book

Network Security Bible, 2nd Edition

Name: Network Security Bible, 2nd Edition
Author: Eric Cole
ISBN: 9780470502495

by Eric Cole

September 2009

Intermediate to advanced

936 pages

25h 49m

English

Wiley

Read now

Unlock full access

Copyright
About the Author
About the Technical Editor
Credits
Acknowledgments
Introduction
The Goal of This BookHow to Use This BookUse as a comprehensive tutorial on the field of network securityUse as a "how to" manual for implementing network securityUse as a Reference Document for the Information and Network Security PractitionerUse as a guide for planning future network security issues and projectsWho Should Read This BookHow This Book Is OrganizedPart I: Network Security LandscapePart II: Security Principles and PracticesPart III: Operating Systems and ApplicationsPart IV: Network Security FundamentalsPart V: CommunicationPart VI: The Security Threat and ResponsePart VII: Integrated Cyber SecurityConventions and FeaturesTips, Notes, and CautionsWhere To Go From Here
I. Network Security Landscape
1. State of Network Security
1.1. Cyber Security1.1.1. Defining risk1.1.2. Background: How did We Get to this Point?1.1.3. Moving beyond reactive security1.1.4. Trends1.1.5. Key characteristics of attacks1.1.5.1. Attacks are growing dramatically1.1.5.2. Threats are more sophisticated1.1.5.3. Knowns outnumbered by unknowns1.1.5.4. Current Approach Ineffective1.2. Summary
2. New Approaches to Cyber Security
2.1. General Trends2.1.1. Overview of security breaches2.1.2. Current state of security2.1.3. Boundless nature of the internet2.1.4. Type of attacks2.1.4.1. Active attacks2.1.4.2. Passive attacks2.1.5. New Way of Thinking2.1.6. Overview of General Security Principles2.2. The Changing Face of Cyber Security2.3. Summary
3. Interfacing with the Organization
3.1. An Enterprise Security Methodology3.1.1. The methodology3.2. Key Questions to Manage Risk3.3. Summary

