Maximum Securityby Anonymous, Shipley
Maximum Security, Fourth Edition provides updated, comprehensive, platform-by-platform coverage of security issues, and includes clear, to the point descriptions of the most common techniques hackers use to penetrate systems. This book provides information for security administrators and others interested in computer and network security and provides them/i>
Maximum Security, Fourth Edition provides updated, comprehensive, platform-by-platform coverage of security issues, and includes clear, to the point descriptions of the most common techniques hackers use to penetrate systems. This book provides information for security administrators and others interested in computer and network security and provides them with techniques to take steps to protect their systems.
Anonymous is an experienced computer hacker who specializes in testing security of various networking platforms. He was convicted of a series of financial crimes in the late 1980s and now works as a writer, trainer, and security consultant.
Greg Shipley is CTO for Neohapsis, an information security consultancy. He is a contributing editor with Network Computing magazine.
Jonathan Feldman is a contributing editor with Network Computing magazine, where he writes a column and frequently contributes technical workshops.,/P>
Robert Blader works at the Naval Surface Warfare Center, where he performs intrusion detection, security training, and network forensics. He has contributed to SANS GIAC courses and SysAdmin magazine.
Chad Cook has worked for ten years in security, with emphasis on secure product architecture, network and operating system security, and new security technologies.
David Harley maintains a number of virus and security related information resources and writes regularly for Virus Bulletin.
Joe Jenkins is a system administrator/security consultant with NoWalls, Inc. and writes for magazines such as SecurityFocus.
L.J. Locher is a network adminstrator, programmer, and security consultant who has written articles for Windows 2000 Magazine.
Toby Miller is a security engineer for Advanced Systems Development and is the author of several papers published for SecurityFocus and the SANS Institute.
Brooke Paul works as an information technology and security consultant.
Nicholas Raba is a well-known expert on Macintosh security.
Gregory White is Vice President of profession services at SecureLogix, and is a former professor of computer science at the US Air Force Academy.
Read an Excerpt
Chapter 3: Building a Roadmap for Securing Your EnterpriseThis chapter will arm you with the guidelines necessary to survive the information security onslaught. The odds are stacked in this battle, and not in the favor of the defenders. If there is to be any hope of coming out of the war victorious, you need a serious strategy. This chapter is designed to give you an introduction to that strategy in the form of an information security roadmap.
Proactive Versus Reactive ModelsWe have a saying in the consulting field in regard to IT security spending: "The easiest client to sell security services to is the one that just got attacked." Unfortunately, the statement is as sad as it is true. The simple fact of the matter is that most organizations only react to security threats, and, often times, those reactions come after the damage has already been done. For example, patching your legacy systems after an intruder has already stolen your customer records won't help regain consumer confidence. Starting a log monitoring effort after a contractor has sent your research and development data to an overseas competitor will not bring back your competitive advantage. Convincing executives to encrypt their high-value data after their laptops have already been stolen won't reverse their earlier mistakes.
Although all these tactics are positive and encouraged courses of action, they don't stop the problems before they occur. It is for this reason alone that, when operating in a catch-up mode, security programs will only be marginally successful at best. The key to a successful informa-tion security program resides in taking a pro-active stance towards security threats, and attempting to eliminate vulnerability points before they can be used against you. By defining and organizing the information security effort beforehand, organizations stand a chance against the seemingly endless onslaught of security threats in the world today.
This is, of course, easier said then done. However, if proactive security measures are done right, there is a light at the end of the tunnel. You'll want to perform the following tasks to launch a proactive security program:
- Understand where the corporation's assets reside
- Reduce the number of vulnerability and exposure points
- Secure systems and infrastructure equipment
- Develop, deploy, and enforce security policies
- Develop, deploy, and enforce standardized OS configuration and lock-down documents
- Train administrators, managers, and developers on relevant areas of information security
- Implement an incident-response program
- Implement a threat-identification effort
- Implement a self-audit mechanism
- Educate, educate, educate, and educate
Benchmarking Your Current Security PostureSecurity administration is not about achieving some unobtainable goal of absolute security. Instead, it's about managing risk. There will never be "absolute" security when it comes to computing environments, but there are ways to effectively minimize risk levels through reducing the number of vulnerabilities.
The first thing most people do when they inherit the responsibility of securing an environment is panic. The second thing they usually do is attempt to ascertain the current state of affairs. Understanding the state of the terrain is essential before moves can be made to secure it. This is why most security efforts begin with an assessment of some sort. Whether this assessment comes from an outside third party, or through the use of well-trained internal staff, the follow-ing areas should be investigated:
- The current state of the security policies
- The current state of security on the network
- The current state of the system security
- The current state of security of network applications
- The current state of employee awareness
- The current state of management awareness
- The current state of information security–training efforts
This third edition of Maximum Security can be used to help with many of these needs. For example, Chapter 11 covers the selection of vulnerability assessment tools that can help iden-tify system security holes. Part VI, "Platforms and Security," can help with some of the details surrounding the securing of specific operating systems. Finally, Chapter 26, "Policies, Procedures, and Enforcement," can help with policy definition efforts.
Identifying Digital AssetsWhen presented with the term asset identification, most IT folks think of asset management, or asset tracking, in the literal sense of the term. Although tracking physical assets is important, rarely do organizations take the time to granularly identify or quantify the value associated with their digital assets. For example, an e-commerce delivery system might comprise a dozen Web servers, a few database servers, a merchant gateway, and various pieces of supporting infrastructure equipment. For example, let's say that a sample medium-sized e-commerce deployment runs around $400,000 in hardware. The machines and systems themselves have a book value that is easy enough to calculate. A little bit more difficult to identify might be the costs associated with a site-wide outage. One would have to calculate hourly or daily revenue losses, as well as the costs associated with expenses necessary to respond to the problem, and any other outage-based costs.
Drilling a little deeper into our example, let us also suppose that the customer records and the purchasing trend data for this e-commerce initiative are stored on a single, internal database server. Again, the financial value of the hardware is easy enough to identify and record. But what happens when that server is compromised, and its data is leaked to the public? There will then be some less tangible, but very important items at risk: consumer confidence, industry reputation, and perhaps even legal liability. So the value of the server, and the data on it, might be a lot higher then what was initially thought.
Why does this matter? Back to the concept of managing risks. In an ideal world, every server, network device, and piece of data would be sufficiently protected. Unfortunately, we don't live in that world. Reality states that we have to choose our battles wisely, as there are only a finite number of them that we can fight. By identifying key assets, and protecting those assets first, organizations can maximize the effectiveness of their risk mitigation efforts.
Readers should note that there have been entire books written on asset identification and data value classification, and how they relate to overall risk analysis. Although many of the areas of true risk analysis are outside the scope of this book, there are some basics areas to look at in the IT field that can help you get started. For example, the following areas are often classified as "high value":
- Payroll information
- Research and development data
- Source code
- Marketing strategies
- Financial systems
- Sales information
- Customer data
- Financial reports
- Miscellaneous proprietary data...
Meet the Author
Anonymous is an experienced computer hacker who now works as a writer, trainer, and security consultant in California. He is the author of Maximum Linux Security: A Hacker's Guide to Protecting Your Linux Server and Workstation.
Greg Shipley is the lead security consultant for Chicago-based Neohapsis, Inc. He has extensive network and systems administration experience, and he currently specializes in penetration testing, breaking firewalls, evaluating intrusion detection systems, and performing vulnerability assessment. He is also a contributing editor for Network Computing magazine.
Most Helpful Customer Reviews
See all customer reviews