and routing (with tips on how to get those right from a security point of view), configuration management, directory services, time services, staff management, legal issues, and so on.

I'd be interested to see some projects get implemented with Greenberg's methods. I think it should work quite well, although due to entropy, laziness, over-worked engineers, and other such factors, I would guess that some of the numerous worksheets will fall by the wayside. But I think Greenberg would be OK with that as long as most of the worksheets are maintained and the company adopts security as a way of thinking.

In summary, this book is definitely worth reading, probably numerous times!

2 of 2 people found the following review helpful:

4.0 out of 5 stars Great security cookbook., June 16, 2003

By	Ben Rothke "Author of 'Computer Security: 20 ... (USA) - See all my reviews (TOP 500 REVIEWER)    (REAL NAME)

The truth is, hackers and other attackers won't take no for an answer, and while there is absolutely no way to stop attackers from trying; there are ways to stop them in their tracks.

With that, Mission-Critical Security Planner is a surprisingly good book, aimed at someone looking to start developing their information security infrastructure. Rather than having to reinvent the wheel, the book provides planners with the framework and tools they need to create their information security infrastructure.

One good feature of the book it is large collection of templates and worksheets on various security elements. .../

The book is not overly technical and is quite good for those who need to get their security group up and running in a short timeframe.

For those that are serious about security, they will find that Mission-Critical Security Planner is like a cookbook. They can use it to prepare their security as needed.

Overall, Mission-Critical Security Planner is a very readable and useful book. Those who have an imperative to get their security groups up and running will find huge value in the book immediately.