Defend I.T.: Security by Example (Paperback)

by Ajay Gupta (Author), Scott Laliberte (Author)
4.0 out of 5 stars (4 customer reviews)
List price: CDN$ 47.99
Price: CDN$ 30.23 & qualifies for FREE Super Saver Shipping on orders over CDN$ 39.
You save: CDN$ 17.76 (37%)

Product Description

"Ajay and Scott take an interesting approach in filling Defend I.T. with case studies and using them to demonstrate important security principles. This approach works well and is particularly valuable in the security space, where companies and consultants are often hesitant to discuss true security incidents for potential embarrassment and confidentiality reasons. Defend I.T. is full of engaging stories and is a good read." --Fyodor, author of the Nmap Security Scanner and Insecure.Org

"Defend I.T. answers reader demand for scenario-driven examples. Security professionals will be able to look at these case studies and relate them to their own experiences. That sets this book apart." --Lance Hayden, Cisco Systems

"This is an exciting book! It's like reading several mysteries at once from different viewpoints, with the added benefit of learning forensic procedures along the way. Readers will benefit from the procedures, and the entertaining presentation is a real plus." --Elizabeth Zinkann, Equilink Consulting

The battle between IT professionals and those who use the Internet for destructive purposes is raging--and there is no end in sight. Reports of computer crime and incidents from the CERT Coordination Center at Carnegie Mellon University more than double each year and are expected to rise. Meanwhile, viruses and worms continue to take down organizations for days. Defend I.T.: Security by Example draws on detailed war stories to identify what was done right and what was done wrong in actual computer-security attacks, giving you the opportunity to benefit from real experiences.

Approaches to securing systems and networks vary widely from industry to industry and organization to organization. By examining a variety of real-life incidents companies are too embarrassed to publicly share, the authors explain what could have been done differently to avoid the losses incurred--whether creating a different process for incident response or having better security countermeasures in place to begin with.

Inside, you'll find in-depth case studies in a variety of categories:

  • Basic Hacking: Blackhat bootcamp, including mapping a network, exploiting vulnerable architecture, and launching denial-of-service attacks
  • Current Methods: The latest in malicious deeds, including attacks on wireless networks, viruses and worms, and compromised Web servers
  • Additional Items on the Plate: Often overlooked security measures such as developing a security policy, intrusion-detection systems, disaster recovery, and government regulations
  • Old School: Classic means of compromising networks--war dialing and social engineering
  • Forensics: How to investigate industrial espionage, financial fraud, and network intrusion

Aimed at both information-security professionals and network administrators, Defend I.T. shows you how to tap the best computer-security practices and industry standards to deter attacks and better defend networks.


From the Inside Flap

What does a cyber security professional do? This is a question often posed by individuals who have heard a lot about security - especially the need to secure their electronic assets - but who are not entirely clear on what all of that involves.

It involves a variety of things. While those inside the profession recognize this, it is often difficult to explain to people outside the profession (even our wives) what exactly we do. And what exactly needs to be done to secure electronic assets.

I'm sure it is true of many professions that explaining the details of the profession is difficult and it is best done through example. Security is no different. This book hopes to provide some insight into these questions by presenting examples through case studies of what a cyber security professional does.

It is our hope that this collection of case studies can serve as a journey or tour of many of the issues that a cyber security professional will face not only in their career but in their day to day lives.

So, one of the goals of this book is to try to explain to people what we do. But there are other and more critical goals as well. We do hope to present practical examples of the kinds of issues a security professional must be prepared to face in the execution of their duties.

How the Book Is Structured

The case studies are presented in five categories:

  • Section 1: Basic Hacking
  • Section 2: Current Methods
  • Section 3: Additional Items on the Plate
  • Section 4: Old School
  • Section 5: Computer Forensics

There is certainly a degree of overlap between these categories. Part I: Basic Hacking covers some of the basic things hackers do when attacking networks, often starting with mapping the network (Chapter 1 Getting to Know the Enemy: Nmap the Target Network). This is often called footprinting. This leads to the next case study (Chapter 2 Home Architecture), discussing a compromise based on an architectural issue. Often during the mapping stage, a vulnerability will become apparent and hackers will use it to compromise the network. When no vulnerability becomes apparent, there are many things hackers can do, one of which is to flood the network with traffic and make it unusable for the legitimate users. This is typically referred to as a denial of service (DoS) attack (Chapter 3 No Service for You!).

