The CERT® Guide to System and Network Security Practices [Paperback]

Julia H. Allen (Author)

Book Description

ISBN-10: 020173723X | ISBN-13: 978-0201737233 | Publication Date: June 17, 2001 | Edition: 1

Now, the world's leading information security response organization has written the ultimate guide to system and network security for working administrators. SEI's Computer Emergency Response Team (CERT) offers a practical, start-to-finish approach to developing secure networks, covering every stage of the process: planning, implementation, maintenance, intrusion detection, response, recovery, and beyond. Reflecting CERT's role as the world's #1 computer security response team, this book presents up-to-the-minute information on new attacks, viruses, and other IT security threats. Coverage includes: establishing effective security practices and policies, deploying firewalls, securing network servers and public web servers, security desktop workstations, intrusion detection, response, and recovery. This book not only shows how to enhance computer security today: it shows how to learn from experience to build even more secure systems tomorrow. For all system and network professionals, and other IT professionals concerned with security.

Editorial Reviews

Amazon.com Review

Black-hat hackers--that is, malicious people who want to break into your networks and machines--are proliferating, it's true. But the number of systems available for them to attack is growing at an even faster clip, which means you can head off a lot of attacks on your Internet-connected resources by following the advice in The CERT Guide to System and Network Security Practices. Julia Allen has distilled a series of "best practices" documents from the CERT Coordination Center (a clearing-house for information about computer attacks) into readily absorbable advice on computer security. She shows how to configure systems for inherent resistance to attack, how to set up logs and intrusion detection tools as early and reliable tripwires, and, to a lesser extent, how to deal with an attack in progress.

Allen's approach is not focused on the details of particular operating systems, applications, or items of equipment, though she does include some such information in a sizable appendix. Most of the time, procedural outlines are phrased generically ("Disable the serving of Web server file directory listings"). It's up to you to figure out what the steps mean, specifically, in terms of your hardware and software. The advice is carefully researched and therefore valuable. If implemented carefully, Allen's recommended practices should deter all but the most determined hackers from harassing your systems. --David Wall

Topics covered: Techniques for hardening computers and networks against compromise by malice-minded hackers, detecting break-ins and other attacks when they occur, and designing security policies to minimize potential damage. Specific advice has to do with locked-down workstations, servers in DMZs, firewalls, and intrusion detection utilities.

From the Inside Flap

As the Internet and other international and national information infrastructures become larger, more complex, and more interdependent, the frequency and severity of unauthorized intrusions into systems connected to these networks are increasing. Therefore, to the extent possible and practical, it is critical to secure the networked systems of an organization that are connected to public networks.

The CERT© Guide to System and Network Security Practices is a practical, stepwise approach to protecting systems and networks against malicious and inadvertent compromise. The practices are primarily written for mid level system and network administrators--the people whose day-to-day activities include installation, configuration, operation, and maintenance of systems and networks. The practices offer easy-to-implement guidance that enables administrators to protect and securely operate the systems, networks, hardware, software, and data that comprise their information technology infrastructure. Managers of administrators are intended as a secondary audience; many practices cannot be implemented without active management involvement and sponsorship.

CERT security practices address critical and pervasive security problems. Practice topic selection is based on CERT's extensive data on security breaches (21,756 in 2000) and vulnerabilities (774 in 2000), that provide a field of vision not available to other security groups. Our practices fill the gap left by the usual point solutions (typically operating-system-specific) or general advice that lacks "how to" details. With CERT security practices, an administrator can act now to improve the security of networked systems.

By implementing these security practices, an administrator will incorporate solutions and protection mechanisms for 75-80 percent of the security incidents reported to CERT. Each practice is written as a series of technology-neutral "how to" instructions, so they can be applied to many operating systems and platforms. However, an administrator can only implement a solution using a specific host operating system. Therefore, we have included examples of technology-specific implementation details in a separate appendix as these tend to become outdated much sooner than the technology-neutral practices.