II. Security Principles and Practices
4. Information System Security Principles
4.1. Key Principles of Network Security4.1.1. Confidentiality4.1.2. Integrity4.1.3. Availability4.1.4. Other Important Terms4.2. Formal Processes4.2.1. The Systems Engineering Process4.2.2. The Information Assurance Technical Framework4.2.2.1. Defense-in-Depth4.2.2.1.1. People4.2.2.1.2. Technology4.2.2.1.3. Operations4.2.2.2. Systems Engineering Processes4.2.3. The Information Systems Security Engineering Process4.2.3.1. Discover Information Protection Needs4.2.3.2. Define System Security Requirements4.2.3.3. Design System Security Architecture4.2.3.4. Develop Detailed Security Design4.2.3.5. Implement System Security4.2.3.6. Assess Information Protection Effectiveness4.2.4. The systems development life cycle4.2.4.1. Initiation4.2.4.2. Development/Acquisition4.2.4.3. Implementation4.2.4.4. Operation/Maintenance4.2.4.5. Disposal4.2.5. Information Systems Security and the SDLC4.2.5.1. Generally accepted principles for securing information technology4.2.5.2. Common Practices for Securing Information Technology4.2.5.3. Engineering Principles for Information Technology Security4.2.5.4. Information System Development Cycle4.3. Risk Management4.3.1. Definitions4.3.1.1. Risk4.3.1.2. Threat4.3.1.3. Threat-source4.3.1.4. Vulnerability4.3.1.5. Impact4.3.2. Risk Management and the SDLC4.3.2.1. Risk Assessment4.3.2.1.1. System Characterization4.3.2.1.2. Threat Identification4.3.2.1.3. Vulnerability Identification4.3.2.1.4. Control Analysis4.3.2.1.5. Likelihood Determination4.3.2.1.6. Impact Analysis4.3.2.1.7. Risk Determination4.3.2.1.8. Control Recommendations4.3.2.1.9. Results Documentation4.3.2.2. Risk Mitigation4.3.2.2.1. Risk Mitigation Options4.3.2.2.2. Categories of Controls4.3.2.3. Evaluation and Assessment4.4. Calculating and Managing Risk4.5. Summary
5. Information System Security Management
5.1. Security Policies5.1.1. Senior Management Policy Statement5.1.1.1. Advisory Policies5.1.1.2. Regulatory Policies5.1.1.3. Informative Policies5.1.1.4. U.S. Government Policy Types5.1.2. Standards, Guidelines, Procedures, and Baselines5.2. Security Awareness5.2.1. Training5.2.2. Measuring Awareness5.3. Managing the Technical Effort5.3.1. Program Manager5.3.2. Program Management Plan5.3.3. Systems Engineering Management Plan5.3.3.1. Statement of Work5.3.3.2. Work Breakdown Structure5.3.3.3. Technical Performance Measurement5.3.3.4. Test and Evaluation Master Plan5.4. Configuration Management5.4.1. Primary Functions of Configuration Management5.4.2. Definitions and Procedures5.4.2.1. Configuration Identification5.4.2.2. Configuration Control5.4.2.3. Configuration status accounting5.4.2.4. Configuration Auditing5.4.2.5. Documentation change control5.5. Business Continuity and Disaster Recovery Planning5.5.1. Business continuity planning5.5.1.1. Business continuity planning goals and process5.5.1.1.1. Scope and Plan Initiation5.5.1.1.2. Business Impact Assessment5.5.1.1.3. Business Continuity Plan Development5.5.1.1.4. Plan approval and implementation5.5.1.2. Roles and responsibilities5.5.2. Disaster recovery planning5.5.2.1. Goals5.5.2.2. Disaster recovery process5.5.2.2.1. Developing the disaster recovery plan5.5.2.2.2. Determining recovery time objectives5.5.2.3. Establishing backup sites5.5.2.4. Plan testing5.5.2.5. Implementing the Plan5.6. Physical Security5.6.1. Controls5.6.1.1. Physical Controls5.6.1.2. Technical Controls5.6.1.2.1. Smart Cards5.6.1.2.2. Biometric Devices5.6.1.3. Administrative Controls5.6.1.3.1. Administrative Personnel Controls5.6.1.3.2. Facility Planning5.6.1.3.3. Facility Security Management5.6.2. Environmental Issues5.6.2.1. Electrical Power5.6.2.2. Humidity5.6.3. Fire Suppression5.6.3.1. Fire Extinguishing Systems5.6.4. Object reuse and data remanence5.7. Legal and Liability Issues5.7.1. Types of Computer Crime5.7.2. Electronic Monitoring5.7.3. Liability5.8. Summary
6. Access Control
6.1. Control Models6.1.1. Discretionary Access Control6.1.2. Mandatory access control6.1.3. Non-discretionary access control6.2. Types of Access Control Implementations6.2.1. Preventive/administrative6.2.2. Preventive/technical6.2.3. Preventive/physical6.2.4. Detective/administrative6.2.5. Detective/technical6.2.6. Detective/physical6.2.7. Centralized/decentralized access controls6.3. Identification and Authentication6.3.1. Passwords6.3.2. Biometrics6.3.3. Single Sign-On6.3.3.1. Kerberos6.3.3.2. SESAME6.3.3.3. KryptoKnight6.4. Databases6.4.1. Relational databases6.4.1.1. Example relational database operations6.4.1.2. Data Normalization6.4.2. Other Database Types6.4.2.1. Object-oriented databases6.4.2.2. Object-relational Databases6.5. Remote Access6.5.1. RADIUS6.5.2. TACACS and TACACS+6.5.3. Password Authentication Protocol6.5.4. Challenge Handshake Authentication Protocol6.6. Summary
7. Attacks and Threats
7.1. Malicious Code7.1.1. Viruses7.2. Review of Common Attacks7.2.1. Denial-of-service (DoS)7.2.2. Back door7.2.3. Spoofing7.2.4. Man in the middle7.2.5. Replay7.2.6. TCP/Hijacking7.2.7. Fragmentation attacks7.2.8. Weak keys7.2.9. Mathematical attacks7.2.10. Social engineering7.2.11. Port scanning7.2.12. Dumpster diving7.2.13. Birthday attacks7.2.14. Password guessing7.2.14.1. Brute force7.2.14.2. Dictionary attack7.2.15. Software exploitation7.2.16. Inappropriate system use7.2.17. Eavesdropping7.2.18. War driving7.2.19. TCP sequence number attacks7.2.20. War-dialing/demon-dialing attacks7.3. External Attack Methodologies Overview7.3.1. Distributed denial-of-service attacks (DDoS)7.3.1.1. TCP SYN flood attacks7.3.1.2. Smurf IP attack7.3.1.3. Ping of Death7.3.1.4. Botnets7.3.2. Targeted hacks/espionage7.3.2.1. Intelligence gathering7.3.2.2. Active scanning7.3.2.3. Exploitation7.3.2.4. Maintaining access7.4. Internal Threat Overview7.4.1. Unintentional filesharing7.4.2. Device loss and theft7.5. Summary
III. Operating Systems and Applications
8. Windows Security
