Foreword

Now is an excellent time to be working in the field of information security. Over the past ten years, the security field has grown from obscurity to one of the most prominent challenges we face with the Internet for making it a safe place for everyone. Security technology has evolved with the Internet, where in the beginning the only protection on computers was mostly a username and password. Now we have antivirus, firewalls, intrusion detection systems (IDS), intrusion protection systems (IPS), vulnerability scanners, antispam, antispyware, anti-Trojans, security tokens, and Web content filtering. The list continues to grow.

From the beginning of my start in security, we always said, “Security is a journey and not a destination.” This journey continues to lead to a fast-changing path, and quick adoption of new technologies to stay one step ahead of the bad guys. With the explosion of new technologies, the skills required to understand these technologies, as well as how to manage them and apply them, are becoming more critical. Understanding information security and understanding the lessons from this book will help you cope in this exciting field.

When I released the first public vulnerability scanner in 1992 and commercial scanner in 1994, most people had no idea whether they were protected or where they might be vulnerable. Most organizations relied purely on security policy, but lacked any method to measure whether the policy was enforced. This scanner opened up the door for truly understanding which “doors” and “windows” were open on the network. It also enabled security professionals for the first time to quickly analyze their gap in security posture. By pinpointing the security holes, the security professional started to see the world from the view of penetration testing and hacking. Now, in almost any information security class, doing a security scan and audit is just the beginning of the journey.

Understanding information security is not just understanding hacking and penetration testing but learning how to apply your knowledge so that you understand how security is applied in business and government, such as legislation and industry requirements. Industry requirements and legislation around information security were minimal to nonexistent ten years ago. Many companies could easily ignore security by just saying, “We have not been hacked yet, so why do we need it?” Every day, we learn about major security incidents and compromised sites. We see the security implications with privacy and identity theft being disclosed routinely. Security professionals are being asked whether the business or organization is in compliance with the government and industry requirements. These requirements are moving security from a “nice-to-have” to a “must-have.”

It is exciting to see security technology evolve from many stand-alone products into more integrated security platforms that help security professionals take a unified approach to managing security. As new protection technologies emerge, it will be important to figure out how to make them a part of an overall architecture into the grand vision of security. This vision is still evolving, and it is what keeps this field so fun and challenging.

The industry has entered into an era of protecting against vulnerabilities and threats, and is now being adopted to protect to the most granular level of identity. As identity protection has become such a high priority, this opens up many opportunities for InfoSec to protect this valuable information. Identity information is becoming a focus, and how it will be protected across the network is an exciting new area. This opens up new areas of building more intelligence into firewalls to include not only simple policy rules but also intrusion prevention and granular identity rules. As security tries to keep up with technology change, the security professional will need to explore new areas like WiMax and VoIP. As the overall technology landscape changes, so too must the security professionals. They must always keep on their toes.

As this journey continues, the information security field needs to keep up. Many problems remain unsolved, and many challenges remain unmet. This book contains many approaches and examples of techniques that work today and that will help security professionals to cope in the future. It will help guide information professionals to benefit from lessons learned and enable tomorrow’s security professionals to stand on the shoulders of leading security experts and keep the security journey going.

Good luck on your journey,

Christopher W. Klaus

—Founder and CEO, Klaus Entertainment, Inc.
Founder and Chief Security Officer, Internet Security Systems
