Contents

Foreword
Acknowledgments
About the Author
Introduction

Responding to Attacks
    Incident-Response Nightmare
        Unauthorized Access
        Problem Fixed
        Security Is Breached Again
        Escalating the Incident
        Too Late to Gain Evidence
        Who Was the Bad Guy?
    Summary: Attacks from the Inside
    Let's Not Go There...
        Focus on Prevention
        Prepare for the Worst
        React Quickly and Decisively
        Follow Up
    Checklist
    Final Words

Out-of-the-Box Security
    Deal with Security Later
        False Sense of Security
        Two Years Later: Noticed the Attack
        + Two Weeks: The Hacker's Back
        + Three Weeks: Fixing Security
        The Saga Continues: The Network Remains at Risk
    Summary: Would You Hire This ISP?
    Let's Not Go There...
        Know Your Risks
        Avoid Out-of-the-Box Installations
        Test Your Network
        Know the People Who Know Your Data
        Assign or Acquire Adequate Funding for Security
        Don't Export Read/Write Permissions to the World
        Remove Old Accounts
        Test Passwords
        Apply Security Patches
        Follow Policies and Procedures
        Work with Experts
        Use Training
    Checklist
    Final Words

Executive Support
    Executive Commitment
        Unsecured Systems
        A Year Later: Unauthorized Access Continues
    Summary: Take an Active Approach
    Let's Not Go There...
        Commit to Security from the Top Down
        Don't Delegate Security
        Keep Levels of Management to a Minimum
        Report Back to Executive Management
        Set Security as a Corporate Goal
        Provide or Take Training as Required
        Make Sure That All Managers Understand Security
        Communicate to Management Clearly
    Checklist
    Final Words

Network Access
    Partner Connections
        Security Architecture
        A Few Weeks Later: Security Installation Policy
        The Next Day: Who's Responsible for Security
        Over the Next 29 Days: A Hacker Gains Control
        + One Month: An Unscheduled Security Test
        Network Maps Tell a Lot
        Unenforced Policies
        The Last Audit Day: Taking Responsibility for Security
    Summary: Keep the Competition Out
    Let's Not Go There...
        Use Standard Architecture Designs
        Track External Connections
        Take Responsibility for Your Territory
        Require Approval for External Connections
        Enforce Policies and Procedures
        Disable Unnecessary Services
        Stress the Importance of Training
        Follow Through
        Don't Connect Unsecured Systems to the Internet
    Checklist
    Final Words

Security Training
    Overlooking Training
        Initial Contact: Security Testing
        Gathering Facts
        Testing the Systems
        Leaving Security Training Out of the Budget
    Summary: Make Sure You Fund Training
    Let's Not Go There...
        Educate Executive Management
        Protect the Security Training Budget
        Make Security a Management Requirement
        Make Training a System Administrator Requirement
        Attend Security Seminars
        Have Brown-Bag Lunches
        Disseminate Security Information
        Join Security Lists
        Write White Papers
        Write for Newsletters
        Develop Tools into Products
    Checklist
    Final Words

Unplanned Security
    Transition Plan
        Testing Security
        Understanding Risk
        Physical Security
        Getting Past Physical Controls
        Unauthorized Access
        Personal Information at Risk
    Summary: Plan Outsourcing Carefully
    Let's Not Go There...
        Assess Risks
        Classify Systems
        Forbid Out-of-the-Box Installations
        Don't Be Too Trusting
        Learn from the Past
        Target Budget Cuts
        Conduct Security Testing
        Hold Management Accountable
        Don't Set Yourself Up
        Include Training in Budgets
        Keep Score
    Checklist
    Final Words

Maintaining Security
    Responsible for Security
        Keeping the Bad Guys Out
        Firewall Administrator
        Temporary Security
        Management and Security
        Being Serious about Supporting Security
        My Last Day: Attitudes Can Tell a Lot
    Summary: Ask Not What Your Company's Security Can Do for You
    Let's Not Go There...
        Define Roles and Responsibilities
        Develop Firewall Policies and Procedures
        Feed Your Firewall
        Read Your Audit Logs
        Use Detection Software
        Respond Quickly!
        Require Proof of Security
        Conduct Audits
        Get Educated
    Checklist
    Final Words

Internal Network Security
    Unsafe Network
        In the Beginning: Bypassing the Corporate Network
        Collecting Evidence
        System Administrators Versus the Security Team
        Who Owns Security
        Transferring Responsibility
    Summary: Security Is the Casualty of War
    Let's Not Go There...
        Put Someone in Charge of Policies and Procedures
        Delineate Cross-Organizational Security Support
        Don't Wait for Miracles
        Question Processes
        Know When to Cry "Uncle"
        Be Responsible
    Checklist
    Final Words

Outsourcing Security
    Forget Security?
        Taking a Look at Security Controls
        Network Connections
        Amazing Security Mistakes
        Untrained and Inexperienced Support
        Does Management Understand?
    Summary: Outsourced Systems Must Be Secured
    Let's Not Go There...
        Conduct Security Assessments
        Do It Right
        Do It Regularly
        Fix the Problems You Find
        Don't Use the Sink-or-Swim Approach
    Checklist
    Final Words

Unsecure Email
    Email or See Mail?
        Personal Data Accessed
    Summary: You Have the Right to Waive Your Right to Privacy
    Let's Not Go There...
        Use Encryption!
        Encourage Your Company to Encrypt
        Add Encryption to Your Security Budget
        Watch for Other Email Hazards
    Final Words

Looking Back: What's Next?
    Risking the Corporation
    Legal Duties to Protect Information and Networks
    Business Initiatives and Corporate Goals
    Threats Require Action

A Hacker's Walk Through the Network
    A Hacker's Profile
    The Real Hackers
    About Those Tools
    Walking with the Hacker
    What the Hacker Was Doing...
    Conclusion

Appendix A: People and Products to Know
Acronyms
Glossary
Index