Slashdot Log In
Assessing Network Security
from the what-if-you-press-this-button-here dept.
| Assessing Network Security | |
| author | Ben Smith, David LeBlanc, Kevin Lam |
| pages | 592 |
| publisher | Microsoft Press |
| rating | 8/10 |
| reviewer | Anton Chuvakin |
| ISBN | 0735620334 |
| summary | Great pentesting book |
Assessing Network Security starts with a nice overview of key principles of security (definitely not news for industry practitioners, but nice anyway), and then goes on to defines vulnerability assessment, penetration testing and security audit. A critically important section on reporting the findings is also nicely written, and shows that the authors are knowledgeable, and interested in showing a complete security process rather than just the looking-for-leaks part.
The authors then go into developing and maintaining pentesting skills, including advice on choosing training and resources (nice for those starting in the field). The actual pentesting process is split into non-intrusive (combining the usual "intelligence gathering" with port scans, sweeps and various host queries) and intrusive tests (such as running a vulnerability scanner, brute-forcing passwords, DoS testing and others). Some entries seem to belong in both categories (such as sniffing) but are placed into the intrusive section, for whatever reason. Up-to-date content (wireless, Bluetooth and web assessment, for instance) is well represented.
The authors also include a fairly insightful social engineering testing section (touching on dumpster diving and other non-network assessment methods). My favorite chapter was the one presenting various case studies - examples of specific threats/tests against Web, email, VPN and domain controller systems.
Among other features that I liked in Assessing Network Security were 'notes from the field' sidebars with fun stories related by authors, and FAQs at the end of each section. On the down side, the book is somewhat Windows-focused (although it is amazingly vendor-neutral in most respects, considering the source). The book is also somewhat dry, although the sidebars provide some needed relief when the text gets too process-oriented at times.
Assessing Network Security is largely about methodology, but I'd have preferred to see a bit more technical content, since it is a 600-page volume. I think the checklists present in the Appendix are a great step in that direction.
Overall, I enjoyed the book and think it is both a great guide and a reference for most security professionals, especially for those starting to be involved with penetration testing.
Anton Chuvakin, Ph.D., GCIA, GCIH is a Security Strategist with a security information management company and maintains the security portal info-secure.org. He wrote Security Warrior and contributed to Know Your Enemy, 2nd Edition . You can purchase Assessing Network Security from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.
FP - obilgatory NS at redmund? (Score:3, Funny)
What about... (Score:5, Funny)
(http://vinc.iclod.com/)
What about Kama Sutra?
Seriously though, this book is written by three Microsoft security researchers, I guess that said enough.
Is this a case of do as we say, not as we do.
Re:What about... Linux code? (Score:5, Insightful)
(http://vincent.vanscherpenseel.nl/ | Last Journal: Sunday March 13 2005, @05:13AM)
Assumption is the mother of all fuck-ups. You consider the security researchers incompetent because they are (or were) part of the Microsoft team?
So, because some Linux kernel coders make mistakes which lead to 'r00t3d' boxes, all Linux kernel coders are incompetent?
I think you're thinking a little bit simplistic here.
Re:What about... Linux code? (Score:5, Interesting)
(http://slashdot.org/)
No, I think he's being a lot simplistic here, but that's just part of the larger mindset of Slashdot. "Linux GOOD! Microsoft BAD!" It's become the sheep's favorite thing to say during intense meetings on this Animal Farm we call Slashdot. You can lead a zealot to the truth, but you cannot make him think.
Re:What about... Linux code? (Score:4, Interesting)
The story of The Man in the Tinfoil Hat [trilobyte-mag.com] is a poignant one here... The relevant quote is (emphasis mine)...
As the author of that article puts it further down:
"If MS (and all its staff) is not evil and incompetent, then the zealots are crazy."
I am a Linux user and advocate, but I still find these assertions silly...
Now, if they'd only... (Score:3, Funny)
(http://192.168.0.255/)
Karma be damned... (Score:5, Funny)
(http://www.grub.net/blog/index.html | Last Journal: Wednesday June 27, @08:48AM)
"I've read some pretty bad books on penetration testing [...] Assessing Network Security comes to us direct from the bunkers of Redmond."
Nah, too easy.
"Microsoft security" (Score:5, Funny)
remember now (Score:5, Funny)
remember guys, often times computers are like women.
this is not one of them
Re:remember now (Score:5, Funny)
(http://www.slashdot.org/~lukewarmfusion/journal/ | Last Journal: Tuesday August 02 2005, @02:49PM)
@microsoft.com (Score:4, Informative)
Ben Smith [winnetmag.com],
David LeBlanc [winnetmag.com]
Windows (Score:2)
(http://www.shuttertalk.com/)
Why am I not surprised? :)
A book on security from microsoft... ? (Score:5, Funny)
Wouldn't that be sort of like George Bush writing an english book?
