Over the last decade, technology adoption has exploded worldwide and corporations have struggled to keep pace. Usability and revenue creation have been the key motivating factors, often ignoring the proactive design and security required for long-term stability. With the increase of breaking news hacks, record-breaking data leaks, and ransomware attacks, it is our job to not only scrape by with default installs but to secure our data and assets to the best of our abilities. There will always be cases where you will walk into an environment that is a metaphorical train wreck with so many fires that you don’t even know where to start. This book will give you what you need to create a solid and secure design for the majority of situations that you may encounter.
Modern attacks can occur for many different motivations and are perpetrated by people ranging from organized crime groups seeking to monetize breaches, through to hacktivists seeking to enact retribution on the organizations they deem to be immoral or counter to public interest. Whatever the motivation and whoever the attacker, a large number of attacks are organized and carried out by skilled individuals, often with funding.
This change in landscape has led to many organizations engaging in a game of InfoSec catch-up, often realizing that their information security program has either not received the executive backing that it required or simply never existed in the first place. These organizations are seeking to correct this and begin along the path to initiating or maturing their information security efforts. There is, however, a problem.
Information security is an industry that is currently undergoing a period of negative unemployment; that is, there are more open positions than there are candidates to fill those positions. Hiring people is hard, and hiring good people is harder. For those seeking employment, this can be an advantageous situation; however, it is a high risk for employers seeking to hire someone into an information security position, as they would be entrusting a new hire with a certain amount of trust and possibly high-dollar assets.
For this reason, many companies that are only now embarking on their information security program have taken the route of promoting someone from another role, such as a system administrator or architect, to an information security practitioner role. Another common practice is hiring a more junior information security professional into a role than would normally be the case, and expecting the newly appointed employee to learn on the job. This situation is precisely what this book is intended to address.
A large number of issues encountered by companies with an immature information security program can be remedied, or at least vastly reduced, with some basic security hygiene. The knee-jerk reaction to the task of inheriting a new and immature security department can be to buy as many devices with pretty blinky LEDs as possible, in the hope that they will remedy issues. Some people would rather pay another company to set up an outsourcing agreement, which can be leveraged in order to assist. Both of these options require money. Many organizations that are new to information security do not have the budget to undertake either of these solutions to the problem—using the tools that are already in the environment may well be all you have.
Our goal is to not only make this a standard that can be applied to most enterprise networks, but also be a little entertaining to read along the way. There are already deep-dive standards out there from a variety of government and private organizations that can drone on and on about the validity of one security measure or the next. We want this to be an informative dialog backed by real-life experiences in the industry. There will be good policy, best practices, code snippets, screenshots, walkthroughs, and snark all mixed in together. We want to reach out to the masses—the net admins who can’t get approval to hire help; directors who want to know they aren’t the only ones fighting the battles that we see day in and day out; and the people who are getting their hands dirty in the trenches and aren’t even close to being ready to start down the path of reading whitepapers and RFCs.
This book is designed to serve as a Security 101 handbook that is applicable to as many environments as possible, in order to drive maximum improvement in your security posture for the minimum financial spend. Types of positions that will be able to take away knowledge and actionable data from this include upper-level CIOs, directors, security analysts, systems administrators, and other technological roles.
We have deliberately written this so that you do not have to adopt an all-or-nothing approach. Each of the chapters can serve as a standalone body of knowledge for a particular area of interest, meaning that you can pick and choose which subjects work for you and your organization, and ignore any that you feel may not apply. The aim is not to achieve compliance with a particular framework or compliance regime, but to improve on the current situation in sensible, pragmatic, manageable chunks.
We have purposefully ordered this book to begin with the fundamentals of starting or redesigning an information security program. It will take you from the skeleton steps of program creation on a wild rollercoaster ride into the depths of more technical topics.
Many people fail to realize that a large amount of work and implementation can be performed in an enterprise before any major capital is spent. A common problem faced in information security is not being able to get buy-in from C-level executives. A step in the right direction in getting a security budget would be to prove that you have completed due diligence in your work. A large portion of this book includes steps, tools, processes, and ideas to secure an environment with little-to-no capital.
After the skeleton steps of planning out the new and shiny security program, we move on to creating a base set of policies, standards, and procedures. Doing so early in the stages of your security program will give you a good starting point for growth and maturation. Using policies as a method to communicate expectations allows you to align people across your organization with regard to what is expected of them and their role.
We included user education early on in the book as it is never too early to start teaching employees what to watch out for (and using them as a key part of detection). However, depending on the current strength of your defenses, it should not be a major focus until a strong foundation has been formed. Attackers aren’t going to bother with human interaction if they can just connect remotely without it.
The book then moves on to planning and dealing with breaches, disasters, compliance, and physical security, all of which combine the management and organizational side of information security with the physical tools and infrastructure needed to complete them. Being prepared in the case of any type of physical or technical emergency can mean the difference between a smooth and steady recovery or a complete company failure—and anything in between.
A good, solid ground-up design is just the beginning. Now that we’ve covered part of the design of the overall program, we start to get into more technical categories and security architecture, beginning with the two main categories of operating systems. Both Microsoft and Unix have their pros and cons, but with regard to Microsoft, some of what will be covered is installing the Enhanced Mitigation Experience Toolkit (EMET), Group Policy best practices, and Microsoft SQL security. For Unix, we will cover third-party updates and server/OS hardening, including disabling services, file permissions, host-based firewalls, disk partitions, and other access controls. Endpoint management also falls into this category. A common struggle that we see in corporations includes bring your own device (BYOD) practices and mobile device management (MDM). We will also go into managing and implementing endpoint encryption.
