Book Review: Network Security Auditing

brothke writes "Network Security Auditing is touted as the complete guide to auditing security, measuring risk, and promoting compliance. The book lives up to its promise and is a comprehensive reference to all things network security audit related." Read below for the rest of Ben's review.

Network Security Auditing
    author: Chris Jackson
    pages: 528
    publisher: Cisco Press
    rating: 9/10
    reviewer: Ben Rothke
    ISBN: 1587053527
    summary: Excellent highly technical and detailed reference

At almost 450 pages, the book covers all of the key areas around network security that are of relevance to those working in information security. As a Cisco Press title, written by a Cisco technical solutions architect, the book naturally has a heavy Cisco slant to it. Nonetheless, it is still an excellent reference even for those not working in a Cisco environment. While the first 3 chapters of the book provide an overview that is great even for a security newbie, the overall style of the book is highly technical and comprehensive.

Chapters 1-3 provide an introduction to the principles of auditing, information security and the law, and governance, frameworks and standards. Each chapter is backed with a significant amount of information and the reader is presented with a thorough overview of the concepts.

Chapter 3 does a good job of providing the reader with the details of current frameworks and standards, including PCI DSS, ITIL, ISO 17799/27001 and others. Author Chris Jackson does a good job of explaining the differences between them and where they are best used. Given this is a Cisco-centric book, he also shows how the various Cisco security products can be integrated for such regulatory and standards support.

Throughout the book, the author makes excellent use of many auditing checklists for each area that can be used to quickly ascertain the level of security audit compliance.

Chapter 6 is perhaps the best chapter in the book on the topic of Policy, Compliance and Management, and the author provides an exceptionally good overview of the need for auditing security policies. This is a critical area as far too many organizations create an initial set of information security policies, but subsequently never take the time to go back and see if they are indeed effective and providing the necessary levels of data protection.

Jackson notes that assessing the effectiveness of a policy requires the auditor to look at the policy from the viewpoint of those who will be interpreting its meaning. A well-intentioned policy might recommend a particular course of action, but unless specific actions are required, an organization can expect little from the policy in protecting its data assets, since it is easily misinterpreted.

The chapter suggests that the auditor ask questions such as: is the policy implementable, enforceable, easy to understand, based on risk, in line with business objectives, cost effective, effectively communicated, and more. If these criteria are not well-defined and delineated, then the policies will exist in text only, offering little information security protection to the organization.

Jackson also writes of the need to measure how well policies are implemented as part of a security assessment. He suggests using a maturity model as a way to gauge where the organization is in its evolution towards fully integrating security into its business processes, or whether it already has a formal integration process in place.

In chapter 8 on Perimeter Intrusion Prevention, Jackson writes that protecting a network perimeter used to be a relatively easy task. All an organization would have to do is stick a firewall on its Internet connection, lock down the unused ports and monitor activity. But in most corporate networks today, the perimeter has been significantly collapsed. If you compound that with increased connectivity, third-party access, and more; and then bring in advanced persistent threats into the equation, it is no longer a simple endeavor to protect a network.

Chapter 8 provides a detailed framework on how to perform a perimeter design review and assessment. As part of the overall review, the chapter details other aspects of the assessment, including the need for reviews of the logical and physical architectures in addition to a review of the firewall. Jackson also lists a large number of security tools that can be used during an audit.

Chapter 11 covers endpoint protection with a focus on the end-user. Jackson notes that users never cease to amaze with their abilities to disappoint by opening suspicious file attachments, running untrusted Facebook applications, and much more. The book notes that organizations today face significantly higher levels of risk from endpoint security breaches than ever before due to our highly mobile and connected workforce.

The chapter details an endpoint protection operational control review that can be used to assess the organization's processes for identifying threats and performing proactive management of endpoint devices. While the chapter is quite Cisco-centric, with references to the Cisco SIO (Security Intelligence Operations) and a number of other Cisco products, it does provide a good overview of the fundamentals of endpoint protection and how to do it the right way.

Overall, Network Security Auditing is a highly technical and detailed reference that makes for an excellent primary reference on the fundamentals of information security. With ample checklists, coding references, detailed diagrams and just the right amount of screenshots, it makes an excellent guide that any member of an IT or security group should find quite informative.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know

You can purchase Network Security Auditing from amazon.com.

23 comments

  1. Packt by SeNtM · · Score: 3, Insightful

    My God, it's not a review of a book published by Packt.

    --
    "There ought to be limits to freedom." -George W. Bush
    1. Re:Packt by Desler · · Score: 1

      Don't worry. We'll get another review of a Drupal book from Packt in less than a week. It will, as usual, be for an obsoleted version as well.

    2. Re:Packt by idontthinktwice · · Score: 1

      ok, me new here...who be Packt?

  2. Has anyone thought to... by wbav · · Score: 1

    Send a copy to Sony?

