Defend I.T.: Security by Example

Book Description

"Ajay and Scott take an interesting approach in filling Defend I.T. with case studies and using them to demonstrate important security principles. This approach works well and is particularly valuable in the security space, where companies and consultants are often hesitant to discuss true security incidents for potential embarrassment and confidentiality reasons. Defend I.T. is full of engaging stories and is a good read."

--Fyodor, author of the Nmap Security Scanner and Insecure.Org

"Defend I.T. answers reader demand for scenario-driven examples. Security professionals will be able to look at these case studies and relate them to their own experiences. That sets this book apart."

--Lance Hayden, Cisco Systems

"This is an exciting book! It's like reading several mysteries at once from different viewpoints, with the added benefit of learning forensic procedures along the way. Readers will benefit from the procedures, and the entertaining presentation is a real plus."

--Elizabeth Zinkann, Equilink Consulting

The battle between IT professionals and those who use the Internet for destructive purposes is raging--and there is no end in sight. Reports of computer crime and incidents from the CERT Coordination Center at Carnegie Mellon University more than double each year and are expected to rise. Meanwhile, viruses and worms continue to take down organizations for days.

Defend I.T.: Security by Example draws on detailed war stories to identify what was done right and what was done wrong in actual computer-security attacks, giving you the opportunity to benefit from real experiences. Approaches to securing systems and networks vary widely from industry to industry and organization to organization. By examining a variety of real-life incidents companies are too embarrassed to publicly share, the authors explain what could have been done differently to avoid the losses incurred--whether creating a different process for incident response or having better security countermeasures in place to begin with.

Inside, you'll find in-depth case studies in a variety of categories:

  • Basic Hacking: Blackhat bootcamp, including mapping a network, exploiting vulnerable architecture, and launching denial-of-service attacks

  • Current Methods: The latest in malicious deeds, including attacks on wireless networks, viruses and worms, and compromised Web servers

  • Additional Items on the Plate: Often overlooked security measures such as developing a security policy, intrusion-detection systems, disaster recovery, and government regulations

  • Old School: Classic means of compromising networks--war dialing and social engineering

  • Forensics: How to investigate industrial espionage, financial fraud, and network intrusion

Aimed at both information-security professionals and network administrators, Defend I.T. shows you how to tap the best computer-security practices and industry standards to deter attacks and better defend networks.



