Slashdot Mirror


Internet Site Security

Mirko Zorz writes "Internet Site Security - what a name for a book. When I first heard about it I was thinking: '1400 pages, 6 CDs,' but when the book came and I began to read through it, I realized how much good information the authors were able to fit into just over 400 pages. We all want 'big books' but with this one, the authors take a somewhat different approach, one that is less connected to software versions and that will endure over time. But, before we get into the core of the book, let's take a look at the people behind it." Mirko's review continues below.

Internet Site Security
author: Erik Schetina, Ken Green and Jacob Carlson
pages: 432
publisher: Addison Wesley
rating: 8
reviewer: Mirko Zorz
ISBN: 0672323060
summary: This book manages to shed new light on the problems of security implementation; a good gift idea for both your IT manager and your system administrator.

About the authors

Erik Schetina, CISSP, is the CTO for TrustWave Corporation. He spent 14 years with the U.S. Department of Defense developing information security systems and public key cryptosystems. Jacob Carlson is a senior security engineer for TrustWave Corporation. His primary role is leading the penetration testing and vulnerability assessment team. In his copious free time he likes breaking things and writing code. Ken Green is a senior security engineer for TrustWave Corporation where he works extensively on intrusion detection systems, firewalls, and virtual private network initiatives.

When you read biographies like the ones above you can be somewhat reassured that the content of the book is good. All of the authors come from TrustWave Corporation, and the fact that they work together has influenced the writing of this book, in a very good way.

The basics

At the very beginning of the book the authors show us that the starting point for building a secure environment is not the implementation of a solution but rather defining the assets we want to protect. You have to know what threatens your assets in order to choose the best security solution.

The authors successfully illustrate how different things such as system administration, policy and audits fit into an overall security plan. Throughout the book, the authors educate the reader by making sure he sees "the big picture." The bottom line is that "the transition from a techie to a security professional consists in recognizing the importance of all the components of security." In the second chapter some great material is covered: a description of the security process, assessment and policy, asset protection, monitoring and detection.

Which one is better?

When describing the way things can be done, the authors always give you the pros and the cons. For example, at one point they describe the difference between using commercial scanners in penetration testing and using a team of people who test by hand. They provide good pros and cons for both approaches, and that's one of the great things about this book: you always get to look at the other side of the coin.

The insecurities

What we all know is that the Internet is inherently insecure -- that's why this book was published in the first place. The authors explain why it's insecure, who administers it and how it works. Some of the topics presented here are: an overview of TCP/IP, the Domain Name System (DNS), Whois databases, anonymity, and much more.

History is also present in this book. Chapter 4 begins with a brief overview of the history of the Internet and the TCP/IP protocol suite. Also mentioned is the Morris Worm (November 1988). As we move on, DNS is explained in greater detail (with some security issues addressed specifically), and we are slowly presented with an abundance of technical detail that stretches over several chapters. Some of the things explained in the book include: secure protocols, virtual private network protocols and encapsulation, the secure shell (SSH) and authentication systems.

As an inevitable part of a book of this kind, there's a part dedicated to passwords (and good rules for their generation), and another on digital certificates. The authors present the shortcomings of certificates as well as their best uses. Although neither of these is explained in great detail, you'll be able to get an overview of the things presented.

Moving on, we get a plethora of information covering: firewalls, DMZs, VPNs, external and internal threats, the security of wireless networks, workstation management issues, intrusion detection systems and log processing, etc.

Operating systems

The book also gives some good information when it comes to operating systems and server software. Some of the covered topics include:

  • Windows NT and 2000 - authentication, access tokens, security identifiers, object access control lists, tightening Windows user rights, etc.
  • Linux - overview of the Linux kernel, file system permissions, authentication mechanisms, how PAM works, etc.
  • Server security: web, mail, FTP, etc.

Attack and defense

If you want information about attacks, denial of service attacks are covered in great detail, along with many other attack scenarios. Since you also want to protect yourself from all of these attacks, there's naturally much material dedicated to firewalls: their functions, implementation issues and vulnerabilities. Now that's not enough, is it? You want more. There's a whole chapter dedicated to intrusion detection systems and one dedicated to incident response and forensics. The chapter on incident response and forensics will be of particular interest to those of you who want more knowledge of legal and privacy issues.

Secure Code

To complete the book, there's a chapter dedicated to the developers, which discusses the development of secure Internet applications. Here you'll be able to read about common sources of programming mistakes, exploiting executable code, application-level security, coding standards, and more.

The verdict

This book manages to shed new light on the problems of security implementation by explaining the position of the system administrator and the position of the IT manager, so that both understand their role in the company's overall security process. It's a good idea to give it to both your IT manager and your system administrator; they will both learn from it and in the process start to understand each other on a new level. With this book, you basically learn to think on a larger scale.

There are not many downsides. There are basically only two things that I didn't like about this book: the lack of resources, and (in parts) the writing style. There are not enough resources listed, and I always like to get to more information. As for the writing style, it's obvious that this book was not meant to entertain in any way, but it sometimes seems a bit too serious. I always believed that learning should be fun. That's just me :)

Overall, this is an excellent book, two thumbs up!

If you're interested in hearing what one of the authors of the book has to say, you can check out an interview with him here. You can purchase Internet Site Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

34 of 122 comments

  1. I like big Books, and i cannot lie... by _Sambo · · Score: 3, Funny

    "We all want 'big books'"

    I thought we all wanted bigger manhood. At least that's what 30% of my spam has been promising. And for only $50!

  2. little suggestion by newsdee · · Score: 5, Insightful

    This may have been suggested before: /. should add what the "average price" for the book is in the review summary. I know some subjects are "priceless" for some but for the common mortals affordability is the main concern :-)

    1. Re:little suggestion by Lev13than · · Score: 4, Informative

      Looks like you can pick it up for about US$35.99 (I have no connection to this vendor).

      --
      When you have nothing left to burn you must set yourself on fire
    2. Re:little suggestion by mbadolato · · Score: 3, Funny

      >> BTW, the $ symbol tells everyone it is US currency, hence the US is redundant in your price post.

      Really? Maybe we outta go smack those damn Canadians around then for weezing our gig</Pauly_Shore> ;-)

  3. Ask Slashdot...A little OT by FreeLinux · · Score: 5, Interesting

    The article states "We all want big books" but, I want to know if this is true. Lately I've been getting tired of suffering through these massive books that are being published of late. Most especially vexing is that it seems that many/most of these 1000+ page books are artificially inflated, size-wise. They don't seem to have any more really valuable content than books half their size. Compound this with the fact that the wordy inflation of the books seems to make them much harder reads, not to mention taking an eternity to get through it.

    So, I ask the Slashdot crowd; Do you really want big/bigger books? Or, is 300 pages plenty, provided the information is in there?

    1. Re:Ask Slashdot...A little OT by jarkko · · Score: 3, Informative

      I don't want to wade through 1500 pages of crap if the text can be condensed into 50 pages. I always got pissed off at those certain linux-books that had 100 pages of introductory material written by the author and 1400 pages of reprinted HOW-TOs and man-pages. That just plain sucks.

      K&R book was OK. Anything beyond 500 pages is way too much, unless you're aiming at "The World Explained for Really Dumb People: From Physics to Philosophy"

    2. Re:Ask Slashdot...A little OT by LordKariya · · Score: 3, Informative

      Most of those huge books contain several hundred pages of pure reference in the back - for example, a large number of appendices. An html book I have here contains quick tag listings, number-->symbol conversions, etc. Sometimes they're more useful than the rest of the book's content.

      --
      I alternate between posting +5 and -1 Comments. Karma: +53 -47 = 6
  4. But was he with the DOD when ... by burgburgburg · · Score: 5, Funny
    David Lightman was able to wardial his way into NORAD and almost start WWIII?

    Joshua: "Do you want to play a game?"

  5. I have seen many books on internet security by Real+World+Stuff · · Score: 5, Insightful

    on the shelves of my former colleagues. One fellow in particular was adamant about collecting these books. Unfortunately, he was not as rabid about IMPLEMENTING security. My point is, regardless of the size of the book or the library, it is all worthless unless the measures outlined and detailed are followed.

    --
    If we don't fight for ourselves no one will.
  6. Quality over size by newsdee · · Score: 5, Interesting

    Frankly, most IT books have more than 300 pages and are priced at $50 or more. Most of these, however, are filled with a lot of "tricks" to increase page count - large fonts, large margins, useless chapters, you name it. Editors have to make a living, but if as the consumer we are always saying "the bigger the better", then it will only result in editors believing that "size is everything" as their daily spam suggests.

    1. Re:Quality over size by pommiekiwifruit · · Score: 5, Informative
      The books I buy tend to be ~256 pages (Scott Meyers, Herb Sutter, Kernighan etc.) or ~64 pages (Xenophobes Guides). I fail to see why people would read a 1500 page listing of windows.h or something like that.

      Some people buy cars with the turning radius of an oil tanker, books with 10 pages of useful content and 1000 pages of bug-ridden listings, and big plastic boxes with a couple of silicon chips in them, so maybe this is a cultural thing. I leave admiring the bigger is better idea to personal attributes (Jouko Ahola/Lola Ferrari/Filip Smirnov for example) or possibly monumental architecture rather than consumer items.

    2. Re:Quality over size by rossz · · Score: 4, Interesting

      This is one of my pet peeves. Computer books are too damn expensive, especially given the fact that most of those $40 or $50 books will be obsolete within six months (I'm being generous by saying six months).

      Yes, it's a niche market. Geek books will never have the market of someone like Stephen King. However, attempting to gouge me only means I buy a couple of computer books a year. Whenever I look at a computer book, I ask, "do I NEED this book", as opposed to just wanting it. Very few books can get by this rule.

      And why the hell is a paperback geek book more expensive than a hardbound novel?

      --
      -- Will program for bandwidth
  7. Re:Books on security... by tomknight · · Score: 3, Insightful
    I don't think that's necessarily true.

    If the book's about how to ensure a given app is secure (e.g. BIND, IIS) then you're right, as both apps keep having vulnerabilities found.
    If it's about the general principles of security then it will become out of date but not as quickly as you make out.

    Tom.

    --
    Oh arse
  8. Synopsis. by grub · · Score: 5, Funny
    Don't use IIS.

    what were the other 1399 pages for?

    --
    Trolling is a art,
    1. Re:Synopsis. by ceejayoz · · Score: 4, Interesting

      Honestly, if IIS was as insecure as Slashdot likes to think it is, wouldn't the Microsoft site have been hacked more often?

    2. Re:Synopsis. by caluml · · Score: 5, Informative

      Contrary to popular belief, it isn't impossible to run IIS and not get hacked.
      We ran about 30 of them, and if you are clever about it, you can do all kinds of things to keep the bugs out.

      Step 1. Remove all mappings apart from asp.dll
      Step 2. Keep web content on a different drive to the system (thus negating ../../../cmd.exe stuff)
      Step 3. Disable, and never use the default website.

      With those 3 things, you don't get affected by about 60% of the bugs.

      Add things like making all the static content read only, and only allowing a certain secured, firewalled server to update the DBs, and you're almost there. Disallow any net connections originated by the webservers (with exceptions of course) and you rule out strange shells making connections to IRC servers, etc.
      The only other thing is then to STAY PATCHED.

      Having said what I've said, I wouldn't like to do it again. Keeping those things secure took up so much of my time. Should it be a full time job to keep webservers running securely?
      rpm --freshen -vah apache*.rpm anyone?
      Now I have lots more time to do more interesting things ;)
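
The "../../../cmd.exe stuff" caluml's step 2 neutralises is the request shape where an encoded `..` slips past the server's path check and lands on the system drive. The following is an added example, not code from the review, the book or the commenter: a small Python scanner that normalises the URI stem of IIS W3C-format log lines the way a lenient decoder would (repeated percent-decoding, overlong two-byte UTF-8 folded to `/` and `\`, backslash unified with slash) and then flags any request that climbs above the web root or asks for `cmd.exe`. The log lines are constructed for the example; the field order and the 0xC0/0xC1 folding are assumptions about what the server would have accepted.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in IIS W3C extended format (fields: date time c-ip
# cs-method cs-uri-stem cs-uri-query sc-status). They are made up for this
# example, not taken from a real server.
SAMPLE_LOG = """\
2002-06-10 10:01:02 10.0.0.5 GET /default.asp - 200
2002-06-10 10:01:09 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2002-06-10 10:01:15 10.0.0.9 GET /scripts/..%255c..%255c../winnt/system32/cmd.exe /c+dir 200
2002-06-10 10:02:00 10.0.0.7 GET /images/logo.gif - 304
2002-06-10 10:02:30 10.0.0.9 GET /_vti_bin/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir 500
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def _fold_overlong(raw: bytes) -> bytes:
    """Collapse overlong two-byte UTF-8 sequences (0xC0/0xC1 lead bytes) to the
    ASCII byte they encode, e.g. C0 AF -> '/', C1 9C -> '\\'. A strict decoder
    rejects these; a lenient one (assumed here) turns them into separators."""
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def normalize_path(stem: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches %25 double
    encoding), fold overlong UTF-8, and unify backslash with slash."""
    cur = stem
    for _ in range(max_rounds):
        decoded = _fold_overlong(unquote_to_bytes(cur)).decode("latin-1")
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def escapes_webroot(norm_path: str) -> bool:
    """True when a '..' segment would climb above the document root."""
    depth = 0
    for seg in norm_path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_log(text: str) -> list:
    """One finding per log line whose normalized URI stem escapes the web root
    or names cmd.exe; sc-status is kept so 200s can be triaged first."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when, client, method, stem, query, status = m.groups()
        norm = normalize_path(stem)
        reasons = []
        if escapes_webroot(norm):
            reasons.append("traversal above web root")
        if norm.lower().endswith("/cmd.exe"):
            reasons.append("command interpreter requested")
        if reasons:
            findings.append({
                "time": when, "client": client, "method": method,
                "raw": stem, "normalized": norm, "status": int(status),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["status"], f["normalized"], "; ".join(f["reasons"]))
```

The point of decoding to a fixed point rather than once is that a single `unquote` turns `%255c` into the literal text `%5c`, which a naive check then passes. Keeping the content on a drive other than the system drive, as the comment recommends, means that even a traversal the server fails to catch ends up on a volume with no `cmd.exe` on it.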

  9. Big Books by Gary+Franczyk · · Score: 4, Insightful

    Yes, big books are kind of a trend in the computer-book realm. Where else in the bookstore would you find monstrous tomes like the ones you see on Visual Basic or Java?

    It has a lot to do with how much they charge for these books. You want $50 for a book that costs $3 to print? (I can hear the anti-RIAA trolls now :-) Much like the huge portions that restaurants now serve, people want to feel that they are getting some value for the obviously inflated prices. Even if they were only going to eat a small amount, they are happy to see a huge plate of food for their $12.

    If you were to get a normal sized entree (or book) for the amount of money you are spending, you would feel that something is wrong, that you are getting ripped off somehow. Big books sell more than small books. Even if the content is the same. They will make the typeface larger and include tons of screenshots if that is what it takes to make a massive volume.

  10. Morris worm by Hulver · · Score: 3, Informative

    Well, here was me thinking that the morris worm was in 1988, not 1998.

  11. Re:Books on security... by sczimme · · Score: 5, Insightful

    Are always horribly obsolete.

    Not necessarily.

    Books that cover the latest vulnerability in RandomOS can go stale very quickly; books that teach sound security principles tend to have a much longer shelf life.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  12. Aberdeen Group? by burgburgburg · · Score: 5, Insightful
    And we are supposed to take the word of the Aberdeen Group because ...?

    Let's look at some previous work of theirs, reprinted here

  13. You may have noticed a Barnes and Noble bfast link by Real+World+Stuff · · Score: 4, Informative

    at the end of the review. If you decide to buy this book consider using the /. clickthrough link. It generates revenue for the /. crew, and is a convenient way to shop. This is a new feature outside of the OSDN advertising. So support Rob and the crew directly and click on that link.

    --
    If we don't fight for ourselves no one will.
  14. Re:E-Week Article on security by binaryDigit · · Score: 4, Insightful

    This demonstrates that as an industry we have a lot of work to do in security

    I think that this comment by a M$'ie is the key point. If OS people sit around patting themselves on the back because of how much more secure OS is because of all those "talented eyes" that are poring over the code, then they are going to be in for a very rude awakening. All this "your software is less secure than mine" blustering just simply points out that the overwhelming majority of software that is used out there (regardless of the religious camp from which it originated) has serious security issues. The OpenBSD camp seems to be the only ones that are making a focused effort to try to shore things up in this regard, and until others (M$ and Linux) tackle the issue with the same zeal, we'll continue to have problems.

  15. the main problem is not technical. by jb_nizet · · Score: 5, Interesting

    I've been involved as a developer and/or security consultant in several internet projects, and I've noticed that the main problem, most of the time, is not really technical. If you really want a secure web site, you can have one relatively easily. Of course it might not be absolutely secure, but it's very hard to break by the average hacker.
    The main problem is that security is often developed at the end of the project, or completely forgotten, because it doesn't add any functionality to the application.
    At the beginning of the project, a prototype is developed (without security, because the goal is to show the application functionality), then a first version (still without security, because you're in a hurry), then the whole thing is developed and someone sometimes starts thinking about security.
    Since the application hasn't been designed at the very beginning with security aspects in mind, you end up adding hacks and workarounds to the application to make it a bit more secure, but it's sometimes very hard because it might break the functional spec or make the application look different than in the demo.
    At the end, you often end up with a solution which uses security through obscurity: since there is no link to this administration page in the welcome page, users won't find it! BAHAHAHAHA!

    JB.
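
The failure mode JB describes, an admin page that is "protected" only by not being linked, is usually the result of authorization being a check the developer has to remember to add to each handler. The following is an added example, not code from the review or from the commenter: the unlinked-page version beside a route table where every handler must declare the minimum role that may call it, so a route without a policy is a registration error rather than an open page. The user list, bearer tokens and role names are constructed for the demo; a real application would consult its session or identity store.

```python
import hmac
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]

# Constructed demo principals: user -> (role, bearer token). These values are
# invented for the example and would come from a session store in practice.
USERS: Dict[str, Tuple[str, str]] = {
    "alice": ("admin", "tok-alice-7f3a"),
    "bob": ("user", "tok-bob-91c2"),
}
RANK = {"anonymous": 0, "user": 1, "admin": 2}


def obscure_dispatch(path: str, headers: Dict[str, str]) -> Response:
    """The bolted-on 'security': /admin exists, is unlinked, and checks nothing."""
    pages = {"/": "welcome", "/admin": "admin console"}
    return (200, pages[path]) if path in pages else (404, "not found")


class Router:
    """Every route must declare the minimum role that may call it; a route
    registered without a known role is rejected at registration time."""

    def __init__(self) -> None:
        self._routes: Dict[str, Tuple[str, Callable[[], str]]] = {}

    def add(self, path: str, min_role: str, handler: Callable[[], str]) -> None:
        if min_role not in RANK:
            raise ValueError(f"route {path!r}: unknown role {min_role!r}")
        self._routes[path] = (min_role, handler)

    @staticmethod
    def _authenticate(headers: Dict[str, str]) -> Optional[str]:
        """Map 'Authorization: Bearer <token>' to a user, comparing in constant time."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        presented = auth[len("Bearer "):]
        for user, (_, token) in USERS.items():
            if hmac.compare_digest(presented, token):
                return user
        return None

    def dispatch(self, path: str, headers: Dict[str, str]) -> Response:
        if path not in self._routes:
            return (404, "not found")
        min_role, handler = self._routes[path]
        user = self._authenticate(headers)
        role = USERS[user][0] if user else "anonymous"
        if RANK[role] >= RANK[min_role]:
            return (200, handler())
        # Distinguish "who are you" from "you may not": 401 vs 403.
        return (401, "authentication required") if user is None else (403, "forbidden")


def build_app() -> Router:
    app = Router()
    app.add("/", "anonymous", lambda: "welcome")
    app.add("/profile", "user", lambda: "your profile")
    app.add("/admin", "admin", lambda: "admin console")
    return app


if __name__ == "__main__":
    app = build_app()
    print(obscure_dispatch("/admin", {}))  # (200, 'admin console')
    print(app.dispatch("/admin", {}))  # (401, 'authentication required')
    print(app.dispatch("/admin", {"Authorization": "Bearer tok-bob-91c2"}))  # (403, 'forbidden')
    print(app.dispatch("/admin", {"Authorization": "Bearer tok-alice-7f3a"}))  # (200, 'admin console')
```

The design choice is that the policy lives in the route table, not in the handler: adding `/admin` late in the project still forces the author to say who may call it, and the first request from an anonymous client gets a 401 whether or not the welcome page links to it.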

  16. Password generation by ceswiedler · · Score: 5, Interesting

    My favorite way to generate passwords is to alternate random consonants and vowels. The results are just about as 'secure' as any other randomly generated password (i.e., knowing the pattern won't help very much) and much easier to remember. Social engineering is always the easiest way to break passwords, and people often write down difficult-to-remember passwords.

    Some examples:
    gymolifi
    tosenima
    qopanela

    Because of the alternating pattern, the results are almost always pronounceable, which makes the passwords significantly easier to remember. Digits or symbols can be added to satisfy password requirements and increase security.

    1. Re:Password generation by SirSlud · · Score: 3, Interesting

      I usually select passwords that are patterns on my keyboard (non-trivial patterns).

      People seem to select lexicographical patterns (words with numbers replacing some of the letters .. 1 instead of l, etc). And anybody trying out programmatic attacks on passwords is likely not going to consider the pattern-space of the keyboard (instead favouring dates, names, words, and variations thereof) as a possible source of passwords.

      And I don't have to remember the password proper; only the non-trivial pattern it makes on my qwerty. Results are usually with letters, numbers, and symbols, but it's very easy to remember the visual footprint of these passwords.

      --
      "Old man yells at systemd"
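
The consonant/vowel scheme from comment 16 is easy to generate and easy to measure. The following is an added example, not code from the review or from either commenter: a CSPRNG-backed generator for that pattern, plus an entropy calculation that assumes the attacker knows the pattern (the honest way to count), so the cost of the memorability can be compared with a uniform random string of the same length. It treats 'y' as a consonant, which is an assumption the original post does not state.

```python
import math
import secrets
import string

# 'y' is counted as a consonant here (an assumption; the original post does
# not say which letters it treats as vowels).
VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)  # 21 letters
DIGITS = string.digits


def alternating_password(length: int = 8, digits: int = 0) -> str:
    """Consonant, vowel, consonant, ... from a CSPRNG, optionally followed by
    random digits for sites that demand them."""
    letters = [secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length)]
    suffix = [secrets.choice(DIGITS) for _ in range(digits)]
    return "".join(letters + suffix)


def is_alternating(password: str) -> bool:
    """True when even positions are consonants and odd positions are vowels."""
    return all((ch in CONSONANTS) if i % 2 == 0 else (ch in VOWELS)
               for i, ch in enumerate(password))


def entropy_bits(length: int, digits: int = 0) -> float:
    """Entropy of the alternating scheme when the attacker knows the pattern:
    each consonant slot is one of 21, each vowel slot one of 5, each digit one
    of 10, all chosen independently."""
    consonant_slots = (length + 1) // 2
    vowel_slots = length // 2
    return (consonant_slots * math.log2(len(CONSONANTS))
            + vowel_slots * math.log2(len(VOWELS))
            + digits * math.log2(len(DIGITS)))


def uniform_entropy_bits(length: int, alphabet_size: int = 26) -> float:
    """Entropy of the same length drawn uniformly from the whole alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float) -> int:
    """Smallest even length at which an alternating password reaches target_bits."""
    n = 2
    while entropy_bits(n) < target_bits:
        n += 2
    return n


if __name__ == "__main__":
    pw = alternating_password(8, digits=2)
    print(pw, is_alternating(pw[:8]))
    print(f"8 alternating letters: {entropy_bits(8):.1f} bits")
    print(f"8 uniform letters:     {uniform_entropy_bits(8):.1f} bits")
    print(f"alternating length matching 8 uniform letters: {length_for_bits(uniform_entropy_bits(8))}")
```

Eight alternating letters carry about 26.9 bits against 37.6 for eight uniformly random lowercase letters; the pattern buys pronounceability at a cost of roughly 11 bits, which two extra letter pairs or a few appended digits recover. That is the trade a practitioner should make consciously rather than assume away.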
  17. who wants big books? by customiser · · Score: 4, Insightful

    >We all want 'big books'

    No we don't. Personally, since reading Kernighan & Ritchie, I've been convinced that good books have to be slim.

    (another precondition is that it doesn't have a "Learn X in x minutes/hours/days" title)

    1. Re:who wants big books? by Tet · · Score: 3, Interesting
      Personally, since reading Kernighan & Ritchie, I've been convinced that good books have to be slim.

      I couldn't agree more. In fact, K&R themselves said it best in the preface to the second edition:

      C is not a big language, and it is not well served by a big book.
      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
  18. 1998: Maurice Worm by burgburgburg · · Score: 5, Funny

    Much more insidious, because it speaks of the pompatus of love.

  19. somewhat contradictory by warpSpeed · · Score: 4, Interesting
    Rating: 8

    Overall, this is an excellent book, two thumbs up!

    This seems kind of odd, or is it just "thumb" inflation. Two thumbs up does not mean what it used to...

  20. Quality, not quantity by StRex · · Score: 4, Insightful

    I honestly will not buy a technical book in the 1,000+ page range, especially if the title:

    • Includes the words "bible", "unleashed", or "secrets"
    • Is entitled Learn x in y days/hours

    Why? Because I know I'm unlikely to digest the contents of 1000+ pages of text on one subject, if I manage to finish it. I also generally suspect large books of rehashing FAQs or other widely-available docs just to fill pages.

    I don't consider myself an O'Reilly bigot, though I do lean towards their books since they tend to publish smaller, focused books. If a book is pure reference, I may consider buying it if it's 1000+ pages. Following are examples of some great books I've bought that I found very useful and readable due to their small size:

    The Internet already offers me an overwhelming, disorganized pile of information on any subject--and at least it's searchable via Google. Dead tree books have use when they're usable and organized, and I've found that generally translates into a smaller book.

  21. Newer and cheaper book available by goonies · · Score: 5, Informative

    Did anyone notice that there is a newer book available on amazon.com than the book mentioned in the text above? The publisher is now Addison Wesley Professional and it is also a little bit cheaper. It has the same amount of pages and seems to be the same edition.

    --
    .sigh
  22. Don't be seduced by big books by The+Pim · · Score: 3, Insightful
    Or, is 300 pages plenty, provided the information is in there?

    Not only is a big book not necessarily better; it is almost invariably worse. For simple reasons: Writing well is difficult. It takes a lot of work for an author--or a team of two or three working closely--to produce 200 quality pages. 1000 quality pages would be a monumental effort that, frankly, nobody's going to put into a book on Visual Basic. Further, concision is a mark of good writing, so when you see a big book, you should wonder, "why were they not able to get this into 200 pages?". Not to mention that a big book takes longer to read, is harder to find things in, and is less convenient to use and carry.

    For most technical books, the only ways to get to 1000 pages are to write sloppily, add filler, or employ many authors working independently. The last tends to produce an incoherent whole, and make each author care less about his contribution.

    The main exceptions are books with a justifiably large reference section (large because there is truly a lot of valuable material to reference, which is uncommon), and, to some extent, books that have been through several editions, whose authors have put new effort into each edition.

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
  23. Please explain... by gillbates · · Score: 3, Insightful

    why the parent post got modded down as a troll. I don't find anything particularly incendiary about what the poster said. Unlike a lot of posters here on slashdot, he actually took the time to think of something unique to say rather than repeating the same tired old arguments.

    You may not agree with what he said, but I think he made his points rather well. If you disagree with what the poster said, why not post a reply?

    --
    The society for a thought-free internet welcomes you.
  24. Writing secure programs... by dwheeler · · Score: 4, Informative

    If you're interested in writing secure applications for Linux/Unix systems, take a look at my free book, Secure Programming for Linux and Unix HOWTO, available at http://www.dwheeler.com/secure-programs.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)