Intranet Security - Stories from the Trenches

89475-8 Security consultant Linda McCarthy shows: *How breaches occurred *What steps were taken to deal with them-and how well they worked *What steps could have been taken to prevent the crisis There's nothing academic about network security when it's late at night and some hacker is rummaging through your R&D files. If you don't want that 3 a.m. phone call, and you don't want your company's strategic plans in tomorrow's Wall Street Journal, now's the time to prevent it from happening to you. In this book, you'll watch as real network administrators track hacker intrusions. You'll see firsth and how companies struggle with security problems caused by poor training, lack of management support, hidden agendas, and careless intranet development. You'll find checklists of preventive security measures you can take right now-and lists of tools that can help. Above all, you'll find insight into the all-too-human security flaws that make corporate intranets an easy target for hackers." Linda McCarthy's book not only blends statistics with real life stories to good effect, but discusses and documents crucial items such as the importance of a security policy, the impact of organizational politics, and actual transcripts of break-ins. Read the book-it will help you understand security in the real world. And when all is said and done, that's saying a lot, isn't it?" --Dan Farmer, Security Researcher "In addition to accurate and scary war stories, this book is chock-full of practical advice that anyone can benefit from." --Marcus J. Ranum, CEO, Network Flight Recorder

Table of Contents:
1. Visitors in the Night. An Unwanted Guest. Day 1: A Nice Night for a Hack. Day 2: Out of Sight, Out of Mind. Day 3: The Hack is Back. Days 4 to 7: Waiting to Exhale. Day 8: Too Little, Too Late. Day 9: Just the Facts. Summary: It Can Come from Within. Let's Not Go There. Focus on Prevention. Prepare for the Worst. React Quickly and Decisively. Follow Up. Checklist. Final Words. 2. The Bogus Box. Out-of-the-box Security. Day 1: False Security from a Box. Two Years Later: It Was Bound to Happen Eventually. + Two Weeks: Once Is Never Enough. + Three Weeks: No Quick Fix. The Saga Continues: A Disaster Awaits. Summary: Would You Hire this ISP? Let's Not Go There. Know Your Risks. Avoid Out-of-the-box Installations. Audit Your Network. Know the People Who Know Your Data. Assign or Acquire Adequate Funding for Security. Don't Export Read/Write Permissions to the World. Remove Old Accounts. Forbid the Use of Crackable Passwords. Apply Security Patches. Follow Policies and Procedures. Get Help. Use Training. Checklist. Final Words. 3. Executive Nightmare. Can You Hear Me At The Top? Day 1: Not a Security Measure in Sight. A Year Later: The Hacks Continue. Summary: Take an Active Approach. Let's Not Go There. Commit to Security from the Top Down. Speak Softly and ACT LOUDLY. Keep Levels of Management to a Minimum. Report Back! Set Security as a Management Goal. Provide or Take Training as Required. Make Sure that All Managers Understand Security. Check that System Administrators Communicate Needs Clearly. Checklist. Final Words. 4. Controlling Access. The Never-ending Network. Day 1: An Ill Fated Plan for Outside Access. A Few Weeks Later: Dave's Big Mistake. The Next Day: Who's Job is Security, Anyway? Over the Next 29 Days: And the Hacker Wanders Quietly. + One Month: A Spot Audit Spots the Hacker. Audit Day 1: Follow the Network Map to Follow the Security Hole. Audit Day 2: An Unenforced Policy is a Useless Policy. The Last Audit Day: The Wrong Man for the Job is Worse than No Man for the Job. Summary: Close the Door to the Competition. Let's Not Go There. Use Standard Architecture Designs. Track External Connections. Take Responsibility for Your Territory. Require Approval for External Connections. Enforce Policies and Procedures. Disable Unnecessary Services. Stress the Importance of Training. Follow Through. Don't Connect Unsecured Systems to the Internet. Checklist. Final Words. 5. What You Don't Know. Sink or Swim? Initial Contact: A Good Sign. Day 1: Don't Put Your Security Eggs in One Basket. Day 2: The Penetration Begins. Day 3: Sink or Swin Always Means Sink. Summary: Can't Afford the Power of Negative Training. Let's Not Go There. Have Management Send the Right Security Message. Educate Executive Management. Protect the Security Training Budget. Make Security a Management Requirement. Make Training a System Administrator Requirement. Attend Security Seminars. Have Brown Bag Lunches. Disseminate Security Information. Join Security Aliases. Write White Papers. Write for Newsletters. Develop Tools into Products. Checklist. Final Words. 6. Risking the Corporation. Trauma Zone. Day 1: An Unscheduled Audit. A Game of Risk is a Game of Strategy. Phase One: Dress the Part. Phase Two: Infiltrate Physical Security. Phase Three: A Walk Through the System Park. Day 2: Patient Records at Risk. Summary: Look Before You Leap. Let's Not Go There. Assess Risks. Classify Systems. Forbid Out-of-the-box Installations. Don't Be Too Trusting. Learn from the Past. Target Budget Cuts. Conduct Security Audits. Hold Management Accountable. Don't Set Yourself Up. Include Training in Right-sizing Budgets. Keep Score. Checklist. Final Words. 7. Not My Job. Come On In, The Door's Open. Day 1: Why Can't We Lock the Hackers Out? Day 2: The Usual Suspects. Stuck on Band-Aides for Job Security. Moving On. When You Hear ”Don't Worry,” Start Worrying. My Last Day: Breaking the News. Summary: Ask Not What Your Company's Security Can Do for You. Let's Not Go There. Define Roles and Responsibilities. Develop Firewall Policies and Procedures. Feed Your Firewall. Read Your Audit Logs. Use Detection Software. Respond Quickly! Require Proof of Security. Conduct Audits. Get Educated. Checklist. Final Words. 8. For Art's Sake. Policies? What Policies? In the Beginning: A Conflict Arises. Day 1: In Search of Tangible Evidence. Day 2: Whose Side Are You On, Anyway? System Admins: It's Not Our Problem, It's Theirs. Security Team: It's Not Our Problem, It's Theirs. Summary: Security is the Casualty of War. Let's Not Go There. Put Someone in Charge of Policies and Procedures. Delineate Cross-organizational Security Support. Don't Wait for Miracles. Question Processes. Know When to Cry “Uncle”. Be Responsible. Checklist. Final Words. 9. Outsourcing the Store. I Did It My Way. Day 1: On the Surface, Everything Appears Normal. Day 2: A Skeleton Key to Success. Cracking the Case. Lifestyles of the Untrained and Inexperienced. Days 3 and 4: The Fix Is Up to Them. Summary: Stop! Look! Audit. Let's Not Go There. Conduct Audits. Do It Right. Do It Regularly. Use the Freebies. Fix the Problems You Find. Kill the Sink-or-Swim Trainers. Checklist. Final Words. 10. What They See Can Hurt You. E-mail or See Mail? Personal Data in 30 Seconds Flat. Summary: You Have the Right to Waive Your Right to Privacy. Let's Not Go There. Use Encryption! Encourage Your Friends to Encrypt. Add Encryption to Your Security Budget. Promote Strong Cryptography Everywhere. Watch for Other E-mail Hazards. Final Words. 11. A Hacker's Walk Through the Network. A Hacker's Profile. The Real Hackers. About Those Tools. Walking with the Hacker. What the Hacker Was Doing. Conclusion. Appendix A: People and Products to Know. Glossary. Index.