Slashdot Mirror

← Back to Stories (view on slashdot.org)

Assessing Network Security

Posted by timothy on from the what-if-you-press-this-button-here dept.

Anton Chuvakin writes "I've read some pretty bad books on penetration testing; till now, nobody seemed to get this fun subject right! Good news - this time somebody did. Assessing Network Security comes to us direct from the bunkers of Redmond. Written by three Microsoft security researchers, the book provides a great overview as well as an in-depth coverage of assessing security via penetration testing ('pentesting'), scanning, IT audit and other means." Read on for the rest of Chuvakin's review of the book. Assessing Network Security author Ben Smith, David LeBlanc, Kevin Lam pages 592 publisher Microsoft Press rating 8/10 reviewer Anton Chuvakin ISBN 0735620334 summary Great pentesting book

Assessing Network Security starts with a nice overview of key principles of security (definitely not news for industry practitioners, but nice anyway), and then goes on to defines vulnerability assessment, penetration testing and security audit. A critically important section on reporting the findings is also nicely written, and shows that the authors are knowledgeable, and interested in showing a complete security process rather than just the looking-for-leaks part.

The authors then go into developing and maintaining pentesting skills, including advice on choosing training and resources (nice for those starting in the field). The actual pentesting process is split into non-intrusive (combining the usual "intelligence gathering" with port scans, sweeps and various host queries) and intrusive tests (such as running a vulnerability scanner, brute-forcing passwords, DoS testing and others). Some entries seem to belong in both categories (such as sniffing) but are placed into the intrusive section, for whatever reason. Up-to-date content (wireless, Bluetooth and web assessment, for instance) is well represented.

The authors also include a fairly insightful social engineering testing section (touching on dumpster diving and other non-network assessment methods). My favorite chapter was the one presenting various case studies - examples of specific threats/tests against Web, email, VPN and domain controller systems.

Among other features that I liked in Assessing Network Security were 'notes from the field' sidebars with fun stories related by authors, and FAQs at the end of each section. On the down side, the book is somewhat Windows-focused (although it is amazingly vendor-neutral in most respects, considering the source). The book is also somewhat dry, although the sidebars provide some needed relief when the text gets too process-oriented at times.

Assessing Network Security is largely about methodology, but I'd have preferred to see a bit more technical content, since it is a 600-page volume. I think the checklists present in the Appendix are a great step in that direction.

Overall, I enjoyed the book and think it is both a great guide and a reference for most security professionals, especially for those starting to be involved with penetration testing.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Security Strategist with a security information management company and maintains the security portal info-secure.org. He wrote Security Warrior and contributed to Know Your Enemy, 2nd Edition . You can purchase Assessing Network Security from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.

7 of 89 comments (clear)

  1. No grain of salt here by DenDave · · Score: 5, Interesting

    Being relitvely novice at network security I only have an extremely humble opinion but at the same time I must say that Mr. Chavaukin strikes me to be an extremeley adept man on this subject. Having just finished the Security Warrior I have learned a lot and I find his (and his co-author Mr. Pekari) insights and information to be extremely astute.
    No, I will take no grain of salt regarding his comments about the book in question, untill I have achieved a decent status in the matter I will refer to Mr. Chavaukin's comments eagerly!

    --
    -if at first you don't succeed, stay the heck away from paragliding.
  2. Re:What about... Linux code? by prisoner-of-enigma · · Score: 4, Interesting

    I think you're thinking a little bit simplistic here.

    No, I think he's being a lot simplistic here, but that's just part of the larger mindset of Slashdot. "Linux GOOD! Microsoft BAD!" It's become the sheep's favorite thing to say during intense meetings on this Animal Farm we call Slashdot. You can lead a zealot to the truth, but you cannot make him think.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  3. Re:What about... Linux code? by stoborrobots · · Score: 3, Interesting
    terrorists ...as they have no thought to any other side to a story than what they've been told to believe ... without letting any facts or alternative ideas get in the way ....


    The story of The Man in the Tinfoil Hat is a poignant one here... The relevant quote is (emphasis mine)...
    "I'm going to give you the best advice you'll ever get for survival in this field. Here it is: Never ask the lunatic if he's crazy. I repeat, never ask the lunatic if he's crazy. Of course he's going to say 'NO.' What do you expect? You're always going to get a self-serving, agenda-driven answer. People are 'crazy' because they can't, and don't, see the lunacy that drives their lives. Never ask the lunatic if his illusions are real. Of course he's going to say 'YES.' If his problems aren't real, then he's crazy. But since he's not crazy, the delusions are real. In a nutshell (no pun intended): the more absurd the belief, the more deeply it must be held, the more aggressively it must be promoted and angrily defended if the patient is to see himself as right and sane. Get it?"


    As the author of that article puts it further down:

    "If MS (and all its staff) is not evil and incompetent, then the zealots are crazy."

    I am a Linux user and advocate, but I still find these assertions silly...
    --
    "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
  4. Not all Microserfs are dolts by nurb432 · · Score: 2, Interesting

    Most are actually quite intelligent, and like the money and perks you get when working for the best funded company on the planet..

    I bet a lot of them do great work FOR the company, but its caught up and diluted by the much larger 'machine' that makes Microsoft go..

    --
    ---- Booth was a patriot ----
  5. "Researchers" by Daniel+Ellard · · Score: 2, Interesting
    You consider the security researchers incompetent because they are (or were) part of the Microsoft team?

    Giving credit where credit is due, Microsoft has put together an awesome team of researchers in many areas, including security. The list of people who work for MSR is a who's who of CS. The problem is that these guys ain't them. They might have a lot of practical knowledge about how to make Windows secure (and practical knowledge is often the best kind...) but I'm not sure I'd call them researchers.

    --
    Disclaimer: I work for a company, but I don't speak for them.
  6. Open source tools? by Earlybird · · Score: 2, Interesting
    This reminds of a question I've been pondering lately, which I believe would be on topic.

    I have a box on a public IP -- speaking as a person who cannot devote 24/7 to security, are there any good automated tools to verify its "openness" in terms of security vulnerabilities?

    I'm not talking about just potential root exploits and the like, but also about things like file permissions, which I find are hard to get exactly right on Unix (read: Linux with no special ACL stuff installed), where the file system does not support inheritance of security attributes.

    Many Linux distros come with a script that's run nightly to report potential vulnerabilities, changed files etc. There are also tools like Snort and Tripwire. I also use Munin and check it daily for signs of DOS attacks and other suspicious activity (eg., a sudden increase in the number of listening ports).

    What other automated tools do people here recommend?

  7. Re:more to security researchers than lab work by knghtrider · · Score: 2, Interesting

    Outlook eats itself randomly? really?? I've never seen that--and I've been supporting it for years.Outlook .pst files--pre-2000--yes, they had a 2GB limit,and quite frankly it was much less..But Outlook..used with either pop mail or exchange..has NEVER been a problem for me--unless the clueless user forgets how to use it or deletes their .pst file because they don't think they need it.

    Popups--that's a problem everywhere, even at home, but between SP2 and the google toolbar, it's minimal.

    Reinstall the OS? Only when some other software decides to corrupt it--but used with pure MS products..no problems.

    The biggest problem I have found, in supporting Microsoft's OS's over the years have been the end users screwing with things they shouldn't. Now, with the advent of group policy and being able to lock things down much tighter than I could even in NT Workstation, I don't worry about all of that.

    All-in all---I have more problems with the one Oracle server I support than I do with all of the other Microsoft ones--and that's about 45 servers..

    --
    In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c