How to Cheat at Managing Information Security
By Mark Osborne
About this ebook
These individuals do not need to know about every last bit and byte, but they need a solid understanding of all major IT security issues to manage their departments effectively. This book is designed to cover both the basic concepts of security (the nontechnical principles and practices) and basic information about the technical details of many of the products: real products, not just theory.
Written by a well-known Chief Information Security Officer, this book gives the information security manager all the working knowledge needed to:
* Design the organization chart of his new security organization
* Design and implement policies and strategies
* Navigate his way through jargon-filled meetings
* Understand the design flaws of his E-commerce and DMZ infrastructure
* A clearly defined guide to designing the organization chart of a new security organization and how to implement policies and strategies
* Navigate through jargon-filled meetings with this handy aid
* Provides information on understanding the design flaws of E-commerce and DMZ infrastructure
Book preview
How to Cheat at Managing Information Security - Mark Osborne
messages.
Preface
Mark Osborne, 2006
Sometimes I’m asked why I wrote this book, and my answer can be summed up by a very simple story. While I worked for a large audit firm, I was phoned up by an auditor I vaguely knew. "Hi, I have an interview for the position of security manager next week," he said with obvious enthusiasm. "I know it’s got a lot to do with passwords and hackers, but can you give me more details?"
He must have thought I hung up by mistake because he phoned back—twice!
This book isn’t the most comprehensive security text ever written, but I think it contains many of the things you need to understand to be a good IT security manager. It’s exactly the kind of book my auditing chum would never buy.
Introduction
Information security is different from many other disciplines, both within mainstream information technology and in other business areas. Even though there are now many good books on its various areas, gaining the breadth of knowledge across the many subareas is still difficult, but it is essential to success.
Unlike so many functions of IT, security is an area that requires practitioners to operate across the whole organization. A chief information security officer (CISO) or a security manager is likely to be asked for advice on many aspects of security in situations where there is no alternative but to give some sort of counsel. Sometimes your best shot may be the best hope available. So the sensible security officer strives to have a good foundation in most areas; unfortunately, however, many don’t, and rely not on knowledge (either formal or self-taught) but instead on an authoritative tone, tactical Google searches, or the various mantras about security policy.
Those experts who know everything about everything but whose advice needs to be reversed 50 percent of the time often cost companies hundreds of thousands of pounds in project delays and even fines.
This book can’t possibly prepare you for everything you are likely to come across. And in its defense, no other single volume can either, but this book is designed to be a rather good start for that preparation.
This book is designed to cover both the basic concepts of security (i.e., the nontechnical principles and practices) and basic information about the technical details of many of the products—real products, not just theory.
Throughout the book, I have tried to explain why we do things the way we do.
I don’t know this because I’m very clever; let’s say I know this because I’m slightly older than you and was in on the ground floor while people were still trying to work things out.
Chapter 1
The Security Organization
The purpose of this chapter is to:
■ Review typical positions of the information security function and the benefits of each
■ Define the role of the security function
■ Discuss the qualities of a good CISO
Anecdote
To be a chief information security officer (CISO), you must demonstrate certain key qualities to an employer. At the interview for my last position, I sat down, miscalculating the touch-down so the arm of the chair slid neatly into my pants pocket with a ripping sound. My Top-Shelf consultancy suite was now complete with air-conditioning.
I immediately announced, "I’ve ripped my trousers"—so my interviewers would know the exact source of the sound that had so obviously come from my seat. Then I said, "Now you can see that I’m not talking out of the seat of my pants."
Now that’s the voice of experience!
Introduction
No two organizations are the same; they are always different culturally and in terms of size, industrial sector, and staff. Consequently, there is no right (but probably plenty of wrong) answer to the question, "Where should we position the head of security and the security team(s) in an organization?"
Separation of the position of the operational security teams away from the head of security is often a purposeful and commercial decision.
This chapter reviews how organizations, both big and small, set up their security functions. It is based on my observations gained during 10 years’ experience in security consulting, at both a strategic and a detailed technical level, to many of the United Kingdom’s leading blue-chip companies.
I have never seen this subject covered in any textbook or manual.
Where to Put the Security Team
Figure 1.1 shows a typical firm with a number of potential positions for the security function. We will analyze the pros and cons of each position to answer the age-old question, "Where should information security sit?"
Figure 1.1 An Information Security Organization’s Hierarchy of Personnel
Where Should Security Sit? Below the IT Director Report
The most common position for the CISO and the security function is reporting up through the IT director or the head of computer operations. Certainly the latter organizational structure is common in small firms where there is no regulatory requirement for security. If the company is regulated or even quoted on an exchange, the authorities may encourage a more elevated position. Strangely enough, it is also common in more visionary firms that have had a security team for 20 years—perhaps because the team evolved from a solid team of Resource Access Control Facility (RACF) administrators (RACF is security software for IBM mainframes)!
