Inside the Security Mind: Making the Tough Decisions by Kevin Day

This book is a must-read security text.

Prentice-Hall PTR, 2003

ISBN: 0-13-111829-3

$44.99 US

A representative from a leading Irish security consultancy recently gave the following, idiotic advice on one of Ireland's most listened-to radio phone-in shows: “Install a personal firewall, then sit back and relax—you'll never have to do anything again.” If I had been anywhere near this “expert”, I would have thrown the book I was currently reading at him. My only regret is it does not come in hardback.

Inside the Security Mind: Making the Tough Decisions by Kevin Day is a must-read security text. Unlike IT security how-to books designed to teach the mechanics, Day's book looks at IT security from a higher perspective, with the emphasis firmly on enabling the reader to think with a security mind. Day's goal is to raise consideration and awareness of security to a new level.

Day presents the art of IT security in four virtues, eight rules and eight concepts. Rather than drowning in the details of IT security, Day suggests transcending them. For instance, it does not matter that you spent 50 hours configuring your firewall and locking it down tight if a user on your network has a modem set up to accept incoming telephone connections.

The first six chapters contain the bulk of Day's original material. The remaining six chapters are more standard IT security fare, including a discussion of various types of attackers, vulnerabilities, targets and exploits. Chapter 8, “Practical Security Assessments”, presents the Relational Security Assessment Model, a risk/threat assessment model developed at the author's company. This material is written in a style different from the rest of the book, and I would have preferred that this material, which is the driest in the book, be given the same treatment as the rest. The closing chapters of the book present some discussion of how the earlier ideas can be applied in practice.

If you are looking for advice on securing your brand X router, switch or firewall, you will be disappointed. Day's book is about the bigger picture, and in many respects, he succeeds in presenting exactly that.

Unfortunately, excellent presentation of the material is marred by Day's use of the term hacker to refer to the bad guys. On page 124 he writes, “I will make life easy and continue the misuse of this term.” I would have preferred that he set the record straight. There's also a collection of embarrassing typos that should have been caught by somebody before the book went to press. A more extensive index also would be welcome.

These gripes aside, you would be ill-advised to think of yourself as a security expert until you have absorbed this book's message. The first six chapters easily form the basis of an interesting IT security curriculum, so all you academics out there, take note of this title.


A Step Out Of The Trenches

Stephen Northcutt

I really enjoyed the first six chapters, especially chapters 3 and 4, and I really feel those 122 pages are worth the price of the book and then some. After chapter 6, Inside the Security Mind morphs into yet another "everything you already know about information security" book.

There is treasure, rare treasure, in the front of the book. Kevin Day spares us a review of risk management and TCP and instead lays out the information battlescape better than anyone I have seen in a long time. The only other person to shed light on this concept was Dorothy Denning in her classic, Information Warfare & Security. But where Dorothy, while comprehensive, was a bit boring with list after list, Kevin Day takes Inside the Security Mind in an entirely different direction.

His words are like a painter's bold brush strokes; he outlines information security in a way that forces even the most hardened techie to stop and rethink the world we live in. When was the last time you heard about the four virtues of information security? When was the last time you read about virtue, for that matter? Something about the philosophical approach of the first six chapters of the book reminds me of The 48 Laws of Power by Robert Greene, but where Power is amoral and more than a bit dark and frightening, Security Mind grabs the high ground and doesn't let go.

Every security manager and technical administrator can benefit from chapter 4, the eight rules of security. Yes, we each knew that information at one time, but are we applying those rules all the time? Kevin outlines the concepts, and he has me thinking about my data center architecture and some of the design choices we have made recently.

My advice is to read chapters 3 and 4 at least three times. Within 24 hours most of the knowledge you learned from an initial reading is lost, but if you read it again you start to build knowledge you can use for the long term. I would suggest that chapters 1, 2, 5 and 6 are each worth reading twice. The rest of the book is certainly worth reading once, but if you have more than ten security titles on your bookshelf you will have read most of the information in the back half of the book before.

If you are considering buying a book titled Inside the Security Mind, you are probably familiar with AF Col. John Boyd's Observation, Orientation, Decision, Action (OODA) loops. The diligent reader of Inside the Security Mind has an opportunity to program the orientation segment of their minds. This opportunity does not come along every day! Carpe Diem, buy 'em and read 'em!

Re: Inside the Security Mind: Making the Tough Decisions by Kevi

Anonymous

"Inside the Security Mind", Kevin Day, 2003, 0-13-111829-3,
%A Kevin Day
%C One Lake St., Upper Saddle River, NJ 07458
%D 2003
%G 0-13-111829-3
%I Prentice Hall
%O U$44.99/C$69.99 +1-201-236-7139 fax: +1-201-236-7131
%P 309 p.
%T "Inside the Security Mind: Making the Tough Decisions"

I am quite sympathetic to the idea that the realization of a security mindset or attitude (I frequently refer to it as professional paranoia) is more important to attaining security than isolated technical skills. I'm sorry to say that this work is not likely to help you find, attain, or assess that protection perspective.

Right from the beginning of the book, readers will find a flavour of eastern philosophy, and even mysticism, to it. There are four virtues, an eight-fold path, and even repeated injunctions for the reader to keep an "open mind"--a phrase which those who have conversed with devotees of the Buddhist faith will find rather familiar.

Unfortunately, chapter one seems to demonstrate that Day is bringing us only a new-age vagueness in his description of the security mind. We are to rid ourselves of negative thoughts, and follow fundamental virtues, which we haven't been given yet. Computer security is only a decade old, we are told in chapter two, and constantly changing, and expensive, and there are few practitioners, and lots of bad guys out there, and we are paralyzed by fear--but we have nothing to fear but fear itself! Chapter three finally lists the four virtues for us: security is ongoing, a group effort, requires a generic approach, and is dependent upon education. I don't disagree with any of these points (other than the philological debate about whether they should be called virtues), and neither would any other security professional. However, they don't really provide us with much in the way of help. Eight security "rules," in chapter four, list principles such as "least privilege," which are also commonly known in security work.

Chapter five is supposed to tell us how to develop a security mind, but actually seems to be an exercise in wishful thinking. If the world were neatly divided into safe and unsafe zones, and if our systems all worked perfectly and in correspondence with our users' known requirements, and if everyone that we trusted were completely competent in regard to their own defence, security would be much easier. Decision-making is likewise simplistically seen to be supported by the virtues and rules, in chapter six. There is a superficial overview of blackhats and vulnerabilities in chapter seven. Chapter eight has a standard review of risk analysis. Vague ideas on hiring security, and some thoughts on outsourcing, are in chapter nine. The author gives his opinion on some security tools in chapter ten. Chapter eleven is another attempt to prove that the rules can be used. We are given a final adjuration to change our attitudes in chapter twelve.

Basically, this book is yet another attempt to write a general security guide, without first ensuring that the material is structured, sound, complete, or useful.

copyright Robert M. Slade, 2003 BKINSCMI.RVW 20030321

Re: Inside the Security Mind: Making the Tough Decisions by Kevi

barryp

Posting a link to your Amazon "article" would probably have been better (more appropriate). Your view on the book is noted, but I still like it. Granted, the earlier material is better than the later. However, it works well within a classroom setting. Thanks for the comments. --Paul.