Inside Network Security Assessment: Guarding Your IT Infrastructure
Michael Gregg, David Kim
$788Hibernate: A Developer's Notebook
$930GNU/Linux Application Programming (Paperback)
As an IT professional, you need to know how to perform network security assessments. Inside Network Security Assessment: Guarding Your IT Infrastructure is a collection of utilities and templates that will take you through the assessment process. Written by two highly qualified authors with close ties to the International Information Systems Security Certification Consortium, this book was developed with the goal of being a text for the CISSP continuing education class on Network Security Assessment. You will be provided with step-by-step training on assessing security, from paperwork to penetration testing to ethical hacking. The supporting website will also provide you with access to a variety of tools, checklists, and templates to make your job even easier. You'll save everyone time and money by learning to perform security assessments yourself with the help of Inside Network Security Assessment.
Table of Contents
1. Introduction to Assessing Network Vulnerabilities.
What Security Is and Isn’t.
Process for Assessing Risk.
Four Ways in Which You Can Respond to Risk.
Network Vulnerability Assessment.
Types of Network Vulnerability Assessments.
What Procedures Govern the Vulnerability Assessment?
The Role of Policies in the Vulnerability Assessment.
What Drives the Assessment?
Managing a Vulnerability Assessment.
Building Cooperation with Other Departments.
Importance of Setting and Maintaining a Schedule for Assessments.
2. Foundations and Principles of Security.
Basic Security Principles.
Security Requires Information Classification.
Governmental Information Classification System.
Commercial Information Classification System.
The Policy Framework.
Types of Policies.
Defining Appropriate Policy.
Policy Life Cycle.
The Role Authentication, Authorization, and Accountability Play in a Secure Organization.
Security and the Employee (Social Engineering).
3. Why Risk Assessment.
Laws, Mandates, and Regulations.
Health Insurance Portability and Accountability Act (HIPAA).
Federal Information Security Management Act (FISMA).
Sarbanes-Oxley Act (SOX).
Risk Assessment Best Practices.
Understanding the IT Security Process.
The Goals and Objectives of a Risk Assessment.
Security Process Definition.
Goals and Objectives of a Risk and Vulnerability Assessment.
4. Risk-Assessment Methodologies.
Risk-Management and Risk-Assessment Requirements.
Defense-in-Depth Approach for Risk Assessments.
Risk Analysis Approach for Risk Assessments.
Asset Valuation Approach for Risk Assessments.
Quantitative and Qualitative Risk-Assessment Approaches.
Quantitative Risk-Assessment Approach.
Qualitative Risk-Assessment Approach.
Best Practices for Quantitative and Qualitative Risk Assessment.
Quantitative Risk-Assessment Best Practices.
Qualitative Risk-Assessment Best Practices.
Choosing the Best Risk-Assessment Approach.
Common Risk-Assessment Methodologies and Templates.
5. Scoping the Project.
Defining the Scope of the Assessment.
Becoming the Project Manager.
Staffing the Assessment Team.
Kickoff Meeting .
Building the Assessment Timeline.
Reviewing Critical Systems and Information.
Information Criticality Matrix.
Systems Criticality Matrix.
Compiling the Needed Documentation.
Making Sure You Are Ready to Begin.
6. Understanding the Attacker.
Who Are the Attackers?
Attacker Types and Their Characteristics.
Who Are the Greatest Threat?
Insecure Computing Habits Are a Threat.
Disgruntled Employees Are a Threat.
What Do Attackers Do?
Four Kinds of Attacks.
Things That Attackers Attack.
Goals and Motivations of the Attacker.
Attackers Conduct Their Own Risk Analysis.
How Do Attackers Attack?
Tools That Attackers Use During the Stages of an Attack.
Reducing the Risk of an Attack.
How to Respond to an Attack.
7. Performing the Assessment.
Introducing the Assessment Process.
Level I Assessments.
Reviewing the Documentation.
Interviewing Process Owners and Employees.
Level II Assessments.
Level II Assessment Caveats.
Level III Assessments.
8. Tools Used for Assessments and Evaluations.
A Brief History of Security Tools.
Putting Together a Toolkit.
Information-Gathering Tools and Techniques.
Password Auditing Tools.
Vulnerability Scanning Tools.
Automated Exploit and Assessment Tools.
Determining What Tools to Use.
What’s the Best Platform to Install Your Tools On.
Additional Items for the Toolkit.
9. Preparing the Final Report.
Preparing for Analysis.
Ranking Your Findings.
Determining Raw Risk.
Calculating the Risk Score.
Building the Final Report.
Contents of a Good Report.
Statement of Work.
Determining the Next Step.
Audit and Compliance.
10. Post-Assessment Activities.
IT Security Architecture and Framework.
Goals and Objectives.
Defining the Structure and Hierarchy.
Hierarchical IT Security Architecture and Framework.
Sample IT Security Architecture and Framework.
Roles, Responsibilities, and Accountabilities.
Seven Areas of Information Security Responsibility.
Security Incident Response Team (SIRT).
SIRT Response Procedures.
Security Workflow Definitions.
Security Workflow Procedures.
Enterprise Vulnerability Management.
Training IT Staff and End Users.
A. Security Assessment Resources.
Common Criteria (CC) for IT Security Evaluation.
FIPS PUB 140-1 and 140-2.
GAO Risk Assessment Process.
DoD Rainbow Series.
General Security Websites.
Security Tool Websites.
B. Security Assessment Forms.
Information Request Form.
Document Tracking Form.
Critical Systems and Information Forms.
Level II Assessment Forms.
C. Security Assessment Sample Report.
Statement of Work.
D. Dealing with Consultants and Outside Vendors.
Typical RFP Procurement Steps.
Procurement Best Practices.
E. SIRT Team Report Format Template.
SIRT Incident Report.