8.1. Windows Security at the Heart of the Defense8.1.1. Who would target an organization?8.1.2. Be afraid...8.1.3. Microsoft recommendations8.2. Out-of-the-Box Operating System Hardening8.2.1. Prior to system hardening8.2.2. The general process of system hardening8.2.3. Windows vulnerability protection8.2.3.1. Off-the-shelf Products8.2.3.2. Academic technologies/ideas8.2.3.2.1. Rearranging stack data locations8.2.3.2.2. Adding System Calls to the Operating System8.2.3.2.3. Use of Canary Values to Indicate Changes8.2.3.2.4. Use of safer library calls8.2.4. Windows 2003 New Installation Example8.2.5. Windows Quick-start Hardening Tips8.2.5.1. Apply patches and service packs8.2.5.2. Remove file and print sharing8.2.5.3. Port Blocking8.2.5.4. Implement strong passwords8.2.5.5. Disable unneeded services8.2.5.6. Remove Unneeded Windows Components8.2.5.7. Run Security Template8.2.6. Specifics of system hardening8.2.6.1. Do not use AUTORUN8.2.6.2. File permissions8.2.6.3. The Registry8.2.6.4. File allocation table security8.2.6.5. User groups rights8.2.6.6. Create or edit user level accounts8.2.6.7. Use good passwords8.2.7. Securing the Typical Windows Business Workstation8.2.8. Securing the Typical Windows Home System8.3. Installing Applications8.3.1. Antivirus protection8.3.2. Personal firewalls8.3.3. Secure Shell8.3.4. Secure FTP8.3.5. Pretty Good Privacy8.4. Putting the Workstation on the Network8.4.1. Test the hardened workstation8.4.2. Physical security8.4.3. Architecture8.4.4. Firewall8.4.5. Intrusion detection systems8.5. Operating Windows Safely8.5.1. Separate risky behavior8.5.2. Physical security issues8.5.2.1. Secure the workstation when not in use8.5.2.2. Keep strangers off your systems8.5.3. Configuration issues8.5.3.1. Use antivirus protection8.5.3.2. Limit user rights8.5.3.3. Manage user accounts8.5.4. Configuration Control8.5.4.1. Control users on the system8.5.4.2. Use digital certificate technology8.5.4.3. Know the software running on the workstation8.5.5. Operating issues8.5.5.1. Adhere to policies8.5.5.2. Minimize use of administrator account8.5.5.3. Enforce good data handling8.5.5.4. Avoid Viruses, Worms, and Trojan Horses8.5.5.5. Use Good Passwords8.5.5.6. Limit the use of NetBIOS8.5.5.7. Avoid NULL sessions8.5.5.8. Conduct frequent backups8.6. Upgrades and Patches8.6.1. Keep current with microsoft upgrades and patches8.6.2. Keep Current with Application Upgrades and Patches8.6.3. Keep current with antivirus signatures8.6.4. Use the Most Modern Windows Version8.7. Maintain and Test the Security8.7.1. Scan for vulnerabilities8.7.2. Test questionable applications8.7.3. Be sensitive to the performance of the system8.7.4. Replace old Windows systems8.7.5. Periodically re-evaluate and rebuild8.7.6. Monitoring8.7.7. Logging and auditing8.7.8. Clean up the system8.7.9. Prepare for the eventual attack8.8. Attacks Against the Windows Workstation8.8.1. Viruses8.8.2. Worms8.8.3. Trojan horses8.8.4. Spyware and ad support8.8.5. Spyware and 'Big Brother'8.8.6. Physical attacks8.8.7. TEMPEST attacks8.8.8. Back Doors8.8.9. Denial-of-service attacks8.8.10. File extensions8.8.11. Packet sniffing8.8.12. Hijacking and session replay8.8.13. Social engineering8.9. Summary
9. UNIX and Linux Security
9.1. The Focus of UNIX/Linux Security9.1.1. UNIX as a target9.1.1.1. Open source9.1.1.2. Easy-to-obtain operating system9.1.1.3. Network and development tools9.1.1.4. Information Exchange9.1.2. UNIX/Linux as a poor target9.1.2.1. Many versions and builds9.1.2.2. Expert users9.1.2.3. Scripts not as easily run9.1.2.4. File ownership9.1.3. Open source issues9.2. Physical Security9.2.1. Limiting access9.2.2. Detecting hardware changes9.2.3. Disk partitioning9.2.4. Prepare for the eventual attack9.3. Controlling the Configuration9.3.1. Installed packages9.3.2. Kernel configurations9.3.2.1. Kernel options9.3.2.2. Kernel Modules9.3.2.3. System calls9.3.2.4. /proc File System9.4. Operating UNIX Safely9.4.1. Controlling processes9.4.1.1. Services to avoid9.4.1.2. Useful Services9.4.1.3. Uncommon services9.4.1.4. Detecting services9.4.1.4.1. The ps command9.4.1.4.2. The netstat Command9.4.1.4.3. The nmap Command9.4.1.5. Processes controlling processes9.4.1.5.1. The init process9.4.1.5.2. The xinetd process9.4.1.5.3. The chkconfig command9.4.1.5.4. The service command9.4.2. Controlling users9.4.2.1. File permissions9.4.2.2. Set UID9.4.2.3. Chroot9.4.2.4. Root access9.4.3. Encryption and certificates9.4.3.1. GNU Privacy Guard9.4.3.2. The Secure Shell program9.5. Hardening UNIX9.5.1. Configuration items9.5.2. TCP wrapper9.5.3. Checking strong passwords9.5.4. Packet filtering with iptables9.5.4.1. Blocking incoming traffic9.5.4.2. Blocking outgoing traffic9.5.4.3. Logging blocked traffic9.5.4.4. Advanced blocking techniques9.6. Summary
10. Web Browser and Client Security
10.1. Web Browser and Client Risk10.1.1. Privacy vs. security10.1.2. Web browser convenience10.1.3. Web browser productivity and popularity10.1.4. Web browser evolution10.1.5. Web browser risks10.1.6. Issues working against the attacker10.2. How a Web Browser Works10.2.1. HTTP, the browser protocol10.2.2. Cookies10.2.3. Maintaining state10.2.4. Caching10.2.5. Secure Socket Layer/ Transport Layer Security10.2.5.1. A typical SSL session10.2.5.2. SSL performance issues10.3. Web Browser Attacks10.3.1. Hijacking attack10.3.2. Replay attack10.3.3. Browser parasites10.4. Operating Safely10.4.1. Keeping current with patches10.4.2. Avoiding viruses10.4.3. Using secure sites10.4.4. Securing the network environment10.4.5. Using a secure proxy10.4.6. Avoid using private data10.4.7. General recommendations10.5. Web Browser Configurations10.5.1. Cookies10.5.2. Plugins10.5.2.1. ActiveX10.5.2.2. Java10.5.2.3. JavaScript10.5.3. Netscape-specific issues10.5.3.1. Encryption10.5.3.2. Netscape cookies10.5.3.3. History and cache10.5.4. Internet Explorer-specific issues10.5.4.1. General settings10.5.4.2. Security settings10.5.4.2.1. Internet10.5.4.2.2. Local intranet10.5.4.2.3. Trusted sites10.5.4.2.4. Restricted sites10.5.4.3. Privacy settings10.5.4.4. Content settings10.5.4.5. Advanced settings10.5.4.6. Encryption10.6. Summary