Part II: Current Methods covers methods that have received a great deal of attention lately, starting with a discussion of the security of a wireless network (Chapter 4 Look Ma, No Wires) and continuing to a discussion of viruses (Chapters 5 & 6 Virus Outbreak I & II - The Worm). This topic is so important that it was deemed worthy of two chapters. Chapter 5 discusses how architectural choices led to the virus infection and Chapter 6 discusses a case of a large scale worm infection of a distributed network. This part concludes with a case study presenting a web server compromise (Chapter 7 Changing Face). This incident also discusses some of the "business" issues that are involved in performing security consulting.

Part III: Additional Items on the Plate covers topics that one might not initially think fall under the purview of a security professional, but we are called upon to perform these services at times. This starts with conducting a product selection of an intrusion detection system (Chapter 8 Protecting our Borders - Perimeter Defense with an IDS), includes a case involving disaster recovery (Chapter 9 Disaster All Around) and writing the formal Security Policy (Chapter 10 Security is the Best Policy), and ends with a case study detailing a security engagement performed in support of the HIPAA regulation (Chapter 11 Government Regulation).

Part IV: Old School discusses some of the older, but classic and still all too prevalent, means of compromising a network, namely war dialing (Chapter 12 A War Dialing Attack) and social engineering (Chapter 13 A low-tech path into the High-Tech World).

Part V: Computer Forensics presents three separate applications of computer forensics. This, while not a new field, has only recently come into the mainstream and is quickly gaining in popularity and importance. The applications covered are industrial espionage (Chapter 14 Industrial Espionage), investigating financial fraud (Chapter 15 Executive Fraud) and an investigation related to a network intrusion (Chapter 16 Cyber Extortion).

The book ends with a Conclusion briefly discussing a few topics that were not included. Our hope is that the feedback and comments we receive on topics included in the book and the Conclusion will guide us in selecting case studies for a 2nd edition - if we are so lucky as to be asked to write one.

Format of the Case Studies

While there will be variation from case study to case study, the general format will be as follows:

Case background and description

This is a description of the environment as well as the actual security incident that took place. It generally includes a description of the people involved, time frames, issues encountered and any political dynamics that may have existed.

The Response

How the compromise was detected and what actions, if any, were taken to solve the problem. This may include everything from disconnecting the target machines, to reloading the OS, performing computer forensics to ascertain the level of compromise, identify root kits and possibly, prosecute the attacker. Some of the cases do not involve actual incidents. In these cases, this section describes the approach taken to resolve the issue or attack the problem.

Lessons Learned

We will highlight any lessons learned from each case study and identify what was done right, what was done wrong, and how to use this information to better defend ourselves in the future. We will determine what could have been done differently to avoid the losses incurred, whether it involves a different process for incident response or having better security countermeasures in place to begin with.

Along the way, supporting information such as network diagrams, tool screen shots and other illustrations is presented. As appropriate, the cases discuss the tools used as well as some of the sources to research current vulnerabilities and exploits. Technology in general and security specifically is a dynamic industry. What is true today may not be true tomorrow. And, unfortunately, a "safe" or "secure" system today may be neither "safe" nor "secure" tomorrow. Constant research is crucial to keeping up with the latest technical advances and remaining current with the newest issues. There was a time when all you needed to do to be safe from viruses spread through e-mail was to not click on and execute an e-mail attachment from an unknown party. That certainly is not the case now. With HTML-embedded e-mails, you may not have to download an attachment; the virus can be right in the HTML, and when an HTML-enabled e-mail application displays the message, the virus can launch. This is just one example of the evolution of security threats.

Audience

We hope this book is enjoyed by anyone within the Information Technology field who has an interest in or is entering cyber security. One of the benefits of a case study format is that it can make the security issues discussed real and enable a security administrator or other security professional to relate the events to their own experiences. Through case studies, people can share their own experiences and lessons learned that they may otherwise be reluctant to share for fear of disclosing a weakness about their organization.

Current and aspiring IT security consultants can certainly get the flavor of a security consulting engagement from the case study descriptions. In addition, Information Technology auditors can learn about security issues they will come across during security audits. A better understanding of these issues will enable the IT auditor to audit more effectively.

This book addresses technical and management level concerns and therefore can also be a valuable resource for security officers, CIOs and other technology managers in relating to the technical discussions they will have with their IT staff. Finally, we believe this book is readable and understandable far and wide; anyone who is curious about the security profession should be able to read this book and get a flavor of what we do.




