Copyright

Copyright

Library of Congress Cataloging-in-Publication Data

Day, Kevin

Inside the security mind; making the tough decisions / Kevin Day.

p. cm.

Includes index.

ISBN 0-13-111829-3

1. Computer security. I. Title.

QA76.9.A25D39 2003

005.8--dc21 2002192976

Editorial/production supervision: Techne Group

Executive editor: Mary Franz

Manufacturing manager: Alexis R.Heydt

Manufacturing buyer: Maura Zaldivar

Cover design director: Jerry Votta

Art Director: Gail Cocker-Bogusz

Editorial assistant: Noreen Regina

Marketing manager: Dan DePasquale

Full-service production manager: Anne Garcia

© 2003 by Kevin C. Day

Published by Pearson Education, Inc.

Publishing as Prentice Hall PTR

Upper Saddle River, New Jersey 07458

Prentice Hall books are widely used by corporations and government agencies for training, marketing, and resale.

The publisher offers discounts on this book when ordered in bulk quantities. For more information, contact Corporate Sales Department, Phone: 800-382-3419; FAX: 201- 236-7141; E-mail: corpsales@prenhall.com

Or write: Prentice Hall PTR, Corporate Sales Dept., One Lake Street, Upper Saddle River, NJ 07458.

Other company and product names mentioned herein are the trademarks or registered trademarks of their respective owners.

All rights reserved. No part of this book may be reproduced, in any form or by any means, without permission in writing from the publisher.

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1

Pearson Education LTD.

Pearson Education Australia PTY, Limited

Pearson Education Singapore, Pte. Ltd.

Pearson Education North Asia Ltd.

Pearson Education Canada, Ltd.

Pearson Educación de Mexico, S.A. de C.V.

Pearson EducationóJapan

Pearson Education Malaysia, Pte. Ltd.

Dedication

To Joselhyt for her inspiration

To Michael and Sandra for their support

To Grand Master Choa for his wisdom

About Prentice Hall Professional Technical Reference

With origins reaching back to the industry's first computer science publishing program in the 1960s, and formally launched as its own imprint in 1986, Prentice Hall Professional Technical Reference (PH PTR) has developed into the leading provider of technical books in the world today. Our editors now publish over 200 books annually, authored by leaders in the fields of computing, engineering, and business.

Our roots are firmly planted in the soil that gave rise to the technical revolution. Our bookshelf contains many of the industry's computing and engineering classics: Kernighan and Ritchie's C Programming Language, Nemeth's UNIX System Adminstration Handbook, Horstmann's Core Java, and Johnson's High-Speed Digital Design.

graphics/prenticehall_icon.gif

PH PTR acknowledges its auspicious beginnings while it looks to the future for inspiration. We continue to evolve and break new ground in publishing by providing today's professionals with tomorrow's solutions.

Prologue

    In the Beginning…

In the Beginning…

It has been nine years since I first took up the sword to ward off a malicious two-headed hacker that was invading my lands. Over the past nine years I have witnessed a great deal of carnage and gore in the information security world. Securing everything from governments, Fortune 500 companies, health-care giants, medical research institutes, and even the good, old mom-and-pop shops has led me though a long maze of questioning and discovering. I have lived a cycle of life starting from the intrigued beginner, to the sworn hands-on technologist, to the enthused architect, to the senior advisor, and finally, the simple philosopher.

Like many philosophers, I cannot claim the ideas and practices in my book to be my own. They have simply been the inspiration of security related events and studies that have passed before me over the years. Eventually, the mind begins to notice things, patterns to what otherwise seems like simple madness. I began to realize what an incredible tool the recognition of these patterns presented; weapons of defense that can be wielded by everyone, not just by the security experts and the technically elite.

Here, I invite you to use these same weapons to protect your own homeland. The practices contained in this book have been proven time and again in direct combat with the enemy. The companies that have unfixed their eye from the size of their cannons and focused instead on the principles presented here have achieved security without a great deal of effort. For you see, the determining factors in a successful battle are not simply the technologies used, but the planning, strategizing, and decision making that take place before, during, and after the battle is complete.

Today, too many battles have been lost while following the commonly adopted guns and swords of information security. Too much blood has been spilled and too many retreats have been sounded in the chambers of our corporate lords. The first line of this book states, "The time has come for a different way of thinking about information security." What we are about to look into is not really "new" at all, but time honored practices of the ages, simply presented in a new and effective way.

Who Should Read this Book?

Inside the Security Mind was written in such a manner that anyone with the most basic IT knowledge will be able to read it. This was done with great care as I truly believe that everyone associated with technology within an organization should read this book. The chapters build upon constant and universally applicable rules of security that everyone should know and practice. Rather than having to spend years in study or practicing in the industry, however, the reader has only to grasp the concepts presented here. That is the goal of this book, to provide the reader with tools to think like a security expert and to correct the many flaws that currently plague the information security world. As such, I highly encourage the following people to read this book:

IT Managers. This book is designed to help the reader make good, effective, and consistent security decisions without a great deal of study. Today, security should be a concern for all IT-related managers and directors, and for many who are not directly related to IT. Even if you are not responsible for any specific security practice, it is important to protect your department, facility, or corporation from the many security and availability threats in the world. The majority of successful security attacks over the past few years could have been prevented if the local staff only had been aware of security. When the concepts contained herein are understood and practiced, you will become "security aware" without having to take a class or learn how to install a firewall. I highly encourage those in charge of any aspect of IT to read this book and recommend it to your IT employees.

