Product description
The statistic that motivates this book is that only twenty-nine percent of the annual overall loss to cyber exploits is attributable to purely electronic attacks. The remaining human and physical exploits account for seventy-one percent. Hence, it is self-evident that effective cyber protection requires an appropriately tailored and synergistic system of electronic, human, and physical security controls.
The problem is that the industry does not view it that way. Over the past thirty years, cyber protection has been treated as a purely electronic, computer-based problem. That thinking might have made sense before the advent of sophisticated social engineering and other kinds of non-electronic attacks. But now that significant losses can result from exploits such as insider theft or phishing, any cyber defence that relies solely on an electronic solution is, almost by definition, doomed to failure. That is because the modern adversary is smart.
That is why reconnaissance is the hacker's first principle. Before any attack begins, the aim is to identify the places in the defence that are insufficiently secured or lack appropriate controls. Hence, in practical terms, investing in intricate electronic solutions is a waste of time, because they only encourage your adversary to try something else. Saltzer and Schroeder called this phenomenon the "work factor."
In practical terms, the work factor principle means that the hacker will follow the path of least resistance. So it is irrelevant whether the attack is elegant or brute force, as long as it succeeds in breaching the protection. Consequently, if there are robust electronic elements protecting your system, the intruder will simply turn to exploits like social engineering, subverting an insider, accessing an unattended endpoint, or simply stealing the device.
A proper defence requires all of the fort's walls to be present and properly designed and implemented. So robust human and physical controls must also be integrated into the solution. That requirement, namely no apparent gaps in the defence, is the justification for this book.
The book presents the basic principles of holistic security. Holistic security is based on developing a complete architecture of synergistic controls tailored to address the actual concerns of a given protection target. It is a strategic reconnaissance, design, and implementation process, not a head-down focus on deploying electronic controls.
About the authors
Dan Shoemaker has 15 prior books with McGraw Hill, Cengage and T&F. He is a Distinguished Visitor of the IEEE and a member of the Editorial Board of Computers and Security, and served as National Chair of Workforce Training and Education for the Software Assurance Initiative at the Department of Homeland Security (DHS). He is Professor and Director of the National Security Agency Center of Academic Excellence in Cyber Defence Education (CAE/CDE) Graduate Program at The University of Detroit Mercy, with 50 years of experience in the profession.
Amir Jabri is a seasoned information security and technology leader with over two decades of experience designing cybersecurity and technology strategies for highly regulated industries, including aerospace, healthcare, semiconductors, and government. He holds a Master's in Information Assurance and a Bachelor's in Information Technology with a security focus, complemented by certifications such as CISSP, CISM, and CRISC. Amir excels in risk management, cloud technology and security across AWS and Azure, incident response, and governance and compliance frameworks such as NIST and ISO 27001, and mentors teams to enable secure digital transformation. LinkedIn: https://www.linkedin.com/in/amirjabri