Rating: Summary: common sense Review: Anyone who has been in computing for at least a few years could have written this book.... It is all common sense...Might want to browse it first at the local book store, but I wouldn't purchase it...
Rating: Summary: Network Security 101 Review: For the techno-security newbie. Wadlow covers too much territory at such a high level that it almost reads like an outline. For example, Wadlow's treatment of forensics is particularly disturbing as there is no mention of chain of custody or physical sector backup. If you are looking for technical perspective -- forget it.
Rating: Summary: Excellent source for understanding the business of security. Review: Full disclosure: I was one of the technical reviewers for this book. It was a pleasure to review Wadlow's book because it was the first one I've seen that covers security at the process level (thus its title). While there are several good books on security technology, there are few that effectively discuss how to integrate security into your business processes. Reading this book will help you understand that information security is an on-going process and should be included from the very beginning of any product development cycle. After all, the Internet -- as much as we may feel discomforted by the notion -- no longer operates in its old environment of trust; indeed, it has become a hostile place to do business (sort of like the real world, I guess). Whether you're simply connecting your corporate network to the Internet or are developing the next killer e-commerce app (who isn't?), this book contains valuable information for anyone developing a security architecture and policy. If your organization hasn't yet considered the importance of a formalized security policy or team of specialists, this book will help you create a policy, get management buy-in, and create appropriate teams for handling security incidents.
Rating: Summary: Nice addition for security library Review: I got this book and I am happy that I bought it. Read it twice - gives really practical advice on security issues. It will walk you thru' office politics and gives new perspective on system security. It also helped me with my CISSP study. If you are responsible for your company's IT security, this is a must have book for your security library. ...CISSP, MCSE, CCNA
Rating: Summary: What you REALLY need to know about computer security! Review: I teach computer systems management to students here at Harvard University. Every day someone asks me a question that is answered in Mr. Wadlow's book. Here he explains the way to *_think_* about computer security - before you implement any solution. For anyone who has to design a secure computing infrastructure, Mr. Wadlow's book is the book for you! The art of Computing Security has been made clear by Mr. Wadlow's thoughtful discussions of the trade offs. Every manager of computing professionals should read this book. Mr. Wadlow's writing style is entertaining and informative. Spend a morning with this book and your afternoon will be very productive.
Rating: Summary: An approach that goes to the essence of proactive security Review: Mr. Wadlow has written a truly useful book that sorts out the many facets of security and recasts them into a complete and straightforward approach to implementing an effective security organization. The only thing I found wrong with this book is the title because the approach is not confined to network security. This book serves as a model for all IT security, and can be applied to data centers, servers and the other components of a large, complex IT suite. He starts out with the foundation, writing a security policy, and offers excellent advice on how to go about this important task. Policy writing is an art and a science, and it is apparent that Mr. Wadlow knows his stuff here. An ambiguously worded or unenforceable policy is next to worthless and he shows how to avoid both of those pitfalls. I liked the chapter titled "Who is Attacking You?" because it forces you to carefully consider threats and exposures, which is the first step towards crafting a plan for dealing with them. I also liked the chapter on the security design process because it is methodical and repeatable. One of the difficulties in developing an encompassing security approach is driving the stake into the ground, and the process given shows just where to drive it and how to proceed from there. This is a good prelude to the chapter on building a security team, which proposes a sensible structure and completely addresses requirements. The chapters on the technical aspects, such as fortifying network components, physical security, and network monitoring and auditing are true best practices and can be modified to fit other areas of IT (as mentioned at the beginning of this review). As a consultant I particularly liked the chapter that addresses quantifying the value of security. However, this is not only for consultants - security is expensive and requires both dedication and resources, both of which are costly. 
This material goes a long way towards building a compelling business case for an effective security posture and for proving its ongoing value to management who might think of it as a necessary evil that sucks up more budget share than it is worth. When faced with the wild world of attackers and the internal bean counters it is sometimes difficult to determine who the real enemy is :-) The book ends with excellent chapters on preparing for an attack, handling it and analyzing the aftermath for lessons learned and future preventive measures to incorporate. Overall, this section is the life cycle of an incident and should be carefully read. I obviously like this book a lot. I think it provides a structure and method for designing and implementing a sound and effective security strategy. Moreover, the approach can easily be expanded to encompass all of IT, making this book all the more valuable. I strongly recommend and would give it more than 5 stars if I could.
Rating: Summary: A really good starting point for network security Review: The problem with most introductory books is that they are written in an overly simplistic and long-winded style. The Process of Network Security is different in that respect, and it is indeed an effective introduction to the world of network security. What differentiates this book from other introductory texts is that author Thomas Wadlow treats information systems security not as a set of different technologies, but rather as an integrated process. By viewing security as an evolving process, a network manager can create a security methodology that can develop into a strong foundation for the company's information security program. The book is written for network managers and systems administrators who have been given different security responsibilities within their organizations and provides them with a comprehensive overview of the critical aspects involved with information systems security. While it is, of course, impossible to build security systems that are absolutely secure, the book demonstrates that a thorough process incorporating good designs can isolate security so that problems in one specific area aren't catastrophic to the entire system. Wadlow is an industry veteran, and his experience shines throughout the book. The work covers all the major aspects of information security, including security team building, network monitoring, intrusion detection, and damage control. For those wanting a taste of what information security is all about, in a book written in a real-world format for an intelligent reader, this book is an excellent choice. This review of mine originally appears at http://www.securitymanagement.com/library/000905.html
Rating: Summary: Deserves to become a classic Review: Wadlow's new book is full of sage and useful guidance for medium to large organizations that are completely dependent upon the Internet. Intended mainly for the chief security officer, or the administrator responsible for information protection, this book is not so much about technology as it is about how to apply technology. It clearly describes how to effectively configure and administer your information systems and your staff in order to prevent security incidents and, when the inevitable does happen, to recover as quickly and completely as possible. With 20 years of relevant experience, the author has done some deep thinking on this subject. As an example, he lists 27 different job functions performed by the security team. Will any organization actually have 27 different security specialists? No, but any security manager would be well-advised to review that list to ensure that all necessary functions are covered by somebody. Wadlow provides helpful ideas on creating an effective security policy - even when management hasn't bought into the idea yet, and has sound advice on both hiring and firing staff. Read the chapters "Preparing for an Attack" and "Handling an Attack" before it's too late. Chapters on auditing, log file analysis, and forensics all provide concrete guidance on these difficult processes. The book is filled with helpful analogies that are useful in developing an understanding of the nature of network security. One of the biggest difficulties in training people to become effective in the security arena is in developing the mindset - an innate understanding of information security dynamics. You need a grasp of the big picture to have that intuitive realization that without a constant proactive security effort, you are actually moving backwards. It is a process and Wadlow presents it in a clear and compelling fashion. 
If you want to think securely - if information security is part of your current or future responsibilities and you'd like a more mature concept of what that entails, then you will find this book invaluable.