The Cert Guide to System and Network Security Practices

The CERT Guide to System and Network Security Practices should be a reference document on SAs, ISOs, and DBA's bookshelf that are serious about protecting their respective infrastructures. I might add that there is unfortunately precious little specific to RDBMS solutions resident in this tome, notwithstanding the paucity of material extant in the market place pertaining to RDBMS Infosec, so if you are looking for application specific, or database specific advice, look elsewhere, but that is another story.Published by Addison Wesley, and of course CERT, and superbly written by Judith Allen, of the NSSP (the Networked Systems Survivability Program), a component of the CERT Coordination Center. Ms Allen was the Deputy Director of Carnegie Mellons' highly respected SEI (Software Engineering Institute).In my humble opinion, Ms. Allen has authored one of the more thorough books on the market for protecting information systems, in general. (Both large and small-scale deployments are covered). However, it is a guideline only, not every solution to every challenge you may encounter is included, which of course, is an impossibility.The book, as a whole, should be viewed as a reference document. Utilized in the practical deployment and implementation of not only enterprise information security architectural solutions, but also the additional deployment and practical day to day solutions for individual machine level infosec issues as well, vis. a vis. secure OS installs, intrusion detection and response, along with the oft-overlooked policy considerations, so essential to successful Infosec rollouts.Essentially the book is organized in three categories, complimenting each other in order of methodology, and in practice, to wit: Securing Computational Devices, then on to Firewall based perimeter defense, to the final chapters delineating Intrusion Detection and Response. Fully documented in both bibliographic reference and indices, the book is almost as useable as a searchable electronic manual (which for me, is a better solution, if it was available). Notwithstanding the absence of availability of this book electronically, I recommend the purchase.All in all, the book is a great reference tool (as noted previously); use it as a guide (just like the title says!), just not the be all and end all. I also recommend this book for Infosec Policy Guideline authors, as it is not completely tied at all times to Oses, Conversely, Ms. Allen does offer up some specific recommendations/configuration settings for the building blocks of Unix Infosec: Tripwire, SSH, Syslog, Logsurfer 1.5, Spar, Tcpdump, Snort, etc.

Before I started working at for a CERT team I bought this book to help familiarize myself with CERT proceures and policies. It has become a must-have reference for all the CERT members here. I showed my copy to my boss and he immediately orderd 24 more! I found the section II (Intrusion Detection and Response) extremely straight-forward and informative. There is a "no BS" approach to intrusion detection, there are no pulled punches against any product, and the recommendations were so good that they became instant policy. The only problems with this book are 1.) The chapter on securing desktops; it is incomplete. 2.) The updates on the Internet are not easy to obtain because the website is very obscure. I wish that I had kept this book to myself at work, I might have a pay raise by now. Along with "Microsoft Windows 2000 Security Handbook - Jeff Schmidt ISBN:0-7897-1999-1" This is a powerful protection tool for any network.

The five step approach to securing and managing systems and assets that this book provides is a blueprint for a comprehensive and effective security programWhat I found especially valuable is the fact that the complex task of developing, implementing and managing an effective security program is clearly outlined in this book. I also like the fact that the security exposures and techniques for dealing with them are based on CERT/CC research and experience - there is no theory here. As such, if you follow the five-step approach and augment this with constant vigilence you will have the assurance that at least 80% of potential threats are dealt with. The remaining 20% of the threats are constantly emerging as the war between you and the 'bad guys' unfolds, but the URLs to CERT/CC and other security-related sites provided in this book are resources that will allow you to remain abreast of these emergent threats.Probably the most valuable aspect of this book is the incident response process, which can serve as the framework for damage control, elements of business continuity planning, and guidelines for immediate and methodical response to breaches. In my opinion this book is an essential resource for security officers and IT security personnel and the foundation of a well planned defensive security posture.