Customer Reviews

4 reviews
5 stars: (0)
4 stars: (4)
3 stars: (0)
2 stars: (0)
1 star: (0)
 
 
 
 
 
Most helpful customer reviews

 
4.0 out of 5 stars: Learn from real case studies..., Jul 9 2004
By "haddad_i" (Montreal, Canada)
Defend I.T. is a collection of case studies from the authors' experiences in the field. The case studies are representative of the vast array of security consulting engagements they see in the computer security, forensics, and data privacy arena.

It consists entirely of case studies, and that is different. It covers topics ranging from war dialing, wireless security, computer viruses, computer forensics, HIPAA assessment and social engineering. People tend to relate better and comprehend more when issues are presented as real life examples.

Information Security is a challenging area. Organizations face security issues every day, but due to the need for confidentiality around these issues they are reluctant to share lessons learned with their peers and other organizations. This book fills a need. The authors provide the lessons learned in an anonymous fashion so readers can benefit from their experience as well as the experience of other organizations.

The book attempts to illustrate the breadth and scope of knowledge a security consultant should have - covering both the technical and soft skills necessary to be successful in the field.

As stated earlier the book provides perspective and advice on real life security issues many organizations are struggling with. Whether the OS is Linux or Windows-based, the issues are similar. The cases cover many OS's and issues your readers would be dealing with.

The book allows businesses to learn from the mistakes - and successes - of other organizations' responses to (commonly occurring) security incidents.

Check it out!!




 
4.0 out of 5 stars: Should mention email and browsers more prominently, Jun 23 2004
By W Boudville (Terra, Sol 3) (REAL NAME)
A nice management level discussion of securing an IT network against attackers. The authors have pitched their overall presentation towards a concerned manager, who may not necessarily have a technical background. Some sections do indeed require a bit of the latter. For example, the usages of network programs like nmap and tcpdump given in the first chapter may not mean too much to you. But most of the book shies away from instances of actual code. Generally, it suffices for you to know that certain programs and certain types of programs can be used against your network.

The authors assume reasonably that for specific countermeasures being implemented, there are technical people in your organisation (perhaps reporting to you) that can implement these.

Essentially, the book has a good level of abstraction. It could, however, do with more discussion of email and browsers. Like mentioning them in the index, for starters. These are still the first and second killer applications of the Internet. It is how most of your users will interact with the net. Granted, the book cites examples involving these. But perhaps a more prominent discussion, of how these usages might permit attacks or unwanted entries into your network, would be handy.




 
4.0 out of 5 stars: Fun and enlightening security read, May 31 2004
Defend IT book review

I was not a major fan of the authors' previous book "Hack I.T.", thus I was a bit skeptical about this one. However, this book delivers! It reminded me of the "Hackers Challenge" 1 & 2 books (which I loved), because the information in the book is structured around realistic (or maybe even real) cases, illustrating various security aspects.

The stories in the book cover a wide range of issues: from building a secure network from small business all the way to social engineering. Worm/virus infections, wireless security assessments, web applications, forensic investigation, security policy issues, DR and BCP, picking the right NIDS all find their place in the book. Especially, I loved the way they approached a usually boring subject of creating and implementing a security policy and DR planning. The policy case describes everything from 'why you need a policy' to security awareness and compliance verification. Executive fraud case was also lots of fun to read.

Also, this is the first security book I've seen that explicitly mentions regulations and compliance issues. I liked their take on 'HIPAA in plain English.' Another great item was the various response flowcharts for virus infection, attacks, etc.

On the downside, the book does contain some technical errors. I would have discounted them as typos, but they look like the actual hands-on skills of the authors are getting rusty in some areas ('tcpdump', 'nmap', etc).

In any case, the book's value lies more in the approach to explaining security, rather than in teaching all the 'nmap's command line options. The cases are detailed enough to engross the reader and I was sometimes wondering 'how it will end', like I would with a good fiction book. This book is both fun and enlightening.

To conclude, while there is no substitute for actually experiencing the things covered in the book, reading about it will help aspiring and actual infosec pros.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major security information management company. He is the author of the book "Security Warrior" (O'Reilly, 2004). His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org

Most recent customer reviews

4.0 out of 5 stars: Ideal for the security technician
This is not a book for the technically faint of heart. It starts out with almost no introduction at all into mapping target networks with nmap and never stops for a breath.
Published on May 30 2004 by Jack D. Herrington
