Inside Network Security Assessment: Guarding Your IT Infrastructure

Overview

As an IT professional, you need to know how to perform network security assessments. Inside Network Security Assessment: Guarding Your IT Infrastructure is a collection of utilities and templates that will take you through the assessment process. Written by two highly qualified authors with close ties to the International Information Systems Security Certification Consortium, this book was developed with the goal of being a text for the CISSP continuing education class on Network Security Assessment. You will be provided with step-by-step training on assessing security, from paperwork to penetration testing to ethical hacking. You'll save everyone time and money by learning to perform security assessments yourself with the help of Inside Network Security Assessment.


Product Details

  • ISBN-13: 9780672328091
  • Publisher: Sams
  • Publication date: 11/21/2005
  • Pages: 312
  • Product dimensions: 6.90 (w) x 8.90 (h) x 0.76 (d)

Meet the Author

Michael Gregg, President of Superior Solutions, Inc., has more than 20 years of experience in the IT field, with expertise in security, networking, and Internet technologies. He holds virtually every major security certification and has been instrumental in developing the Villanova University Online Security Curriculum and the CISSP Certification Training Distance Learning Curriculum. David Kim, President of Security Evolutions, Inc., specializes in IT security consulting, training, and courseware development. He is also the COO of the IISSCC and is responsible for the content and product development for the CISSP and SSCP certification credentials and training materials.

Read an Excerpt

Introduction

Welcome, and thank you for purchasing Inside Network Security Assessment. Our goal was to create a practical guide for planning, performing, and reporting on the risk and vulnerability assessment process. This is a critical topic for IT professionals given that a security assessment provides the necessary information and data for organizations to form the foundation for a reliable and secure IT infrastructure.

This book takes a look inside the network vulnerability assessment process. Its purpose is to teach individuals a methodology for network security assessments. For those of you who must manage or outsource these duties, this book will provide you with tips, pointers, and insight into what a vulnerability assessment is all about. This book is broken up into 10 chapters that follow the vulnerability assessment process from creation to finish. It also discusses, in brief, basic risk assessment methodologies. So even if you are not ready for a full-blown vulnerability assessment, you should be able to start adding basic risk assessment methodologies to new projects and the change control process.

The security assessment process incorporates both risk assessment and vulnerability assessment, which includes the science, tools, methodology, and practices involved in finding, analyzing, and assessing risk for known or unknown vulnerabilities and exposures in a given Information Technology (IT) infrastructure. This book examines the entire IT infrastructure, which encompasses all the IT assets commonly found in an IT environment, such as the data, applications, servers, workstations, and network infrastructure (LANs, WANs, and LAN-to-WAN). The term IT infrastructure is generally used to describe the entire landscape of IT assets and elements. The term IT assets is generally used to describe the individual IT assets or elements commonly found in an IT environment.

All organizations need to assess, identify, define, and confirm the minimum level of acceptable security for their organization and IT assets. Until now, organizations needed to spend thousands of dollars on high-priced consultants to perform a variety of assessments. With Inside Network Security Assessment, readers will receive a collection of tools, utilities, templates, and a step-by-step approach for conducting a security assessment process that incorporates both risk assessment and vulnerability assessment.

Who Should Read This Book

This is an intermediate-level book for IT security professionals and system and network administrators who need to learn more about the security assessment process. Inside Network Security Assessment provides a step-by-step approach for assessing security, from paperwork to penetration testing to ethical hacking. This book is a valuable reference for individuals who are interested in creating their own methodology for conducting a comprehensive security assessment and in expanding their knowledge of network security tools and techniques to perform such evaluations. Almost every organization needs to evaluate the security of its IT infrastructure and IT assets.

Depending on the scope of the IT infrastructure and the scope of the security assessment, organizations can spend tens or hundreds of thousands of dollars to conduct a security assessment. With proper controls and objectivity, conducting a security assessment with internal IT security staff is a viable solution. To do this, the IT security staff must create their own methodology and implement it in-house.

Why We Created This Book

The world of information security continually evolves. More tools are available to attackers and defenders than ever before. There has also been an onslaught of books, classes, and seminars focused on security testing, tools, and techniques. But we as authors felt that something was missing. Among the wealth of information on tools and the how-to of security testing, very little was being discussed about the mechanics of security testing; therefore, we created this book to inform readers that the creation of a methodology and approach for conducting a security assessment is the critical missing piece. Unlike other books that focus on hacking tools or small segments of the assessment process, this book was designed to offer the reader a comprehensive step-by-step approach for guiding them through the security assessment process.