    Table of Contents

    1. Copyright
      1. Dedication
    2. Preface
      1. How the Book Is Structured
      2. Format of the Case Studies
      3. Audience
      4. Acknowledgments
    3. About the Authors
      1. Primary Authors
        1. Lead Author: Ajay Gupta, CISSP
        2. Scott Laliberte, CISSP, CISM
      2. Contributing Authors
        1. Lance Hawk
        2. Rodrigo Branco
        3. David Taylor, CISSP
        4. Nelson Neves
        5. Eric Hodge
        6. Christopher Brown
        7. Kumar Upadhyay
    4. Introduction
      1. Disclaimers
    5. I. Basic Hacking
      1. 1. Getting to Know the Enemy: Nmap the Target Network
        1. 1.1. Network Architecture
        2. 1.2. Port Scans
        3. 1.3. OS Identification
          1. 1.3.1. Additional OS Identification Tools
        4. 1.4. Partial Picture
        5. 1.5. Hiding
        6. 1.6. Lessons Learned
      2. 2. Home Architecture
        1. 2.1. Introduction
        2. 2.2. Background
        3. 2.3. The Incident
          1. 2.3.1. The Monthly Bill
          2. 2.3.2. The E-mail
          3. 2.3.3. The Investigation
          4. 2.3.4. The Disclosure
          5. 2.3.5. The Investigation at REM
        4. 2.4. Incident Reconstruction
        5. 2.5. Repercussions
          1. 2.5.1. The Hacker
        6. 2.6. Aspen’s Response
        7. 2.7. Lessons Learned
          1. 2.7.1. Access Logs
          2. 2.7.2. Responding to Changing Usage Patterns
          3. 2.7.3. User Names and Passwords
          4. 2.7.4. Architecture
            1. 2.7.4.1. Network Segmentation
            2. 2.7.4.2. Maintenance Windows
            3. 2.7.4.3. Dual-Homed Hosts
      3. 3. No Service for You!
        1. 3.1. The Discovery
        2. 3.2. The Response
        3. 3.3. The Process
          1. 3.3.1. DoS Root Kit
          2. 3.3.2. DDoS IRC Bots
        4. 3.4. Lessons Learned
        5. 3.5. References
    6. II. Current Methods
      1. 4. Look, Ma, No Wires!
        1. 4.1. Introduction
        2. 4.2. Background
        3. 4.3. The Project
        4. 4.4. Existing Security
        5. 4.5. Recommendations
        6. 4.6. The End State
      2. 5. Virus Outbreak I
        1. 5.1. Introduction
        2. 5.2. How Did You Get In?
        3. 5.3. How Much Have We Lost?
        4. 5.4. Lessons Learned
      3. 6. Virus Outbreak II: The Worm
        1. 6.1. Introduction
        2. 6.2. Background
        3. 6.3. The Worm Infection
          1. 6.3.1. Diagnosis
          2. 6.3.2. Plan of Attack
          3. 6.3.3. Count Your Losses
            1. 6.3.3.1. Lost Productivity
            2. 6.3.3.2. Time Spent Rebuilding Machines
            3. 6.3.3.3. Lost Data
            4. 6.3.3.4. Loss of Machines
            5. 6.3.3.5. Loss of Software and Software Licenses
            6. 6.3.3.6. Loss of Image and Public Trust
        4. 6.4. Lessons Learned
          1. 6.4.1. System Backups
          2. 6.4.2. Constant Monitoring
          3. 6.4.3. Contingency Plans
          4. 6.4.4. Corrective Actions
            1. 6.4.4.1. Web-Based E-mail
            2. 6.4.4.2. Hot Network Jacks
      4. 7. Changing Face
        1. 7.1. Introduction
        2. 7.2. The Assessment
        3. 7.3. Lessons Learned
          1. 7.3.1. And What Did the Consultant Learn?
    7. III. Additional Items on the Plate
      1. 8. Protecting Borders: Perimeter Defense with an IDS
        1. 8.1. Background
        2. 8.2. The Company
        3. 8.3. Developing Requirements
        4. 8.4. Market Research
        5. 8.5. Pilot Testing
          1. 8.5.1. Test Plans
        6. 8.6. Implementation on Production
        7. 8.7. Implementation Follow-up
        8. 8.8. Lessons Learned
      2. 9. Disaster All Around
        1. 9.1. Introduction
        2. 9.2. Disaster Strikes
        3. 9.3. Analyzing the Incident
          1. 9.3.1. The Negatives
          2. 9.3.2. The Positives
        4. 9.4. The Solution
          1. 9.4.1. IT Risk Assessment
          2. 9.4.2. Agency Tasks
            1. 9.4.2.1. Legal
            2. 9.4.2.2. Finance
            3. 9.4.2.3. Public Relations
            4. 9.4.2.4. Human Resources
            5. 9.4.2.5. Information Technology
        5. 9.5. Lessons Learned
      3. 10. Security Is the Best Policy
        1. 10.1. Introduction
        2. 10.2. The Company
