Security concepts are organized based on business needs, as opposed to technological
similarity. We’ve tried to focus on how these concepts relate in terms of
practical business functionality. For example, network monitoring is discussed in
Part 1, "Managing Security" rather than in a section on intrusion detection. For
people with a technical background, this method of organization may seem strange.
But one of our goals is to change the way people think about security. As we’ll say
many times throughout the book, security is not a technological issue; it’s a business
As an end-to-end experience, we’ve organized the chapters into parts based on
a managerial view of security. We can best explain our view with an analogy to building
and securing a house:
If it were possible to talk about information security in a straightforward manner,
there’d be no need for the map in the back of this book. Actually, there’d be little
need for the book, since linear concepts are often easy to understand. Alas,
information security is like a bowl of pasta. Twirl one strand and next thing you
know you’ve got half the bowl wrapped around your fork. You can’t talk about one security
topic without talking about three or four others… and talking about those
means talking about three or four more… you get the picture.
- A house sits on a parcel of land. Securing the land is the first and most
critical step to securing the house. An alarm system won’t help if the house
is demolished by a natural disaster, or if it’s located in such a bad
neighborhood that the police barely take the time to respond! These are
examples of management level issues, and they are dealt with in the first few
chapters of the book.
- The foundation of the house represents the network design. A network built
with security in mind makes every other aspect of security much easier. A
poorly built network can collapse on itself, and is very hard to secure after the
fact. The house itself represents the information that moves around the
network. That’s why the bulk of the book deals with information security.
- The security systems on the house are the finishing touches. Alarm systems,
automatic lights, and insurance all contribute in the event that everything
else falls apart. This is equivalent to ensuring availability and intrusion
detection, found at the end of the book.
Challenging as it was, we tried to make each chapter stand on its own without
relying on the knowledge found in other chapters. As a result, a technology or concept
is not mentioned in passing unless it has been previously given a clear explanation.
That said, understanding the surrounding concepts always helps, which is why
each chapter contains a section that links to related chapters ("Making the
Connections"). In a similar vein, each part also starts with a "Connecting the
Chapters" section that shows how the part’s chapters interrelate.
How the Chapters are Organized
Each part of the book has a title that describes a business-level need. Examples
of part titles are “Managing Security,” “Accessing Information,” and “Storing
Information.” The chapters within each part discuss technology concepts related to
the business need.
Every part begins with a quick reference page. On the page is a “Summary” that
describes the business need and how security fits into the picture. The page also
highlights some “Key Points” made throughout the part’s introduction and shows
how the part’s chapters interrelate (“Connecting the Chapters”). After the reference
page, the introduction explores general security issues faced when servicing the
Within the chapters, we’ve tried to organize things consistently. The following
six sections can be found in almost every chapter, in this order:
Technology Overview: This covers the basics—what the technology or concept
is all about and how it functions in a business environment.
How it Works: Without getting too technical, we try to describe the way in
which the technology or concept works in practice.
Security Considerations: This is where we talk about the security problems
caused by the technology or concept. In chapters that describe networking topics,
we focus on security issues inherent in whatever’s being covered. In security topic
chapters, we look at the limitations of the given security technology/concept and
how they can be overcome.
Making the Connection: Here we tie concepts to other chapters in the book.
In general, reading the connected chapters will improve your overall understanding
of any particular security topic. In a few cases, making the connection is critical to
completely understanding the chapter at hand.
Best Practices: We’ve collected some tips and suggestions based on our experience
and the experience of others in the security field. These are techniques that
can improve the effectiveness of a security technology or prevent failures.
Final Thoughts: This is where we summarize key issues or mention anything
that didn’t fit in one of the other sections. If we’ve got nothing else to say, we might
just blab for a few paragraphs to fill up space.