For IT managers needing a good general background on securing systems, Internet Lockdown may be the book. At 312 pages, it's relatively small, so you can quickly browse and study essential information. The chapters are clearly written, with frequent cross-references to details covered in other chapters.
Author Tim Crothers, a security engineer at ITM Technology, has plenty of personal experience to draw on. He uses it to make the technical discussions relevant—and to show you how security administration is a constant balancing act between accepting human fallibility and creating too many controls.
Crothers tells the story of how, when teaching a security class, he searched the Web for queryhit.htm. This sample Web site search page comes installed with Microsoft's IIS. In earlier days, leaving this page unmodified gave anyone browsing the Web access not only to the contents of the Web site but to all the file contents of the server.
By searching for "#filename=*.exe," for example, you could discover all the system's executables. And what one can list, one can access. Sure enough, during that class Crothers found 1600 instances of queryhit.htm. Within minutes he was able to view executables on the server for the U.S.A. Comptroller of the Currency.
Moral of the story? Don't leave default values of the server unmodified, and apply patches, even if they don't seem pertinent. While preparing this review, I searched for queryhit.htm on Google and got 850 hits. Several sites let me pull up all server files.
Though the need to configure security for servers out of the box is common knowledge, the number of queryhit.htm hits is a sobering reminder that common knowledge isn't always acted upon.
Through 10 chapters, Internet Lockdown (which covers security for systems, networks, and applications as well as the Internet) walks the reader through the maze of security. Here are some highlights.
Chapter 1 introduces general concepts about enterprise security. As Crothers says, wisely, "security is about enabling business," and "security is a process, not a product." After introducing basic ideas, he discusses ways to reduce risk, including a final step of purchasing insurance coverage against information theft, business interruption, and loss of reputation.
Chapter 2 runs through an attack from a hacker's point of view (a longtime pro, Crothers doesn't like the negative connotations the term hackers has gained, but he's willing to put up with it).
Chapter 3 discusses security policies and procedures. This chapter will surely reduce the time it takes companies to create or review an IT procedure manual and employee policies. The samples are boilerplate, so you can simply plug in your company's name.
The right policies will save your company time, income, and business. Consider, for example, this excerpt of the suggested procedure for virus and worm incidents:
"Do not power off or reboot systems that may be infected. There are some viruses that will destroy disk data if the system is power-cycled or rebooted. Also, rebooting a system could destroy needed information or evidence."
Such practical, user-friendly, nonbureaucratic language is one of this book’s strengths. Further sections warn the IT staff to quickly isolate the infected system from the company network and give a list of people to notify.
Chapters 4-7 delve into security controls. One chapter each is devoted to system, network, application, and Internet level controls.
Especially helpful are the sections on the often confusing topics of encryption, firewalls, and packet filtering. Chapter 6's explanation of how to combat buffer overflows was especially helpful.
Chapter 7 discusses two important types of NIDS (Network Intrusion Detection Systems): signature-based and analysis-based. Signature-based systems such as snort work like antivirus programs by detecting the profiles of known attacks. As you might expect, the success of a signature system depends upon the quality of the signatures. In addition, this type of NIDS can never be 100-percent foolproof, as it is always slightly behind developments. Finally, signature systems can miss attacks when they are slowed down by clever hackers or when the system is overloaded. That's not to say signature-based systems are bad, Crothers writes, just that they’re one prong of a two-prong protection scheme, which includes analysis-based systems such as Shadow.
Chapter 10 provides a practical exam on topics covered. Four appendices list common ports, acronyms, tools covered in the chapters, and checklists.
A few drawbacks
Two drawbacks in this book might be the lack of a CD and of a companion Web site. But clearly, Internet Lockdown is meant to be an introduction, not a bible with tools. For that kind of dense information, see the more comprehensive Hacking Exposed books or others of their type (I reviewed Hacking Exposed in March).
In addition, the meat of the book concerns configuring UNIX and NT systems, though Linux is mentioned as well. You'll need another source to learn about advanced Windows 2000 and XP security tools and hacker exploits.
Though Internet Lockdown: Internet Security Administrator's Handbook may be too general for some, it's a valuable and clear overview of the topic of security administration. Use it as a program guide for staff meetings and workshops; use the Chapter 10 test to pepper your meetings with "pop quizzes" that will keep your IT staff thinking about how to stay prepared for the inevitable security breach.