11. Web Security
11.1. What Is HTTP?11.2. How Does HTTP Work?11.2.1. HTTP implementation11.2.2. Persistent connections11.2.3. The client/server model11.2.4. Put11.2.5. Get11.2.6. HTML11.3. Server Content11.3.1. CGI scripts11.3.2. PHP pages11.4. Client Content11.4.1. JavaScript11.4.2. Java11.4.2.1. The sandbox and security11.4.2.2. Types of Java Permissions11.4.3. ActiveX11.5. State11.5.1. What is state?11.5.2. How does it relate to HTTP?11.5.3. What applications need state?11.5.4. Tracking state11.5.5. Cookies11.5.5.1. How do they work?11.5.5.2. Cookie security11.5.5.3. Where are the cookies stored?11.5.6. Web bugs11.5.7. URL tracking11.5.8. Hidden frames11.5.9. Hidden fields11.6. Attacking Web Servers11.6.1. Account harvesting11.6.1.1. Enumerating directories11.6.1.2. Investigative searching11.6.1.3. Faulty authorization11.6.2. SQL injection11.7. Web Services11.7.1. Web service standards and protocols11.7.2. Service transport11.7.3. XML messaging11.7.4. Service description11.7.5. Service discovery11.8. Summary
12. Electronic mail (E-mail) Security
12.1. The E-mail Risk12.1.1. Data vulnerabilities12.1.2. Simple e-mail vs. collaboration12.1.2.1. Attacks involving malcode12.1.2.2. Privacy data12.1.2.3. Data integrity12.1.2.3.1. E-mail man-in-the-middle attacks12.1.2.3.2. E-mail replay attack12.1.2.4. The bottom line12.1.3. Spam12.1.3.1. Spam DoS12.1.3.2. Blacklisting12.1.3.3. Spam filters12.1.4. Maintaining e-mail confidentiality12.1.5. Maintaining e-mail integrity12.1.6. E-mail availability issues12.2. The E-mail Protocols12.2.1. SMTP12.2.2. POP/POP312.2.3. IMAP12.3. E-mail Authentication12.3.1. Plain login12.3.2. Login authentication12.3.3. APOP12.3.4. NTLM/SPA12.3.5. +OK logged onPOP before SMTP12.3.6. Kerberos and GSSAPI12.4. Operating Safely When Using E-mail12.4.1. Be paranoid12.4.2. Mail client configurations12.4.3. Application versions12.4.4. Architectural considerations12.4.5. SSH tunnel12.4.5.1. Establish SSH session12.4.5.2. Configure e-mail clients12.4.5.3. SSH advantages and disadvantages12.4.6. PGP and GPG12.5. Summary
13. Domain Name System
13.1. DNS Basics13.2. Purpose of DNS13.2.1. Forward lookups13.2.2. Reverse lookups13.2.3. Handling Reverse Lookups13.2.4. Alternative approaches to name resolution13.3. Setting Up DNS13.4. Security Issues with DNS13.4.1. Misconfigurations13.4.2. Zone transfers13.4.2.1. Historical problems13.4.2.2. Specifying transfer sites13.4.2.3. TSIG for requiring certificates13.4.2.4. DNS Security Extensions13.4.2.5. Zone transfer alternatives13.4.3. Predictable query Ids13.4.4. Recursion and iterative queries13.5. DNS Attacks13.5.1. Simple DNS attacks13.5.2. Cache poisoning13.6. Designing DNS13.6.1. Split DNS13.6.2. Split-split DNS13.7. Master Slave DNS13.8. Detailed DNS Architecture13.9. DNS SEC13.9.1. Trust anchors and authentication chains13.9.2. The DNS SEC lookup process13.9.3. Advantages of DNS SEC13.9.4. Disadvantages or shortfalls13.9.5. How do we implement DNS SEC?13.9.6. Scalability of DNS SEC with current internet standards13.10. Summary
14. Server Security
14.1. General Server Risks14.2. Security by Design14.2.1. Maintain a security mindset14.2.1.1. Risk-based security controls14.2.1.2. Defense in depth14.2.1.3. Keep it simple (and secure)14.2.1.4. Respect the adversary14.2.1.5. Security awareness14.2.1.6. Business impact14.2.2. Establishing a secure development environment14.2.2.1. Management14.2.2.2. Configuration Control Board14.2.2.3. Network support for development14.2.3. Secure development practices14.2.3.1. Handling data14.2.3.2. Keeping code clean14.2.3.3. Choosing the language14.2.3.4. Input validation and content injection14.2.3.4.1. Cross-site scripting14.2.3.4.2. SQL injection14.2.3.4.3. Stored procedures14.2.3.4.4. Dynamic scripting14.2.3.4.5. Screen for all unusual input14.2.3.5. Use encryption14.2.4. Test, test, test14.3. Operating Servers Safely14.3.1. Controlling the server configuration14.3.1.1. Physical security of the system14.3.1.2. Minimizing services14.3.1.3. System backups14.3.2. Controlling users and access14.3.3. Passwords14.3.4. Monitoring, auditing, and logging14.4. Server Applications14.4.1. Data sharing14.4.1.1. FTP servers14.4.1.2. LDAP14.4.2. Peer to peer14.4.3. Instant messaging and chat14.5. Multi-Level Security and Digital Rights Management14.5.1. Background14.5.2. The challenges of information control14.5.3. Building systems for information control14.6. Summary
IV. Network Security Fundamentals
15. Network Protocols
15.1. Protocols15.2. The Open Systems Interconnect Model15.3. The OSI Layers15.3.1. The Application layer15.3.2. The Presentation layer15.3.3. The Session layer15.3.4. The Transport layer15.3.5. The Network layer15.3.6. The Data Link layer15.3.7. The Physical layer15.4. The TCP/IP Model15.5. TCP/IP Model Layers15.6. Internet Protocol15.6.1. History of the Internet Protocol15.6.2. CIDR15.6.3. NAT15.6.4. IPv6 solution15.6.4.1. IPv6 multicast15.6.4.2. IPv6 anycast15.6.4.3. IPv6 address autoconfiguration15.6.4.4. IPv6 transition15.6.4.5. IPv6 header15.6.5. IPv7 and IPv8 solutions15.7. VoIP15.7.1. Using VoIP15.7.1.1. ATA15.7.1.2. IP phones15.7.1.3. Computer to computer15.7.2. The standard phone system: Circuit switching15.7.3. VoIP uses packet switching15.7.4. Deciding to use VoIP15.7.5. Security issues15.7.6. Risk factors15.7.7. Network design15.7.8. Use of softphones vs. hardware phones15.7.9. Voice and data crossover requirements15.7.10. VoIP server environments15.7.11. VoIP protocols15.7.11.1. Session-Initiated Protocol15.7.11.2. H.32315.8. Summary
16. Wireless Security