    Sounds like they could use a copy.

    --

    =================
    Unix is very user friendly, it's just picky about who its friends are.
    1. Re:Has anyone thought to... by Anonymous Coward · · Score: 0

      Aww shucks! That's the one I was missing!

      I had it on my TODO list in my OtherOS .. then I couldn't access it anymore.

  3. Changes? by vlm · · Score: 1

    Does it discuss the continuous changes in the "information security and the law, and governance" areas?

    Are the book editions updated and released faster than the politicians and judges can make it obsolete?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  4. Re:hymenical counsel to meet for biblical review by theskipper · · Score: 1

    You had me at "hymen".

  5. Cisco Trash by Anonymous Coward · · Score: 1

    I own this book and I work in CompSec. Despite the summary it's just another piece of Cisco-centric trash. If you already study or work in IT Security you won't find much in here that you can't find elsewhere and in a much better form.

    1. Re:Cisco Trash by Anonymous Coward · · Score: 0

      And this much better form is where? Please back your trash talking with some references. Otherwise, you're just a troll.

    2. Re:Cisco Trash by Anonymous Coward · · Score: 1

      Can you be more specific about the trash and submit some links or titles you find more valuable. Thanks!

    3. Re:Cisco Trash by Anonymous Coward · · Score: 0

      The publisher is "Cisco Press", what were you expecting?

    4. Re:Cisco Trash by idontthinktwice · · Score: 1

      Besides a blindside bash of the book, do you have anything to back up your observation? You may own the book, BUT DID YOU READ THE BOOK? The reviewer seems to think there is good content in the book; what do you see wrong? Please say, w/o blindside comments.

    5. Re:Cisco Trash by idontthinktwice · · Score: 1

      I agree!!! not only a troll...he is a troll's troll! shame!!!! shame!!!! shame!!!! shame!!!! shame!!!!

    6. Re:Cisco Trash by idontthinktwice · · Score: 1

      Dude, if I want info on Cisco products, wouldn't Cisco Press BE the book to read? If I want info on Juniper, then I read Juniper Press books. If I want info on Checkpoint, then I read Checkpoint Press books. Why do you knock publishers of books you don't ever read or know about? That is soooooooo mean.

    7. Re:Cisco Trash by Anonymous Coward · · Score: 0

      your comment is trash

  6. Not likely written by a security researcher. by VortexCortex · · Score: 2

    The following should cause most security researchers to raise a skeptical eyebrow:

    "Network Security Auditing is touted as the complete guide to auditing security, measuring risk, and promoting compliance. The book lives up to its promise and is a comprehensive reference to all things network security audit related."

    Emphasis mine.

    Seriously folks, nearly all security researchers know that even if a "complete guide" to security were written, it would almost immediately need to be amended. Security is a moving target; new topics of interest and new exploits are discovered nearly every day. Thus, as soon as this book was written, another "security audit related" topic most likely needed to be added to the reference in order for it to "live up to its promise" of being a "comprehensive reference to all things network security audit related."

    By which I mean: It most likely has never lived up to the promise the review alludes to.

    Additionally, most experienced security researchers learn early on that there are exceptions to almost every rule, and to be very careful when speaking of absolutes in order to avoid making false statements especially concerning edge cases. Re-read what I've written for a demonstration. Statements that are worded in such absolute terms should be a red flag, tipping off security minded individuals that the statements are most likely false if not in a few instances, then in many of them...

    --
    Not even a 999 nonnillion bit encryption key is absolutely secure -- there's still a slim chance the attacker will guess correctly...

    1. Re:Not likely written by a security researcher. by idontthinktwice · · Score: 1

      Dude, mellow out.. just 'cause the marketing people marketed it as a complete guide to auditing security, measuring risk, and promoting compliance does not mean that it is not a good read. No book is 100% complete, so get a grip. Yes, a book is obsolete to a degree by the time it is published. But that still means that there is still a lot of good info. Don't be so mean with your comments. Let's see you write a book!!!!!

    2. Re:Not likely written by a security researcher. by Anonymous Coward · · Score: 0

      And neither is your comment!!!

  7. Book Review: Network Security Auditing by Anonymous Coward · · Score: 0

    Thank you for this article. That's all I can say. You most definitely have made this blog into something special. You clearly know what you are doing, you've covered so many bases. Thanks!
    http://www.vegilt.com
    christian louboutin

    1. Re:Book Review: Network Security Auditing by idontthinktwice · · Score: 1

      Wow... the only comment that 'seemed' to be legit... ain't! :(

  8. A good book review about a good book by idontthinktwice · · Score: 1

    Hi, just wanted to say this is a good book review about a good book. Why do all the comments have nothing to do with the book or the review? I am having that buck stop here!! Hope others step up to that plate. Mike

    1. Re:A good book review about a good book by Anonymous Coward · · Score: 0

      Touché! I agree