book

Defensive Security Handbook, 2nd Edition

by Lee Brotherston, Amanda Berlin, William F. Reyor

June 2024

Intermediate to advanced

362 pages

10h 52m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Our GoalWho This Book Is ForNavigating the BookConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgmentsAmandaLeeBill
Laying the GroundworkEstablishing TeamsDetermining Your Baseline Security PostureAssessing Threats and RisksIdentify Scope, Assets, and ThreatsAssess Risk and ImpactMitigateMonitorGovernPrioritizingCreating MilestonesUse Cases, Tabletops, and DrillsExpanding Your Team and SkillsetsConclusion
What Is Asset Management?DocumentationEstablishing the SchemaData Storage OptionsData ClassificationUnderstanding Your Inventory SchemaAsset Management Implementation StepsDefining the LifecycleInformation GatheringChange TrackingMonitoring and ReportingAsset Management GuidelinesAutomateEstablish a Single Source of TruthOrganize a Company-wide TeamFind Executive ChampionsKeep on Top of Software LicensingConclusion
LanguageDocument ContentsTopicsStorage and CommunicationConclusion
StandardsProceduresDocument ContentsConclusion
Broken ProcessesBridging the GapBuilding Your Own ProgramEstablish ObjectivesEstablish BaselinesScope and Create Program Rules and GuidelinesProvide Positive ReinforcementDefine Incident Response ProcessesObtaining Meaningful MetricsMeasurementsTracking Success Rate and ProgressImportant MetricsConclusion
ProcessesPre-Incident ProcessesIncident ProcessesPost-Incident ProcessesTools and TechnologyLog AnalysisEDR/XDR/MDR/All the “Rs”Disk and File AnalysisMemory AnalysisPCAP AnalysisAll-in-One ToolsConclusion
Setting ObjectivesRecovery Point ObjectiveRecovery Time ObjectiveRecovery StrategiesTraditional Physical BackupsWarm StandbyHigh AvailabilityAlternate SystemSystem Function ReassignmentCloud Native Disaster RecoveryDependenciesScenariosInvoking a Failover...and BackTestingSecurity ConsiderationsConclusion
Industry Compliance StandardsFamily Educational Rights and Privacy Act (FERPA)Gramm-Leach-Bliley Act (GLBA)Health Insurance Portability and Accountability Act (HIPAA)Payment Card Industry Data Security Standard (PCI DSS)Sarbanes-Oxley (SOX) ActFrameworksCenter for Internet Security (CIS)Cloud Control Matrix (CCM)The Committee of Sponsoring Organizations of the Treadway Commission (COSO)Control Objectives for Information and Related Technologies (COBIT)ISO-27000 SeriesMITRE ATT&CKNIST Cybersecurity Framework (CSF)Regulated IndustriesFinancialGovernmentHealthcareConclusion