Throughout the book, emphasis is placed on planning as a precursor to implementing, wherever possible. Ideally, the following risk analysis activities need to occur before deciding what actions to take to improve security:

Identify and assign value to information and computing assets Prioritize assets Determine asset vulnerability to threats and the potential for damage Prioritize the impact of threats Select cost-effective safeguards including security measures

In our observation and as reflected in this book, system and network security is an ongoing, cyclical, iterative process of planning, hardening, preparing, detecting, responding, and improving, requiring diligence on the part of responsible administrators. Configuring and operating systems securely at one point in time do not necessarily mean that these same systems will be secure in the future. And no level of security can ensure 100% protection other than disconnecting from public networks and, even then, the threat of attack from insiders still exists.

To get the most out of this book, you should already know how to install and administer popular operating systems and applications, and be familiar with fundamental system security concepts such as establishing secure configurations, system and network monitoring, authentication, access control, and integrity checking.

The book is organized into two parts and two appendices:

Part I: Hardening and Securing the System. Preventing security problems in the first place is preferable to dealing with them after the fact. This part of the book covers the practices and policies that should be in place to secure a system's configuration. Guidelines for securing general purpose network servers and workstations are contained in Chapter 2, followed by chapters containing additional guidance on securing public web servers and deploying firewalls. Part II: Intrusion Detection and Response. Even the most secure network perimeter and system configurations cannot protect against every conceivable security threat. Administrators must be able to anticipate, detect, respond to, and recover from intrusions, and understand how to improve security by implementing lessons learned from previous attacks. This part of the book covers practices required to do so.

Appendix A: Security Implementations. The Appendix contains examples of several procedural and tool-based implementations that provide technology-specific guidance for one or more practices (the applicable implementations are referenced in the practices they support). The implementations chosen for this book are specifically geared for Sun Solaris (UNIX) operating environments, given CERT experience. These implementation examples are intended to be illustrative in nature and do not necessarily reflect the most up-to-date operating system versions. The most current versions of over seventy UNIX and Windows NT implementations and tech tips are available on the CERT web site. Appendix B: Policy Considerations. This Appendix contains all of the security policy considerations and guidance that are presented throughout the book. Having this material in one location may aid you in reviewing and selecting policy topics and generating policy language. You can also treat this Appendix, along with the checklists appearing at the end of each Chapter, as an overall summary of the entire book.

The most effective way to use this book is as a reference. We do not intend that you read it from cover to cover, but rather than you review the introductory sections of each Part and Chapter and then refer to those Chapters and practices that are of most interest.

The web site addresses (URLs) used in this book are accurate as of the publication date. In addition, we have created a CERT web site that contains all URLs referenced in the book. We plan to keep these URLs up to date, provide book errata, and add new references after book publication. At this book site (cert/security-improvement/practicesbk.html), you will find links to all references, information sources, tools, publications, articles, and reports for which a URL exists and is mentioned in the book. We also regularly refer to CERT advisories, incident notes, vulnerability notes, technical tips, and reports, all of which can be found at the CERT web site, cert. We sometimes use the phrase "the CERT web site" to refer to this URL.

The content in The CERT© Guide to System and Network Security Practices derives from Carnegie-Mellon University's Software Engineering Institute (SEI) and CERT Coordination Center. CERT/CC, established in 1988, is the oldest computer security response group in existence. The Center provides technical assistance and advice to sites on the Internet that have experienced a security compromise and establishes tools and techniques that enable typical users and administrators to effectively protect systems from damage caused by intruders. The Software Engineering Institute is a federally funded research and development center with a broad charter to improve the practice of software engineering.

The material that serves as the primary content for this Guide has been posted and updated on the CERT web site over a period of 5 years. It has been reviewed and used by external security experts in commercial, federal government, and university-level academic organizations and by SEI staff members. All materials are periodically reviewed (and tested, where appropriate) for accuracy and currency.

