Foreword

Note carefully this book is not like most of the other security books you can buy. You won't find gory details of weaknesses in servers and lists of the IP ports they use, nor will you find annotated virus-source listings. The author did not include a directory of penetration scripts and a companion list of WWW sites from whence you can download them. There are no lurid (and repetitive) first-person stories that illustrate how easy it is to dupe people into disclosing their passwords. So if these are some of the things you're hoping for, then put this book down.

But… be aware that you would be putting down a book that discusses real issues in real security, and provides fundamental and long-lasting lessons including some that everyone involved with computers would be well-advised to learn.

Consider this: within a year or so after this book goes to press, e-Commerce on the Internet will pass the $1-trillion-per-year mark. Commercial use of the network wasn't allowed and didn't really start until 1993, so this is an incredible rate of growth. But even as we look at those numbers, we need to realize that it is simply the beginning: only a fraction of the world's population is currently 'connected,' and only a fraction of business-to-business (B2B) commerce is online to begin with.

Many people have heard (Gordon) Moore's Law, first articulated in 1965, which predicted that processor performance would double every 18 months. Reality has mirrored this prediction, and is expected to continue doing so for at least another decade. We have seen similar growth in secondary storage use, doubling online capacity approximately every 14 months over the last few years. Communication bandwidth has also seen dramatic increases, as fiber and wireless are ever-growing. Costs for all of these commodities (and they have become commodities indeed) have dropped as the raw measures of total capacity have risen.

As both a cause and effect of the growth in IT infrastructure, critical information is increasingly being placed online. Banks, stock brokerages, accounting and financial firms of all other kinds use computers and networks to carry out their business. Federal and state governments could not function without a network presence. Critical infrastructure, including power and transportation, depends on networked sensors and controls. Law enforcement and defense rely on IT to store their data and support their missions. Health-care records, medical reference, and diagnostics are computerized more and more. And the intellectual property that drives huge portions of our commerce, including chip designs, new software, pharmaceutical formulations, oil exploration, music, movies, literature, and more, is all online and subject to theft, alteration, and destruction. Arguably, every commercial sector has a critical component in cyberspace (or soon will).

Now, consider the apocryphal quote by the noted bank robber Willie Sutton: when asked why he robbed banks, Sutton allegedly responded, "Because that's where the money is." Where do you think the notable criminals of the future will be focused? The terrorists? The radical activists, vandals, and anarchists? Let's face it: information technology will be a target of choice for all manner of attacks. In fact, that future has already arrived, with annual losses from viruses, intrusions, and online fraud estimated by some entities to be in the many tens of millions of dollars.

These losses occur largely because of a chronic lack of good information, security tools, and personnel, coupled with poorly conceived mass-market products. The typical online system is built from software that was not designed to be secure, intended to be compatible with earlier software that was even less secure, coded by people with no training in assurance, minimally tested, and released to meet marketing deadlines regardless of known flaws. Those same systems are then purchased by people with no background in security, installed as add-ons into an unsecure base, and used by people who seek to find ways around minimal security because it interferes with their online activities. All too often, management depends on the services or writings of self-professed experts whose whole experience has been in downloading and running pre-packaged penetration tools written by others. It is not surprising that so many computer incidents occur; instead, it is surprising there aren't more!

As recently as the 1980s, information security was a very esoteric and limited field in computing, compared to specialties such as graphics, networking, and AI. I remember that there were only a few books on information security (other than cryptography) available to the general computing user of that time. That wasn't really a concern because the general user did not yet face any real IT threats. The Internet and commodity computing have certainly changed that dynamic! Recently, we have seen hundreds of security-related books published. But out of all of those, there are still only a small number that are worth having; the remainder are based on rehashes of more studied works, listings of vulnerability exploits that will be stale within a few months, and information on how to apply yet more patches to already unstable infrastructures.

It is against this backdrop that a few experts stand out because they really understand the "big picture" of information security. Linda McCarthy is one such person, and careful reading of this book will illustrate why the first edition of her book has been a mainstay on the shelves of educators and practitioners since it appeared. Rather than address point solutions or temporary patches, Linda has used her experience as a security auditor, consultant, manager, developer, educator, and executive to identify and illustrate underlying structures and attitudes that drive security planning and execution. She knows that computer security does not depend primarily on the computers, but on the people who buy, deploy, and operate those computers. It requires an understanding of the economics, psychology, law, and business practice surrounding the use of computing that determines its overall security in use. In addition to Linda's vignettes in this book, the title itself suggests the proper focus of attention on security: at the top levels of the organization. Information security, when viewed at the proper level, is much more than a "system admin vs. hacker" exercise; it is an assurance function that protects the viability of the entire enterprise. As the text illustrates, infosec responsibility and policy must flow from the top, be proactive rather than reactive, and have an on-going commitment of resources. Understanding how to run a vulnerability scanner is simply not sufficient.

As we move forward in the information age, with information security ever more important, we would do well to note that in both we are referring to "information" and not "computer." It is important to all of us that we develop an awareness of how to protect our information resources, whatever they may be. The fundamental focus of our thinking should not be on a particular computer or OS release, but on the underlying structures in which they function: the social, economic, and legal structures. We all need to understand that information security would not be a problem if it weren't for the people, and technology alone will never be enough to address the problems people pose to security. The technology is important, certainly, but it is not the only or most significant component. Linda has understood these basic truths for years, and practiced them in her career. Nearly everyone can learn something of value from her experiences, nicely summarized and illustrated in the following chapters.

The first edition of this book is not the only one I have on my bookshelf discussing a deeper view of infosec. However, it is one that I have frequently recommended to students and colleagues who were seeking deeper insight into security, each of whom found it instructive. And that's another way this book is different from those big books listing WWW-based hacking tool sites and dubious advice: this one can fundamentally change the way one thinks about security. So if you were looking for one of those other kinds of security book, my advice is that you don't put this one down... at least, not until you've read it.

Eugene H. Spafford
December 2002

IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73