Now, the world's leading information security response organization has written the ultimate guide to system and network security for working administrators. SEI's Computer Emergency Response Team (CERT) offers a practical, start-to-finish approach to developing secure networks, covering every stage of the process: planning, implementation, maintenance, intrusion detection, response, recovery, and beyond. Reflecting CERT's role as the world's #1 computer security response team, this book presents up-to-the-minute information on new attacks, viruses, and other IT security threats. Coverage includes: establishing effective security practices and policies, deploying firewalls, securing network servers and public web servers, security desktop workstations, intrusion detection, response, and recovery. This book not only shows how to enhance computer security today: it shows how to learn from experience to build even more secure systems tomorrow. For all system and network professionals, and other IT professionals concerned with security.



Extras

"Open Sesame" or Not? Use the Right Access Controls

How Do You Know If Something's Amiss? Characterize Your Systems

Stick to the Essentials: Configuring Servers Securely

Author's Site

Click below for Author's Site related to this title:
Author's Web Site



Sample Content

Online Sample Chapter

Detecting Signs of Intrusion

Downloadable Sample Chapter

Click below for Sample Chapter related to this title:
allench1.pdf

allench6.pdf

Preface.

1. The Handbook of System and Network Security Practices.

I. SECURING COMPUTERS.

2. Securing Network Servers and User Workstations.
3. Securing Public Web Servers.
4. Deploying Firewalls.

II. INTRUSION DETECTION AND RESPONSE.

5. Setting Up Intrusion Detection and Response Practices.
6. Detecting Signs of Intrusion.
7. Responding to Intrusions.
Appendix A. Security Implementations.
Appendix B. Practice-Level Policy Considerations.
Index.

Preface

As the Internet and other international and national information infrastructures become larger, more complex, and more interdependent, the frequency and severity of unauthorized intrusions into systems connected to these networks are increasing. Therefore, to the extent possible and practical, it is critical to secure the networked systems of an organization that are connected to public networks.

The CERT© Guide to System and Network Security Practices is a practical, stepwise approach to protecting systems and networks against malicious and inadvertent compromise. The practices are primarily written for mid level system and network administrators--the people whose day-to-day activities include installation, configuration, operation, and maintenance of systems and networks. The practices offer easy-to-implement guidance that enables administrators to protect and securely operate the systems, networks, hardware, software, and data that comprise their information technology infrastructure. Managers of administrators are intended as a secondary audience; many practices cannot be implemented without active management involvement and sponsorship.

CERT security practices address critical and pervasive security problems. Practice topic selection is based on CERT's extensive data on security breaches (21,756 in 2000) and vulnerabilities (774 in 2000), that provide a field of vision not available to other security groups. Our practices fill the gap left by the usual point solutions (typically operating-system-specific) or general advice that lacks "how to" details. With CERT security practices, an administrator can act now to improve the security of networked systems.

By implementing these security practices, an administrator will incorporate solutions and protection mechanisms for 75-80 percent of the security incidents reported to CERT. Each practice is written as a series of technology-neutral "how to" instructions, so they can be applied to many operating systems and platforms. However, an administrator can only implement a solution using a specific host operating system. Therefore, we have included examples of technology-specific implementation details in a separate appendix as these tend to become outdated much sooner than the technology-neutral practices.

Throughout the book, emphasis is placed on planning as a precursor to implementing, wherever possible. Ideally, the following risk analysis activities need to occur before deciding what actions to take to improve security:

Identify and assign value to information and computing assets
Prioritize assets
Determine asset vulnerability to threats and the potential for damage
Prioritize the impact of threats
Select cost-effective safeguards including security measures

In our observation and as reflected in this book, system and network security is an ongoing, cyclical, iterative process of planning, hardening, preparing, detecting, responding, and improving, requiring diligence on the part of responsible administrators. Configuring and operating systems securely at one point in time do not necessarily mean that these same systems will be secure in the future. And no level of security can ensure 100% protection other than disconnecting from public networks and, even then, the threat of attack from insiders still exists.

To get the most out of this book, you should already know how to install and administer popular operating systems and applications, and be familiar with fundamental system security concepts such as establishing secure configurations, system and network monitoring, authentication, access control, and integrity checking.

The book is organized into two parts and two appendices:

Part I: Hardening and Securing the System. Preventing security problems in the first place is preferable to dealing with them after the fact. This part of the book covers the practices and policies that should be in place to secure a system's configuration. Guidelines for securing general purpose network servers and workstations are contained in Chapter 2, followed by chapters containing additional guidance on securing public web servers and deploying firewalls.

Part II: Intrusion Detection and Response. Even the most secure network perimeter and system configurations cannot protect against every conceivable security threat. Administrators must be able to anticipate, detect, respond to, and recover from intrusions, and understand how to improve security by implementing lessons learned from previous attacks. This part of the book covers practices required to do so.