020173723XP04062001

See all Editorial Reviews

Product Details

• Paperback: 480 pages
• Publisher: Addison-Wesley Professional; 1 edition (June 17, 2001)
• Language: English
• ISBN-10: 020173723X
• ISBN-13: 978-0201737233
• Product Dimensions: 9.3 x 7.3 x 0.9 inches
• Shipping Weight: 1.8 pounds (View shipping rates and policies)
• Average Customer Review: 4.7 out of 5 stars  See all reviews (12 customer reviews)
• Amazon Best Sellers Rank: #316,470 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

14 of 14 people found the following review helpful:

5.0 out of 5 stars The book is chock full of good advice, August 15, 2001

By 

Ben Rothke "Author of 'Computer Security: 20 ... (USA) - See all my reviews
(REAL NAME)   

This review is from: The CERT® Guide to System and Network Security Practices (Paperback)

After reading the CERT Guide to System and Network Security Practices, you may feel as if you've been speaking with your mother about computer security, as most of the advice detailed in the book is common sense. But, as Voltaire astutely noted, common sense is not so common.

The truth is that there is really nothing new in this book that CERT (Computer Emergency Response Team...) has not been saying in one way or another for the last decade. But that should not in the least underscore the importance of the book, as it provides an excellent treatment of securing information assets. In fact, the book subtly echoes the sentiment of George Santayana, who stated that "those who cannot remember the past are condemned to repeat it." This is true with information security. As even with all of the strides that have been made and new security technologies that have been developed, a large percentage of security breaches are the result of systems that were either incorrectly configured or ineffectively secured.

While many people erroneously think that a firewall is the foundation of information security, the truth is that an effective set of information security policies and procedures are. In fact, policy is such a critical element within the effective and successful operation of information technology systems, that systems can't be effective unless they are deployed in the context of working policies that govern their use and administration...

As an example, Marcus Ranum defines a firewall as "the implementation of your Internet security policy. If you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do." The sad fact is that most firewalls permit so much traffic through that it is often difficult to tell where the firewall ends and the router begins...

The truth be told, when Mother in her infinite wisdom says something, it is good advice. When a consultant says the same thing, it is called a Best Practice. Some of the best practices that CERT has long recommended are: using effective passwords, ensuring systems are patched against recent vulnerabilities, hardening the operating system, removing unnecessary services, protocols, and accounts, and more. None of these recommendations is exactly rocket science; even so, this aspect of Security 101 is overlooked in many, if not most, organizations...

The beauty of the book is that it is vendor agnostic. It doesn't cover the specific details of the operating system or software application; rather, it focuses on the policies and procedures needed to make that system secure. With that, the book will be current, even with operating systems' changes and upgrades.

Many computer books today have scores, if not hundreds, of pages of screen prints and source code, which often only serve to increase their page count. This book has none of that, and is instead a systematic and methodical method of how to secure networks. The book is a good complement to Security Engineering by Ross Anderson.

While Security Engineering lays the foundation for the engineering aspect of information systems security, the CERT guide builds on that framework. The book details the underpinning to securing information assets, namely: Hardening, Preparing, Detecting, Responding, and Improving. Each chapter in the book builds on those pillars and does not leave a stone unturned when it comes to securing systems. The beauty of the book is that even though it is completely vendor agnostic, its topics are germane to every network operating system.

If your mother were involved with information security, she would tell you to read this book. Listen to her.

17 of 18 people found the following review helpful:

4.0 out of 5 stars Use this book as a guide to general best practices, August 23, 2001

By 

Richard Bejtlich "TaoSecurity" (Metro Washington, DC) - See all my reviews
(REAL NAME)   

This review is from: The CERT® Guide to System and Network Security Practices (Paperback)

I am a senior engineer for network security operations. I read The CERT Guide (TCG) to learn the CERT's priorities for improving security. If you want an exciting, ground-breaking read, avoid TGC. If you want a likely standard for "due diligence" and "reasonable care," give this book a try.

