Archive for January, 2009
“Extrusion Detection” Review Posted
by Josh on Jan.23, 2009, under Uncategorized
Amazon has posted my 5-star review of Richard Bejtlich’s “Extrusion Detection”:
“This is my 2nd book by Bejtlich that I have read, with the first being “The Tao of Network Security Monitoring: Beyond Intrusion Detection.” While the Tao of NSM focused mainly on detecting attacks coming in from the perimeter, this book focused on Network Security Monitoring principles as applied to traffic going out of the network.
Bejtlich starts out by doing an overview of Network Security Monitoring, referencing his earlier book as a more in-depth treatise on NSM. He then goes on to the theory and illustration of “Extrusion Detection” (“The process of identifying unauthorized activity by inspecting outbound network traffic.”). We see Extrusion Detection illustrated with the four types of NSM data (Full Content, Session, Statistical, and Alert).
We then moved on to “Enterprise Network Instrumentation,” which included discussions on network/packet capture equipment, some I had never seen before: SPAN Regeneration Taps, Link Aggregator Taps, etc.
The next section was probably my favorite: Enterprise Sink Holes. What a fantastic way to discover a local compromised host scanning your internal network. This section also had some great ways to do short-term containment (with a Sink Hole) on a loose worm. (The coolest, in my opinion, being Unicast Reverse Path Forwarding)
Next we have sections on Traffic Threat Assessments, Network Incident Response, and Network Forensics. The book finishes up with a case study on traffic threat assessment and a discussion on Malicious Bots.
I have to give this book 5 stars out of 5 for its fresh and unique look at internal and outbound intrusions. Richard doesn’t rehash what a thousand other network security pros have written.”
Josh
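The Enterprise Sink Hole idea from the review above (route unused internal address space to a collector and watch who talks to it) is easy to turn into a small detector. The following is an added example, not code from the post or from Bejtlich’s book: it assumes a list of internal prefixes that are deliberately left unallocated and sink-holed (`SINKHOLE_PREFIXES`, an assumption for this example) and a handful of constructed flow records. A source that touches many distinct sink-holed addresses within a short window is exactly the compromised-host-scanning-the-LAN case the section describes; a single stray hit is reported only if you lower the threshold.

```python
"""Sink-hole style detection of an internal host sweeping unused address space."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption for this example: these internal ranges contain no legitimate hosts
# and are routed to the sink hole, so any traffic to them is suspect.
SINKHOLE_PREFIXES = [ip_network("10.0.50.0/24"), ip_network("10.0.200.0/22")]

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (100, "10.0.1.15", "10.0.1.20", 445),     # normal file-share traffic
    (101, "10.0.1.15", "10.0.50.1", 445),     # sink-holed (dark) space from here on
    (101, "10.0.1.15", "10.0.50.2", 445),
    (102, "10.0.1.15", "10.0.50.3", 445),
    (102, "10.0.1.15", "10.0.50.4", 445),
    (103, "10.0.1.15", "10.0.200.9", 445),
    (104, "10.0.1.15", "10.0.201.77", 445),
    (105, "10.0.2.8", "10.0.50.7", 80),       # one stray hit, e.g. a mistyped URL
    (106, "10.0.3.3", "10.0.3.4", 22),        # normal admin traffic
]


def in_sinkhole(dst: str) -> bool:
    """True if the destination falls inside a sink-holed (unallocated) prefix."""
    addr = ip_address(dst)
    return any(addr in net for net in SINKHOLE_PREFIXES)


def flag_scanners(flows, min_targets: int = 5, window: int = 60) -> dict:
    """Return {src: {"distinct_targets": n, "ports": [...]}} for every source that
    reached at least `min_targets` distinct sink-holed addresses within any
    `window`-second span. Distinct targets are counted per window so that one
    long-lived but harmless misconfiguration does not accumulate into an alert."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if in_sinkhole(dst):
            per_src[src].append((ts, dst, port))

    flagged = {}
    for src, events in per_src.items():
        events.sort()                      # order by timestamp
        best, left = 0, 0
        for right in range(len(events)):   # sliding window over the events
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = len({e[1] for e in events[left:right + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            flagged[src] = {
                "distinct_targets": best,
                "ports": sorted({e[2] for e in events}),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {info['distinct_targets']} dark targets on ports {info['ports']}")
```

On the sample data only 10.0.1.15 is flagged (six distinct sink-holed addresses in four seconds, all on port 445); the lone hit from 10.0.2.8 stays below the threshold. In practice the same per-source count is what you would feed into the short-term containment the review mentions, since the sink hole already has the offending source address.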
System & Network Administrator /= Security Administrator
by Josh on Jan.15, 2009, under Uncategorized
A section of a book that I have been reading (Protect Your Windows Network From Perimeter to Data by Johansson & Riley) really made me sit and think, especially since it is so personally applicable to where I am and where the organization I am with is. Let me just quote it for you and let you think on it. (I have sourced it from a sample chapter available online, found here.)
System Administrator – Security Administrator
“Making system or network administrators manage security is counterproductive; those job categories then would have conflicting incentives. As a system or network administrator, your job should be to make systems work, make the technology function without users having to think about it, making the technology transparent. As a security administrator, your job is to put up barriers to prevent people from transparently accessing things they should not. Trying to please both masters at the same time is extremely difficult. Dr. Jekyll/Mr. Hyde may succeed at it (for a time at least), but for the rest of us, it is a huge challenge. The things that will get you a good performance review in one area are exactly what will cost points in the other area. This can be an issue today because many who manage infosec are network or system administrators who are also part-time security administrators. Ideally, a security administrator should be someone who understands system and network administration, but whose job it is to think about security first, and usability/usefulness second. This person would need to work closely with the network/system administrator, and obviously the two roles must be staffed by people who can work together. However, conflict is a necessity in the intersection between security and usability/usefulness. Chances are that only by having two people with different objectives will you be able to find the optimal location on the continuum between security and usability/usefulness for your environment.”
Josh
Another New SANS Class: Hacker Techniques, Exploits & Incident Handling
by Josh on Jan.12, 2009, under Uncategorized
So when SANS had a really nice 30% discount on OnDemand classes, I had to go for it: Hacker Techniques, Exploits & Incident Handling
I have until late April to finish it. And no, I haven’t forgotten about doing my GSEC Gold Certification. But I will also need to do my GCIH Gold Certification. So I thought I might as well finish this next class, and then do both Gold Certs. I will then be able to apply for the SANS Master’s program!
Josh