The following excerpt about information security is from Defeating the Hacker: A Non-technical Guide to Computer Security.
I guess I should begin by explaining how I got here. My credentials, if you like. After all, if you're going to take advice on such a serious subject as information security then it's only fair that I spell out why you should trust me.
First, I like to think that an ex-hacker is the best person to explain the risks that hackers pose, and the tricks that they use.
Second, I have no vested interests other than the desire for you to buy this book and, hopefully, recommend it to others. I don't sell security products, or get paid for those that I recommend. The advice contained in these pages is given because I believe it to be the truth. Which, you may be surprised to know, isn't always the case when you read product reviews in magazines. These publications are funded by advertising, so the subjects they cover and the type of products they review (and, very occasionally, the opinions of the reviewers) are dictated by the list of advertisers that the magazine wishes to attract.
You may also have seen adverts in the computer press which show pictures of a stressed IT manager or security guy relaxing on a beach somewhere, safe in the knowledge that product X, which he's just purchased, is taking care of security, and he doesn't have to worry about it any more. I hate to tell you this, but the real world really isn't like that. Despite what the glossy adverts tell you, you can't buy peace of mind. You still need to worry. But at least this book will help you to prioritize your worrying, and to direct your efforts into fixing the most important problems first.
Ideally, you already have a dedicated IT security person on your payroll and he or she will know all about the topics which follow. But my experience is that most small and medium companies don't have any in-house IT security staff at all, and the responsibility is given to someone who already has another role and doesn't really have time to do both. So security only gets his attention when something goes wrong. If this is the case in your company, then this book is for you. My hope is that it will help to answer most of your questions about where the risks lie and what to do about them.
This is not a book aimed at users or administrators on one particular hardware platform, but more a collection of useful advice that is applicable to information security in all environments. In a nutshell – if you use computers to store or process information then this book will help you prevent that information from falling into the wrong hands or being tampered with. Because most small and medium companies don't have domain-based networks, most of this book is designed for people looking after networks that don't use domains.
Like all facets of the IT world, security is a constantly changing subject. There's a continual cat-and-mouse tussle between the good guys and the bad guys. In an ideal world, the good guys would always be one step ahead of the baddies, and thus our computers would always be secure. But sadly it doesn't work like that. Most of the time, the IT security industry (and especially those involved in producing antivirus software) is playing catch-up, fixing holes and blocking viruses that have already been exploited and unleashed. This means that the dedicated IT security manager can never afford to stand still and glory in the knowledge that the battle has finally been won. It will never be won. The best we can do is to hold the attackers at bay, but even this cannot be achieved without constant expenditure of both time and money.
And yet, despite what the sales departments of security companies will tell you, it's perfectly possible to improve your company's IT security without throwing huge amounts of money at the problem. In many cases, knowledge and procedures are what's required, rather than expensive hardware or software or annual maintenance agreements. Hopefully this book will help you.
Because things change so quickly in this field, use the Web to keep yourself up to date with developments. One good online resource is www.itsecurity.com, which publishes free advice and also allows you to put questions to the resident panel of security specialists (including myself). It's free of charge, too. There are many other excellent sites, which I shall point out as we go along.
This book has its own presence on the Web at www.defeatingthehacker.com. There you'll find a clickable collection of all the links mentioned in the pages that follow, plus a discussion forum where you can seek advice and opinions from fellow participants including the author.
In my 20 years as a writer and commentator on IT security issues, on both sides of the fence, I've accumulated thousands of tips and dozens of anecdotes. I've tried to include as many of them as possible within these pages, but there is no implication that you must take every piece of advice on board right away. To do so will take you many years, and lots of it won't be relevant to your organization or financially viable. But by reading the book there will, I hope, be many topics which ring particular alarm bells for you and which will alert you to a problem within your own company that needs to be solved sooner rather than later. To help you, each chapter ends with a set of five action points – I call them the Fundamental Five. If you do nothing else, at least consider these as demanding your immediate attention. In most cases, it will simply be a case of you saying 'yes, we've got that in hand'.