16.1. Electromagnetic Spectrum16.2. The Cellular Phone Network16.3. Placing a Cellular Telephone Call16.3.1. Cellular network evolution and transition to 4G16.3.2. System infrastructure16.3.3. Location discovery and handoff16.3.4. Synergy between local area and cellular networks16.3.5. Fault tolerance and network security16.4. Wireless Transmission Systems16.4.1. Time Division Multiple Access16.4.2. Frequency Division Multiple Access16.4.3. Code Division Multiple Access16.4.4. Wireless transmission system types16.4.4.1. Advanced Mobile Phone System16.4.5. Global System for Mobile Communications16.4.5.1. Cellular Digital Packet Data16.4.5.2. Personal Digital Cellular16.4.5.3. Total Access Communication System16.4.5.4. Nordic Mobile Telephone16.4.5.5. International Mobile Telephone Standard 200016.4.5.6. Universal Mobile Telecommunications Systems16.5. Pervasive Wireless Data Network Technologies16.5.1. Spread spectrum16.5.2. Spread spectrum basics16.5.2.1. Direct sequence spread spectrum16.5.2.2. Frequency Hopping Spread Spectrum16.5.2.3. Orthogonal Frequency Division Multiplexing16.6. IEEE Wireless LAN Specifications16.6.1. The PHY layer16.6.2. The MAC layer16.7. IEEE 802.1116.7.1. Wireless channels16.7.2. Deployment and management16.7.3. Operational features16.8. IEEE 802.11 Wireless Security16.8.1. The wireless network security stack16.8.1.1. Physical security and Wired Equivalent Privacy16.8.1.2. Extensible Authentication Protocol16.8.1.3. Key management16.8.1.4. Lightweight Extensible Authentication Protocol16.8.1.5. Tunneled TLS and Protected Extensible Authentication Protocol16.8.1.6. Wireless WAN security16.8.2. WEP16.8.2.1. WEP open authentication16.8.2.2. WEP shared key authentication16.8.3. WEP security upgrades16.8.3.1. 802.1X authentication16.8.3.2. Temporal Key Integrity Protocol16.8.3.3. Per-packet mixing function16.8.3.4. IV sequencing discipline16.8.3.4.1. Message Integrity Codes against forgery16.8.3.5. Rekeying against key reuse16.8.4. 802.11i16.8.4.1. AES Counter and Cipher-Block Chaining modes16.8.4.2. Application of AES in 802.11i16.8.4.3. Additional 802.11i capabilities16.8.4.4. Tools for testing and security wireless16.9. Bluetooth16.10. Wireless Application Protocol16.11. Future of Wireless16.11.1. Broadband wireless–Wimax16.11.2. WiMax and 3G cellular technologies16.11.3. Beyond the future: IEEE 802.2016.12. Summary
17. Network Architecture Fundamentals
17.1. Network Segments17.1.1. Public networksxs17.1.2. Semi-private networks17.1.3. Private networks17.2. Perimeter Defense17.3. Network Address Translation17.4. Basic Architecture Issues17.5. Subnetting, Switching, and VLANs17.6. Address Resolution Protocol and Media Access Control17.7. Dynamic Host Configuration Protocol and Addressing Control17.8. Zero Configuration Networks17.8.1. Details of zero configuration networks17.8.2. What is required for zero configuration networks?17.8.3. When should zero configuration networks be used?17.8.4. When should zero configuration networks not be used?17.8.5. Security issues with zero configuration networks17.8.6. Ways to exploit zero configuration networks17.9. System Design and Architecture Against Insider Threats17.9.1. Architecture and design17.10. Common Attacks17.11. Summary
18. Firewalls
18.1. Firewalls18.1.1. Packet-filtering firewalls18.1.2. Stateful packet filtering18.1.3. Proxy firewalls18.1.4. Disadvantages of firewalls18.2. Firewall rules18.2.1. Tiered architecture18.2.2. Multiple entry points18.2.3. Automated modification of rules18.2.4. Products for Managing Multiple Heterogeneous Rulesets18.2.5. Policy conflict examples in tiered architectures18.3. The Use of Personal Firewalls18.3.1. Corporate vs. home firewalls18.3.2. Iptables18.3.2.1. Blocking incoming traffic18.3.2.2. Blocking outgoing traffic18.3.2.3. Logging blocked traffic18.3.2.4. Advanced blocking techniques18.4. Summary
19. Intrusion Detection/Prevention
19.1. Intrusion Detection Systems19.1.1. Types of intrusion detection systems19.1.1.1. Host-based intrusion detection systems19.1.1.2. Network-based intrusion detection systems19.1.1.3. Intrusion prevention systems19.1.2. Methods and modes of intrusion detection19.1.2.1. Anomaly detection19.1.2.2. Pattern matching or misuse detection19.1.2.3. Detection issues19.2. Responses to Intrusion Detection19.3. Emerging Technologies in Intrusion Detection Systems19.3.1. Packet inspection methods19.3.2. Current packet inspection methods19.3.3. Emerging packet inspection methods19.3.3.1. Standards compliance19.3.3.2. Protocol anomaly detection19.3.3.3. Detecting malicious data19.3.3.4. Controlling operations19.3.3.5. Content matching19.3.4. Emerging security architecture and hardware19.3.5. Next generation packet inspection19.3.5.1. What's next in anomaly detection?19.3.5.2. Intrusion prevention19.4. Summary
V. Communication
20. Secret Communication
20.1. What is Cryptography?20.1.1. Why is crypto important?20.1.1.1. When is crypto good?20.1.1.2. When is crypto bad?20.1.2. Goals of Cryptography20.1.2.1. Confidentiality20.1.2.2. Integrity20.1.2.3. Availability20.1.3. Sub-goals20.1.3.1. Authentication20.1.3.2. Non-repudiation20.2. General Terms20.3. Principles of Cryptography20.3.1. You can't prove something is secure, only that it's not secure20.3.2. Algorithms and implementations aren't the same20.3.3. Never trust proprietary algorithms20.3.4. Strength of algorithm is based on secrecy of the key, not the algorithm20.3.5. Cryptography is more than SSL20.3.6. Cryptography must be built in – like electricity20.3.7. All cryptography is crackable; it's just a matter of time20.3.8. Secure today does not mean secure tomorrow20.4. Historic Cryptography20.4.1. Substitution ciphers20.4.1.1. Vigenere cipher20.4.1.2. XOR and random number generators20.4.2. Ciphers that shaped history20.5. The Four Cryptographic Primitives20.5.1. Random number generation20.5.1.1. Algorithms for pseudorandom number generation20.5.1.2. Using user input to generate numbers20.5.1.3. Whitening functions20.5.1.4. Cast Introduction20.5.2. Symmetric Encryption20.5.2.1. Stream ciphers20.5.2.2. Block ciphers20.5.2.3. Sharing keys20.5.3. Asymmetric encryption (two-key encryption)20.5.3.1. Using a