Book Reviews

Submission + - The Tangled Web

brothke writes: "

In the classic poem Inferno, Dante passes through the gates of Hell, which has the inscription "abandon all hope, ye who enter here" above the entrance. After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling that writing secure web code is akin to Dante's experience.

In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take it to heart and write secure code for browsers.

The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's last book, Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users, its inherent security flaws leave the user at significant risk. The book details what developers can do to mitigate those risks.

This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.

In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have cropped up. Zalewski writes that perhaps the most striking and nontechnical property of web browsers is that most people who use them are overwhelmingly unskilled. Given that most users simply do not know enough to use the web in a safe manner, this leads to the predicament we are in now.

Zalewski then spends the remainder of the book detailing specific problems, how they are exploited, and the manner in which they can be fixed.

In chapter 2, the book details that something as elementary as the resolution of relative URLs isn't a trivial exercise. The book details how misunderstandings between application-level URL filters and the browser when handling these types of relative references can lead to security problems.

For those that want a feel for the book, chapter 3 on the topic of HTTP is available here.

Chapter 4 deals with HTML, and the book notes that HTML is the subject of a fascinating conceptual struggle, with a clash between the ideology and the reality of the on-line world. Tim Berners-Lee had the vision of a semantic web; namely, a common framework that allows data to be shared and reused across applications, companies and the entire web. The notion of a semantic web, though, has not really caught on.

Chapter 4 continues with a detailed overview of how to understand HTML parser behavior. The author writes that HTML parsers will second-guess the intent of the page developer, which can lead to security problems.

In chapter 12, the book deals with third-party cookies and notes that since their inception, HTTP cookies have been misunderstood as the tool that enables online advertisers to violate users' privacy. Zalewski observes that the public's fixation on cookies is deeply misguided. He writes that there is no doubt that some sites use cookies as a mechanism for malicious use, but that there is nothing that makes them uniquely suited for this task, as there are many other equivalent ways to store unique identifiers on visitors' computers, such as cache-based tags.

Chapter 14 details the issue of rogue scripts and how to manage them. In the chapter, the author goes slightly off-topic and asks whether the current model of web scripting is fundamentally incompatible with the way human beings work. This leads to the question of whether it is possible for a script to consistently outsmart victims simply due to the inherent limits of human cognition.

Part 3 of the book takes up the last 35 pages and is a glimpse of things to come. Zalewski optimistically writes that many of the battles being fought in today's browser war are around security, which is a good thing for everyone.

Chapter 16 deals with new and upcoming security features of browsers and details many compelling security features such as security model extension frameworks and security model restriction frameworks.

One of the more powerful frameworks the chapter deals with is the Content Security Policy (CSP) from Mozilla. CSP is meant to fix a large class of web application vulnerabilities, including cross-site scripting, cross-site request forgery and more. The book notes that as powerful as CSP is, one of its main problems is not a security one: it requires a webmaster to move all inline scripts on a web page to a separately requested document. Given that many web pages have hundreds of short scripts, this can be an overwhelmingly onerous task.

The chapter concludes with other developments such as in-browser HTML sanitizers, XSS filtering and more.

Each chapter also concludes with a security engineering cheat sheet that details the core themes of the chapter.

For anyone involved in programming web pages, The Tangled Web: A Guide to Securing Modern Web Applications should be considered required reading to ensure they write secure web code. The book takes a deep look at the core problems with various web protocols, and offers effective methods in which to mitigate those vulnerabilities.

Michal Zalewski brings his extremely deep technical understanding to the book and combines it with a most readable style. The book is an invaluable resource and provides a significant amount of information needed to write secure code for browsers. There is a huge amount of really good advice in this book, and for those that are building web applications, it is hoped this is a book they read.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know."
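The relative-URL point from the chapter 2 discussion, as an added example that is not code from the book or from this review: an application-level filter that inspects the raw reference string reaches a different verdict from the browser, which first resolves the reference against the page URL and only then fetches it. The check therefore has to run on the resolved URL. The page URL, the allowed host and the sample references are constructed; the resolution step is Python's standard-library urljoin, which implements the RFC 3986 algorithm.

```python
# Added example (not from the book or this review): resolve a relative
# reference the way a browser does before deciding whether to allow it.
from urllib.parse import urljoin, urlsplit

# Constructed sample values: the page that contains the link and the only
# host the application is willing to let a link point at.
BASE = "https://app.example/docs/page.html"
ALLOWED_HOST = "app.example"


def naive_filter(ref: str) -> bool:
    """Looks only at the raw string: allows anything that does not spell out
    a scheme. This is the kind of application-level check that disagrees
    with what the browser ends up requesting."""
    return "://" not in ref


def browser_resolves(ref: str, base: str = BASE) -> str:
    """The URL the browser will actually request: RFC 3986 resolution of the
    reference against the page URL (urljoin implements that algorithm)."""
    return urljoin(base, ref)


def resolved_filter(ref: str, base: str = BASE) -> bool:
    """Resolve first, then decide on the result: scheme and host of the URL
    the browser will fetch, not the text the author typed."""
    target = urlsplit(browser_resolves(ref, base))
    return target.scheme == "https" and target.hostname == ALLOWED_HOST


# Constructed references; the comments say what the browser really fetches.
SAMPLES = [
    "help.html",                 # https://app.example/docs/help.html
    "/images/a.png",             # https://app.example/images/a.png
    "//cdn.other.example/x.js",  # scheme-relative: https://cdn.other.example/x.js
    "../../../etc/passwd",       # dot segments collapse: https://app.example/etc/passwd
    "javascript:void(0)",        # a different scheme; not resolved at all
    "HTTPS://APP.EXAMPLE/x",     # same site, only the letter case differs
]


def compare(refs=SAMPLES, base: str = BASE) -> list:
    """Rows of (reference, resolved URL, naive verdict, resolved verdict)."""
    return [(r, browser_resolves(r, base), naive_filter(r), resolved_filter(r, base))
            for r in refs]


if __name__ == "__main__":
    for ref, url, naive, resolved in compare():
        flag = "" if naive == resolved else "   <-- filters disagree"
        print(f"{ref:27} -> {url:38} naive={naive!s:5} resolved={resolved!s:5}{flag}")
```

The two filters disagree in both directions: the scheme-relative reference and the javascript: reference pass the string check but leave the allowed origin once resolved, while the upper-case same-site URL is blocked by the string check and accepted after resolution. Whatever policy the application enforces, it should be evaluated against the output of the same resolution the browser performs.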
Book Reviews

Submission + - Defense against the Black Arts

brothke writes: "

If there ever was a book that should not be judged by its title, Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It is that book.

According to Wikipedia, black art can refer to:

art forms by persons of African descent

black magic

optical effect in stage magic

process that is mysterious or difficult to master or describe

Even if one uses the definition in The New Hacker's Dictionary of "a collection of arcane, unpublished, and (by implication) mostly ad-hoc techniques developed for a particular application or systems area", that really does not describe this book.

The truth is that hacking is none of the above. If anything, it is a process that is far from mysterious, and rather easy to describe. With that, the book does a good job of providing the reader with the information needed to run a large set of hacking tools.

Defense against the Black Arts is another in the line of hacking overview books that started with the first edition of Hacking Exposed. Like Hacking Exposed, the book walks the reader through the process of how to use hacking tools and how to make sense of their output.

Defense against the Black Arts is written for the reader with a good technical background who is looking for a nuts and bolts approach to ethical hacking. Its 14 chapters provide a comprehensive overview of the topic, with an emphasis on Windows.

But for those looking for an introductory text, this is not the best choice out there. The book is written for the reader that needs little hand-holding. This is in part due to its somewhat rough-around-the-edges text and the use of more advanced hacking tools and techniques.

By page 4, the author has the reader downloading BackTrack Linux. BackTrack is an Ubuntu distro which has a focus on digital forensics and penetration testing. BackTrack is currently in a 5 R1 release, based on Ubuntu 10.04 LTS and Linux kernel. BackTrack comes with a significant amount of security and hacking tools preloaded, which the authors reference throughout the book.

After showing how to install BackTrack, chapter 1 shows how to log into Windows without knowing the password. Much of that is around the Kon-Boot tool, which allows you to change the contents of the Windows kernel in order to bypass the administrator password. Tools like Kon-Boot though will only work when you have physical access to the machine.

Chapter 3 gets into the details of digital forensics and highlights a number of popular tools for forensic imaging. While the book provides a good overview of the topic, those looking for the definitive text on the topic should read Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet.

Chapter 5 deals with web application penetration testing. The authors describe a number of tools that can be used to assess the security of web sites, and offer ways to attempt to manipulate data from a web page or web application.

One is likely hard pressed to find a large web site that will be vulnerable to such web attacks, given that most of them have already checked for those errors via validation control testing. Smaller vendors may not be so proactive, and find out that those $99 items are being sold for .99 cents. With that, the chapter details a number of tools developers can use to test for SQL injection, XSS and other types of web vulnerabilities.

Chapter 8 is about capturing network traffic. There are two perspectives to collecting traffic. For the attacker, it is about identifying holes and avenues for attack. For those trying to secure a network, collecting network traffic is an exercise in identifying, thwarting and defending the network against attacks.

Chapter 10 provides a brief overview of Metasploit. For those looking for a comprehensive overview of Metasploit, Metasploit: The Penetration Tester's Guide is an excellent resource. This chapter, like many of the others, provides the reader with detailed step-by-step instructions, including screen prints, on how to use the specific tool at hand.

Chapter 11 provides a long list of attack and defense tools that can be used as a larger part of a penetration tester's toolkit.

Chapter 12 is interesting in that it details how social engineering can be used. The authors show how public domain tools like Google Maps can be used to mount an attack.

Chapter 13 – Hack the Macs – is one of the shorter chapters in the book and should really be longer. One of the reasons pen testers are increasingly using Macs is that the newer Macs run on the Intel platform, and can run and emulate Windows and Linux. The increasing number of tools for the Mac, and significant Mac vulnerabilities, mean that the Mac will increasingly be used and abused in the future.

Just last week, Dr. Mich Kabay wrote in Macintosh Malware Erupts that malware specifically designed for the Mac is on the rise. This is based on progressively more serious malware for the Mac since 2009, given that Apple products have been increasing their market share for laptops and workstations, but especially for tablets and phones.

The article notes that one of the reasons Mac OS X is perceived as superior to Windows is because of its appearance of having integrated security. But although the design may be sound, the operating system does not prevent people from being swayed into thinking that the malicious software they are downloading is safe. With that, Apple will have to concentrate more on security and vulnerability within their operating system.

The book ends with about 30 pages on wireless hacking. The chapter provides an overview of some of the weaknesses in Wi-Fi technology and how they can be exploited. The chapter focuses on the airmon tool, part of BackTrack that you can use to set your wireless adapter into monitor mode, to see all of the traffic traversing the wireless network.

Overall, Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It is a really good reference for someone experienced in the topic who wants to improve their expertise.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know."
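The "$99 items sold for .99 cents" scenario from the chapter 5 discussion, as an added example that is not code from the book or from this review: the only reason a shopper can set the price is that the server reads the price back out of the form it sent to the browser. The vulnerable handler is shown beside a hardened one that takes nothing but an item code and a quantity from the client. The catalog, the handler names and the three form submissions are constructed sample data.

```python
# Added example (not from the book or this review): a checkout total that
# trusts the submitted form, beside one that looks the price up server-side.
from decimal import Decimal

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {
    "WIDGET-99": Decimal("99.00"),
    "CABLE-12": Decimal("12.50"),
}
MAX_QTY = 100


class OrderError(ValueError):
    """Raised when a submission is rejected by validation."""


def total_vulnerable(form: dict) -> Decimal:
    """'Before' form: multiplies whatever price and quantity the browser sent.
    The price usually travels in a hidden input, so anyone who edits the
    request before it leaves the browser chooses what to pay."""
    return Decimal(form["price"]) * int(form["qty"])


def total_hardened(form: dict) -> Decimal:
    """'After' form: the client may only name an item and a quantity; the price
    comes from the catalog and the quantity is checked for type and range."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise OrderError(f"unknown item {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise OrderError("quantity must be an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise OrderError(f"quantity {qty} out of range 1..{MAX_QTY}")
    return CATALOG[sku] * qty


# Constructed submissions: HONEST is what the page generates; TAMPERED and
# NEGATIVE are the same form after its fields have been edited by the client.
HONEST = {"sku": "WIDGET-99", "qty": "1", "price": "99.00"}
TAMPERED = {"sku": "WIDGET-99", "qty": "1", "price": "0.99"}
NEGATIVE = {"sku": "WIDGET-99", "qty": "-3", "price": "99.00"}


def outcomes(form: dict) -> tuple:
    """(vulnerable total, hardened total or the rejection message) for a form."""
    try:
        hardened = total_hardened(form)
    except OrderError as exc:
        hardened = f"rejected: {exc}"
    return total_vulnerable(form), hardened


if __name__ == "__main__":
    for name, form in (("honest", HONEST), ("tampered", TAMPERED), ("negative", NEGATIVE)):
        vulnerable, hardened = outcomes(form)
        print(f"{name:9} vulnerable={vulnerable!s:>8}  hardened={hardened}")
```

The negative-quantity case is included because it is the same defect seen from the other side: a server that multiplies unvalidated numbers can be talked into a refund just as easily as into a discount. The validation control testing the review mentions is exactly the exercise of submitting forms like TAMPERED and NEGATIVE against a staging copy of the application and confirming the server answers the way total_hardened does.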
Book Reviews

Submission + - The CERT Oracle Secure Coding Standard for Java

brothke writes: "

It has been a decade since Oracle started their "unbreakable" campaign touting the security robustness of their products. Aside from the fact that unbreakable only refers to the enterprise kernel, Oracle still can have significant security flaws.

Even though Java supports very strong security controls including JAAS (Java Authentication and Authorization Services), it still requires a significant effort to code Java securely.

With that, The CERT Oracle Secure Coding Standard for Java is an invaluable guide that provides the reader with the strong coding guidelines and practices in order to reduce coding vulnerabilities that can lead to Java and Oracle exploits.

The book is from CERT, and like other CERT books, provides both the depth and breadth necessary to gain mastery on the topic.

The first 100 pages of the book are available here. After reading it, you will be likely to want to see the next 650 pages.

This book provides a set of guidelines for secure programming in Java SE 6 and 7 environments. It is primarily targeted at software developers and computer security practitioners. While Java is inherently designed to be relatively secure as compared with other languages, it requires the developer to understand the security controls and language features thoroughly before he can implement them correctly. The book illustrates insecure coding practices and suggests corresponding safe alternatives to enable a developer to have an optimal blueprint.

Software developers are constantly under pressure to accommodate feature requests and have to strike a fine balance between enhancing delivery excellence and releasing a software product in consonance with deadlines. At the same time they routinely tackle technical challenges and often document their experience for the benefit of others. This book is one such effort, in that, several programmers and reviewers have contributed the contents. It encourages a developer to think beyond programming logic and enables him to produce clear, concise, maintainable and secure code – a mandatory requirement for today's dynamic software industry which is plagued by a spectrum of security threats and attritions.

This book isn't for a Java beginner. The introductory chapter expects an intermediate or seasoned Java professional to identify the gamut of security vulnerabilities that frequently manifest in code and design. The chapter briefly explains injection attacks, unintended information disclosure, denial of service and issues involving concurrency and class loaders. Summary tables have been provided to assist the reader to easily locate representative secure coding rules for each category.

The examples presented primarily encompass the lang and util libraries of Java SE and also cover collections, concurrency, logging, management, reflection, regex, zip, I/O, JMX, JNI, math, serialization and JAXP libraries. No particular Java platform or technology has been favoured; the set of rules is generic and independent of whether a mobile, enterprise, desktop or web application is being developed.

Notably, the layout enables the practitioner to pick up any chapter or rule at random without requiring him to read the preceding pages. Each rule has a short description of a unique problem and one or more noncompliant and compliant code examples. Risk assessment and references to other coding standards along with bibliography are also provided.

Unfortunately, the suggested tips for automatic detection of described problems aren't very practical because no automated bug detection tools have been vetted. Some rules also have a related vulnerabilities section that preys on weaknesses in commonplace software in context of the described problem.

Chapter 2 focuses on input validation and data sanitization. It highlights attacks such as SQL, XML, and OS injection and XML External Entity (XXE) and suggests corresponding mitigation techniques. It mentions but doesn't elaborate on web-based attacks such as cross-site scripting and CSRF, to avoid being too domain specific. The chapter advises developers to normalize strings, canonicalize and validate path names, refrain from logging unsanitized input, use appropriate internationalization and globalization APIs, avoid string encoding misgivings and other issues.

Chapters 3, 4 and 5 deal with declarations and class initialization, expressions, and numeric operations respectively. Dangers of auto-boxing, side-effects in assertions, integer overflow, and vagaries of floating point arithmetic are discussed at length.

The examples are short, to the point and intellectually challenging for the advanced reader. For example, one rule – don't use denormalized numbers – dissects a vulnerability in Java 1.6 and earlier that allows an attacker to perform a denial of service attack by sending a crafted input to the JVM.

The book devotes a chapter to object-oriented programming and stresses on limiting extensibility of classes, encapsulating data, ensuring that code refactoring doesn't result in broken class hierarchies, using generics for fun and profit and so on.

Another chapter discusses Java methods; for example, one rule suggests that subclasses mustn't increase the accessibility of an overridden method. There is some useful information about using methods of the Object class properly. This information is standard advice that can also be found in other books. This book offers all that and more. For example, one rule documents a convincing and exhaustive list of reasons why you shouldn't use finalizers.

The book also highlights misconstrued exception handling practices through examples akin to the shortcuts programmers invent, to save themselves from the trouble of having to handle exceptions. It explains why doing that can be insidious. Information disclosure arising from ill-conceived exception handling strategies is also discussed. Some may disagree with the advice on the pretext that exception handling when done the right way leads to unreadable code, however, the features presented from Java 7 convincingly offer a middle path. Further, when compliance with a certain rule is believed to be challenging and costly, the standard allows documented deviations and even lists valid exceptions for each rule.

Chapters 9, 10, 11, 12 and 13 are reserved for concurrency related issues. There are more than 30 rules in these chapters; the set could qualify as a handbook of concurrency issues and solutions. At a high level, the chapters cover visibility and atomicity, locking, thread class APIs, thread pools and thread safety in multithreaded Java programs. The chapters don't assume that the reader has any familiarity with multithreaded programming.

The next few chapters highlight input-output (I/O) risks such as working with shared directories, using files securely, closing resource handles properly, serialization and more. The book doesn't assume that the reader has a sophisticated background in serialization and builds from the basics. It cites examples of vulnerabilities that necessitate understanding the role of serialization.

A chapter on platform security follows, and is meant for advanced Java users. This chapter leads to another on runtime environment that cautions against signing code, granting permissions frivolously and permitting insecure deployment configurations. The final chapter captures miscellaneous rules that forbid hardcoding sensitive information, leaking memory, generating weak random numbers and writing insecure singletons among other topics.

Many other leading security standards delineate high-level measures that must be taken to ensure compliance but most fall short of prescribing the exact recipe to get there. This book fills that gap by approaching security from the ground-zero level upwards. However, it doesn't clearly specify to what extent the rules will help organizations meet the compliance goals proposed by other security standards. All the same, the eighteen crisp chapters of this book undeniably have the potential to help the software developer win the battle against software insecurity on his own terms.

For those using Java on Oracle and hoping to build secure applications, The CERT Oracle Secure Coding Standard for Java is a very useful resource that no programmer should be without.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know."
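Two of the chapter 2 rules the review names, normalize strings before validating them and canonicalize path names before validating them, as an added example that is not code from the book (whose rules are stated for Java) or from this review; the rules are language-independent and are shown here in Python with the standard library only. The base directory, the fullwidth-bracket string and the sample paths are constructed.

```python
# Added example (not from the book or this review): the chapter 2 rules
# "normalize before validating" and "canonicalize path names before
# validating", shown in Python with the standard library only.
import os
import unicodedata

# Constructed: the only directory from which the application may serve files.
BASE_DIR = "/srv/app/uploads"


def validate_then_normalize(s: str) -> str:
    """Wrong order. The check sees no '<' in the fullwidth form, and the
    normalization that follows produces exactly the character it rejected."""
    if "<" in s or ">" in s:
        raise ValueError("angle brackets not allowed")
    return unicodedata.normalize("NFKC", s)


def normalize_then_validate(s: str) -> str:
    """Right order: normalize first, so the validator sees the same text that
    later stages of the application will see."""
    normalized = unicodedata.normalize("NFKC", s)
    if "<" in normalized or ">" in normalized:
        raise ValueError("angle brackets not allowed")
    return normalized


def safe_path(user_supplied: str, base_dir: str = BASE_DIR) -> str:
    """Canonicalize (collapse '.' and '..', resolve symlinks that exist), then
    validate that the result is still inside base_dir. Searching the raw
    string for '..' instead is fragile: absolute paths, encodings and
    symlinks all get past it."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{user_supplied!r} escapes {base_dir}")
    return candidate


# Constructed inputs. U+FF1C and U+FF1E are the fullwidth angle brackets;
# NFKC maps them to ASCII '<' and '>'.
FULLWIDTH = "\uff1cb\uff1ebold\uff1c/b\uff1e"
PATHS = ["reports/q1.txt", "../../etc/passwd", "/etc/passwd", "a/./b/../c.txt"]


def check_paths(paths=PATHS, base_dir: str = BASE_DIR) -> dict:
    """Map each input to its canonical path or to the rejection message."""
    out = {}
    for p in paths:
        try:
            out[p] = safe_path(p, base_dir)
        except ValueError as exc:
            out[p] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    print("wrong order lets through:", validate_then_normalize(FULLWIDTH))
    try:
        normalize_then_validate(FULLWIDTH)
    except ValueError as exc:
        print("right order rejects:", exc)
    for p, result in check_paths().items():
        print(f"{p:18} -> {result}")
```

The path check compares the canonical candidate against the canonical base with commonpath rather than with a string prefix, so a sibling directory whose name merely starts with the base name is not mistaken for a child of it. The same ordering principle applies to both halves: transform the input into the form the rest of the program will operate on, and validate that form.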
Book Reviews

Submission + - Securing the Clicks Network Security in the Age of Social Media

brothke writes: "

In the book Digital Assassination: Protecting Your Reputation, Brand, or Business Against Online Attacks, it states that businesses that take days to respond to social media issues are way behind the curve. Social media operates in real-time, and responses need to be almost as quick.

In a valuable new book on the topic, Securing the Clicks Network Security in the Age of Social Media, Gary Bahadur, Jason Inasi and Alex de Carvalho provide the reader with a comprehensive overview on how not to be a victim of social media based security problems.

Social media is now mainstream in corporate America, and even though it is hot, the security and privacy issues around it are even hotter. In the past, many firms simply said no to social media at the corporate level. But as Natalie Petouhoff of Weber Shandwick has observed, that will no longer work, as "social media isn't a choice anymore; it's a business transformation tool".

The main security and privacy issue around social media is that users will share huge amounts of highly confidential personal and business information with people they perceive to be legitimate. Besides that, issues such as malware, vulnerabilities (cross site scripting, cross site request forgery, etc.), corporate espionage, phishing, spear phishing and more, are just a few of the many security risks around social media that need to be taken into consideration.

In the book, the authors detail a framework for analyzing the corporate threats that arise from social media. The book uses the H.U.M.O.R. methodology (Human resources, Utilization of resources and assets, Monetary considerations, Operations management, Reputation management), a matrix that outlines a systematic approach for developing the necessary security plans, policies and processes to mitigate social media risks.

At 325 pages, the book's 5 parts and 18 chapters provide the reader with a comprehensive overview of all of the critical areas around social media security, which can be used to safeguard its assets and digital rights, in addition to defending its reputation from social network-based attacks. The book covers all of the core topic areas, from assessing social media security, to monitoring in the social media landscape, threat assessments, reputation management: strategy and collaboration and more; the authors provide the reader with an enlightening overview of all of the core areas.

In chapter 1, the authors astutely note that no company today is immune to the many threats posed by a single individual, let alone a socially engaged and networked population. No firm should engage in social media before they fully understand the security and privacy risks that are being introduced. This book not only effectually does that; it also provides an all-inclusive framework around social media security.

As to the notion of the inherent security risks around social media, this was recently proven when Chris Hadnagy (author of Social Engineering: The Art of Human Hacking, reviewed here) and James O'Gorman, in their Social Engineering Capture the Flag results from Defcon 19, observed that information leakage via social media is a difficult problem to solve due to how it is used and the frequency it is used in today's society. Having access to social media from computers and cell phones means that people can update their accounts instantaneously, from anywhere. The ease with which an employee can share data can contribute heavily to information leakage.

Chapter 4 on threat assessments provides an exhaustive list of the different types of attackers and threat vectors that need to be considered when using social media. The attacks in the social media space are often different from typical IT attacks. As to threat vectors, there are a number of different vectors, both internal and external, that can impact an organization. The chapter lists those vectors and details them.

Chapter 9 – monetary considerations: strategy and collaboration – is a fascinating chapter in that it notes that in many firms, IT security budgets have not yet clearly defined the line item for social media security. In addition, trying to retrofit the IT security budget by assuming that tools already purchased for data loss prevention will also cover social media security concerns will likely be inadequate.

Chapter 11 deals with reputation management – which has the goal to build and protect a positive Internet-based reputation, and not let it get subterfuged via social media. This is a significant issue as the risk to a firm's reputation is significant and growing with the increased use of social networks.

One very helpful feature of the book that effectively brings home the message is the numerous real-world case studies in every chapter. One fascinating example in chapter 13 is about the Cooks Source infringement controversy and the nature of how not to respond to a social media issue.

The book also lists numerous tools. Chapter 13 has a comprehensive list of monitoring tools and the appendix has a list of nearly 100 tools for activity tracking, analytics, geolocation, plagiarism checking and more. These lists are extremely helpful, and the reader can start using many of these tools to get an initial pulse on the level of security around how their firm uses social media.

Chapter 14 provides excellent guidance on how to execute social media security on a limited budget. The authors suggest the use of free or inexpensive software and other resources that can be used to help a company monitor the impact of their social media infrastructure. The chapter also details how social media security can be executed on a bigger budget, via the use of more sophisticated tools that can be used to securely manage the data flows within an organization.

It will not be long until Facebook has its 1 billionth user. Given that a New York court recently referred to a user's reasonable expectation of privacy on sites like Facebook and MySpace as wishful thinking, the importance of Securing the Clicks Network Security in the Age of Social Media can't be overemphasized.

For those firms that are looking to securely use social media, and not get abused by it, this book should be required reading.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know."
Book Reviews

Submission + - Digital Evidence and Computer Crime

brothke writes: "

When it comes to a physical crime scene and the resulting forensics, investigators can ascertain that a crime took place and gather the necessary evidence. When it comes to digital crime, the evidence is often at the byte level, deep in the magnetics of digital media, initially invisible to the human eye. That is just one of the challenges of digital forensics, where crucial evidence is easy to destroy and often difficult to preserve correctly.

For those looking for an authoritative guide, Digital Evidence and Computer Crime is an invaluable book that can be used to ensure that any digital investigation is done in a formal manner, so that its results can ultimately be used to determine what happened and, if needed, be presented as evidence in court.

Written by Eoghan Casey, a leader in the field of digital forensics, in collaboration with 10 other experts, the book's 24 chapters and nearly 800 pages provide an all-encompassing reference. Every relevant topic in digital forensics is dealt with in this extraordinary book. Its breadth makes it relevant to an extremely large reading audience: system and security administrators, incident responders, forensic analysts, law enforcement, lawyers and more.

In the introduction, Casey writes that one of the challenges of digital forensics is that the fundamental aspects of the field are still in development. Be it the terminology, tools, definitions, standards, ethics and more, there is a lot of debate amongst professionals about these areas. One of the book's goals is to assist the reader in tackling these areas and to advance the field. To that end, it achieves its goals and more.

Chapter 1 is appropriately titled Foundation of Digital Forensics, and provides a fantastic overview and introduction to the topic. Two of the superlative features in the book are the hundreds of case examples and practitioners' tips. The book magnificently integrates the theoretical aspects of forensics with real-world examples to make it an extremely readable guide.

Casey notes that one of the most important advances in the history of digital forensics took place in 2008 when the American Academy of Forensic Sciences created a new section devoted to digital and multimedia sciences. That development advanced digital forensics as a scientific discipline and provided a common ground for the varied members of the forensic science community to share knowledge and address current challenges.

In chapter 3 – Digital Evidence in the Courtroom – Casey notes that the most common mistake that prevents digital evidence from being admitted in court is that it is obtained without authorization. Generally, a warrant is required to search and seize evidence. This and other chapters go into detail on how to ensure that evidence gathered is ultimately usable in court.

Chapter 6 – Conducting Digital Investigations – is one of the best chapters in the book. Much of this chapter details how to apply the scientific method to digital investigations. The chapter is especially rich with tips and examples, which are crucial, for if an investigation is not conducted in a formal and consistent manner, a defense attorney will attempt to get the evidence dismissed.

Chapter 6 and other chapters reference the Association of Chief Police Officers' Good Practice Guide for Computer-Based Electronic Evidence as one of the most mature and practical documents to use when handling digital crime scenes. The focus of the guide is to help digital investigators handle the most common forms of digital evidence, including desktops, laptops and mobile devices.

The Good Practice Guide is important because digital evidence comes in many forms, including audit trails; application, badge reader, ISP and IDS logs; biometric data; application metadata; and much more. The investigator needs to understand how all of these work and interoperate to ensure that they are collecting and interpreting the evidence correctly.

Chapter 9 – Modus Operandi – by Brent Turvey is a fascinating overview of how and why criminals commit crimes. He writes that while technologies and tools change, the underlying psychological needs and motives of the offenders and their associated criminal behavior have not changed through the ages.

Chapter 10 – Violent Crime and Digital Evidence – is another extremely fascinating and insightful chapter. Casey writes that whatever the circumstances of a violent crime, information is key to determining and thereby understanding the victim-offender relationship, and to developing an ongoing investigative strategy. Any details gleaned from digital evidence can be important, and digital investigators must develop the ability to prioritize what can be overwhelming amounts of evidence.

Chapter 13 – Forensic Preservation of Volatile Data – deals with the age-old forensic issue: to shut down or not to shut down? It provides a highly detailed sample volatile data preservation process for an investigator to follow to preserve volatile data from a system. There is also a fascinating section on the parallels between arson and digital intrusion investigations.

Part 4 of the book is Computers, in which the authors note that although digital investigators can use sophisticated software to recover deleted files and perform advanced analysis of computer hard drives, it is important for them to understand what is happening behind the scenes. A lack of understanding of how computers function, and of the processes that sophisticated tools have automated, makes it more difficult for digital investigators to explain their findings in court and can lead to incorrect interpretations of digital evidence.

Chapter 17 – File Systems – has an interesting section on dates and times. Given the importance of dates and times when investigating computer-related crimes, investigators need an understanding of how these values are stored and converted. The chapter has a table of the date-time stamp behavior on both FAT and NTFS file systems. Time stamps are not a trivial issue, as there are many different actions (file move, deletion, copy, etc.) that can affect the date-time stamp in very different ways.
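To make the "stored and converted" point concrete, here is an added example (not from the book or the review) that decodes and encodes the two on-disk time stamp formats the chapter compares: FAT's packed 16-bit date and time words, which hold local time at 2-second resolution with no time zone, and NTFS's 64-bit FILETIME, which counts 100-nanosecond intervals since 1601-01-01 UTC. The sample stamp values are constructed for illustration, and the function names and the `utc_offset_minutes` parameter are this example's own choices; the layouts themselves are the documented formats.

```python
"""Decode, encode and compare FAT and NTFS date-time stamps (added example)."""
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: unsigned 64-bit count of 100-nanosecond intervals since
# 1601-01-01 00:00:00 UTC. Always UTC, so it converts unambiguously.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# FAT packs a date and a time into two 16-bit words:
#   date: bits 15-9 = years since 1980, bits 8-5 = month, bits 4-0 = day
#   time: bits 15-11 = hours, bits 10-5 = minutes, bits 4-0 = seconds / 2
# FAT stores *local* time with no zone information, at 2-second resolution.
FAT_EPOCH_YEAR = 1980

# Constructed sample stamps (not taken from any real evidence image):
SAMPLE_FAT = (0x3F2F, 0x73C5)         # 2011-09-15 14:30:10, local time of the recording system
SAMPLE_FILETIME = 129605706100000000  # 2011-09-15 14:30:10 UTC


def decode_fat_datetime(date_word: int, time_word: int) -> datetime:
    """Unpack FAT date/time words into a naive datetime (naive because FAT has no zone)."""
    year = FAT_EPOCH_YEAR + ((date_word >> 9) & 0x7F)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hours = (time_word >> 11) & 0x1F
    minutes = (time_word >> 5) & 0x3F
    seconds = (time_word & 0x1F) * 2
    return datetime(year, month, day, hours, minutes, seconds)


def encode_fat_datetime(dt: datetime) -> tuple:
    """Pack a datetime into FAT date/time words, truncating to 2-second resolution."""
    if not FAT_EPOCH_YEAR <= dt.year <= FAT_EPOCH_YEAR + 127:
        raise ValueError("year outside the FAT range 1980-2107")
    date_word = ((dt.year - FAT_EPOCH_YEAR) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def decode_ntfs_filetime(filetime: int) -> datetime:
    """Convert an NTFS FILETIME to an aware UTC datetime (sub-microsecond bits dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def encode_ntfs_filetime(dt: datetime) -> int:
    """Convert an aware datetime to an NTFS FILETIME."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def fat_to_utc(date_word: int, time_word: int, utc_offset_minutes: int) -> datetime:
    """Interpret a FAT stamp in the zone the recording system used and normalise to UTC.

    The offset must come from the investigation (system settings, corroborating logs);
    the stamp itself carries no zone, which is the classic FAT interpretation pitfall.
    """
    local_zone = timezone(timedelta(minutes=utc_offset_minutes))
    return decode_fat_datetime(date_word, time_word).replace(tzinfo=local_zone).astimezone(timezone.utc)


def ntfs_to_fat_drift_seconds(filetime: int, utc_offset_minutes: int) -> int:
    """Whole seconds lost when an NTFS stamp is re-expressed as a FAT stamp (0 or 1).

    Models a file copied from an NTFS volume to a FAT volume: the FAT copy's stamp can
    differ from the original by up to 2 seconds purely because of the format change.
    """
    utc = decode_ntfs_filetime(filetime)
    local_zone = timezone(timedelta(minutes=utc_offset_minutes))
    date_word, time_word = encode_fat_datetime(utc.astimezone(local_zone))
    return int((utc - fat_to_utc(date_word, time_word, utc_offset_minutes)).total_seconds())


if __name__ == "__main__":
    print("FAT  :", decode_fat_datetime(*SAMPLE_FAT), "(local, zone unknown)")
    print("NTFS :", decode_ntfs_filetime(SAMPLE_FILETIME))
    print("FAT as UTC-4:", fat_to_utc(*SAMPLE_FAT, -240))
```

The two functions at the end illustrate why the chapter's table matters: an NTFS stamp is absolute, but a FAT stamp is only meaningful once the investigator knows the zone the recording system was set to, and copying a file between the two file systems alone can shift a stamp by up to two seconds before any user action is considered.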

A better title for Digital Evidence and Computer Crime might be the Comprehensive Guide to Everything You Need to Know About Digital Forensics. One is hard pressed to find another book overflowing with so many valuable details and real-world examples.

The book is also relevant for those who are new to the field, as it provides a significant amount of introductory material that delivers a broad overview to the core areas of digital forensics.

The book progresses to more advanced and cutting-edge topics, including sections on various operating systems, from Windows and Unix to Macintosh.

This is the third edition of the book, completely updated and re-edited. When it comes to digital forensics, this is the reference guide that all books on the topic will be measured against.

With a list price of $70.00, this book is an incredible bargain given the depth and breadth of topics discussed, with each chapter written by an expert in the field. For those truly serious about digital forensics, Digital Evidence and Computer Crime is an equally serious book.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know."
Book Reviews

Submission + - Ghost in the Wires

brothke writes: "

What's the difference between Kevin Mitnick and Barack Obama? Due to Mitnick, jobs were actually created. During the 1990s when Mitnick was on the run, a cadre of people were employed to find him and track him down. Anyone who could have an angle on Mitnick was sought after by the media to provide a sound bite on the world's most dangerous computer hacker. Just one example is John Markoff, who became a star journalist for his work at The New York Times, and for a follow-up book and series of articles about Mitnick.

In Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, the first personal account of what really happened, Mitnick says most of the stories around him were the result of the myth of Kevin Mitnick, and nothing more. In the book, he attempts to dispel these myths and set the record straight.

Some of the myths were that he caused the phone of actress Kristy McNichol to be disconnected, and, perhaps the most preposterous of them all, that he could whistle into a telephone and launch missiles from NORAD. The latter myth was responsible for him spending a year in solitary confinement. Mitnick notes that he thinks the federal prosecutor got that idea from the movie WarGames.

But no one really knew Mitnick or what he was about. Left on his own, he would likely have been harmless. All he wanted to do was get into corporate sites, download code, play with the code and then move on to the next target. It is undeniable that Mitnick committed crimes, but it was not reasonable for the FBI to have made him a top priority for capture.

Perhaps the most widely stated myth about him is that he was strictly a social engineer without significant technical experience. While it was his gift for social engineering that enabled him to get a significant amount of information from unsuspecting individuals, in many places in the book Mitnick details technical Unix exploits that he carried out. The book makes it clear that Mitnick had the deep technical skills necessary to act on the information he illicitly obtained.

While the book does have a lot of technical details, it is mainly about the human side of Mitnick. Chapter 1 is appropriately titled Rough Start, and in it he details his early days growing up in the Los Angeles area.

These formative years as a hyperactive child, growing up with a single mom who had boyfriends that abused him, one of whom worked in law enforcement and molested him, may have been what led Mitnick to find solace behind a keyboard.

Mitnick writes how his first hack and entry into the world of dumpster diving was to forge bus transfers so he could ride around Los Angeles to occupy his time while his mother was at work.

In numerous places, Mitnick sincerely expresses his contrition for the pain he subjected his mother, grandmother, aunt, wife and others to.

Above and beyond his rough start, Mitnick also notes that he had his share of bad luck. He writes that too many times when he was growing up, including while dealing with various probation officers, unexplained failures in technology anywhere would be attributed to him. When his probation officer's phone went dead, he was assumed to be the culprit.

The reality is that the world did not know what to make of Mitnick or what to do with him. It is pretty clear from the book and from every other account that Mitnick was never in it for the money. He simply was a hacker whose goal was to gain root, and nothing more. Such a notion was unbelievable to law enforcement, and even to Ivan Boesky, whom Mitnick met in prison. Mitnick writes that when he briefly sat with Boesky on a prison bench and Boesky found out he did it for the hacking thrill, Boesky replied, "You're in prison and you didn't make any money. Isn't that stupid?"

It is worth pointing out that Mitnick's escapades were radically different from those of Frank Abagnale, to whom Mitnick is often compared. In Catch Me If You Can: The True Story of a Real Fake, Abagnale writes that he impersonated an airline pilot, masqueraded as the supervising resident of a hospital, practiced law without a license, passed himself off as a college sociology professor and cashed over $2.5 million in forged checks, all before he was twenty-one. For those myriad offenses, Abagnale served five years in prison, roughly the same amount of time that Mitnick served.

Chapter 31 details how Mitnick's world turned upside down and the myth of Kevin Mitnick took hold with the now infamous 1994 New York Times article by Markoff, Cyberspace's Most Wanted: Hacker Eludes F.B.I. Pursuit. Mitnick writes that the article is what put the myth of Kevin Mitnick into overdrive, and would later embarrass the FBI into making the search for him a top priority. It also provided a fictional image that would later influence prosecutors and judges into treating him as a danger to national security.

Mitnick's eventual capture is detailed in chapter 35 – Game Over. He notes that Assistant US Attorney Kent Walker made a secret arrangement to provide Tsutomu Shimomura with confidential trap-and-trace information as well as confidential information from Mitnick's FBI file. This was done so Shimomura could intercept Mitnick's communications without a warrant, under the premise that Shimomura was not assisting the agency but rather working for the ISP.

Mitnick writes that he was never charged with hacking Shimomura, as it would have exposed the gross misconduct of the FBI, who apparently violated federal wiretapping statutes in the rush to track him down.

Overall, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker is a most interesting read. While the book does go into technical details of how Mitnick carried out his attacks, editor William Simon provides the editorial assistance needed and makes the book extremely readable and enjoyable. Much of the book's readability is due to Simon, and Mitnick acknowledges this.

When a convicted felon writes a book, emotions run high. In some ways, Mitnick's story is one of redemption. He did wrong, paid his dues and is trying to move forward. Something like that should be admired. Never does Mitnick downplay his guilt or make Dan White-like excuses.

Redemption shows itself in that we live in a society where a mayor can be convicted of illegal drug possession and failure to file tax returns and pay taxes, and despite a history of political and legal controversies remain a figure of enormous popularity and influence on the local political scene of Washington D.C., and a former governor can be involved in a prostitution scandal, be forced to resign, and later join CNN as a political analyst.

But some people will never let a person like Mitnick escape his past. In his review of the book, Rich Jaroslovsky, a technology columnist for Bloomberg News, shows no sympathy for Mitnick when he pretentiously writes that "genius comes in many forms. Kevin Mitnick has at least two, neither particularly admirable".

The book ends with Mitnick's release from prison. Ghost in the Wires is a fascinating account of one of the most recognized and well-known personalities in information security.

Mitnick's years on the run were simply a media circus, and the years after his parole found the terms of his probation so restrictive that he could not touch a keyboard. Ghost in the Wires: My Adventures as the World's Most Wanted Hacker is an autobiography long in coming and worth the wait.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know."
Book Reviews

Submission + - Surveillance or Security?: The Risks Posed by New

brothke writes: "

Surveillance or Security?: The Risks Posed by New Wiretapping Technologies is a hard book to categorize. It is not about security, but it deals extensively with it. It is not a law book, but legal topics are pervasive throughout. It is not a telecommunications book, but it extensively details telco issues. Ultimately, the book is a most important overview of security and privacy and the nature of surveillance in current times.

One reason Surveillance or Security? is one of the most pragmatic books on the topic is that the author never once uses the term Big Brother. Far too many books on privacy and surveillance are filled with hysteria and hyperbole and the threat of an Orwellian society. This book sticks to the raw facts and details the current state: insecure and porous networks in a surveillance society.

In this densely packed work, Susan Landau, a fellow at the Radcliffe Institute for Advanced Study at Harvard University, details the myriad layers around surveillance, national security, information security and privacy. Landau writes that her concern is not legally authorized law enforcement and national security wiretapping, but rather the security risks of building surveillance into communications infrastructures.

Landau details numerous reasons why communications security is hard to do right, but it is an imperative for our ultimate security, privacy and digital wellbeing.

In 250 pages, Landau makes a compelling case. In addition to her superb handle on the topic, the book has over 80 pages of footnotes, where every quote, statement and claim is verified and confirmed. The book is a great launching pad for a much deeper analysis of the topic.

The main theme of the book is that digital communications have revolutionized the way in which society interacts. The Internet is now the lifeblood of many businesses and governments, including a significant part of our critical infrastructure. The fact that this infrastructure lacks comprehensive security and privacy controls is a troubling concern.

In 11 dense chapters, Landau notes that since security and privacy have not been fully integrated into this infrastructure, we are left exposed and vulnerable to cyberattacks.

In the introduction, Landau notes that with this new computing and telecommunications paradigm, the job of law enforcement has become much more challenging. In previous years, surveillance was relatively easy: once law enforcement had physical access to a phone line, they were in. Today, with cell phones, VoIP, Internet cafes, anonymizing services and more, the dynamics have changed, and this has caused quite a shock for law enforcement, who are often struggling to deal with this new paradigm.

Landau notes that the surveillance and eavesdropping technologies that have been deployed since 9/11 are being used to catch one set of enemies. But other antagonists may be poised to turn these tools against us, and we are putting into place something for our enemies to use that they could not afford to build on their own. As to this and the other difficult questions that Landau brings up, there are no simple answers.

Chapter 3 – Securing the Internet is Difficult – notes that the original creators of TCP/IP did not have security in their design. Their concerns were more along the lines of traffic breakdowns, packet loss, robustness and more, but not security and privacy. In some ways, this may have been a blessing, as Dennis Jennings, who ran the NSF program that built the NSFNET, states that "had we known what was to come, we'd have been terrified and the Internet would never have happened."

In chapter 5 – The Effectiveness of Wiretapping – Landau notes that the biggest use of wiretapping tools is not actually the capture of conversation, but something that is not really wiretapping at all: the capture of transactional information.

Chapter 7 – Who are the Intruders? What are They Targeting? – is one of the best chapters in the book. Landau details both the internal threat and industrial espionage, and it is not a pretty picture. Landau provides numerous cases where nation-states used networks, rather than people, to infiltrate US governmental, industrial and scientific interests. She notes that insider attacks are often the most difficult to detect, the reason being that insiders know the systems, know where the important data is, and know what the auditors are looking at. This ultimately makes insider attacks particularly pernicious.

So how significant are nation-states infiltrating US networks? Landau quotes a confidential government source that the NASA network was "completely open to the Chinese".

Landau makes her message loud and clear in chapter 8 when she notes that it does not help to tell people to be secure; rather security must be built into their communications systems. Security must be ubiquitous, from the phone to the central office and from the transmission of a cell phone to its base station to the communications infrastructure itself.

In chapter 9 – Policy Risks Arising from Wiretapping – Landau details how deep packet inspection (DPI) is used by ISPs. It is the ISPs who have the capability to know what you are browsing, what your email says, what your VoIP conversation contains and much more. In a short amount of time, the ISP can develop a dossier on the user, and as noted, it has the ability to amass data to an extent that the Stasi could only dream of. This surveillance ability is what is most troubling to the author.

Landau continues that the only way for a person to avoid the risk from ubiquitous uses of DPI by an ISP would be to encrypt everything. While not completely done now, Gmail and Skype do bulk encryption.

The book closes with chapter 11 – Getting Communications Security Right – and there are no easy answers. Landau notes that across the globe, there are projects on clean-slate network architectures. But our current infrastructure is quite insecure and porous.

Surveillance or Security?: The Risks Posed by New Wiretapping Technologies is an extremely important book on the topic of the many risks posed by new wiretapping technologies. Landau has the remarkable talent of taking very broad issues and detailing them in a concise, yet comprehensive manner. The book should be seen as the starting point for discussion on a most important topic.

Landau does an excellent job of detailing how unwarranted surveillance can undermine security and affect our rights, while noting that security for every citizen is paramount to the very spirit of the Constitution.

The book closes with the very principles of what it means to get communications security right, and notes that adhering to these principles cannot guarantee that we will be completely secure, but failure to adhere to them will guarantee that we will not.

As to Surveillance or Security?: The Risks Posed by New Wiretapping Technologies, required reading it is, but that term does not do justice to the importance of this book. Simply put, this book is the definitive text on the topic and it is a title that needs to be read.

Reviewer Ben Rothke (@benrothke) is the author of Computer Security: 20 Things Every Employee Should Know"
Book Reviews

Submission + - CERT Resilience Management Model (RMM)

brothke writes: "

If Gartner had created the CERT-RMM framework as detailed in the book CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience, it would likely be offered to their clients for at least $15,000. With a list price of $79.99, the book is clearly a bargain. Besides being inexpensive, it details an invaluable model that should be seriously considered by nearly every organization.

The CERT-RMM is a capability model for operational resilience management. Put more simply, it is a method to tame the out-of-control world of IT operations.

CERT notes that the model has two primary objectives: to establish the convergence of operational risk and resilience management activities such as security, business continuity, and aspects of IT operations management into a single model; and to apply a process improvement approach to operational resilience management through the definition and application of a capability level scale that expresses increasing levels of process improvement.

In plain English, the model creates a formal method in which to execute IT tasks. Given the reality that most IT tasks are executed in an ad-hoc manner, the CERT-RMM should be a welcome relief to most organizations.

The CERT-RMM is a relatively new framework, with version 1.0 being issued in May 2010. Version 1.1 was made available via this book in December 2010. CERT also has a really good CERT-RMM Overview presentation available.

CERT-RMM v1.1 comprises 26 process areas that cover four areas of operations resilience management: enterprise management, engineering, operations and process management.

In chapter 1, the authors astutely note that technology can be very effective in managing risk, but technology cannot always substitute for skilled people and resources, for procedures and methods that define and connect tasks and activities, and for processes that provide structure and stability towards the achievement of common objectives and goals.

The problem is that most companies will spend huge amounts of money on these myriad technologies and seemingly expect the install routine to magically integrate the numerous processes. CERT-RMM is a comprehensive solution to a broad set of problems.

But for those that are looking to CERT-RMM for a quick fix to a decades-old problem, the authors also note in chapter 1 that CERT-RMM must be embedded within the culture and practices of an organization. The CERT-RMM practices will only make an organization more resilient to the degree to which they have been institutionalized via its processes.

At just over 1,000 pages, the book is a treasure-trove of invaluable information. While the amount of information may be overwhelming, it is manageable if used in a serious fashion. But just to reiterate, CERT-RMM should not be seen as a quick-fix solution.

The main textual part of the book covers 2 parts and 7 chapters, which make up the first 120 pages. These 2 parts provide a comprehensive overview of the CERT-RMM and of the various concepts used within the model. The authors do a superb job of showing how structure and processes need to be an integral part of enterprise operations, and note the challenges of not having such an approach.

Focusing on information security, the authors intelligently observe in chapter 2 that historically, information security was viewed as a technology problem and relegated to the IT department. The problem with such an approach is that when an incident or disruption occurs, the response is generally localized and discrete, not orchestrated across all affected lines of business and organizational units. That problem is precisely what CERT-RMM comes to fix. If implemented effectively, the processes enable organizations to respond in a more formal manner, with integrated processes, resulting in operations that are quicker, cheaper, and ultimately, more resilient.

In chapter 4, the authors tell you what seems to be obvious: that the CERT-RMM in its entirety looks ominous. They note the reason is that operational resilience management encompasses many disciplines and practices. The challenge for the organization is to understand the relationships in the CERT-RMM model and connect them to its own operations. CERT-RMM is certainly not for the fainthearted. But for those that are serious about operational efficiency and resilience, CERT-RMM is certainly a godsend.

The reality is that not only does the CERT-RMM look ominous, it is. The reason is that CERT-RMM will most likely be used to retrofit an organization that has used decades of ad-hoc approaches to its IT processes. Trying to fix so much is indeed ominous. But even with that ominous cloud, it is something that must be done.

In chapter 5, the authors make an important point: CERT-RMM is not a prescriptive model. This means that there is no guidance provided to adopt the model in any specific sequence or along a prescribed path. Rather, process improvements are unique to each organization, and the CERT-RMM provides the basic structure that enables enterprises to chart their own improvement paths using the model as a guide.

Chapter 6, on Using CERT-RMM, notes that the model has a strong enterprise undercurrent, due to the fact that effective operational resilience management requires capabilities that often have enterprise-wide significance. But the enterprise-wide nature of the model does not mean that it can't be adopted at more discrete levels.

Part 3 of the book is a complete listing of the 26 CERT-RMM process areas. Part 3 is where the heart of the CERT-RMM is. Each of the 26 sections has a complete set of descriptions of goals and practices and real-world examples.

Think of part 3 as The Checklist Manifesto: How to Get Things Right, but on steroids. In that book, author Atul Gawande uses the notion of a checklist as a quality-control device. He noticed that the high-pressure complexities in place today can overwhelm even the best-trained professional and that only a disciplined adherence to essential procedures can fix things. Gawande would likely be enamored by the CERT-RMM.

When the reader goes through the over 800 pages of part 3, they will see them as a set of standard operating procedures (SOPs). Industries such as aviation, manufacturing and pharmaceuticals have SOPs deeply embedded in their processes. The SOPs in part 3 are far from rocket science. They are simply a comprehensive approach and attention to detail. Given that resilience is all about the details, part 3 can be used to take an organization to a mature state of resilience.

If nothing else, part 3 should give the reader an appreciation for the need for effective process around IT initiatives. The exacting level of detail described in part 3 displays a rigorous set of processes that, if deployed, can ensure an all-embracing approach to systems management and control.

Often books with numerous authors lack a sense of style and symmetry. With 3 authors, the book suffers none of that and is completely integrated into a single unit with no disconnects. Each of the authors is a CERT veteran who brings considerable experience, which is pervasive throughout the book.

But as good as the CERT-RMM is, we all know that it is likely to have minimal adoption. Most organizations are far too short-sighted to use a model that requires such discipline and a long-term approach as CERT-RMM.

But for those organizations that are truly serious about resiliency, serious about security, serious about saving money and being more efficient, this book and the CERT-RMM are a model they will embrace warmly. This book is an important first step that can be the gateway to resiliency.

For all the others, they should at least use the CERT-RMM incident management and control process area to deal with the many security incidents and breaches they will inevitably have to contend with.

Reviewer Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know."
Book Reviews

Submission + - Network Security Auditing

brothke writes: "

The subtitle of Network Security Auditing is the complete guide to auditing security, measuring risk, and promoting compliance. The book does in fact live up to that and is a comprehensive reference to all things network security audit related.

In 12 chapters at almost 450 pages, the book covers all of the key areas around network security that are of relevance to those working in information security.

As a Cisco Press title, written by a Cisco technical solutions architect, the book naturally has a heavy Cisco slant to it. Nonetheless, it is still an excellent reference even for those not working in a Cisco environment.

While the first 3 chapters of the book provide an overview that is great even for a security newbie, the overall style of the book is highly technical and comprehensive.

Chapters 1-3 provide an introduction to the principles of auditing, information security and the law, and governance, frameworks and standards. Each chapter is backed with a significant amount of information and the reader is presented with a thorough overview of the concepts.

Chapter 3 does a good job of providing the reader with the details of current frameworks and standards, including PCI DSS, ITIL, ISO 17799/27001 and others. Author Chris Jackson does a good job of explaining the differences between them and where they are best used. Given this is a Cisco-centric book, he also shows how the various Cisco security products can be integrated for such regulatory and standards support.

Throughout the book, the author makes excellent use of many auditing checklists for each area that can be used to quickly ascertain the level of security audit compliance.

Chapter 6 is perhaps the best chapter in the book on the topic of Policy, Compliance and Management, and the author provides an exceptionally good overview of the need for auditing security policies. This is a critical area as far too many organizations create an initial set of information security policies, but subsequently never take the time to go back and see if they are indeed effective and providing the necessary levels of data protection.

Jackson notes that assessing the effectiveness of a policy requires the auditor to look at the policy from the viewpoint of those who will be interpreting its meaning. A well-intentioned policy might recommend a particular course of action, but unless specific actions are required, there is little an organization can expect the policy to actually accomplish to help the organization protect its data assets if it is misinterpreted.

The chapter suggests that the auditor ask questions such as: is the policy implementable, enforceable, easy to understand, based on risk, in line with business objectives, cost effective, effectively communicated and more. If these criteria are not well-defined and delineated, then the policies will exist in text only, offering little information security protection to the organization.

Jackson also writes of the need to measure how well policies are implemented as part of a security assessment. He suggests using a maturity model as a way to gauge where the organization is in its evolution towards fully integrating security into its business process, or whether it already has a formal integration process in place.

In chapter 8 on Perimeter Intrusion Prevention, Jackson writes that protecting a network perimeter used to be a relatively easy task. All an organization would have to do is stick a firewall on its Internet connection, lock down the unused ports and monitor activity. But in most corporate networks today, the perimeter has been significantly collapsed. If you compound that with increased connectivity, third-party access, and more; and then bring in advanced persistent threats into the equation, it is no longer a simple endeavor to protect a network.

Chapter 8 provides a detailed framework on how to perform a perimeter design review and assessment. As part of the overall review, the chapter details other aspects of the assessment, including the need for reviews of the logical and physical architectures, in addition to a review of the firewall. Jackson also lists a large number of security tools that can be used during an audit.

Chapter 11 covers endpoint protection with a focus on the end-user. Jackson notes that users never cease to amaze with their abilities to disappoint by opening suspicious file attachments, running untrusted Facebook applications, and much more. The book notes that organizations today face significantly higher levels of risk from endpoint security breaches than ever before due to our highly mobile and connected workforce.

The chapter details an endpoint protection operational control review that can be used to assess the organization's processes for identifying threats and performing proactive management of endpoint devices. While the chapter is quite Cisco-centric, with references to the Cisco SIO (Security Intelligence Operations) and a number of other Cisco products, the chapter does provide a good overview of the fundamentals of endpoint protection and how to do it the right way.

Overall, Network Security Auditing is a highly technical and detailed reference that makes for an excellent primary reference on the fundamentals of information security. With ample amounts of checklists, coding references, detailed diagrams and just the right amount of screen shots, Network Security Auditing makes an excellent guide that any technical member of an IT or security group should find quite informative.

Reviewer Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know"
Book Reviews

Submission + - Book review of 15 Minutes Including Q&A

brothke writes: "

When I initially read 15 Minutes Including Q&A: A Plan to Save the World From Lousy Presentations, I enjoyed it and thought it was a good book. It was only a few days later, sitting through yet another tedious vendor briefing, when I reread it and truly appreciated how awesome a book it really is.

Author Joey Asher’s premise is quite simple and intuitive: if you as a salesperson (or anyone trying to get a message across) can’t state your case simply and succinctly, no one is going to get it or care. He notes that a major problem is that far too many salespeople and speakers waste their time on areas they think are important, but not on what the attendee wants to hear.

Asher notes that every day, businesspeople bore listeners with presentations that ramble on, make no clear points and fail to address the attendee’s key concerns. His book lays out a plan for eliminating lousy presentations.

The introduction asks the basic question, why do most presentations stink? The answer Asher gives is that they ramble on, fail to make any points, try to say so many things that they become unwieldy PowerPoint death stars with no impact and ignore key audience concerns.

Asher’s answer to the problem is this: keep the presentation short; leave ample time for Q&A and work to get a compelling dialogue and interaction with the attendees. That is the premise of the first two chapters.

The book is divided into 3 sections. Part 1 is about preparing a seven-minute rifle shot presentation. In essence, tell your entire story in about seven minutes. While counterintuitive at first, the book shows how this can be achieved.

The focus of chapter 3 is to start by focusing on the key business challenge. Asher warns against starting a presentation by giving a bunch of background information about the approach. In addition, don’t tell the history of the project or do anything other than shine a light on the attendee’s key problems. He suggests using short stories to succinctly illustrate the issue. Just think of how many presentations you have been in where the speaker did not get to the point until 25 minutes and 20 slides into the presentation.

Chapter 11 is titled creating slides to support your message. The book astutely notes that preparing presentations has to a large part become an exercise in preparing PowerPoint slides. The reality is that it should be an exercise in figuring out how to tell your story. Asher notes that if you want to use slides well, you should only prepare your slides after you have figured out the story that you plan to tell your audience. The failure of many presentations is that the PowerPoint drives the story and not the other way around.

Part 2 is about allowing listeners to fill in the blanks and raise questions with Q&A. Asher suggests in chapter 12 to make Q&A a major part of your presentation strategy. He notes that Q&A allows the audience to guide the message and fill in missing information. It also gives the speaker the chance to persuade by responding to objections. And finally, it improves the speaker’s communications style.

While he may not realize it, Asher has uncovered what is the Achilles heel of many project problems and failures. It is that the salesperson sells an obtuse problem to a clueless customer who is oblivious to what they want or how they are going to deploy the solution.

The beauty of Q&A is twofold: first, it requires the salesperson to clearly articulate what they are selling, and the customer to articulate what their specific problems are. The answer should be a clear understanding of the issue and how the product can solve it. But the reality is that many companies will deploy expensive hardware or software solutions (often costing millions of dollars) without really understanding why they are embarking on such a venture.

The book concludes with part 3, on delivering the presentation with intensity. Part 3 moves away from the PowerPoint and into areas such as eye contact, voice energy, rehearsal and other important points. These are critical areas as even the best presentation delivered without intensity can turn into a fruitless endeavor.

While the title 15 Minutes Including Q&A: A Plan to Save the World From Lousy Presentations may border on hyperbole, the reality is that the term death by PowerPoint is a real problem. The book shows a clear path in which to stop that. At 104 pages, Asher writes like he talks: clearly, succinctly and to the point. For many people, it is only after reading this important book that they will truly understand how much of their lives is wasted by viewing pathetic PowerPoints and listening to rambling sales monologues.

The truth is that Asher’s points don’t have to be limited to PowerPoint presentations exclusively. Be it e-mail messages, memos, status reports, proposals and more; if you can get to the point, and get your point across, you are often more likely to succeed.

At $7.95, the book is about as inexpensive as they get, which means you can also give ample copies to numerous people in your organization. In fact, it should be required reading for anyone who will be using PowerPoint and giving presentations.

Ultimately, the value of 15 Minutes Including Q&A: A Plan to Save the World From Lousy Presentations is best summed up by Scott Leslie, who suggests that one keep extra copies of this book in their briefcase at all times. Next time you're forced to listen to someone laboriously narrate bullet points, quietly slip a copy in the presenter's briefcase without them noticing and sign it: Thought you might enjoy reading this. That way, maybe your audience will enjoy your next presentation.

Reviewer Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know"
Book Reviews

Submission + - Social Engineering book review

brothke writes: "

One can sum up all of Social Engineering: The Art of Human Hacking in two sentences from page 297, where author Christopher Hadnagy writes “tools are an important aspect of social engineering, but they do not make the social engineer. A tool alone is useless; but the knowledge of how to leverage and utilize that tool is invaluable”. Far too many people think that information security and data protection is simply about running tools, without understanding how to use them. In this tremendous book, Hadnagy shows how crucial the human element is within information security.

With that, Social Engineering: The Art of Human Hacking is a fascinating and engrossing book on an important topic. The author takes the reader on a vast journey of the many aspects of social engineering. Since social engineering is such a people-oriented topic, a large part of the book is dedicated to sociological and psychological topics. This is an important area, as far too many technology books focus on the hardware and software elements, completely ignoring the people element. The social engineer can then use that gap to their advantage.

By the time that you start chapter 2 on page 23, it is abundantly clear that the author knows what he is talking about. This is in stark contrast with How To Become The Worlds No. 1 Hacker, where that author uses plagiarism to try to weave a tale of being the world’s greatest security expert. Here, Hadnagy uses his real knowledge and experience to take the reader on a long and engaging ride on the subject. Coming in at 9 chapters and 360 pages, the author brings an encyclopedic knowledge and dishes it out in every chapter.

Two of the most popular books to date on social engineering have been Kevin Mitnick’s The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers. The difference between those books and Hadnagy, is that Mitnick for the most part details the events and stories around the attacks; while Hadnagy details the myriad specifics on how to carry out the social engineering attack.

The book digs deep and details how the social engineer needs to use a formal context for the attack, and breaks down the specific details and line-items on how to execute on that. That approach is much more suited to performing social engineering than simply reading about social engineering.

Chapter 1 goes through the necessary introduction to the topic, with chapter 2 detailing the various aspects of information gathering. Once I started reading, it was hard to put the book down.

Social engineering is often misportrayed as the art of asking a question or two and then gaining root access. In chapter 3 on elicitation, the author details the reality of the requirements on how to carefully and cautiously elicit information from the target. Elicitation is not something for the social engineer alone; even the US Department of Homeland Security has a pamphlet that it uses to assist agents with elicitation.

After elicitation, chapter 4 details the art of pretexting, which is when an attacker creates an invented scenario to use to extract information from the victim.

Chapter 5 on mind tricks starts getting into the psychological element of social engineering. The author details topics such as microexpressions, modes of thinking, interrogation, neuro-linguistic programming and more.

Chapter 6 is on influence and the power of persuasion. The author notes that people are trained from a young age in nearly every culture to listen to and respect authority. When the social engineer takes on that role, it becomes a most powerful tool; far more powerful than any script or piece of software.

The author wisely waits until chapter 7 to discuss software tools used during a social engineering engagement. One of the author’s favorite and most powerful tools is Maltego, which is an open source intelligence and forensics application. While the author concludes that it is the human element that is the most powerful, and that a great tool in the hand of a novice is worthless; the other side is that good tools (of which the author lists many), in the hands of an experienced social engineer, are an extremely powerful and often overwhelming combination.

Every chapter in the book is superb, but chapter 9 – Prevention and Mitigation stands out. After spending 338 pages about how to use social engineering; chapter 9 details the steps a firm must put in place to ensure they do not become a victim of a social engineering attack. The chapter lists the following six steps that must be executed upon:

Learning to identify social engineering attacks

Creating a personal security awareness program

Creating awareness of the value of the information that is being sought by social engineers

Keeping software updated

Developing scripts

Learning from social engineering audits

The author astutely notes that security awareness is not about 45- or 90-minute programs that only occur annually; rather it is about creating a culture and set of information security standards that each person in the organization is committed to using their entire life. This is definitely not a small undertaking. Firms must create awareness and security engineering programs to deal with the above six items. If they do not, they are then placing themselves at significant risk of being unable to effectively deal with social network attacks.

As to awareness, if nothing else, Social Engineering: The Art of Human Hacking demonstrates the importance of ensuring that social engineering is an integral part of an information security awareness program. This can’t be underemphasized as even the definitive book on security awareness Managing an Information Security and Privacy Awareness and Training Program only has about 10 pages on social engineering attacks.

There are plenty of security books on hardware, software, certification and more. Those were perhaps the easy ones to write. Until now, very few have dealt with the human element, and the costs associated with ignoring that have been devastating. Social Engineering: The Art of Human Hacking is a book that is a long time in coming, but worth every page.

While seemingly geared to the information security staff, this is a book that should be read by everyone, whether they are in technology or not. Social engineering is not something that just occurs behind a keyboard. Social attackers know that. It is about time everyone else did also."


Book Reviews

Submission + - Security Information and Event Management Implemen

brothke writes:

With many different types of log and audit data, Security Information and Event Management (SIEM) attempts to fix that by aggregating, correlating and normalizing the log and audit data. The end result is a single screen that presents all of the disparate data into a common element. While great in theory, the devil is in the details; and there are plenty of details in deploying a SIEM on corporate networks.

Security Information and Event Management Implementation provides a solid introduction, overview and analysis of what a SIEM (also known as SIM, SEM, SEIM and others) is, and what needs to go into it for an effective deployment and operation.

As a technology, SIEM provides real-time monitoring and historical reporting of information security events from networks, servers, systems, applications and more. Many firms have deployed SIEM as a method to address regulatory compliance reporting requirements, in addition to using it as a mechanism in which to build a robust information security operation, integrating the SIEM into their security management and incident response areas.

With that, the good news is that the SIEM market is now at a mature state, with numerous vendors competing off each other. Combined with the level of SIEM adoption, it’s ready for prime time. But ensuring it works in prime time is heavily dependent upon the requirements definitions and planning.

The book's 15 chapters are organized in three parts: Introduction to SIEM: Threat Intelligence for IT Systems, IT Threat Intelligence Using SIEM Systems and SIEM Tools. Part 3 (chapters 8-15) provides the bulk of the reading.

Part 1 provides a high-level overview of the topic and covers information security fundamentals. Chapter 2 details the various threats that the SIEM will be used to defend against, while chapter 3 gets into regulatory compliance, which is a key driver for many SIEM rollouts.

Part 2 details four SIEM vendors. The products the authors selected to showcase are: OSSIM, ArcSight ESM, Cisco Mars and Ounce Labs QRadar. While it is debatable if OSSIM is a SIEM, I am not sure why the authors did not include the netForensics product. This is especially true since the nFX SIM One software is one of the better tools which works on large deployments in which customization is needed.

A mistake many firms make when considering a SIEM is spending too much time selecting a specific SIEM vendor and not enough time defining their specific security requirements for the SIEM product. The book does a good job of communicating the importance of effective requirements definition. An important notion around requirements definition is that it must not involve just IT and security groups alone. Other groups including audit, regulatory, legal, administration, applications and more must be involved.

The book provides examples of real-world advice. A good point made in chapter 11 is the need to realize that a SIEM takes time to develop and is an out of the box solution. The authors note that one should not expect full inventory activity and actionable information immediately. It often may take a few weeks for that information to be normalized into data that is actionable.

Part 3 goes into the various products. Chapter 12, while about QRadar, lists 10 highly detailed questions that must be answered regardless of what SIEM vendor will be used. These 10 questions (for a formal SIEM definition, there are a good 30 or more that can be asked) require a firm to truly understand their infrastructure and environment, before they deploy a SIEM. The authors note that these questions are meant to facilitate a firm doing their homework around the SIEM. Detailed answers to these questions should not be underestimated, as failure to do them in advance can lead to a SIEM deployment that will ultimately fail.

For many readers, the screen print of a QRadar system settings console on page 278 may be enough to scare them away from a SIEM. This screen, of which there are many in QRadar, lists over 50 settings that must be configured in order to effectively use the software. While many of the default settings can be used, firms should know exactly what their settings should be if they want to get the most out of a SIEM solution.

In many books, the appendix is often public information which is simply added as filler to increase the page count. The appendix The Ways and Means of the Security Analyst is superb. It details the human element of the SIEM, the security analyst, which is often what will make or break the SIEM. The analyst is the one who will use the SIEM and attempt to make sense of it. A SIEM deployment without good analysts is ultimately useless.

It should be noted that even though the book has the term implementation in the title, it is not really a full implementation reference. It should be viewed as a comprehensive introduction to SIEM. The reason is that when one digs into the deeper layers of a SIEM deployment, there are significant complexities that must be dealt with. Anyone who attempts to deploy SIEM based on this guide alone will likely be disappointed. This is not a fault of the book; rather a reality of the complexity of a SIEM, and the number of pages it would require to be written.

While the book does have implementation guidelines around the installation and configuration of 4 SIEM products, the real challenge in a SIEM is the post-installation configuration issues, and not simply the installation. Perhaps the authors will take this as a challenge to create a second volume of this book detailing those issues.

With that, the book does provide an excellent overview of the topic and will be of value to those readers looking for answers around SIEM. Those looking for a solid introduction to the world of SIEM should definitely get a copy. Don’t think about a SIEM without it.

Submission + - Book review of Computer Incident Response (

brothke writes:

When someone calls 911 in a panic to report an emergency, within seconds the dispatcher knows where the call is coming from, and help is often only moments away.

When it comes to computer security incidents, often companies are not as resilient in their ability to quickly respond. Take for instance the TJX Cos. data breach, where insecure wireless networks were compromised for months, revealing millions of personal records, before they were pinpointed and finally secured. Once made aware of the issue, it took TJX an additional few months until the situation was completely in control and secured.

In Computer Incident Response and Product Security, author Damir Rajnovic provides the reader with an excellent and practical guide to the fundamentals of building and running a security incident response team. The book is focused on getting the reader up to speed as quickly as possible and is packed with valuable real-world and firsthand guidance.

Be it an IRT (Incident Response Team), CIRT (Computer Incident Response Team), CERT (Computer Emergency Response Team), or CSIRT (Computer Security Incident Response Team); whatever the term used, companies desperately need a process and team to formally respond to computer security incidents. The simple equation is that to the degree the incident is quickly identified, handled and ameliorated, the damage is contained and limited.

At just over 200 pages, the book's 13 chapters provide an excellent foundation on which to start a CIRT. The book is divided into two parts. Chapters 1-6 form part 1, Computer Security Incidents, with part 2 being on Product Security.

Chapter 1 provides a basic introduction to the topic of why an organization should care about computer security incident response. This brief chapter touches upon the various business impacts, in addition to the legal and other reasons necessary for establishing a CIRT.

Chapter 2 lays down the 6 steps in which to establish an IRT, which are: defining the constituency, ensuring upper-management support, obtaining funding, hierarchy, team structure and policies and procedures. Each of these steps is crucial, and a mistake too many organizations make is to leave one or more out. Only later when an incident occurs, which often takes an inordinate amount of time to fix, do these companies realize that their IRT was incomplete and inadequate in the first place.

The chapter includes an interesting look at the various types of IRT teams that can be created; namely central, distributed or virtual. The book notes that if you don’t have sufficiently strong support from senior organizational executives to form a real IRT (which should be a huge red flag right there), a virtual team is a good option. Virtual teams can be easier to set up as they are less formal with fewer bureaucratic hurdles. While there are benefits to a virtual IRT, companies that are truly serious about computer security will ensure that they have a formal and dedicated IRT in place.

In chapter 3, Operating an IRT, the author details the items needed to successfully operate an IRT. One of the soft skills the author discusses is effective interpersonal skills. The author writes that one situation that can arise when handling an active incident is that the person reporting the incident may say offensive things or become abusive to the IRT analyst. This behavior is generally the consequence of the attack, indicating its urgency. When dealing with such a person, it is imperative that the IRT analyst not get caught up in the user’s behavior. Rather they must focus on determining the appropriate method to fix the problem.

While part 1 is around the computer security incident itself, part 2 deals with product security. Most organizations create their IRT around computer security incidents. In chapter 8, the author writes about the need to create a product security team (PST) to deal with security issues related to vendor products.

Every software and hardware product has security flaws, be it Cisco, Juniper, Check Point and others. By understanding this and having a PST to deal with vendor security issues, a company will be adequately protected. In truth, only large companies will have the budget to support an independent PST in addition to an IRT.

In many ways, the PST is simply a specialized section of the IRT, with specific expertise around a specific product set. Many firms already have some sort of PST in place to deal with Patch Tuesday, which is the second Tuesday of each month when Microsoft releases security patches.

Overall, Computer Incident Response and Product Security provides a good overview of the topic. At 215 pages, the book should be seen as an introduction to the topic, not a comprehensive reference. The reason is that a topic such as security incident response requires much broader coverage given the extent of the requirements encompassed. In some ways though, its conciseness is its advantage, as a 750 page tome, while adequate for the subject, may overwhelm many, if not most readers. Also, the author has the ability to discuss topics in a manner that, while brief, does adequately cover the issues.

At $49, the book is moderately priced, given the value of the content. For those on a limited budget, the Handbook for Computer Security Incident Response Teams from CERT provides a good overview of the topic. While the handbook was last revised in 2003, many of the core concepts around incident response are immutable.

As this title is from Cisco Press and the author an employee of the Cisco Product Security Incident Response Team (PSIRT), the book has a definite Cisco slant. While Cisco products are often referenced, this is not a book from Cisco marketing. More importantly, as part of the Cisco PSIRT, the author has first-hand knowledge of one of the world’s premier IRTs.

For those serious about computer security and incident response, Computer Incident Response and Product Security should be one of the required books for every member of the team.

Ben Rothke is an information security professional and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).


Submission + - Securing the Smart Grid: Next Generation Power Gri

brothke writes:

Smart grid is one of the hottest topics, and to a degree a fad, in the energy sector. Security is and always has been a most important topic. The challenge then is integrating security into smart grid.

In Securing the Smart Grid: Next Generation Power Grid Security, authors Tony Flick and Justin Morehouse provide a comprehensive and first-rate overview of smart grid technology and what is needed to ensure that it is developed and deployed in a secure and safe manner.

An issue is that smart grid has a significant amount of hype around it, including the promise that it will make energy more affordable, effective and green. With that, promises around security and privacy are often hard to obtain.

While the book notes early on that there is no singular definition of what defines smart grid, a generally accepted definition is that it is a “network of technologies providing real-time two-way communication that delivers electricity from utilities to consumers”.

Most importantly, it is crucial to understand that the smart grid is an evolving environment, not a single entity or technology.

As important as the smart grid and security are, roughly 80% of Americans claim to know little or nothing about the smart grid, while 76% lack knowledge or understanding of smart meters, according to results of the latest Market Strategies International E2 Study.

From a security perspective, securing the smart grid is a complex endeavor. When you combine this with a public that is oblivious to the security and privacy issues, it gets worrisome quite fast.

The book's 14 chapters provide a good overview of the various aspects of smart grid, energy and utility transmission, security, privacy attack vectors and more. The book offers a good balance of the topics, in a very readable format.

In chapter 1, the authors note that a smart grid is not a single device, application, system, network, or even idea, and that there is no single authoritative definition for what a smart grid is. With that, the initial chapter sets and defines the various aspects to smart grid.

Chapter 2 provides an overview of the threats and impacts of smart metering at the consumer level. A large part of smart grid technologies is advanced metering infrastructure (AMI), which is a set of systems that measure, collect and analyze energy usage, and interact with advanced devices such as electricity meters, gas meters, heat meters, and water meters, through various communication media. Once smart grid is ubiquitous, AMI will be a hacker’s platform of choice.

With all those benefits of AMI come security and privacy issues, and those open the metering infrastructure to smart thieves, stalkers, and a broad range of other threats and attacks. AMI also opens up a new set of privacy issues in that the AMI devices will be collecting significant amounts of personal energy data, which may or may not be transmitted over a secure channel.

Unfortunately, leaving security to vendors of home-based products has traditionally not been met with much success. Let’s hope the smart grid vendors learn from the security debacles of the past and build effective and strong security into their products.

Chapter 4 notes that smart grid security is a matter of national security and that the US government is playing a large role in directing the effort. Numerous groups have efforts in place to secure smart grids, including DOE, FERC, DoC, DHS and more.

An important group working on this is the NIST Cyber Security Working Group (CSWG). The primary goal of the CSWG is to develop an overall cyber security strategy for the smart grid that includes a risk mitigation strategy to ensure interoperability of solutions across different domains/components of the infrastructure. This strategy addresses prevention, detection, response, and recovery.

The CSWG recently created NISTIR 7628 — Guidelines for Smart Grid Cyber Security, which complements everything detailed in this book. It also has the added benefit of being free. At 577 pages, it is also much more comprehensive.

Chapter 11, which deals with the topic of social networks and smart grid, is especially fascinating. While smart grid can leverage the power of social networking, it is inevitable that people will start tweeting about their energy usage. While that energy data may seem like an innocuous tweet, that information can be used to determine if the people are at home, on vacation, using specific appliances, etc.

For example, the Lyceum is the oldest building on the University of Mississippi campus. The Lyceum also has a Twitter feed about its energy usage. While this is more informational, when individuals start sharing their energy usage, without effective social media controls, the security outcome is quite predictable. With that level of information disclosure, it is quite easy to determine if a family is home, not home, sleeping, entertaining guests, etc.

As to users who in the future will integrate tweets and other energy data into their social networking, the chapter illustrates how much of a security risk this can pose by detailing vampire energy cost estimates for over 75 different types of electronic products. Attackers can use the energy data and extrapolate what products are in use, when, and more.

The chapter concludes with a smart grid social networking security checklist. The smart grid social networking security checklist contains five categories for implementing basic security controls, namely around: identity, authentication, information sharing, networking and usage.

The book also includes a number of sidebar Epic Fail stories, which detail major failures and catastrophes in various energy topics.

Overall, Securing the Smart Grid: Next Generation Power Grid Security provides an excellent overview on the state of smart grid technology and its related security, privacy and regulatory issues. The book provides an excellent introduction for anyone looking to understand what smart grid is all about, and its security and privacy issues.
