Publisher: Prentice Hall PTR
This book provides examples of real audits the author has done in the past. The names of the companies have, of course, been changed. This is what makes this book stand out from the crowd as Linda McCarthy teaches you security awareness by taking examples from real world problems she dealt with. Read on to see what knowledge you can get from this book.
About the author
Linda McCarthy has broken into thousands of systems on corporate intranets to demonstrate how easily an intruder could shut down executive networks, kill manufacturing processes, or even crash worldwide computer operations. She provides consultative services to executive managers to help them understand the levels of risk on their networks. Linda has also taught courses in hardware architecture, system administration, and UNIX security. McCarthy is the Executive Security Advisory, Office of the CTO for Symantec Corporation.
Inside the book
To start off the book we are shown why incident response procedures are of the utmost importance and why you should definitely include them in your security policy. As every example in this book, the first one is very frightening and will certainly make you think. After all the details have been presented, McCarthy gives you good pointers on what you should do. This step-by-step approach will make it easier to see what you are missing. The checklist at the end will help you see if your company is ready to respond to a break-in.
As we move on, we learn more about out-of-the-box security. The story illustrated here involves an ISP and some of the detected problems are: excessive file permissions, old accounts not removed, no security patches and almost non-existent physical security. Installing out-of-the-box systems without configuring security may be fast, but you are just waiting for a catastrophe to happen. The author wisely notes that you shouldn't expect everyone in your organization to be a security expert. Just because you have great coders and engineers it doesn't mean you are secure. McCarthy provides several tips on achieving better security of an out-of-the-box installation as well as a checklist that you can use to determine whether your organization is at risk because of an out-of-the-box installation.
What follows is an example of how poor management, not enough training and faulty communication can result in poor security for your organization. The author suggests that even if you are a Chief Information Officer and you issue an order, you should always make sure things are carried out. If your network is going to be attacked, you are in the spotlight. Simply voicing the importance of security is not enough, you have to take action from the top down, and management cannot be excluded. You have to make sure that everyone takes security seriously and implement training when needed. This time the checklist will help you determine if your company's organization and management levels allow security concerns to be addressed adequately.
When discussing network access, McCarthy notes the importance of building a security architecture before allowing external connections to your network. Once allowed, external connections should be tracked and status reports should be kept safe. If you're in charge of your company's security and you are experiencing problems - get help fast. If your manager doesn't want to provide the funds or the necessary training, maybe you should get another job. If your network gets penetrated you will be blamed. In order to aid you in the discovery on how your company is doing at controlling external connections, there's another handy checklist.
If you think that security is important only at the server level, think again. Imagine someone taking your business plans and ideas from your desktop computer. Couldn't it happen? Do you have any security measures at all? In order to ensure the quality of the overall security architecture, all your employees should have a basic understanding of security. This is where security training comes into the picture. It's wise to invest money into training because it assures you a higher level of security and diminishes the possibility of a break-in. Use the checklist to see how your company is faring in the training department.
Another nightmare example will greet you in the chapter on unplanned security. This is where you'll realize (if you haven't before) how important security really is, as the author deals with personal information on a hospital network that just recently moved systems from one platform to another. McCarthy notes the importance of risk assessment and the creation of new policies and procedures for the new environment. The checklist at the end of the chapter will help you determine whether your company is at risk because it doesn't really understand what the risks are.
The author explains that once you've achieved a level of security you deem to be efficient, it doesn't mean you can put your guard down. You have to realize that security is an ongoing process and that it's made of many layers. The acquisition of a firewall doesn't make you secure. For security to work, every level of management must take responsibility for security. If you want security to be achieved, you also need to clearly define the security roles and responsibilities for your company and the included checklist will help you determine if you managed to do it.
Back to discussion of the importance of security policies. Once written they have to be kept up-to-date since outdated security policies give a false sense of security. You should clearly define the responsibilities within your organization. If no one is officially responsible, nothing will get done. To see if your company is correctly using policies and procedures, check out the checklist.
Moving on, with the help of a case study, we learn that outsourcing operations doesn't mean outsourcing responsibility for security and that security has to be tested. The checklist will help you determine if your company's outsourcing situation and auditing procedures are exposing your network to unnecessary risk.
Next McCarthy illustrates problems related to e-mail. She encourages you to use encryption. This shouldn't be too big of a problem since today's encryption packages are easy to install, maintain and use. Also mentioned are other problems such as spam, viruses, worms, and so on. The author also writes about the legal duties of protecting information and networks.
The last chapter of the book defines the hacker's profile and shows a transcript of an actual break-in. Along with the transcript McCarthy shows us step-by-step what the attacker is doing. In the appendix we find a comprehensive list of addresses of people and products the author recommends and there's also a small list of acronyms and a nice glossary.
My 2 cents
Throughout the book the author underlines the importance of security auditing and keeping up with patches. What you get here is excellent advice packed into a book that's easy to follow and whose examples will certainly stick in your memory.
It's pretty amazing to see how careless people can be when it comes to security. It's somewhat reassuring to know that a book like this one exists; as I really do believe this title can help users become more security conscious. As you read the book, these real life examples that feel like nightmares will wake you up and make you take the steps needed to achieve tighter security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.