certificate authority20.5.3.2. Using a web of trust20.5.4. Digital signatures20.5.5. Hash functions20.5.5.1. Keyed hash functions20.6. Putting These Primitives Together to Achieve CIA20.7. The Difference Between Algorithm and Implementation20.7.1. Difference between cryptographic primitives and protocols20.8. Proprietary Versus Open Source Algorithms20.9. Attacks on Hash Functions20.9.1. Attacks on MD420.9.2. Attacks on MD520.9.3. Attacks on SHA-020.9.4. Attacks on SHA-120.9.5. The future of hash functions20.10. Quantum Cryptography20.10.1. Quantum bits and quantum computation20.10.1.1. Secure communication channel20.10.1.2. Fast factoring of large composites20.10.2. Passwords are obsolete20.10.3. Pass phrases20.10.3.1. Secure tokens20.10.3.2. Biometrics20.10.4. Malicious uses of encryption20.10.4.1. Blackmail (encrypting a hard disk, then paying for it to be decrypted)20.10.4.2. Encryption in worms20.11. Summary
21. Covert Communication
21.1. Where Hidden Data Hides21.2. Where Did It Come From?21.3. Where Is It Going?21.4. Overview of Steganography21.4.1. Why do we need steganography?21.4.2. Pros of steganography21.4.3. Cons of steganography21.4.4. Comparison to other technologiesxs21.4.4.1. Trojan horses21.4.4.2. Covert channels21.4.4.3. Easter eggs21.5. History of Steganography21.5.1. Using steganography in the fight for the Roman Empire21.5.2. Steganography during war21.5.2.1. Hiding within ships21.5.2.2. Using steganography in conjunction with the environment21.6. Core Areas of Network Security and Their Relation to Steganography21.6.1. Confidentiality21.6.2. Integrity21.6.3. Availability21.6.4. Additional goals of steganography21.6.4.1. Survivability21.6.4.2. No detection21.6.4.3. Visibility21.7. Principles of Steganography21.8. Steganography Compared to Cryptography21.8.1. Protecting your ring example21.8.2. Putting all of the pieces together21.9. Types of Steganography21.9.1. Original classification scheme21.9.1.1. Insertion-based Steganography21.9.1.2. Algorithmic-based steganography21.9.1.3. Grammar-based steganography21.9.2. New classification scheme21.9.2.1. Insertion21.9.2.2. Substitution21.9.2.3. Generation21.9.3. Color tables21.10. Products That Implement Steganography21.10.1. S-Tools21.10.2. Hide and Seek21.10.3. Jsteg21.10.4. EZ-Stego21.10.5. Image Hide21.10.6. Digital Picture Envelope21.10.7. Camouflage21.10.8. Gif Shuffle21.10.9. Spam Mimic21.11. Steganography Versus Digital Watermarking21.11.1. What is digital watermarking?21.11.2. Why do we need digital watermarking?21.11.3. Properties of digital watermarking21.12. Types of Digital Watermarking21.12.1. Invisible watermarking21.12.2. Visible watermarking21.13. Goals of Digital Watermarking21.14. Digital Watermarking and Stego21.14.1. Uses of digital watermarking21.14.2. Removing digital watermarks21.15. Summary
22. Applications of Secure/Covert Communication
22.1. E-mail22.1.1. POP/IMAP protocols22.1.2. Pretty Good Privacy22.1.3. Kerberos22.2. Authentication Servers22.3. Working Model22.4. Public Key Infrastructure22.4.1. Public and private keys22.4.1.1. Confidentiality22.4.1.2. Digital signature22.4.1.3. Non-repudiation22.4.2. Key management22.4.3. Web of trust22.5. Virtual Private Networks22.5.1. Design issues22.5.2. IPSec-based VPN22.5.3. IPSec header modes22.5.3.1. Authentication Header22.5.3.2. Encapsulating Security Payload22.5.4. PPTP/PPP-based VPNs22.5.5. Secure Shell22.6. Secure Sockets Layer/Transport Layer Security22.7. SSL Handshake22.8. Summary
VI. The Security Threat and Response
23. Intrusion Detection and Response
23.1. Intrusion Detection Mechanisms23.1.1. Antivirus approaches23.1.1.1. Virus scanners23.1.1.2. Virus prevention23.1.2. Intrusion detection and response23.1.2.1. Network-based IDSs23.1.2.2. Host-based IDSs23.1.2.3. Signature-based IDSs23.1.2.4. Statistical anomaly-based IDSs23.1.3. IDS issues23.2. Honeypots23.2.1. Purposes23.2.1.1. Preventing attacks23.2.1.2. Detecting attacks23.2.1.3. Responding to attacks23.2.2. Honeypot categories23.2.2.1. Low-interaction honeypots23.2.2.2. High-interaction honeypot23.2.3. When to use a honeypot23.2.4. When not to use a honeypot23.2.5. Current solutions23.2.5.1. Honeyd23.2.5.2. Honeynet Project23.3. Incident Handling23.3.1. CERT/CC practices23.3.1.1. Establishing response policies and procedures23.3.1.2. Preparing to respond to intrusions23.3.1.3. Analyzing all available information23.3.1.4. Communicating with all parties23.3.1.5. Collecting and protecting information23.3.1.6. Applying short-term containment solutions23.3.1.7. Eliminating all means of intruder access23.3.1.8. Returning systems to normal operation23.3.1.9. Identifying and implementing security lessons learned23.3.2. Internet Engineering Task Force guidance23.3.3. Layered security and IDS23.3.4. Computer Security and Incident Response Teams23.3.4.1. CERT/CC23.3.4.2. FedCIRC23.3.4.3. FIRST23.3.5. Security incident notification process23.3.6. Automated notice and recovery mechanisms23.4. Summary
24. Digital Forensics
24.1. Computer Forensics Defined24.2. Traditional Computer Forensics24.2.1. Evidence collection24.2.2. Chain of evidence/custody24.2.3. Acquisitions24.2.3.1. Mirror image24.2.3.2. Forensic duplication24.2.3.3. Live acquisition24.2.3.4. Acquisition storage media24.2.3.5. Volatile information24.2.3.6. Analysis24.2.3.7. Limited examination24.2.3.8. Partial examination24.2.3.9. Full examination24.2.3.10. Documentation24.2.3.11. Evidence retention24.2.3.12. Legal closure24.2.3.13. Civil24.2.3.14. Criminal24.3. Proactive Forensics24.3.1. Methods of proactive forensics24.3.2. An ideal proactive forensics system24.4. Future Research Areas24.5. The Forensic Life Cycle24.6. Summary
25. Security Assessments, Testing, and Evaluation
