Hacking Exposed: Network Security Secrets & Solutions (Windows 2000)
Foreword (written by Stuart McClure)
In the fast-paced, caffeine-powered, and sometimes reckless world of computer security, the security analogy of a "hard crunchy outside and soft chewy inside," a staple of the security community today, is uncannily apropos as we spend millions to protect and fortify the outside perimeter network and nary spend a dime to address internal threats. However, as convenient as it may be to leave internal systems free from controls, it's a disaster once someone "bites" through to that unprotected inside; consider, too, the potential damage (whether intentional or not) that could be generated by those employees or partners who have legitimate access to the center. Lackadaisical attention to the soft and chewy inside could compromise your security at any time. The authors of Special OPs: Host and Network Security for Microsoft, UNIX, and Oracle immerse you in this analogy of intranet security and "the soft chewy inside" so frequently neglected in today's security oration. In this book, you will find the critical pieces to securing your vital internal systems from attackers (both friend and foe) and a near complete picture to understanding your internal security risk.
The task of securing the inside of your organization is daunting and unenviable: so many systems, so many vulnerabilities, so little time. You must manage a myriad of system frailties and control the day-to-day cyber mayhem. You must be able to allocate your meager IT security resources to the battles that matter most. You may feel you cannot possibly do it all. At the end of the day, if the right assets are not secure from the right risks with the right measures, you might wonder what you really are accomplishing. Motion does not equal progress, and effort does not equal execution. Although you may be keeping everything under control in the short run, eventually some breach will test that control. Management does not care about how many vulnerabilities exist, how difficult they are to fix, or how diversely controlled they are; all they care about is an accurate answer to the questions "Are we secure?" and "Are we getting better?" If you cannot answer those vital questions in the positive, eventually you and your company will cease to thrive.
This book emphasizes a process that will help you answer those questions affirmatively, by teaching you first how to identify and understand your assets, your vulnerabilities, and the threats that face you, and then how to best protect those assets against those threats. Much of this approach can be attributed to Pareto's Principle, or the 80/20 Rule. This law is often applied to computer security with the phrase "80 percent of the risk is represented by 20 percent of the vulnerabilities". Simply stated, focus on correcting the few most vital flaws and you will reduce the vast majority of your risk.
NOTE: At the turn of the last century, an Italian economist named Vilfredo Pareto made the observation that 20 percent of the people in Italy owned 80 percent of its wealth. This rather simplistic examination became the infamous Pareto's Principle, or the 80/20 Rule.
Following this principle requires two things: first, that the quality of the data collection is solid, and second, that your methods of analyzing that data are equally solid.
The first variable in collecting solid data, asset inventory, is one of the most underestimated drivers of security. Understanding what assets exist, where they are located (for example, from what country, to what building, and in what room), and what criticality and value they hold, is vitally important in calculating your security risk and can help you create a stellar security management program.
The second variable involves identifying vulnerabilities. The ability to derive an accurate vulnerability picture of your enterprise is critical to collecting clean baseline data. To do this, you must reduce false positives (reporting vulnerabilities present when there actually are none) and eliminate false negatives (not reporting a vulnerability present when there actually is one).
The final variable is in understanding the threats to your system. A vulnerability by itself is not a critical risk—only when a hacker takes that vulnerability, writes a solid exploit, and begins using it does it become a critical risk. To understand the nature of the threats most relevant to you, you need to know the current activities of the underground, how they work and communicate, and how they eventually exploit known weaknesses. Without understanding those threats, your data (that is, your assets and known vulnerabilities) does not exist in a context of security management.
Only when your data collection has enabled you to understand the threats to your system can you go about the task of securing it. This book provides you with the tools and techniques that can help you analyze your data and determine the vital fixes necessary to harden the "chewy inside" of your network according to Pareto's Principle. You will never be 100 percent secure from attackers, but you can be 100 percent sure that you are applying your resources to the battles that will matter the most.
Data for its own sake holds little value. Too many trees have died in the service of security vulnerability reports that attempt to provide a "complete picture of your risk". In actuality, those reports often provide little beyond a confusing mix of irrelevant or conflicting concerns, combined with an avalanche of unqualified data. Without an effective, dynamic, robust interface to your data, and without acting upon Pareto's Principle, you may never shore up your true internal risk. The definition of insanity is doing the same thing over and over again while expecting a different result so if you've been caught in the vicious cycle of generating too much unfiltered data, don't let the failures of the past go unheeded. Read this book, heed its warnings, and take steps to effectively manage your security today.
—Stuart McClure, President & CTO Foundstone, Inc. Co-Author, Hacking Exposed Fourth, Windows 2000, and Web Hacking Editions