'somewhat dry' (Score:5, Insightful)
(Last Journal: Monday June 14 2004, @01:58PM)
I never got more than a quarter of the way through that, i fell asleep every time i tried to pick it up.
i saw internal MS OLE training i saw Kraig Brockshmit did back in about 95 - jesus it was boring. we are talking boredom in an entirely new area of bordem till then undiscovered by man
When did M$ become a network device? (Score:3, Insightful)
(Last Journal: Friday November 05 2004, @11:11AM)
Re:When did M$ become a network device? (Score:4, Funny)
This is old news (Score:4, Funny)
From the Author: (Score:4, Funny)
(http://www.jacco2.dds.nl/)
From the referenced BN page [barnesandnoble.com]:
"I have been fascinated by leadership dynamics throughout my working career. [...] A concern is that we often get to hear the same leadership issues over and over again, yet leaders continue to lead with mediocrity and passiveness".
His Billness will not take this lightly! These guys can kiss their jobs at Microsoft Research goodbye! :-)
No grain of salt here (Score:5, Interesting)
No, I will take no grain of salt regarding his comments about the book in question, untill I have achieved a decent status in the matter I will refer to Mr. Chavaukin's comments eagerly!
Re:No grain of salt here (Score:4, Informative)
(http://austinfire.ca/)
This is what most security evaluations are assessed against. Threat Analysis/Risk Assessmeny (TARA) consultants are in high demand and can earn a lot of $$ these days.
Meanwhile, back at the MS penetration testing labs (Score:3, Funny)
Can it be, O brothers (Score:2, Funny)
Creation of the book (Score:1)
Next one invent some text around it.
Publish it and makes people pay for it.
So you make money from you're mistakes.
Funny:
I doubt most hackers who contributed to this masterpiece will ever see a paycheck. Probably they are mention in the hall of shame. (As ought to be)
Seriously, this might be a good book.
Great Source (Score:2, Funny)
Security From MS Press (Score:3, Insightful)
What's up with creating an inherently insecure system and selling a book on security? Shouldn't they use that same advice to create better products? Almost like the conspiracy theory of making someone ill and then selling them the cure.
Maybe the book brings up interesting points and great ideas...but it's like asking me to believe everything Baghdad Bob said.
more to security researchers than lab work (Score:5, Insightful)
The utility of the book comes from not just spreading the word about security, but having to do so in forums and formats that require it to be relevant, useable and correct.
As a security consultant and trainer myself I can attest to the gap between theory and practice and the need to put security issues in to terms that are able to be applied in the real world.
Comments above that assume that just because someone works for Microsoft, they don't know how things work in reality are generalisations made out of ignorance or jealousy. This book is a good example that the truth about Microsoft employees, like security, is often misunderstood.
oh christ (Score:1, Flamebait)
(Last Journal: Wednesday October 16 2002, @11:21PM)
Wait a minute...
Not all Microserfs are dolts (Score:3, Interesting)
(http://slashdot.org/~nurb432/ | Last Journal: Friday August 27 2004, @03:24PM)
I bet a lot of them do great work FOR the company, but its caught up and diluted by the much larger 'machine' that makes Microsoft go..
port scans? not in sp2 (Score:4, Insightful)
http://seclists.org/lists/nmap-hackers/2004/Jul-S
Open source tools? (Score:3, Interesting)
(http://byzantine.no/alex/)
I have a box on a public IP -- speaking as a person who cannot devote 24/7 to security, are there any good automated tools to verify its "openness" in terms of security vulnerabilities?
I'm not talking about just potential root exploits and the like, but also about things like file permissions, which I find are hard to get exactly right on Unix (read: Linux with no special ACL stuff installed), where the file system does not support inheritance of security attributes.
Many Linux distros come with a script that's run nightly to report potential vulnerabilities, changed files etc. There are also tools like Snort and Tripwire. I also use Munin and check it daily for signs of DOS attacks and other suspicious activity (eg., a sudden increase in the number of listening ports).
What other automated tools do people here recommend?
Re:Oxymoron (Score:1)
Nice amazon referrer link, (Score:5, Informative)
(http://fark.com/ | Last Journal: Thursday July 08 2004, @09:33AM)
Here's a whore free link [amazon.com] and some healthy capitalist competition to boot [pcprotection.ca].