25.1. Information Assurance Approaches and Methodologies25.1.1. The Systems Security Engineering Capability Maturity Model25.1.2. NSA Infosec Assessment Methodology25.1.3. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)25.1.4. Federal Information Technology Security Assessment Framework25.2. Certification and Accreditation25.2.1. NIACAP25.2.1.1. The Four Phases of NIACAP25.2.1.2. Roles of NIACAP25.2.2. DITSCAP25.2.2.1. The four phases of DITSCAP25.2.2.2. Roles of DITSCAP25.3. DIACAP25.3.1.25.3.1.1. The five phases of DIACAP25.3.1.2. DIACAP challenges25.3.2. Comparison and inclusion of other vehicles25.4. Federal Information Processing Standard 10225.5. OMB Circular A-13025.6. The National Institute of Standards and Technology Assessment Guidelines25.6.1. SP 800-1425.6.2. SP 800-2725.6.3. SP 800-3025.6.3.1. Risk Assessment25.6.3.2. Risk mitigation25.6.3.3. Evaluation and assessment25.6.3.4. Residual risk25.6.4. SP 800-6425.7. Penetration Testing25.7.1. Internal penetration test25.7.2. External penetration test25.7.3. Full knowledge test (white-box test)25.7.4. Partial knowledge test (gray-box test)25.7.5. Zero knowledge test (black-box test)25.7.6. Closed-box test25.7.7. Open-box test25.8. Auditing and Monitoring25.8.1. Auditing25.8.1.1. Standards25.8.1.2. The audit process25.8.2. Monitoring25.9. Summary
VII. Integrated Cyber Security
26. Validating Your Security
26.1. Overview26.1.1. Penetration test26.1.2. Security assessment26.2. Current State of Penetration Testing26.2.1. Current penetration testing flow26.2.2. Automated vulnerability scanners vs. manual penetration testing26.3. Formal Penetration Testing Methodology26.3.1. Pre-attack phase26.3.1.1. Defining scope of assessment26.3.1.2. Discovery/information gathering26.3.1.3. Enumeration/scanning26.3.1.4. Vulnerability mapping26.3.2. Attack phase26.3.2.1. Gaining access26.3.2.2. Escalating privileges26.3.2.3. Repeating steps26.3.3. Post-attack phase26.3.3.1. Restoring compromised systems26.3.3.2. Analyzing results26.3.3.3. Compiling data into comprehensive report26.4. Steps to Exploiting a System26.4.1. Passive reconnaissance26.4.2. Active reconnaissance26.4.3. Exploiting the system26.4.3.1. Gaining access26.4.3.1.1. Operating system attacks26.4.3.1.2. Application-level attacks26.4.3.1.3. Scripts and sample program attacks26.4.3.1.4. Misconfiguration attacks26.4.3.2. Elevating privileges26.4.3.3. Denial of service26.4.4. Uploading programs26.4.5. Keeping access: Back doors and Trojans26.4.6. Covering one's tracks26.5. Summary
27. Data Protection
27.1.27.1.1. Identifying and classifying sensitive data27.1.2. Creating a data usage policy27.1.3. Controlling access27.1.4. Using encryption27.1.5. Hardening endpoints and network infrastructure27.1.6. Physically securing the work environment27.1.7. Backing up data27.1.8. Improving education and awareness27.1.9. Enforcing compliance27.1.10. Validating processes27.2. Endpoint Security27.2.1. Hardening the OS baseline27.2.1.1. Windows27.2.1.2. Linux27.2.2. Patch management27.2.3. Automated tools27.2.3.1. Antivirus27.2.3.2. Personal firewall27.2.3.3. Host IDS/IPS27.2.3.4. Anti-spyware/adware tools27.2.3.5. Centralized security management console27.2.4. Client access controls27.2.5. Physical security27.2.6. Vulnerability assessments27.2.7. Endpoint policy management/enforcement27.2.7.1. User education27.2.7.2. Remote access27.2.7.3. Virtual machines27.2.7.4. NAC27.3. Insider Threats and Data Protection27.4. Summary
28. Putting Everything Together
28.1. Critical Problems Facing Organizations28.1.1. How do I convince managers that security is a problem and that they should spend money on it?28.1.2. How do I keep up with the increased number of attacks?28.1.3. How do you make employees part of the solution and not part of the problem?28.1.4. How do you analyze all the log data?28.1.5. How do I keep up with all of the different systems across my enterprise and make sure they are all secure?28.1.6. How do I know if i am a target of corporate espionage or some other threat?28.1.7. Top 10 common mistakes28.2. General Tips for Protecting a Site28.2.1. Defense in Depth28.2.2. Principle of least privilege28.2.3. Know what is running on your system28.2.4. Prevention is ideal, but detection is a must28.2.5. Apply and test patches28.2.6. Regular checks of systems28.3. Security Best Practices28.3.1. Create security policy statements28.3.2. Create and update the network diagram28.3.3. Place systems in appropriate areas28.3.4. Protect internal servers from outbound communications28.3.5. Assess the infrastructure28.3.6. Protect the perimeter28.3.7. Create a strong password policy28.3.8. Create good passwords28.3.9. Audit passwords28.3.10. Use strong authentication28.3.11. Remove service accounts28.3.12. Create a patching policy28.3.13. Perform regular vulnerability assessments28.3.14. Enable logging28.3.15. Review logs28.3.16. Use multiple detection methods28.3.17. Monitor outgoing communications28.3.18. Perform content inspection28.3.19. Control and monitor remote access28.3.20. Use defense in depth28.3.21. Secure communications28.3.22. Back up frequently and regularly28.3.23. Protect sensitive information28.3.24. Create and test a disaster recovery plan28.3.25. Control and monitor the physical space28.3.26. Educate users28.3.27. Don't forget about the code28.3.28. Secure UNIX systems28.3.29. Install only essential services28.3.30. Deploy single-use servers28.3.31. Perform configuration management28.3.32. Use firewalls and IDS beyond the perimeter28.3.33. Question trust relationships28.3.34. Use antivirus software28.3.35. Protect system accounts28.3.36. Name servers securely28.4. Summary
29. The Future
29.1. Approaching the Problem29.1.1. Organizational approach29.1.2. Maintaining a solid cyber-security stance29.2. Mission Resilience29.2.1. Risk29.2.2. Threats29.2.2.1. Confidentiality29.2.2.2. Integrity29.2.2.3. Availability29.2.3. Vulnerabilities29.2.4. Probability29.2.5. Impact29.2.6. Countermeasures29.2.7. Risk analysis29.2.7.1. Qualitative29.2.7.2. Quantitative29.2.7.3. Presenting your results29.3. Limiting Failure Points29.3.1. Increasing redundancy29.3.2. Controlling and limiting access29.4. Summary

