Tag: InfoSec
Book Review of “Tao of Network Security Monitoring”
by Josh on Aug.05, 2008, under Uncategorized
The Tao of Network Security Monitoring: Beyond Intrusion Detection was the first Information Security book that I read. The author, Richard Bejtlich, has authored a few other books that I hope to read soon. As for Tao, I have found it to be an absolutely fascinating book on InfoSec.
The author starts out by laying the groundwork of Risk Management, and how risk, threats, vulnerabilities and exploits are defined and used in the real world.
The author then makes this statement:
“Security is the process of maintaining an acceptable level of perceived risk. A former director of education for the International Computer Security Association, Dr. Mitch Kabay, wrote in 1998 that “security is a process, not an end state.” No organization can be considered “secure” for any time beyond the last verification of adherence to its security policy. If your manager asks, “Are we secure?” you should answer, “Let me check.” If he or she asks, “Will we be secure tomorrow?” you should answer, “I don’t know.” Such honesty will not be popular, but this mind-set will produce greater success for the organization in the long run.”
With this kind of outlook on security, the author puts forth the concept of a “defensible” network: a network that can easily be watched (monitored); a network that limits an intruder’s freedom to maneuver; a network that offers a minimum of services; and finally, a network that can be kept current.
With this foundation laid, the author delves into “Network Security Monitoring,” which is defined as “the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.” The rest of the book deals with the practical aspects of NSM: how to set up and use programs to collect NSM data; best practices; case studies; managing an NSM program; and finally, tactics on attacking NSM, and ways to mitigate these risks.
I have found this book to be very helpful in bringing balance to my understanding of how Intrusion Detection fits into an InfoSec program. I will follow up on this thought in my next post.
I would highly recommend this book to anyone interested in going deeper into InfoSec, especially dealing with Intrusion Detection Systems. It does have quite a bit of BSD-centric material, a lot of which I skipped over, but the principles are still very useful.
I hate to give my first book review a 10 out of 10, but any less would not do it justice.
Josh
Linux Security..
by Josh on Apr.18, 2008, under Uncategorized
So, because of some work that I am doing right now, I went ahead and skipped ahead to the module “Linux Security.” As I finished the module yesterday, I have to say, I thoroughly enjoyed it! We started out with the basics, then went deeper from there. I had a virtual machine running CentOS 5, so I was able to practice a lot of the things we talked about. Here are a couple of thoughts on things that we covered:
-The Power of the CLI (Command Line Interface): wow. I have never felt more comfortable at a CLI. Watch for another post on the CLI, specifically about piping.
-Syslog: I have always wanted to get a little bit more in-depth on syslog, and here was my chance. We learned about how syslog is used to consolidate all your logs from your other servers, even your Windows servers, and how to use rsyslog to securely transmit your logs via an encrypted TCP connection to your syslog server.
-Security: Many ways to harden a server, especially an internet-facing webserver:
-Kernel Hardening:
-Network Resource Hardening: Changing network parameters such as ignoring all pings that come from a broadcast address (mitigating a particular Denial of Service attack)
-System Resource Hardening: Limiting a user's CPU cycles, how many processes he can run at a given time, how much memory he can use, etc. This can help mitigate fork bombing, an attack that rapidly increases the number of running processes to lock up all the system resources.
-SELinux: Developed in conjunction with the NSA, SELinux is a kernel-level, role- and policy-based access control; very difficult and time-consuming to integrate
-Warning Banners: Create a legally binding warning banner that the user has to accept before they can continue to use the system
-File Integrity Checkers: Use something like TripWire to generate checksums of critical system files of a pristine (new/clean) system; Email/Log alerts when checksums change, taking into account maintenance windows (when the files might have been validly changed because of system updates)
-chroot: Isolating the running user into a virtual root directory; used for applications like Apache, etc.
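As an added example (not from the post or the SANS course material), here is a small POSIX shell script that checks three of the items above the way a hardening audit would: whether broadcast ICMP echo is ignored (the net.ipv4.icmp_echo_ignore_broadcasts sysctl), whether /etc/security/limits.conf carries a hard nproc limit against fork bombs, and a minimal file integrity checker in the TripWire spirit that baselines SHA-256 checksums and reports files that changed or went missing. Each function takes an optional file or directory path so it can be run against constructed test input instead of the live system; the default paths and the sample limits line are assumptions, not taken from the post.

```shell
#!/bin/sh
# Hardening audit helpers (added example; paths and sample values are assumptions).

# --- Network resource hardening: broadcast pings should be ignored ---------
# Reads the kernel setting (or a file passed in for testing); value "1" is OK.
check_ignore_broadcast_pings() {
  file="${1:-/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts}"
  [ -r "$file" ] || { echo "cannot read $file"; return 2; }
  if [ "$(cat "$file")" = "1" ]; then
    echo "ok: broadcast ICMP echo requests are ignored"; return 0
  fi
  echo "WEAK: set 'net.ipv4.icmp_echo_ignore_broadcasts = 1' in /etc/sysctl.conf"
  return 1
}

# --- System resource hardening: a hard per-user process limit ---------------
# Looks for an uncommented 'hard nproc <n>' line in limits.conf (or a test file).
check_nproc_limit() {
  file="${1:-/etc/security/limits.conf}"
  [ -r "$file" ] || { echo "cannot read $file"; return 2; }
  if grep -Eq '^[^#]*[[:space:]]hard[[:space:]]+nproc[[:space:]]+[0-9]+' "$file"; then
    echo "ok: hard nproc limit present"; return 0
  fi
  echo "WEAK: add a line such as '*  hard  nproc  200' (assumed value) to $file"
  return 1
}

# --- File integrity checking: baseline and verify -------------------------
# sha256sum is GNU coreutils; shasum -a 256 is the fallback on BSD/macOS.
hash_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Print "<sha256>  <path>" for every regular file under a directory, sorted.
# Run this on a pristine system and store the output somewhere the server
# cannot alter it; regenerate it only after an approved maintenance window.
# (Filenames containing newlines are not handled by this simple loop.)
make_baseline() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do hash_cmd "$f"; done
}

# Compare the current files against a stored baseline. Prints CHANGED/MISSING
# lines and returns 1 if anything differs, 0 if everything still matches.
verify_baseline() {
  changed=0
  while read -r sum path; do
    if [ ! -f "$path" ]; then echo "MISSING $path"; changed=1; continue; fi
    now=$(hash_cmd "$path" | cut -d' ' -f1)
    [ "$now" = "$sum" ] || { echo "CHANGED $path"; changed=1; }
  done < "$1"
  return $changed
}

# Stand-alone demo on a constructed directory: run as  sh hardening_audit.sh --demo
demo_run() {
  tmp=$(mktemp -d)
  mkdir "$tmp/etc"
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/etc/passwd"   # constructed sample
  make_baseline "$tmp/etc" > "$tmp/baseline"
  echo "baseline written: $(wc -l < "$tmp/baseline") file(s)"
  printf 'evil:x:0:0::/:/bin/sh\n' >> "$tmp/etc/passwd"          # simulate tampering
  verify_baseline "$tmp/baseline" || echo "integrity check FAILED (as expected in demo)"
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo_run; fi
```

In practice the baseline would be produced right after installation and kept on read-only media or a separate host, and the verify step would run from cron with its output mailed or logged, which is the alert flow the post describes; the sysctl and limits.conf checks are the kind of thing that belongs in a post-build audit so the settings are confirmed rather than assumed.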
I’ve got to get going, but I will write another post on the CLI: piping sometime soon.
Josh
New Information Security Class
by Josh on Apr.03, 2008, under Uncategorized
I have started my first pre-requisite for the sans.edu Master’s of Information Security Engineering program. This first class is SEC401: SANS Security Essentials. You can check out the description here. It is basically the foundational class for the whole InfoSec program, and as such, it deals with some pretty basic topics (Networking Fundamentals, IP & Routing Fundamentals) and moves to some more interesting stuff (some basic Cryptography, Steganography, OPSEC, etc.). I am doing the program from my laptop at home, and it will take me somewhere close to 80+ hours, then the test. I will be doing some posts on some interesting things that I come across as I am taking the class.
Josh