Overview of the Book's Contents

We would like to introduce this book from a 50,000-foot view. The first two chapters, "Introduction to Assessing Network Vulnerabilities" and "Foundations and Principles of Security," serve as a foundation for later chapters. These chapters introduce basic concepts of everything we will talk about throughout the book. Chapter 3, "Why Risk Assessment," and Chapter 4, "Risk Assessment Methodologies," deal specifically with risk. We examine risk terminology, quantitative risk assessment, qualitative risk assessment, and how risk is analyzed in real life.

Chapters 5 through 10 are designed to guide you through the security assessment process. Chapter 5, "Scoping the Project," presents a discussion of the scoping phase. Topics such as the forces driving the assessment are introduced. Chapter 6, "Understanding the Attacker," discusses who the real threat is. Both inside and outside attacks typically follow a given pattern. These stages of attack are discussed, as are ways to reduce the threat. If the assessment you are performing is being driven because of an attack, you'll find this a particularly valuable chapter.

Chapter 7, "Performing the Assessment," introduces the activities performed during the actual assessment. This might be only a policy review or may involve extensive hands-on testing. If hands-on testing is required, you will need a variety of tools, which are discussed in Chapter 8, "Tools Used for Assessments and Evaluations." Chapter 9, "Preparing the Final Report," introduces you to the report-writing phase. Everything you have done must be documented, and this chapter discusses ways to write a successful report. Finally, Chapter 10, "Post-Assessment Activities," describes what happens next. Post-assessment activities typically involve change. So this chapter delves into the topics of policy change, hardware implementation, and user training.

We have also outfitted the book with five appendixes. Here we provide security assessment resources, sample forms, and information on how to deal with outside consultants should you feel the need to outsource part of this process. Performing a security assessment is a challenging journey, and we hope that our approach to guarding your IT infrastructure makes your path more comfortable.

Conventions Used in This Book

This book follows a few typographical and stylistic conventions:

  • New terms are set in italic the first time they are introduced.
  • Each chapter concludes with key terms that have been introduced within the chapter.
  • Whenever possible, we reference the Common Vulnerabilities and Exposures (CVE) database to enable you to obtain additional information about the vulnerabilities; for example, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0965.
  • This book also contains the following elements for additional information, such as notes, tips, cautions, and sidebars.

Note - Notes provide additional information about a topic.

Tip - Tips provide information that can make a task easier or ease an administrative burden.

Caution - Cautions are items you need to be aware of that may pose a problem or need to be carefully considered.

A Sidebar Looks Like This -

We often use sidebars to present illustrative examples or add greater depth to the material.

© Copyright Pearson Education. All rights reserved.


Table of Contents

Introduction.

1. Introduction to Assessing Network Vulnerabilities.

What Security Is and Isn’t.

Process for Assessing Risk.

Four Ways in Which You Can Respond to Risk.

Network Vulnerability Assessment.

Types of Network Vulnerability Assessments.

What Procedures Govern the Vulnerability Assessment?

The Role of Policies in the Vulnerability Assessment.

What Drives the Assessment?

Managing a Vulnerability Assessment.

Building Cooperation with Other Departments.

Importance of Setting and Maintaining a Schedule for Assessments.

Summary.

Key Terms.

2. Foundations and Principles of Security.

Basic Security Principles.

Security Requires Information Classification.

Governmental Information Classification System.

Commercial Information Classification System.

Classification Criteria.

The Policy Framework.

Types of Policies.

Defining Appropriate Policy.

Deploying Policy.

Policy Life Cycle.

The Role Authentication, Authorization, and Accountability Play in a Secure Organization.

Authentication.

Authorization.

Accountability.

Encryption.

Security and the Employee (Social Engineering).

Summary.

Key Terms.

3. Why Risk Assessment.

Risk Terminology.

Laws, Mandates, and Regulations.

Health Insurance Portability and Accountability Act (HIPAA).

Gramm-Leach-Bliley-Act (GLBA).

Federal Information Security Management Act (FISMA).

Sarbanes-Oxley Act (SOX).

Risk Assessment Best Practices.

Understanding the IT Security Process.

The Goals and Objectives of a Risk Assessment.

Security Process Definition.

Goals and Objectives of a Risk and Vulnerability Assessment.

Summary.

Key Terms.

4. Risk-Assessment Methodologies.

Risk-Assessment Terminology.