        3. 10.3. The Call
          1. 10.3.1. The Interviews
          2. 10.3.2. Evaluating the Interviews
          3. 10.3.3. The Initial Writing
            1. 10.3.3.1. Password Policy
            2. 10.3.3.2. Acceptable-Use Policy
            3. 10.3.3.3. Data Classification Policy
            4. 10.3.3.4. Access Control Policy
          4. 10.3.4. The Review Stage
        4. 10.4. You Have a Policy . . . Now What?
          1. 10.4.1. Policy Awareness
      4. 11. HIPAA: Security by Regulation
        1. 11.1. Introduction
        2. 11.2. The Assessment
          1. 11.2.1. The Client
          2. 11.2.2. The External Review
          3. 11.2.3. The Internal Review
        3. 11.3. Analysis
        4. 11.4. Consequences
        5. 11.5. The Solution
        6. 11.6. Conclusion
    8. IV. Old School
      1. 12. A War-Dialing Attack
        1. 12.1. War Dialing
        2. 12.2. The Attack
        3. 12.3. Lessons Learned
          1. 12.3.1. Restricting Access
            1. 12.3.1.1. Source Phone Number
            2. 12.3.1.2. Dial-Back
            3. 12.3.1.3. Multifactor Authentication
          2. 12.3.2. Implementing User Privileges
          3. 12.3.3. Maintaining Logs
          4. 12.3.4. Creating a Demilitarized Zone
          5. 12.3.5. Installing Digital Lines
          6. 12.3.6. Placing Controls on Vendor Accounts
      2. 13. A Low-Tech Path into the High-Tech World
        1. 13.1. Introduction
        2. 13.2. Doing Your Homework
        3. 13.3. The Hack
        4. 13.4. The Fallout
        5. 13.5. Lessons Learned
    9. V. Computer Forensics
      1. 14. Industrial Espionage
        1. 14.1. Spies All around Us
        2. 14.2. The Investigation
          1. 14.2.1. Acquire Evidence
          2. 14.2.2. Authenticate the Evidence
          3. 14.2.3. Analyze the Evidence
          4. 14.2.4. Archive the Evidence
        3. 14.3. Lessons Learned
        4. 14.4. Intellectual Asset Protection
          1. 14.4.1. Additional Intellectual Asset Considerations
        5. 14.5. Chain of Custody
        6. 14.6. Federal Guidelines of Computer Evidence Admissibility
      2. 15. Executive Fraud
        1. 15.1. Introduction: The Whistle-Blower
        2. 15.2. Preparation
          1. 15.2.1. The Nature and Source of the Allegation
        3. 15.3. Evidence Collection and Chain of Custody
          1. 15.3.1. Take Your Hands off That Keyboard and Slowly Back Away
        4. 15.4. Drive Imaging
        5. 15.5. Review of the Logical File Structure
        6. 15.6. Review of Unallocated Space and File Slack
        7. 15.7. Smoking Gun
        8. 15.8. Reporting
        9. 15.9. Lessons Learned
      3. 16. Cyber Extortion
        1. 16.1. Introduction
        2. 16.2. To Press or Not to Press Charges
        3. 16.3. The Investigation
          1. 16.3.1. Acquire Evidence
          2. 16.3.2. Authenticate the Evidence
          3. 16.3.3. Analyze the Evidence
          4. 16.3.4. Archive the Evidence and Results
        4. 16.4. Lessons Learned
        5. 16.5. What Would Be Done Differently Today?
          1. 16.5.1. Hardware
          2. 16.5.2. Software
      4. Conclusion
        1. Further Investigations
        2. Public Key Infrastructure
          1. User Roles
          2. Components
          3. Scalability
          4. In-House versus Outsourcing
          5. Cross-certification
        3. Identity Management
        4. Single Sign-On
          1. Return on Investment
          2. Log-in Time Reduction
            1. Help Desk Call Reduction
            2. Additional Savings
        5. Biometrics
        6. Secure Architecture
        7. Firewalls and VPNs
        8. The Home User
        9. Identity Theft
        10. Keeping Up with the Latest Trends
      5. Recommended Reading
        1. General Topics
        2. Nmap
        3. Secure Architecture
        4. Denial of Service
        5. Wireless
        6. Viruses
        7. Web Security
        8. Intrusion Detection Systems
        9. Disaster Recovery
        10. Security Policy
        11. HIPAA
        12. War Dialing
        13. Social Engineering
        14. Computer Forensics
        15. Public Key Infrastructure
        16. Identity Management
        17. Biometrics
        18. Firewalls and VPNs
        19. Home Security
        20. Identity Theft