Linda McCarthy: IT Security
IT Security: Risking the Corporation
Prentice Hall PTR | ISBN 013101112X | CHM | Pages 272 | 1.06 MB
Reading this book should scare you to the ends of your toenails. It is largely a recapitulation of security audits done by McCarthy with some other instances of security breaches added in to further emphasize an already well made point. Namely, that computer security, even among many of the heavy hitters, is very unorganized and inadequate. The author was able to sit down at terminals and obtain read/write access to some of the most sensitive data of the companies that she was auditing.
The culprits are generally a listing of the usual suspects. Lack of security training, lack of time to apply known security patches, the mistaken belief that "it is not my job", arrogance in believing that one knows how to repair all problems, trusting outdated security software such as firewalls, the unwarranted trusting of other systems and lack of sufficient management direction.
Solutions are easy to find and are essentially the inverse of all the usual suspects. To expect untrained personnel to be able to implement complex security policies is unrealistic and the cost of training is dwarfed by the expense of repairing a security breach. It is the job of employees to rigorously enforce the security procedures, which includes the trusting of no one until they are proven to be worthy of trust. And then, you only allocate the minimum amount of privilege needed for them to complete their tasks. I personally have no time for people in IT who think they know everything and I am not alone in thinking that it is the most dangerous of all the security mistakes that can be made.
The game of computer security is one where the stakes rise higher with every passing day. With our increasing dependence on computers to manage everything from our credit cards to our public utilities, it is probably only a matter of time before a major security breach occurs which takes down a large part of the American economy or even causes a large number of deaths. One of the most frightening stories is how a hacker managed to access the controls to the flood gates at a Canadian dam. If they had been able to use this knowledge to open them, entire towns could have been flooded.
Implementing effective security features is not an option and as the author points out, failure to do so could leave you open to liability charges. Therefore, if you are involved in setting down the security policies for your company, you must read this book. It will show you how things are being done wrong, which is the first step in doing them right.