book

Defensive Security Handbook, 2nd Edition

by Lee Brotherston, Amanda Berlin, William F. Reyor

June 2024

Intermediate to advanced

362 pages

10h 52m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Our GoalWho This Book Is ForNavigating the BookConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgmentsAmandaLeeBill
Laying the GroundworkEstablishing TeamsDetermining Your Baseline Security PostureAssessing Threats and RisksIdentify Scope, Assets, and ThreatsAssess Risk and ImpactMitigateMonitorGovernPrioritizingCreating MilestonesUse Cases, Tabletops, and DrillsExpanding Your Team and SkillsetsConclusion
What Is Asset Management?DocumentationEstablishing the SchemaData Storage OptionsData ClassificationUnderstanding Your Inventory SchemaAsset Management Implementation StepsDefining the LifecycleInformation GatheringChange TrackingMonitoring and ReportingAsset Management GuidelinesAutomateEstablish a Single Source of TruthOrganize a Company-wide TeamFind Executive ChampionsKeep on Top of Software LicensingConclusion
LanguageDocument ContentsTopicsStorage and CommunicationConclusion
StandardsProceduresDocument ContentsConclusion
Broken ProcessesBridging the GapBuilding Your Own ProgramEstablish ObjectivesEstablish BaselinesScope and Create Program Rules and GuidelinesProvide Positive ReinforcementDefine Incident Response ProcessesObtaining Meaningful MetricsMeasurementsTracking Success Rate and ProgressImportant MetricsConclusion
ProcessesPre-Incident ProcessesIncident ProcessesPost-Incident ProcessesTools and TechnologyLog AnalysisEDR/XDR/MDR/All the “Rs”Disk and File AnalysisMemory AnalysisPCAP AnalysisAll-in-One ToolsConclusion
Setting ObjectivesRecovery Point ObjectiveRecovery Time ObjectiveRecovery StrategiesTraditional Physical BackupsWarm StandbyHigh AvailabilityAlternate SystemSystem Function ReassignmentCloud Native Disaster RecoveryDependenciesScenariosInvoking a Failover...and BackTestingSecurity ConsiderationsConclusion
Industry Compliance StandardsFamily Educational Rights and Privacy Act (FERPA)Gramm-Leach-Bliley Act (GLBA)Health Insurance Portability and Accountability Act (HIPAA)Payment Card Industry Data Security Standard (PCI DSS)Sarbanes-Oxley (SOX) ActFrameworksCenter for Internet Security (CIS)Cloud Control Matrix (CCM)The Committee of Sponsoring Organizations of the Treadway Commission (COSO)Control Objectives for Information and Related Technologies (COBIT)ISO-27000 SeriesMITRE ATT&CKNIST Cybersecurity Framework (CSF)Regulated IndustriesFinancialGovernmentHealthcareConclusion