After reading the CERT Guide to System and Network Security Practices, you may feel as if you've been speaking with your mother about computer security, as most of the advice detailed in the book is common sense. But, as Voltaire astutely noted, common sense is not so common. The truth is that there is really nothing new in this book that CERT (Computer Emergency Response Team...) has not been saying in one way or another for the last decade. But that should not in the least underscore the importance of the book, as it provides an excellent treatment of securing information assets. In fact, the book subtly echoes the sentiment of George Santayana, who stated that "those who cannot remember the past are condemned to repeat it." This is true with information security. As even with all of the strides that have been made and new security technologies that have been developed, a large percentage of security breaches are the result of systems that were either incorrectly configured or ineffectively secured. While many people erroneously think that a firewall is the foundation of information security, the truth is that an effective set of information security policies and procedures are. In fact, policy is such a critical element within the effective and successful operation of information technology systems, that systems can't be effective unless they are deployed in the context of working policies that govern their use and administration...As an example, Marcus Ranum defines a firewall as "the implementation of your Internet security policy. If you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do." The sad fact is that most firewalls permit so much traffic through that it is often difficult to tell where the firewall ends and the router begins...The truth be told, when Mother in her infinite wisdom says something, it is good advice. When a consultant says the same thing, it is called a Best Practice. Some of the best practices that CERT has long recommended are: using effective passwords, ensuring systems are patched against recent vulnerabilities, hardening the operating system, removing unnecessary services, protocols, and accounts, and more. None of these recommendations is exactly rocket science; even so, this aspect of Security 101 is overlooked in many, if not most, organizations...The beauty of the book is that it is vendor agnostic. It doesn't cover the specific details of the operating system or software application; rather, it focuses on the policies and procedures needed to make that system secure. With that, the book will be current, even with operating systems' changes and upgrades. Many computer books today have scores, if not hundreds, of pages of screen prints and source code, which often only serve to increase their page count. This book has none of that, and is

This book contains a security approach that is based on the collective experience and statistical analysis of the CERT Coordination Center. The contents of this book are authoritative and well structured. Structure is based on a five layer (or step) approach to securing information assets that consists of 52 distinct practices. The layers correspond to stages in a process that encompasses (1) hardening and securing assets, (2) developing and implementing detection and response practices [prepare], (3) intrusion detection, (4) intrusion response and (5) improve. Hardening and securing assets consumes nearly the first half of the book. The practices systematically address the essentials for securing servers and workstations, web servers and firewalls. Every facet is addressed from configuration advice to specific exposures. These are the minimum practices that need to be in place and if these practices are implemented and actively managed approximately 80% of common exposures will be eliminated.The remainder of the book leads you through setting up intrusion detection and response practices (including an excellent set of steps and considerations for establishing policies and procedures), how to detect signs of intrusion and how to assess the impact of the intrusion and respond appropriately. Two highlights are the appendices. Appendix A covers in great detail some of the finer points of securing Solaris 2.x (you will need to tailor this information for HP/UX, Linux and AIX). The reason Solaris is chosen is because it is one of the most widely used operating systems on the Internet. Among the finer points are: installing and configuring Tripwire, SSH, Logsurfer, Spar and Tcpdump; understanding system log files, and writing rrules and understanding alerts for Snort. URLs are provided to sites from which you can obtain the third-party security facilities, such as Tripwire, Logsurfer, etc. Appendix B is a concordance of practices and how they should map to a comprehensive security policy. This is especially valuable because you can check your own policies against each of the 52 practices to make sure all are covered in your security policy.This book is an important work that is an essential reference for anyone who is responsible for security. This responsibility extends beyond the role of security officer or team member into architecture, network operations and production support (to name a few areas that need to be closely involved). The book will give you the foundation for an effective, responsive security program, but needs to be augmented by keeping up with trends and emerging threats and exposures. To this end the URLs to CERT/CC and other security-related sites are a necessary adjunct to this book. It merits 5 stars and my rare recommendation as a "must have".