Content preview from Network Security Bible, 2nd Edition

Chapter 24. Digital Forensics

IN THIS CHAPTER

Understanding what digital forensics is
Methods and types of forensics
Proper handling of evidence
Analysis of digital evidence
Legal issues involving forensics

Computers and networks are being used in almost every area of our business and life. Therefore more and more crimes are computer-based. In order to understand what has happened during a computer crime, fix the vulnerability, and possibly prosecute, it's critical to understand how to find and deal with evidence. The process of understanding and finding evidence is at the core of digital forensics and will be examined in this chapter.

Society today is more reliant on electronic information than ever before, but with this reliance comes the possibility of disaster. Most people think of a disaster as something in nature — a hurricane, earthquake, or tornado. But ask any CEO about the ramifications of a data loss or the inability to access data and you'll find they consider those to be disasters as well.

Most enterprises can't afford to have a disaster related to their data. The bottom line and customer confidence are real concerns and must be planned for in the case of a disaster. Most businesses plan for ordinary hack attacks and true natural disasters, but few are prepared for the meltdown of a critical system that's not backed up in real time. Nor are they prepared for that visit from the local FBI agent as a result of criminal activity being conducted on their networks.

Computer forensics ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780470502495Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Network Security Bible, 2nd Edition

by Eric Cole

Chapter 24. Digital Forensics

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.