Risk-Management and Risk-Assessment Requirements.

Defense-in-Depth Approach for Risk Assessments.

Risk Analysis Approach for Risk Assessments.

Asset Valuation Approach for Risk Assessments.

Quantitative and Qualitative Risk-Assessment Approaches.

Quantitative Risk-Assessment Approach.

Qualitative Risk-Assessment Approach.

Best Practices for Quantitative and Qualitative Risk Assessment.

Quantitative Risk-Assessment Best Practices.

Qualitative Risk-Assessment Best Practices.

Choosing the Best Risk-Assessment Approach.

Common Risk-Assessment Methodologies and Templates.

Summary.

Key Terms.

5. Scoping the Project.

Defining the Scope of the Assessment.

Driving Events.

Initial Meeting.

Becoming the Project Manager.

Staffing the Assessment Team.

Kickoff Meeting.

Building the Assessment Timeline.

Reviewing Critical Systems and Information.

Information Criticality Matrix.

Systems Criticality Matrix.

Compiling the Needed Documentation.

Making Sure You Are Ready to Begin.

Summary.

Key Terms.

6. Understanding the Attacker.

Who Are the Attackers?

Attacker Types and Their Characteristics.

Who Are the Greatest Threat?

Insecure Computing Habits Are a Threat.

Disgruntled Employees Are a Threat.

What Do Attackers Do?

Four Kinds of Attacks.

Things That Attackers Attack.

Goals and Motivations of the Attacker.

Attackers Conduct Their Own Risk Analysis.

How Do Attackers Attack?

Tools That Attackers Use During the Stages of an Attack.

Reducing the Risk of an Attack.

How to Respond to an Attack.

Summary.

Key Terms.

7. Performing the Assessment.

Introducing the Assessment Process.

Level I Assessments.

Reviewing the Documentation.

Interviewing Process Owners and Employees.

System Demonstrations.

Level II Assessments.

Vulnerability Scans.

Level II Assessment Caveats.

Level III Assessments.

Vulnerability Exploitation.

Summary.

Key Terms.

8. Tools Used for Assessments and Evaluations.

A Brief History of Security Tools.

Putting Together a Toolkit.

Information-Gathering Tools and Techniques.

Scanning Tools.

Enumeration Tools.

Wireless Tools.

Password Auditing Tools.

Vulnerability Scanning Tools.

Automated Exploit and Assessment Tools.

Determining What Tools to Use.

What's the Best Platform to Install Your Tools On.

Additional Items for the Toolkit.

Summary.

Key Terms.

9. Preparing the Final Report.

Preparing for Analysis.

Ranking Your Findings.

Impact Rating.

Probability Scale.

Determining Raw Risk.

Control Level.

Calculating the Risk Score.

Building the Final Report.

Contents of a Good Report.

Notice.

Executive Summary.

Introduction.

Statement of Work.

Analysis.

Findings.

Conclusions.

Determining the Next Step.

Audit and Compliance.

Summary.

Key Terms.

10. Post-Assessment Activities.

IT Security Architecture and Framework.

Goals and Objectives.

Terminology.

Defining the Structure and Hierarchy.

Hierarchical IT Security Architecture and Framework.

Sample IT Security Architecture and Framework.

Roles, Responsibilities, and Accountabilities.

Seven Areas of Information Security Responsibility.

Security Incident Response Team (SIRT).

SIRT Response Procedures.

Security Workflow Definitions.

Security Workflow Procedures.

Vulnerability Management.

Enterprise Vulnerability Management.

Training IT Staff and End Users.

Summary.

Key Terms.

A. Security Assessment Resources.

Security Standards.

Common Criteria (CC) for IT Security Evaluation.

FIPS PUB 140-1 and 140-2.

ISO17799.

GAO Risk Assessment Process.

OSSTMM.

DoD Rainbow Series.

NIST.

General Security Websites.

Security Tool Websites.

B. Security Assessment Forms.

Information Request Form.

Document Tracking Form.

Critical Systems and Information Forms.

Level II Assessment Forms.

C. Security Assessment Sample Report.

Notice.

Executive Summary.

Introduction.

Statement of Work.

Analysis.

Recommendations.

Conclusions.

D. Dealing with Consultants and Outside Vendors.

Procurement Terminology.

Typical RFP Procurement Steps.

Procurement Best Practices.

E. SIRT Team Report Format Template.

SIRT Incident Report.

Index.

