book

Defensive Security Handbook, 2nd Edition

by Lee Brotherston, Amanda Berlin, William F. Reyor

June 2024

Intermediate to advanced

362 pages

10h 52m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Our GoalWho This Book Is ForNavigating the BookConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgmentsAmandaLeeBill
Laying the GroundworkEstablishing TeamsDetermining Your Baseline Security PostureAssessing Threats and RisksIdentify Scope, Assets, and ThreatsAssess Risk and ImpactMitigateMonitorGovernPrioritizingCreating MilestonesUse Cases, Tabletops, and DrillsExpanding Your Team and SkillsetsConclusion
What Is Asset Management?DocumentationEstablishing the SchemaData Storage OptionsData ClassificationUnderstanding Your Inventory SchemaAsset Management Implementation StepsDefining the LifecycleInformation GatheringChange TrackingMonitoring and ReportingAsset Management GuidelinesAutomateEstablish a Single Source of TruthOrganize a Company-wide TeamFind Executive ChampionsKeep on Top of Software LicensingConclusion
LanguageDocument ContentsTopicsStorage and CommunicationConclusion
StandardsProceduresDocument ContentsConclusion
Broken ProcessesBridging the GapBuilding Your Own ProgramEstablish ObjectivesEstablish BaselinesScope and Create Program Rules and GuidelinesProvide Positive ReinforcementDefine Incident Response ProcessesObtaining Meaningful MetricsMeasurementsTracking Success Rate and ProgressImportant MetricsConclusion
ProcessesPre-Incident ProcessesIncident ProcessesPost-Incident ProcessesTools and TechnologyLog AnalysisEDR/XDR/MDR/All the “Rs”Disk and File AnalysisMemory AnalysisPCAP AnalysisAll-in-One ToolsConclusion
Setting ObjectivesRecovery Point ObjectiveRecovery Time ObjectiveRecovery StrategiesTraditional Physical BackupsWarm StandbyHigh AvailabilityAlternate SystemSystem Function ReassignmentCloud Native Disaster RecoveryDependenciesScenariosInvoking a Failover...and BackTestingSecurity ConsiderationsConclusion
Industry Compliance StandardsFamily Educational Rights and Privacy Act (FERPA)Gramm-Leach-Bliley Act (GLBA)Health Insurance Portability and Accountability Act (HIPAA)Payment Card Industry Data Security Standard (PCI DSS)Sarbanes-Oxley (SOX) ActFrameworksCenter for Internet Security (CIS)Cloud Control Matrix (CCM)The Committee of Sponsoring Organizations of the Treadway Commission (COSO)Control Objectives for Information and Related Technologies (COBIT)ISO-27000 SeriesMITRE ATT&CKNIST Cybersecurity Framework (CSF)Regulated IndustriesFinancialGovernmentHealthcareConclusion