TGC is built using directive language. Instruction follows instruction: "Do this. Don't do this, etc." Look beyond the verbage and you'll see lots of sound general advice on operating system hardening, firewall deployment, and detecting/containing intrusions. Note I said "general advice." While the lack of product-specific techniques will preserve TGC's shelf life, it forces sys admins to check other references for the details.

Julia Allen tells us "The most effective way to use this book is as a reference. We do not intend for you to read it from cover to cover." Also, some material is internally duplicated "for the sake of completeness." These two factors make me wonder if anyone will ever read TGC in its entirety. I ended up taking Julia's advice and skimmed sections I found useful. Of particular interest was the extensive documentation on TCPDump (pages 376-85). Having used the tool for years, I was happy to see so much detail compiled in one place.

This book isn't a security officer's dream come true; that title hasn't been written yet. TGC is best used preparing a network to meet standards of "due diligence" or "reasonable care." I am not a lawyer, but this technology-neutral book is perfectly suited as a courtroom reference. Should an organization be sued for failing to adequately protect its computing assets, its lack of adherence to the CERT Guide's standards could prove damaging.

Unfortunately, I don't see many organizations meeting this standard. The documentation called for by TGC may exceed that required of government agencies defending classified systems. A dedicated security policy office would be needed, leaving the security and system admins free to implement technical solutions.

If you've got the time, manpower, and know-how to deploy systems according to best practices, don't leave TGC behind. If you're struggling to manage security without those resources, use TGC to convince management you're not meeting industry standards.

(Disclaimer: I received my review copy from the publisher.)

16 of 17 people found the following review helpful:

5.0 out of 5 stars A Security Officer's Dream Come True, July 5, 2001

By 

Mike Tarrani "www.tarrani.com" (Deltona, FL USA) - See all my reviews
(COMMUNITY FORUM 04)    (REAL NAME)   

This review is from: The CERT® Guide to System and Network Security Practices (Paperback)

This book contains a security approach that is based on the collective experience and statistical analysis of the CERT Coordination Center. The contents of this book are authoritative and well structured.

Structure is based on a five layer (or step) approach to securing information assets that consists of 52 distinct practices. The layers correspond to stages in a process that encompasses (1) hardening and securing assets, (2) developing and implementing detection and response practices [prepare], (3) intrusion detection, (4) intrusion response and (5) improve. Hardening and securing assets consumes nearly the first half of the book. The practices systematically address the essentials for securing servers and workstations, web servers and firewalls. Every facet is addressed from configuration advice to specific exposures. These are the minimum practices that need to be in place and if these practices are implemented and actively managed approximately 80% of common exposures will be eliminated.

The remainder of the book leads you through setting up intrusion detection and response practices (including an excellent set of steps and considerations for establishing policies and procedures), how to detect signs of intrusion and how to assess the impact of the intrusion and respond appropriately. Two highlights are the appendices. Appendix A covers in great detail some of the finer points of securing Solaris 2.x (you will need to tailor this information for HP/UX, Linux and AIX). The reason Solaris is chosen is because it is one of the most widely used operating systems on the Internet. Among the finer points are: installing and configuring Tripwire, SSH, Logsurfer, Spar and Tcpdump; understanding system log files, and writing rrules and understanding alerts for Snort. URLs are provided to sites from which you can obtain the third-party security facilities, such as Tripwire, Logsurfer, etc. Appendix B is a concordance of practices and how they should map to a comprehensive security policy. This is especially valuable because you can check your own policies against each of the 52 practices to make sure all are covered in your security policy.

This book is an important work that is an essential reference for anyone who is responsible for security. This responsibility extends beyond the role of security officer or team member into architecture, network operations and production support (to name a few areas that need to be closely involved). The book will give you the foundation for an effective, responsive security program, but needs to be augmented by keeping up with trends and emerging threats and exposures. To this end the URLs to CERT/CC and other security-related sites are a necessary adjunct to this book. It merits 5 stars and my rare recommendation as a "must have".