PhysicalRestrict AccessVideo SurveillanceAuthentication MaintenanceSecure MediaDatacentersOperational AspectsIdentifying Visitors and ContractorsPhysical Security TrainingConclusion
Quick WinsUpgradeThird-Party PatchesOpen SharesActive Directory Domain ServicesForestsDomainsDomain ControllersOrganizational UnitsGroupsAccountsGroup Policy Objects (GPOs)Conclusion
Keeping Up-to-DateThird-Party Software UpdatesCore Operating System UpdatesHardening a Unix Application ServerDisable ServicesSet File PermissionsUse Host-Based FirewallsManage File IntegrityConfigure Separate Disk PartitionsUse chrootSet Up Mandatory Access ControlConclusion
Keeping Up-to-DateMicrosoft WindowsmacOSUnix DesktopsThird-Party UpdatesHardening EndpointsDisable ServicesUse Desktop FirewallsImplement Full-Disk EncryptionUse Endpoint Protection ToolsMobile Device ManagementEndpoint VisibilityCentralizationConclusion
Introduction to Databases and Their Importance in Information SecurityDatabase ImplementationsCommon Database Management SystemsA Real-World Case Study: The Marriott BreachDatabase Security Threats and VulnerabilitiesUnauthorized AccessSQL InjectionData LeakageInsider ThreatsDefense EvasionDatabase Security Best PracticesData EncryptionAuthentication and Authorization MechanismsSecure Database Configuration and HardeningDatabase Management in the CloudHands-on Exercise: Implementing Encryption in a MySQL Database (Operation Lockdown)Conclusion
Types of Cloud Services and Their Security ImplicationsSoftware as a Service (SaaS)Platform as a Service (PaaS)Infrastructure as a Service (IaaS)The Shared Responsibility ModelCommon Cloud Security Mistakes and How to Avoid ThemMisconfigurationsInadequate Credential and Secrets ManagementOverpermissioned Cloud ResourcesPoor Security HygieneFailing to Understand the Shared Responsibility ModelCloud Security Best PracticesStart with Secure Architectural PatternsProperly Manage SecretsEmbrace Well-Architected FrameworksContinue Following Security Best PracticesExercise: Gaining Security Visibility into an AWS EnvironmentConfigure an SNS Email NotificationEnable GuardDutySet Up EventBridge to Route Alerts to EmailTestingConclusion
Identity and Access ManagementPasswordsPassword BasicsEncryption, Hashing, and SaltingPassword ManagementAdditional Password SecurityCommon Authentication ProtocolsNTLMKerberosLDAPRADIUSDifferences Between ProtocolsProtocol SecurityChoosing the Best Protocol for Your OrganizationMulti-Factor AuthenticationMFA WeaknessesWhere It Should Be ImplementedConclusion
Device HardeningFirmware/Software PatchingServicesSNMPEncrypted ProtocolsManagement NetworkHardware DevicesBastion HostsRoutersSwitchesWireless DevicesDesignEgress FilteringIPv6: A Cautionary NoteTACACS+Networking AttacksARP Cache Poisoning and MAC SpoofingDDoS AmplificationVPN AttacksWirelessConclusion
Network SegmentationPhysicalLogicalPhysical and Logical Network ExampleSoftware-Defined NetworkingApplication SegmentationSegmentation of Roles and ResponsibilitiesConclusion
Authenticated Versus Unauthenticated ScansVulnerability Assessment ToolsOpen Source ToolsVulnerability Management ProgramProgram InitializationBusiness as UsualRemediation PrioritizationRisk AcceptanceConclusion
Language SelectionAssemblyC and C++GoRustPython/Ruby/PerlPHPSecure Coding GuidelinesTestingAutomated Static TestingAutomated Dynamic TestingPeer ReviewSoftware Development LifecycleConclusion
Open Source IntelligenceTypes of Information and AccessModern OSINT ToolsPurple TeamingA Purple Teaming ExampleConclusion
Role in Information SecurityExploring IDS and IPS TypesNetwork-Based IDSsHost-Based IDSsIPSsNGFWsIDSs and IPSs in the CloudAWSAzureGCPWorking with IDSs and IPSsManaging False PositivesWriting Your Own SignaturesIDS/IPS PositioningEncrypted ProtocolsConclusion
Security Information and Event ManagementWhy Use a SIEMScope of CoverageDesigning the SIEMLog Analysis and EnrichmentSysmonGroup PolicyAlert Examples and Log Sources to Focus OnAuthentication SystemsApplication LogsCloud ServicesDatabasesDNSEndpoint Protection SolutionsIDSs/IPSsOperating SystemsProxy and Firewall LogsUser Accounts, Groups, and PermissionsTesting and Continuing ConfigurationAligning with Detection Frameworks, Compliance Mandates, and Use CasesMITRE ATT&CKSigmaComplianceUse Case AnalysisConclusion
Email ServersDNS ServersSecurity Through ObscurityUseful ResourcesBooksBlogsPodcastsWebsites
Live Phishing Education SlidesYou’ve Been Hacked!What Just Happened, and Why?Social Engineering 101(0101)So It’s OK That You Were Exploited (This Time)No Blame, No Shames, Just...A Few Strategies for Next TimeBecause There Will Be a Next TimeIf Something Feels FunnyIf Something Looks FunnyIf Something Sounds FunnyFeels, Looks, or Sounds Funny—Call the IT Help DeskWhat If I Already Clicked the Link or Opened the Attachment?What If I Didn’t Click the Link or Attachment?Your IT Team Is Here for You!Phishing Program Rules

Content preview from Defensive Security Handbook, 2nd Edition

Chapter 18. Vulnerability Management

Contrary to what some vendors’ marketing materials would have us believe, a huge proportion of successful breaches do not occur because of complex zero-day vulnerabilities lovingly handcrafted by artisanal exploit writers. Although such attacks do happen, a lack of patching, failure to follow good practices for configuration, or neglect to change default passwords is to blame for a far larger number of successful attacks against corporate environments. Even those capable of deploying tailor-made exploits against your infrastructure will typically prefer to make use of these types of vulnerabilities.

Vulnerability management is the term used to describe the overall program of activities that oversees everything from vulnerability scanning and detection right through to remediation. An effective vulnerability management program raises the security of your network by identifying, assessing, and addressing potential flaws.

Vulnerability assessment is a different discipline from penetration testing, typically carried out by different people; however, the two terms are often used interchangeably by those who are not aware of the differences. Unlike penetration testing, vulnerability assessment is automated or semiautomated, continuous, and less focused on bespoke systems and applications. Vulnerability assessment tools generally search for flaws such as missing patches, outdated software, common configuration errors, and default passwords. Vulnerability ...