PhysicalRestrict AccessVideo SurveillanceAuthentication MaintenanceSecure MediaDatacentersOperational AspectsIdentifying Visitors and ContractorsPhysical Security TrainingConclusion
Quick WinsUpgradeThird-Party PatchesOpen SharesActive Directory Domain ServicesForestsDomainsDomain ControllersOrganizational UnitsGroupsAccountsGroup Policy Objects (GPOs)Conclusion
Keeping Up-to-DateThird-Party Software UpdatesCore Operating System UpdatesHardening a Unix Application ServerDisable ServicesSet File PermissionsUse Host-Based FirewallsManage File IntegrityConfigure Separate Disk PartitionsUse chrootSet Up Mandatory Access ControlConclusion
Keeping Up-to-DateMicrosoft WindowsmacOSUnix DesktopsThird-Party UpdatesHardening EndpointsDisable ServicesUse Desktop FirewallsImplement Full-Disk EncryptionUse Endpoint Protection ToolsMobile Device ManagementEndpoint VisibilityCentralizationConclusion
Introduction to Databases and Their Importance in Information SecurityDatabase ImplementationsCommon Database Management SystemsA Real-World Case Study: The Marriott BreachDatabase Security Threats and VulnerabilitiesUnauthorized AccessSQL InjectionData LeakageInsider ThreatsDefense EvasionDatabase Security Best PracticesData EncryptionAuthentication and Authorization MechanismsSecure Database Configuration and HardeningDatabase Management in the CloudHands-on Exercise: Implementing Encryption in a MySQL Database (Operation Lockdown)Conclusion
Types of Cloud Services and Their Security ImplicationsSoftware as a Service (SaaS)Platform as a Service (PaaS)Infrastructure as a Service (IaaS)The Shared Responsibility ModelCommon Cloud Security Mistakes and How to Avoid ThemMisconfigurationsInadequate Credential and Secrets ManagementOverpermissioned Cloud ResourcesPoor Security HygieneFailing to Understand the Shared Responsibility ModelCloud Security Best PracticesStart with Secure Architectural PatternsProperly Manage SecretsEmbrace Well-Architected FrameworksContinue Following Security Best PracticesExercise: Gaining Security Visibility into an AWS EnvironmentConfigure an SNS Email NotificationEnable GuardDutySet Up EventBridge to Route Alerts to EmailTestingConclusion
Identity and Access ManagementPasswordsPassword BasicsEncryption, Hashing, and SaltingPassword ManagementAdditional Password SecurityCommon Authentication ProtocolsNTLMKerberosLDAPRADIUSDifferences Between ProtocolsProtocol SecurityChoosing the Best Protocol for Your OrganizationMulti-Factor AuthenticationMFA WeaknessesWhere It Should Be ImplementedConclusion
Device HardeningFirmware/Software PatchingServicesSNMPEncrypted ProtocolsManagement NetworkHardware DevicesBastion HostsRoutersSwitchesWireless DevicesDesignEgress FilteringIPv6: A Cautionary NoteTACACS+Networking AttacksARP Cache Poisoning and MAC SpoofingDDoS AmplificationVPN AttacksWirelessConclusion
Network SegmentationPhysicalLogicalPhysical and Logical Network ExampleSoftware-Defined NetworkingApplication SegmentationSegmentation of Roles and ResponsibilitiesConclusion
Authenticated Versus Unauthenticated ScansVulnerability Assessment ToolsOpen Source ToolsVulnerability Management ProgramProgram InitializationBusiness as UsualRemediation PrioritizationRisk AcceptanceConclusion
Language SelectionAssemblyC and C++GoRustPython/Ruby/PerlPHPSecure Coding GuidelinesTestingAutomated Static TestingAutomated Dynamic TestingPeer ReviewSoftware Development LifecycleConclusion
Open Source IntelligenceTypes of Information and AccessModern OSINT ToolsPurple TeamingA Purple Teaming ExampleConclusion
Role in Information SecurityExploring IDS and IPS TypesNetwork-Based IDSsHost-Based IDSsIPSsNGFWsIDSs and IPSs in the CloudAWSAzureGCPWorking with IDSs and IPSsManaging False PositivesWriting Your Own SignaturesIDS/IPS PositioningEncrypted ProtocolsConclusion
Security Information and Event ManagementWhy Use a SIEMScope of CoverageDesigning the SIEMLog Analysis and EnrichmentSysmonGroup PolicyAlert Examples and Log Sources to Focus OnAuthentication SystemsApplication LogsCloud ServicesDatabasesDNSEndpoint Protection SolutionsIDSs/IPSsOperating SystemsProxy and Firewall LogsUser Accounts, Groups, and PermissionsTesting and Continuing ConfigurationAligning with Detection Frameworks, Compliance Mandates, and Use CasesMITRE ATT&CKSigmaComplianceUse Case AnalysisConclusion
Email ServersDNS ServersSecurity Through ObscurityUseful ResourcesBooksBlogsPodcastsWebsites
Live Phishing Education SlidesYou’ve Been Hacked!What Just Happened, and Why?Social Engineering 101(0101)So It’s OK That You Were Exploited (This Time)No Blame, No Shames, Just...A Few Strategies for Next TimeBecause There Will Be a Next TimeIf Something Feels FunnyIf Something Looks FunnyIf Something Sounds FunnyFeels, Looks, or Sounds Funny—Call the IT Help DeskWhat If I Already Clicked the Link or Opened the Attachment?What If I Didn’t Click the Link or Attachment?Your IT Team Is Here for You!Phishing Program Rules

Content preview from Defensive Security Handbook, 2nd Edition

Chapter 3. Policies

Policies are one of the less glamorous areas of information security. They are, however, very useful and can form the cornerstone of security improvement work in your organization. In this chapter we will discuss why writing policies is a good idea, what they should contain, and the choice of language to use.

Why are policies so important? There are a range of reasons:

Consistency: Having clear policies in place should vastly reduce concerns about inconsistent approaches from day to day or between members of staff. A written set of policies reduces the need to make judgment calls, which can lead to inconsistent application of rules.
Distribution of knowledge: It’s all well and good for you to know what the policy is with regard to not sharing passwords with others, but if the rest of the organization is unaware of that policy, then it’s not providing you much benefit. Policy documents disseminate information for others to consume.
Setting expectations: Policies set rules and boundaries. When you have clearly defined rules, it becomes equally clear when someone breaks those rules. This enables appropriate action to be taken. Departments like HR find it difficult to reprimand someone because it “feels like” they may have done something wrong; identifying and dealing with contraventions is easier when the rules are well defined.
Regulatory compliance and audit: Many industries are regulated or pseudoregulated, and many have auditors. The existence ...