The Virtual Bookcase Reviews of 'The CERT Guide to System and Network Security Practices':
Reviewer amazon.com wrote:
Black-hat hackers--that is, malicious people who want to break into your networks and machines--are proliferating, it's true. But the number of systems available for them to attack is growing at an even faster clip, which means you can head off a lot of attacks on your Internet-connected resources by following the advice in The CERT Guide to System and Network Security Practices . Julia Allen has distilled a series of "best practices" documents from the CERT Coordination Center (a clearing-house for information about computer attacks) into readily absorbable advice on computer security. She shows how to configure systems for inherent resistance to attack, how to set up logs and intrusion detection tools as early and reliable tripwires, and, to a lesser extent, how to deal with an attack in progress.
Allen's approach is not focused on the details of particular operating systems, applications, or items of equipment, though she does include some such information in a sizable appendix. Most of the time, procedural outlines are phrased generically ("Disable the serving of Web server file directory listings"). It's up to you to figure out what the steps mean, specifically, in terms of your hardware and software. The advice is carefully researched and therefore valuable. If implemented carefully, Allen's recommended practices should deter all but the most determined hackers from harassing your systems.
Reviewer Rob Slade wrote:
The preface states that the intended audience for this work is the
mid-level system and network administrator. Actually, it uses the
plural, giving the first indication that this text is only intended
for those working in very large organizations. Chapter one is an
overview of the structure of the book, along with a listing of some
other resources, and a few general security definitions.
Part one deals with securing or hardening computers against attack.
Chapter two lists good practices for servers and workstations,
providing basic guidelines. There is something of a detailed
breakdown of these conventions, as well as considerations that might
be useful in policy discussions. However, these are not procedures,
and there is very little in the way of system detail. The reader is
advised to limit services running on computers. This is a good
practice, but there is nothing to indicate how to find out what
services are running, nor how to limit or eliminate them once they are
found. A number of assumptions have been implicitly made, for example
about centralized administration policy, so even the material that is
included may not be suitable for all environments. The explanations
are reasonable, but rather pedestrian, and there is a great deal of
duplication of material (the sections dealing with limiting services
running on servers and workstations, for example, are almost
identical.) Much the same is true of securing public web servers, in
chapter three. Some material is quite specific (specifying the Common
Log Format, CLF, for activity files) while other recommendations are
vague. Deploying firewalls, in chapter four, is a bit different, in
that it does contain some explanation of firewall types and
architectures. Unfortunately, this text is very brief, and is padded
out with unilluminating illustrations.
Part two examines intrusion detection practices. Chapter five covers
the preparation and setup of intrusion detection, chapter six the
actual detection of intrusions, and chapter seven outlines responses
to intrusions. Overall, part two is more useful than part one, since
intrusion detection is a newer field, and general concepts are still
helpful even if specific details are lacking.
Given the complaints I have made about the lack of details, some will
respond that I have, heretofore, ignored the fact that there are two
appendices in the book, dealing with security implementations and
practices. True, these documents exist. In terms of the security
implementations, if you are using Solaris 2.x, Tripwire, Logsurfer,
and Snort, the additional material may be very useful. Otherwise, it
still doesn't address the lack of specifics in the book.
This work does provide the security specialist, faced with
responsibility for policy creation or maintenance, a handy set of
checklists and some framework for the policy process. Use of the text
will help remind the professional of areas to be addressed, and
prevent certain aspects from slipping between the cracks. The
advanced and experienced system administrator may also benefit from
the volume, since he or she will likely already know system specifics
for a number of the functions required, and probably has some idea of
where to find information about others. However, intermediate
sysadmins, with an "engineer" level certificate and a few years' work
experience, are unlikely to know the details of security operations
that have, usually, been seen as a specialty area. Therefore, the
audience which will find this book to be useful is a rather narrow
copyright Robert M. Slade, 2001
Add my review for The CERT Guide to System and Network Security Practices
As the Internet and other international and national information infrastructures become larger, more complex, and more interdependent, the frequency and severity of unauthorized intrusions into systems connected to these networks are increasing. Therefore, to the extent possible and practical, it is critical to secure the networked systems of an organization that are connected to public networks.
The CERT© Guide to System and Network Security Practices is a practical, stepwise approach to protecting systems and networks against malicious and inadvertent compromise. The practices are primarily written for mid level system and network administrators--the people whose day-to-day activities include installation, configuration, operation, and maintenance of systems and networks. The practices offer easy-to-implement guidance that enables administrators to protect and securely operate the systems, networks, hardware, software, and data that comprise their information technology infrastructure. Managers of administrators are intended as a secondary audience; many practices cannot be implemented without active management involvement and sponsorship.
CERT security practices address critical and pervasive security problems. Practice topic selection is based on CERT's extensive data on security breaches (21,756 in 2000) and vulnerabilities (774 in 2000), that provide a field of vision not available to other security groups. Our practices fill the gap left by the usual point solutions (typically operating-system-specific) or general advice that lacks "how to" details. With CERT security practices, an administrator can act now to improve the security of networked systems.
By implementing these security practices, an administrator will incorporate solutions and protection mechanisms for 75-80 percent of the security incidents reported to CERT. Each practice is written as a series of technology-neutral "how to" instructions, so they can be applied to many operating systems and platforms. However, an administrator can only implement a solution using a specific host operating system. Therefore, we have included examples of technology-specific implementation details in a separate appendix as these tend to become outdated much sooner than the technology-neutral practices.
