on March 26, 2003
I find this to be a rather confusing book.
The title suggests I will learn how to conduct my own security audit,
but when I've finished the book, all that seems to remain is how
I install Windows 2000 Server and Linux/Solaris, a number of brief
user guides about various vulnerability scanners, and a short comparison
of them. Where did the audit bits go? Looking for them in the table of
contents produces nothing.
There is a description of what a security audit should include in the
introductory text of Part I. It's almost hidden away -- Part I is
titled "Building a Multisystem Tiger Box", and not even the table of
contents hints that there's more important information here.
The book says a security audit consists of seven phases:
blind testing, knowledegable penetration, Internet security and services,
dial-up audit, local infrastructure audit, WAN audit and reporting.
It comes as a disappointment to find, then, that only
phase 1 (blind testing) and phase 4 (dial-up audit) will be covered.
I hoped I would get pointers where to look for information how to do
the remaining five phases, but it seems to have been omitted.
The dial-up audit, furthermore, seems to have been lost. The only place
where it is mentioned in the book (according to the index) is in this
My personal reaction is of course to retitle the book: "How to
do 1/7ths of a security audit". I feel a bit cheated.
The book goes on to describe how to set up a multi-boot system to use
for security audits (chapters 1-3). As far as I see, it's just basic
installation walkthroughs, without any discussions of why a particular
configuration choice is made, or how it affects the purpose of using
the multi-boot system. Also, very little is said about the problems
involved in multi-booting (such as choosing good partition sizes), and
there is nothing on how much disk is required, though the Solaris
description suggests 5 Gb for Solaris alone. The problem of sharing
information between the different environments is not touched upon either,
but will be encountered very quickly by anyone actually using the system in practice.
Nor is there anything about why Windows 2000 Server is used for the
installation description (what with all the bits about Active Directory, domains,
trust etc.), and there's nothing at all about the problems
and benefits of being able to conduct an audit both entirely outside a Windows
domain, as well as being part of it.
Part II is about using security analysis tools on windows. Again it starts
off with an introductory part (again hidden away to anyone
using the table of contents) describing audits of the SANS Top 20 Vulnerabilities.
I can't imagine why the table of contents does not mention this: it
is important. Some of the suggestions, though, (such as the question of missing
backups) does not really come withing the scope of the book, or even the full
seven phase security audit described earlier: security policies are not
covered. This is rather confusing: it feels as if something was missing from the book.
The main chapters of Part II describe the capabilities of Cerberus
Internet Scanner, CyberCop Scanner, ISS Internet Scanner, Harris STAT,
and TigerSuite 4.0. The descriptions are more of the nature of short
user guides -- it would have been far more useful to have actual
pratical experience from using them.
The last product (TigerSuite 4.0) can hardly be compared with the other
vulnerability scanners, and it's not clear from the description in what way
it may complement them. The only practical application described in that
of tracerouting, but it could easily have been done with already available tools.
Part III does the same, but for Linux, Solaris and Mac OS X. The different chapters
describes various Unix programs: hping2, Nessus, nmap, SAINT, SARA.
As the introductory part gives a list of Linux commands, it appears to
be intended for the novice, but already in the chapter on hping2 the
reader is expected to read and understand substantial material from tcpdump
without any help from the text.
The reason hping2 is included seems to be
on the idea that it can be used for IP spoofing -- indeed, there's a
fairly long description how spoofing was used by Kevin Mitnick to gain access to
another system. But just how this connects with hping2 is not explained.
Part IV is titled "Vulnerability Assessment" and contains one single
chapter in which the result from running the various vulnerability scanners
against a specially designed target network are compared in various tables.
No interpretation is provided, unfortunately.
In addition to the odd lacunas in the table of contents that already have been
mentioned, the text appears to has been badly served by the editor: there are
numerous ambiguities sprinkled around. One if the best can be found on the very
first line of the introduction:
"The objective of this book is to fill a gap found in most books on
security: How security examinations can be conducted via illustrations
and virtual simulations."
Most readers will hopefully be able to figure out what the intended meaning is.
Those 'virtual simulations' (whatever they may be) are found on the CD:
short recorded demo walkthroughs of how to use some of the tools described in
The two stars are mainly for the information on the vulnerability scanners.
Had the book described the pitfalls in using automated tools (such as the
inevitable false positives) and went into the pratical issues around using
the tools it would easily have obtained a third star, provided the title had been
modified to indicate that the book is mainly about tools.
I would recommend the book "Hack I.T. -- security through penetration testing"
by Klevinsky, Laliberte and Gupta instead. It works with a smaller scope -- that
of the penetration test, not the full security audit -- but covers it far better.