PhysicalRestrict AccessVideo SurveillanceAuthentication MaintenanceSecure MediaDatacentersOperational AspectsIdentifying Visitors and ContractorsPhysical Security TrainingConclusion
Quick WinsUpgradeThird-Party PatchesOpen SharesActive Directory Domain ServicesForestsDomainsDomain ControllersOrganizational UnitsGroupsAccountsGroup Policy Objects (GPOs)Conclusion
Keeping Up-to-DateThird-Party Software UpdatesCore Operating System UpdatesHardening a Unix Application ServerDisable ServicesSet File PermissionsUse Host-Based FirewallsManage File IntegrityConfigure Separate Disk PartitionsUse chrootSet Up Mandatory Access ControlConclusion
Keeping Up-to-DateMicrosoft WindowsmacOSUnix DesktopsThird-Party UpdatesHardening EndpointsDisable ServicesUse Desktop FirewallsImplement Full-Disk EncryptionUse Endpoint Protection ToolsMobile Device ManagementEndpoint VisibilityCentralizationConclusion
Introduction to Databases and Their Importance in Information SecurityDatabase ImplementationsCommon Database Management SystemsA Real-World Case Study: The Marriott BreachDatabase Security Threats and VulnerabilitiesUnauthorized AccessSQL InjectionData LeakageInsider ThreatsDefense EvasionDatabase Security Best PracticesData EncryptionAuthentication and Authorization MechanismsSecure Database Configuration and HardeningDatabase Management in the CloudHands-on Exercise: Implementing Encryption in a MySQL Database (Operation Lockdown)Conclusion
Types of Cloud Services and Their Security ImplicationsSoftware as a Service (SaaS)Platform as a Service (PaaS)Infrastructure as a Service (IaaS)The Shared Responsibility ModelCommon Cloud Security Mistakes and How to Avoid ThemMisconfigurationsInadequate Credential and Secrets ManagementOverpermissioned Cloud ResourcesPoor Security HygieneFailing to Understand the Shared Responsibility ModelCloud Security Best PracticesStart with Secure Architectural PatternsProperly Manage SecretsEmbrace Well-Architected FrameworksContinue Following Security Best PracticesExercise: Gaining Security Visibility into an AWS EnvironmentConfigure an SNS Email NotificationEnable GuardDutySet Up EventBridge to Route Alerts to EmailTestingConclusion
Identity and Access ManagementPasswordsPassword BasicsEncryption, Hashing, and SaltingPassword ManagementAdditional Password SecurityCommon Authentication ProtocolsNTLMKerberosLDAPRADIUSDifferences Between ProtocolsProtocol SecurityChoosing the Best Protocol for Your OrganizationMulti-Factor AuthenticationMFA WeaknessesWhere It Should Be ImplementedConclusion
Device HardeningFirmware/Software PatchingServicesSNMPEncrypted ProtocolsManagement NetworkHardware DevicesBastion HostsRoutersSwitchesWireless DevicesDesignEgress FilteringIPv6: A Cautionary NoteTACACS+Networking AttacksARP Cache Poisoning and MAC SpoofingDDoS AmplificationVPN AttacksWirelessConclusion
Network SegmentationPhysicalLogicalPhysical and Logical Network ExampleSoftware-Defined NetworkingApplication SegmentationSegmentation of Roles and ResponsibilitiesConclusion
Authenticated Versus Unauthenticated ScansVulnerability Assessment ToolsOpen Source ToolsVulnerability Management ProgramProgram InitializationBusiness as UsualRemediation PrioritizationRisk AcceptanceConclusion
Language SelectionAssemblyC and C++GoRustPython/Ruby/PerlPHPSecure Coding GuidelinesTestingAutomated Static TestingAutomated Dynamic TestingPeer ReviewSoftware Development LifecycleConclusion
Open Source IntelligenceTypes of Information and AccessModern OSINT ToolsPurple TeamingA Purple Teaming ExampleConclusion
Role in Information SecurityExploring IDS and IPS TypesNetwork-Based IDSsHost-Based IDSsIPSsNGFWsIDSs and IPSs in the CloudAWSAzureGCPWorking with IDSs and IPSsManaging False PositivesWriting Your Own SignaturesIDS/IPS PositioningEncrypted ProtocolsConclusion
Security Information and Event ManagementWhy Use a SIEMScope of CoverageDesigning the SIEMLog Analysis and EnrichmentSysmonGroup PolicyAlert Examples and Log Sources to Focus OnAuthentication SystemsApplication LogsCloud ServicesDatabasesDNSEndpoint Protection SolutionsIDSs/IPSsOperating SystemsProxy and Firewall LogsUser Accounts, Groups, and PermissionsTesting and Continuing ConfigurationAligning with Detection Frameworks, Compliance Mandates, and Use CasesMITRE ATT&CKSigmaComplianceUse Case AnalysisConclusion
Email ServersDNS ServersSecurity Through ObscurityUseful ResourcesBooksBlogsPodcastsWebsites
Live Phishing Education SlidesYou’ve Been Hacked!What Just Happened, and Why?Social Engineering 101(0101)So It’s OK That You Were Exploited (This Time)No Blame, No Shames, Just...A Few Strategies for Next TimeBecause There Will Be a Next TimeIf Something Feels FunnyIf Something Looks FunnyIf Something Sounds FunnyFeels, Looks, or Sounds Funny—Call the IT Help DeskWhat If I Already Clicked the Link or Opened the Attachment?What If I Didn’t Click the Link or Attachment?Your IT Team Is Here for You!Phishing Program Rules

Content preview from Defensive Security Handbook, 2nd Edition

Chapter 15. Authentication

Authentication is a cornerstone of information security and one of the few subjects that will impact almost everyone. From protecting access to email to state secrets and now even being able to start and drive cars, authentication is ingrained in almost everything we do. In this chapter, we’ll look at some high-level concepts around access and authentication and dig into how some of them work.

Identity and Access Management

Identity and access management (IAM) is a term that collectively describes the processes, policies, and products used to manage access for user identities/entities in an environment. The rest of this chapter is divided into three main sections, covering passwords, authentication protocols, and MFA; however, you can think of both passwords and MFA as subcategories of the broader IAM category. We’ll also cover encryption, hashing, and salting, as those usually come up in relation to protecting passwords.

There are a handful of common best practices when it comes to IAM. While the individual cloud providers all provide their own specific technical guidance, the following concepts are universal regardless of whether you’re operating systems on premises, in the cloud, or as SaaS:

Least privilege: We’ve talked about the principle of least privilege a few times already. As a reminder, this is the concept of granting users and endpoints (collectively called an identity or entity) access to only the applications, endpoints, files, etc., ...