Throughout the book, emphasis is placed on planning as a precursor to implementing, wherever possible. Ideally, the following risk analysis activities need to occur before deciding what actions to take to improve security:
Identify and assign value to information and computing assets Prioritize assets Determine asset vulnerability to threats and the potential for damage Prioritize the impact of threats Select cost-effective safeguards including security measures
In our observation and as reflected in this book, system and network security is an ongoing, cyclical, iterative process of planning, hardening, preparing, detecting, responding, and improving, requiring diligence on the part of responsible administrators. Configuring and operating systems securely at one point in time do not necessarily mean that these same systems will be secure in the future. And no level of security can ensure 100% protection other than disconnecting from public networks and, even then, the threat of attack from insiders still exists.
To get the most out of this book, you should already know how to install and administer popular operating systems and applications, and be familiar with fundamental system security concepts such as establishing secure configurations, system and network monitoring, authentication, access control, and integrity checking.
The book is organized into two parts and two appendices:
Part I: Hardening and Securing the System. Preventing security problems in the first place is preferable to dealing with them after the fact. This part of the book covers the practices and policies that should be in place to secure a system's configuration. Guidelines for securing general purpose network servers and workstations are contained in Chapter 2, followed by chapters containing additional guidance on securing public web servers and deploying firewalls. Part II: Intrusion Detection and Response. Even the most secure network perimeter and system configurations cannot protect against every conceivable security threat. Administrators must be able to anticipate, detect, respond to, and recover from intrusions, and understand how to improve security by implementing lessons learned from previous attacks. This part of the book covers practices required to do so.
Appendix A: Security Implementations. The Appendix contains examples of several procedural and tool-based implementations that provide technology-specific guidance for one or more practices (the applicable implementations are referenced in the practices they support). The implementations chosen for this book are specifically geared for Sun Solaris (UNIX) operating environments, given CERT experience. These implementation examples are intended to be illustrative in nature and do not necessarily reflect the most up-to-date operating system versions. The most current versions of over seventy UNIX and Windows NT implementations and tech tips are available on the CERT web site. Appendix B: Policy Considerations. This Appendix contains all of the security policy considerations and guidance that are presented throughout the book. Having this material in one location may aid you in reviewing and selecting policy topics and generating policy language. You can also treat this Appendix, along with the checklists appearing at the end of each Chapter, as an overall summary of the entire book.
The most effective way to use this book is as a reference. We do not intend that you read it from cover to cover, but rather than you review the introductory sections of each Part and Chapter and then refer to those Chapters and practices that are of most interest.
The web site addresses (URLs) used in this book are accurate as of the publication date. In addition, we have created a CERT web site that contains all URLs referenced in the book. We plan to keep these URLs up to date, provide book errata, and add new references after book publication. At this book site (cert/security-improvement/practicesbk.html), you will find links to all references, information sources, tools, publications, articles, and reports for which a URL exists and is mentioned in the book. We also regularly refer to CERT advisories, incident notes, vulnerability notes, technical tips, and reports, all of which can be found at the CERT web site, cert. We sometimes use the phrase "the CERT web site" to refer to this URL.
The content in The CERT© Guide to System and Network Security Practices derives from Carnegie-Mellon University's Software Engineering Institute (SEI) and CERT Coordination Center. CERT/CC, established in 1988, is the oldest computer security response group in existence. The Center provides technical assistance and advice to sites on the Internet that have experienced a security compromise and establishes tools and techniques that enable typical users and administrators to effectively protect systems from damage caused by intruders. The Software Engineering Institute is a federally funded research and development center with a broad charter to improve the practice of software engineering.
The material that serves as the primary content for this Guide has been posted and updated on the CERT web site over a period of 5 years. It has been reviewed and used by external security experts in commercial, federal government, and university-level academic organizations and by SEI staff members. All materials are periodically reviewed (and tested, where appropriate) for accuracy and currency.
As the Internet and other information infrastructures have become larger, more complex, and more interdependent, unauthorized intrusions into computer systems and networks have become more frequent and more severe. It is increasingly critical that an organization secure the systems it connects to public networks. The CERT Coordination Center ®, the first computer security response group, was established to help systems administrators meet these challenges by publishing advisories and developing key security practices, implementations, and tech tips on a timely basis. The CERT ® Guide to System and Network Security makes these practices and implementations available for the first time in book form.
With a practical, stepwise approach, the book shows administrators how to protect systems and networks against malicious and inadvertent compromise. If you are installing, configuring, operating, or maintaining systems or networks--or managing any of those functions--you will find here easy-to-implement guidance to protect your information infrastructure. The practices are platform- and operating-system independent; however, several procedural and tool-based implementations are provided to illustrate the technology-specific guidance that is freely available from the CERT Web site (cert).
The book is divided into two main parts, the first dealing with hardening and securing your system--preventing problems in the first place. The second part covers intrusion detection and response, recognizing that even the most secure networks and systems cannot protect against every conceivable threat. The practices selected for the book are based on CERT's extensive data on security breaches and vulnerabilities, providing an authoritative view of the most common problems system and network administrators confront.
See how to:
* Secure general-purpose network servers and user workstations
* Configure public Web servers to operate securely including the use of authentication and encryption technologies
* Configure, test, and deploy firewall systems
* Detect, respond to, and recover from intrusions
* Implement selected practices on systems running a Solaris 2.x operating system
* Identify practice-related topics to address in your security policies
By implementing the security practices described in this book, you will be incorporating protection mechanisms for up to 80 percent of the security incidents reported to CERT.