through Security Awareness
Author: Tyler Justin Speed
Publisher: Auerbach/CRC Press 2012
Price: ~US$61 from Amazon
Provided you are not expecting detailed guidance on how to raise security awareness, this book gives reasonable introductory-level coverage of network/ICT security including a few aspects that are barely mentioned in some similar texts.
Tyler is an Executive Vice President at a US aviation company making engine analyzers, which is about all we know about his professional background, except that he has a Masters degree in Information Assurance from Norwich University and is studying for his CISSP.
Scope and purpose
While the cover blurb refers to providing “a high-level overview of how to protect your company’s physical and intangible assets ... [that] explains the best ways to enlist the assistance of your employees as the first line of defense in safeguarding company assets and mitigating security risks”, the book is primarily concerned with network/ICT security: human factors and security awareness are covered but not in much depth.
Emphasizing that the book requires “no previous networking or programming experience” indicates that this is not a detailed, highly technical book but is aimed at relatively non-technical people with an interest in, and/or responsibilities for, IT or information security.
Structure and content
The book is composed of a series of discrete chapters, with little in the way of an obvious sequence, structure or theme. For example, chapter 15 on malware is followed by a chapter on security policy, then a chapter on security analyses and audits, then a chapter on access control. [Aside from the sequence, the coverage bears a passing resemblance to ISO/IEC 27002.]
The level of detail varies between and within chapters - for example, in the chapter on crafting a security policy, there are two and a half pages about physically distributing and updating security policies, followed by just half a page on digital (meaning intranet) distribution. This is despite the author casually mentioning the obvious benefits of the latter over the former.
“Diplomacy”, “Interdepartmental security”, “Physical security” and “Computer and network forensics” are not universally covered by network/ICT security books, making these chapters welcome additions. Emphasizing the human aspects of information security balances out the more IT/technical security content, although arguably leaving the technical side a bit light in places (e.g. there is not much about firewalls, and almost nothing about application security).
Despite the implications of the title, the book’s coverage of security awareness is disappointing, offering very limited advice on how to do awareness. Figure 1.2 “Promoting Security Awareness” identifies “ten steps for promoting security awareness”: it’s a shame the author didn’t materially expand on those. Figure 2.1 identifies just nine 'realms' (topics) of security awareness, recommending nothing specific on awareness of, say, social engineering, email security, backups or business continuity although these topics are covered in later chapters.
Writing style and readability
The information security guidance is a little naive at times, and occasionally off-base. The style is not unlike a summary-level revision manual for CISSP or a similar information security qualification, laying out what ought to happen without much regard to the practicalities. I suspect the author lacks real-world experience of designing, implementing and managing information security. In particular, the final “checklists” chapter consists of three checklists, each a collection of bullet points very similar to a CISSP student's revision notes (only much neater!) ...
While the grammar is fine and the writing style generally inoffensive and accessible, the odd statement sometimes caught my beady eye. For example, the author’s take on nonrepudiation is a new one on me: he defines it as “the creation and follow-through of security controls, policies, and procedures in such a manner as to eliminate the possibility of repudiation of culpability from a malicious user”. More conventional definitions of nonrepudiation tend to refer to being able to prove that someone did something, discounting or reducing the probability of them denying it - for example, maintaining evidence that someone knowingly accepted certain terms and conditions, entered into a binding agreement or authorized a transaction. In any case, nonrepudiation is essentially an integrity issue, and as such is already covered by the ‘CIA triad’.
Here is another example: “When we stop to remember stored data are simply ones and zeros, it is quickly understood that all data are physical.” Binary data are indeed ones and zeros, whether stored or not. However, that has no direct bearing on their physicality or tangibility. In some senses, data (and information and knowledge and ideas and ...) are also intangible or ephemeral, distinct from their literal, physical representation as marks on paper, magnetic regions on disk, voltage levels in circuitry and wired networks, chemical levels in the brain, light or RF pulses in fiber optics and radio links, images on screen etc. The author acknowledges this later in a brief description of intellectual property in the risk management chapter. OK, maybe I am reading too much into this to make the point, but I stand by my assertion that the book is superficial in places, and occasionally misguided and perhaps wrong. Sharper editing or co-authorship might have weeded more of these out.
And finally one more example from page 267:
“The security policy is the document to which all security audits must be accountable.”
Audits are activities. Activities are not accountable (you can’t hold an activity to account) but the auditors who perform them may be.
Furthermore, audits are not necessarily policy compliance audits. There are several other kinds of audits.
“The security policy should include an overview of the organization's security philosophy, a formal and complete risk analysis, and a list of all currently implemented security controls.”
Policies do not normally include ‘formal and complete risk analyses’, although they are often risk-based, at least in principle.
Policies do not normally state ‘all currently implemented controls’ but tend to lay out high level control objectives, leaving lower level standards, procedures and guidelines to document the controls.
Policies quite often state controls that are not yet implemented - in other words they indicate management intent, not just record what is already in place.
“These security rules will be the touchstone to measure network security against during the audit process”.
Well, if we are considering a network security audit, then yes the network security controls will be a possible standard for comparison, but IT auditors are also likely to review the stated controls for relevance, applicability and comprehensiveness, as well as compliance.
Other security benchmarks, standards or good practices may also be used as ‘touchstones’.
“If the organization does not have a security policy, the first step of the auditing process must be to create this document.”
No, the role of auditors is not to create policy: that is a management responsibility. Auditors have no formal part in normal operations, in order to maintain their independence and to avoid being tainted by the same thought processes as operational workers.
If there were no security policy, the auditors would most likely raise this as a finding.
There are very few figures in the book, all bar one simply being text boxes that (mostly) repeat content from the surrounding text. Figure 2.1 “Security Awareness Realms”, for instance, is a near duplication of the immediately preceding list of nine “security awareness categories” in the main body. The one and only actual diagram, figure 6.1, is a crude mind map showing a central “Interdepartmental Dependence” blob connected by radial arms to ten distinct departments/functions such as Administration, Marketing, Manufacturing etc. The nature of the interactions and interdependencies is not indicated at all on the diagram. The main text is not much better, for example stating that “The main role of the administrative personnel is to initiate the security policy creation process. Other departments are dependent on the administrative personnel for follow-through by helping with organization-wide implementation of the policy. Administrative personnel are dependent upon other organizations to follow through with created security policies and procedures.” What the author means by ‘follow through’ (a phrase he uses more than once) is not at all clear, and which other organizations administrative personnel depend upon is not stated. The author doesn't even explain what he means by ‘administrative personnel’.
As an introductory or intermediate level text, the book is readable and a worthwhile introduction to the topic, if a bit patchy in its coverage and variable in depth. I would definitely recommend additional reading for information security professionals. For advice on doing security awareness, I unreservedly recommend Rebecca Herold’s “Managing an Information Security and Privacy Awareness and Training Program”. David Lacey’s “Managing the Human Factor in Information Security” is strong on the human and cultural aspects of security, while for network/ICT/technical security I would suggest Ross Anderson’s “Security Engineering” and books by Cisco and Microsoft authors. CISSP/CISM study guides such as Harold Tipton’s “Official (ISC)2 Guide to the CISSP CBK” and ISACA’s “CISM Review Manual” are good all-rounders for students.