Technical Gurus. As has become obvious over the years, every piece of information technology is in need of security focus. It is impossible to implement a server, router, application, VPN, or wireless extension without affecting the security of the rest of the organization. As such, anyone dealing with technology should have security awareness while performing their daily duties. This book is designed to create a high degree of such awareness and provide tools and techniques that can be applied to every type of technology, whether designing, developing, or implementing it. In the final sections, we will explore several technologies that require the most security care, and we will discuss how to safely implement them. Going far beyond this, however, the guidelines given throughout the book can and should be applied to all technologies. After reading this book, the next time you hook up a router, install a server, or bring up a new WAN link, you will know where to look for the security implications and how they should be addressed, regardless of the specific technology.

Up-and-Coming Security Practitioners. The concepts presented in this book represent the heart and soul of information security. Anyone desiring to be a security professional should become thoroughly familiar with them. So put down that firewall manual, take a break from configuring the IDS sensor, and venture to read what security is all about. This book is probably the quickest way to advance to the next level in your security abilities.

Seasoned Professional Security Practitioners. This will be a great book for building on concepts you probably already have in your head. I have found it of great use to have the concepts that are normally flitting about in the back of the mind, laid out in plain sight. Beyond this, Inside the Security Mind provides a great structure for you to build security practices, and is quite helpful in conveying security concepts to your managers, directors, employees, and clients.

How to Read this Book

As you have no doubt concluded, this is probably not going to be your everyday IT reading experience. The style of this book was not adopted just to be cute and friendly, but rather to set the proper mood. In a moment, you will turn to Chapter 1, and you will not find a formal textbook on information security, but a true-to-life guide on surviving in the IT industry. This book requires only that the reader proceed with an open mind and an expectation of something pleasantly different. I would not be surprised if there are sections within this book that contradict the practices you have read or seen in the past, and perhaps, at the conclusion of the book, we will all agree on why.

The book flows linearly with each concept building upon the concepts presented before it. In the beginning, we will cover The Virtues of Security, basic understandings of how security should be embraced within an organization. We will then build upon those virtues to derive The Eight Rules of Security, practical concepts that can be easily applied in just about every situation. Next, you will find higher concepts that build upon the rules, and then, finally, a plethora of practical applications where all of this information is synthesized into real-world uses.

As you can probably guess, this is not a book with which one should skip back and forth through the pages searching for a specific topic. In order to fully understand the recommendations on protecting your VPNs, for example, you must first understand the virtues, rules, and concepts that the recommendation has been built upon. As such, I would highly recommend reading Inside the Security Mind in its entirety, even the sections that may not seem to directly apply to your environment. Sections within this book that deal with specific technologies actually apply universally and will often yield information to help apply the same concepts elsewhere.

This brings me to my next point. When reading this book it is crucial to not get to side-tracked with any specific technologies mentioned. While we will certainly delve into specific areas to help hone in the concepts, all sections are built upon the same reasoning, understanding, and philosophy. Thus, while I am saying "a server", it is also applicable to a router, room, application, network, and employee. Our goal here is far more than simply implementing a firewall and monitoring our intrusion detection system.

Making the Tough Decisions

The main goal of this book is to arm you with the ability to make good security decisions in all situations either simple or complex. Because the human thought process is a vastly complex beast, I have attempted to isolate the major points that should always flash through the mind when making a decision. After we have journeyed through the virtues, rules, and higher practices, you will find a short chapter describing how to use this information to make a good security decision. This section is a synthesis of everything that came before it, and is a good example of how one should think with a security mind. If you follow this section with an open mind, you may find that all of your security problems follow a similar flow. You will surely notice that some of the comments I make do not apply in every situation, but the heart of the process is extremely effective in recognizing and solving security problems.

Beginning at the End

As a final thought before venturing on I believe it would be helpful to understand the ultimate purpose of this reading. So, if I may, I invite you to take a glimpse at the conclusion that it may stay in your mind during the gap between page turns.

"To date, security has been a goal unachieved by many organizations. For some, information security appears to be a large, untamable beast that they simply hope will not bite them. As we have seen, though, security is not a monster, but rather a series of interrelated core concepts surrounded by an infinite number of possibilities. By taking our eyes off the infinite possibilities and focusing on the core concepts presented in this book, security becomes a much easier matter to comprehend and deal with. Placing proper focus on daily practices allows organizations to break away from the traditional security nightmares and makes security a natural extension of everyday actions."

"When an organization makes decisions using a developed security mind, it separates itself from the struggles and costs commonly associated with information security. In this infinitely dynamic world of IT, practicing such higher principles of security is the only chance we have to defend ourselves against enemies. If organizations continue to embrace new security technologies without developing a higher understanding of security, the enemies will simply be required to develop new and more clever technologies with which to attack us. However, when organizations begin to develop a security mind, they will begin to transcend such common "thrust and parry tactics," and through these efforts, emerge from the war victorious."