Two other important verticals that are often ignored (or not given as much love as they should be) are networking infrastructure and password management. While going over networking infrastructure, we will cover port security, disabling insecure technologies, device firmware, egress filtering, and more. We will cover segmentation, including implementing VLANs with ACLs to ensure the network isn’t flat, delegation of permissions, and Network Access Controls. We will then look into vulnerability scanning and remediation. While most enterprise vulnerability scanners are not free, we talk about them in this chapter to prove their worth by using them for a free trial period (to work toward the purchase of the entire product) or getting the most out of a full version already in the organization.
Many organizations have their own development team; however, traditional training for developers typically focuses on performance optimization, scalability, and interoperability. Secure coding practices have only been included in software development training in relatively recent years. We discuss techniques that can be used to enhance the current situation and reduce the risk often associated with in-house development.
Purple teaming, which is the combination of both offensive (red team) and defensive (blue team) security, can be difficult to implement depending on staffing and corporate policies. It is a relatively new concept that has gained a significant amount of attention over the last couple of years. Chapter 18 covers some basic penetration testing concepts, as well as social engineering and open source intelligence.
Finally, some of the most time-intensive security practices and devices are covered as we go through IDS, IPS, SOC, logging, and monitoring. We have found that many organizations feel as though these technologies are a one-time install or setup procedure and you can walk away feeling protected. It is well worth the time, effort, and investment to have a continually in-progress configuration because your internal environment is always changing, as are the threats you should be concerned about. We won’t be making any specific vendor recommendations, but rather have opted to discuss overall solutions and concepts that should stand the test of time a lot better than a specific vendor recommendation for the current toolset.
Oh, and the Extra Mile...that’s the junk drawer where you will find our bits and pieces of configuration ideas and advice that didn’t really have a home anywhere else.
Now that we have said all that, let’s see what we can do about improving some things.
The following typographical conventions are used in this book:
Indicates new terms, URLs, email addresses, filenames, and file extensions.
Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.
Constant width bold
Shows commands or other text that should be typed literally by the user.
Constant width italic
Shows text that should be replaced with user-supplied values or by values determined by context.
This element signifies a tip or suggestion.
This element signifies a general note.
This element indicates a warning or caution.
Please address comments and questions concerning this book to the publisher:
We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at http://oreil.ly/2mPWM6p.
To comment or ask technical questions about this book, send email to email@example.com.
For more information about our books, courses, conferences, and news, see our website at http://www.oreilly.com.
I have so many people to thank; the plus of writing your own book is being able to keep going and going and going and...you get the idea. First and foremost I want to give special recognition to my three wonderful boys, Michael, James, and Wyatt. They have started to grow into such independent and amazing little men and without their support and understanding of my long hours over these last couple of years, I wouldn’t be where I am today. My mom for her continued support and encouragement, and for cleaning my house when I travel.
My coauthor Lee has been absolutely amazing. We’ve both pulled some crazy long hours to get this done. Reviewing each other’s work and bouncing ideas off of each other makes for a good friendship and working partner. I couldn’t have hoped for a better match. Courtney and the rest of the team at O’Reilly for walking us through this process and answering our stupid questions on a regular basis. They made writing this book a way better experience than I would have ever thought. To Virginia at O’Reilly for doing an incredible final edit. The incredibly intelligent and insightful help from our technical editors, Chris Blow, Mark Boltz-Robinson, Alex Hamerstone, and Steven Maske. Gal Shpantzer for his valuable insight.
I want to thank the coworkers I’ve had over the years and all of the times you’ve been there for me, mistakes and all. The people who I consider my mentors; some I’ve had my entire career, others since starting down the path to information security: Rob Fuller, Bill Gardner, Wolfgang Goerlich, Dave Kennedy, Denao Ruttino, Jayson Street. A special thanks to @_sn0ww for the help with content on physical security and social engineering, and Alan Burchill for his Group Policy knowledge and content. The information security community has helped me to continue to evolve daily while struggling with imposter syndrome and self doubt on a daily basis. You’ve been there for me when I needed you, to lean on, learn from, teach, and relax. While there are too many of you to list, I’ve cherished our in-depth conversations over drinks, hangouts, Facebook, Twitter, basements, and every other platform there is out there. Finally I would like to thank my arms for always being at my side, my legs for supporting me, my hips for not lying, and my fingers for always being able to count on them. Thanks for believing in me.
First of all, I have to thank Amanda for being fantastic to work with throughout the entire process, for all the hard work that she has put into this book, always being a true professional, becoming a good friend, and putting up with my sometimes “fun” calendar.
Courtney Allen for believing in us, endlessly kicking butt on our behalf, getting this whole project started in the first place, providing endless sage advice, and becoming a good friend to both Amanda and myself in the process.
Our technical editors, Chris Blow, Mark Boltz-Robinson, Alex Hamerstone, and Steven Maske, for their feedback and advice.
Virginia Wilson for all of her work to make this happen, invaluable feedback, and huge amounts of reading.
O’Reilly Media for their help and support.
My wife Kirsty, and our children Noah, Amy, and Dylan for being so supportive of everything that I do, having incredible patience, and affording me the time to work on this. Thank you. I love you, x x x.
Ben Hughes, for whom “blame” is perhaps a better word...I jest...sort of :)
There are also a number of other people who make up the exciting Venn Diagram of InfoSec community, colleagues, and friends whom I want to thank for helping me out with this project in terms of emotional support, mentoring, advice, caffeine, and alcohol. To avoid committing some kind of InfoSec name-ordering faux pas, I am going to list these in alphabetical order:
James Arlen, Frederic Dorré, Bill Gambardella, Nick Johnston, Alex Muentz, Brendan O’Connor, Allan Stojanovic, Wade W. Wilson, everyone at DFIRWL, and the 487 other people that I have inevitably failed to mention.