Visit any organization with this structure and you will, within a very short time, recognize these benefits and failings.
Pros
Advantages of positioning the security team below the IT director include:
■ The information security function will not receive much "outsider" resistance when it makes IT decisions, simply because it is part of the computer department. Therefore, it isn’t "external interference."
■ Operational computer security tasks (firewall installs, router access lists, and the like) will tend to be carried out by the team rather than by producing a specification for another team to execute. As a result, the team will become acknowledged local experts.
■ Technical security staff can be allowed to specialize and work closely with other technical areas. Therefore, not only will there be skill transfer, but relationships should generally be better.
Cons
Disadvantages of positioning the security team below the IT director report include:
■ Security will not have a powerful voice.
■ Security will probably be under-funded.
■ Security will not be independent; it will always be seen as taking the easiest route for the IT department. Typically, because of the low-ranking positions and the fact that it is embedded in the IT department, the focus will tend to be on computer security rather than information security. Business risk techniques to assess loss and impact will tend not to play a key role.
Obviously, in some situations this positioning will not be a big disadvantage. One of the largest U.K. banks is organized exactly in this manner. But when you are a direct report to an IT director who is responsible for 5,000 people and you have over 100 security staff reporting to you, you probably won’t feel that your punch lacks power. Similarly, if the organization has nearly all its problems within the IT department and IT is the core business (such as with an Internet company), placement here could be a significant advantage.
Generally, however, good all-round risk management cannot prosper in this layout. The scope of the role will allow the security function to manage digital and computer security very effectively, but influence over information risk management for nondigital assets may be advisory at best. This fact will have significant drawbacks at times (such as in the security of paper files), but computing is ubiquitous these days, so the influence of the role may still be considerable. As discussed later in the chapter, sound partnering with other departments may reduce this drawback considerably.
Where Should Security Sit? Below the Head of Audit
Another far from ideal place to position a security team is to have it report to the head of the audit function. In my experience, this is where security teams are often dumped when they grow up and move from being a subdepartment of the computing department to having a wider scope.
But if you have any sort of life, you don’t want to spend it with auditors, I promise you.
Pros
Advantages of positioning the security team below the head of auditing include:
■ The team is independent from the computer department.
■ The team will benefit from the "whole business" governance mandate of the audit department. If the accounts team members are sharing passwords and you catch them, they will no longer excuse it by saying, "Oh, it’s just IT."
■ Your boss (the head of auditing) will insist that you take a holistic information security approach rather than just apply computer security.
■ The security team will have powerful friends such as regulators or the audit committee.
Cons
Disadvantages of positioning the security team below the head of auditing include:
■ Nobody is ever pleased to see an auditor. The team will tend to be perceived as judgmental and reactive, not proactive fixers or problem solvers.
■ Auditors are often jacks-of-all-trades, not uncommonly struggling technically to do the jobs they do. The team will never be recognized as subject matter experts.
Where Should Security Sit? Below the CEO, CTO, or CFO
Placing security below the CEO, CTO, or CFO is the best of all the basic positions. This reporting position ensures that other departments will take notice of your findings, yet it is independent from any operational department.
Pros
Advantages of positioning the security team below the CEO/CTO/CFO include:
■ The security team is endowed with power.
■ It is independent.
■ The position is high enough to have a "whole business" remit.
■ It shows everyone that your organization is taking security seriously.
Cons
Disadvantages of positioning the security team below the CEO/CTO/CFO include:
■ The security team will be accused of being in an ivory tower (but so what).
■ The security team will find it hard to look into the IT director’s business and organization.
Your Mission: If You Choose to Accept It
So what does a good security team do? What are the team’s objectives? The answers to these questions will change from organization to organization, dependent on the particular information security strategy. The factors that may influence the answers, detailed at length in the next chapter, include legal requirements, regulatory requirements, and supplier and customer information security requirements.
This section describes the common activities of an information security department.
Role of the Security Function: What’s in a Job?
Figure 1.2 shows the well-respected security team of a live organization.
Figure 1.2 A Large Information Security Team
This chart provides a good example of the roles or skills required within a security team that are needed to manage information risk. Management of information risk includes the following duties:
■ Incident management
■ Legal and regulatory requirements
■ Architecture and research
■ Policy, standards, and baseline development
■ Security consultancy
■ Assessments and governance
■ Operational security
The following sections review each of these functions in turn.
Incident Management and Investigations
Every organization needs to deal with a number of categories of security incident. These can vary considerably in their nature and impact on the organization. Typically, the team will be involved in the full range of computer misuse activities,