Appendix A: Security Implementations. The Appendix contains examples of several procedural and tool-based implementations that provide technology-specific guidance for one or more practices (the applicable implementations are referenced in the practices they support). The implementations chosen for this book are specifically geared for Sun Solaris (UNIX) operating environments, given CERT experience. These implementation examples are intended to be illustrative in nature and do not necessarily reflect the most up-to-date operating system versions. The most current versions of over seventy UNIX and Windows NT implementations and tech tips are available on the CERT web site.

Appendix B: Policy Considerations. This Appendix contains all of the security policy considerations and guidance that are presented throughout the book. Having this material in one location may aid you in reviewing and selecting policy topics and generating policy language. You can also treat this Appendix, along with the checklists appearing at the end of each Chapter, as an overall summary of the entire book.

The most effective way to use this book is as a reference. We do not intend that you read it from cover to cover, but rather than you review the introductory sections of each Part and Chapter and then refer to those Chapters and practices that are of most interest.

The web site addresses (URLs) used in this book are accurate as of the publication date. In addition, we have created a CERT web site that contains all URLs referenced in the book. We plan to keep these URLs up to date, provide book errata, and add new references after book publication. At this book site (http://www.cert.org/security-improvement/practicesbk.html), you will find links to all references, information sources, tools, publications, articles, and reports for which a URL exists and is mentioned in the book. We also regularly refer to CERT advisories, incident notes, vulnerability notes, technical tips, and reports, all of which can be found at the CERT web site, http://www.cert.org. We sometimes use the phrase "the CERT web site" to refer to this URL.

The content in The CERT© Guide to System and Network Security Practices derives from Carnegie-Mellon University's Software Engineering Institute (SEI) and CERT Coordination Center. CERT/CC, established in 1988, is the oldest computer security response group in existence. The Center provides technical assistance and advice to sites on the Internet that have experienced a security compromise and establishes tools and techniques that enable typical users and administrators to effectively protect systems from damage caused by intruders. The Software Engineering Institute is a federally funded research and development center with a broad charter to improve the practice of software engineering.

The material that serves as the primary content for this Guide has been posted and updated on the CERT web site over a period of 5 years. It has been reviewed and used by external security experts in commercial, federal government, and university-level academic organizations and by SEI staff members. All materials are periodically reviewed (and tested, where appropriate) for accuracy and currency.

020173723XP04062001

Index

Acceptable use policy
: elements of, 72-73
: importance of, 72
: policy considerations regarding, 404-405
: user education in, 73
Access
: controlling, 51, 55-58, 115
: enforcement of privileges, 31
: policy considerations regarding, 58-59
: restricting, 146-147
Access controls, 90, 402, 406
: levels of, 90-91
: policy considerations regarding, 93
: software, 92-93
Access log, 94
Accounts
: managing, 52
: types of, 51
ActiveX, 49
Address-based authentication, 107
adm/lastlog file (Solaris), 337
adm/log/asppp.log (Solaris), 336
adm/messages file (Solaris), 338
adm/sulog file (Solaris), 337
adm/utmp file (Solaris), 337
adm/utmpx file (Solaris), 337
adm/wtmp file (Solaris), 337
adm/wtmpx file (Solaris), 337
Administrator accounts, 51
Advisories, 15
: subscription to, 17
Agent log, 95
Alerts, 159-160, 206
: configuration of mechanism of, 263, 410
: reviewing, 239
: Snort, 393-394
: types of, 159
Anomalies
: disposal of, 264
: documentation of, 262
: investigation of, 262
: policy considerations regarding, 264
: response to, 263-264
Anomaly detection, 206
Anti-spoofing rules, 152-153
Anti-virus tools, 65
: updating of, 66
Application proxies, 125, 126, 129-130
Architectural trade-off analysis, 136-137
Archiving
: of distribution media, 222
: of log files, 220
: of operating systems, 222
: of security-related patches, 222-223
: of test results, 224
ARP (address resolution protocol), 242
ARPWATCH, 256
Asset information, protection of, 211
Assets, defined, 13
Attack, defined, 14
Attack signature detection, 205
Auditing, as part of intrusion detection and response, 212
AUSCERT, 16
Authentication, 105
: address-based, 107
: alternative systems of, 54-55
: basic, 108
: plan, 30-31
: policy considerations regarding, 113, 406
: reauthentication, 53
: technologies for, 107-110
: types of, 30
: user, 51-55, 106, 115, 401-402
: using hardware-based access controls, 51
Authentication servers, 24
Automatic replication mechanisms, 60
Availability of services, 24, 25
: assuring, 136-137

Back doors, 277, 290, 295
Backups, 403
: encryption in, 60
: importance of, 147, 295
: after intrusion, 274, 288
: plan for, 59-61
: policy considerations regarding, 62
: procedures for, 31-32, 223-224
: storage of files, 60
: tools for, 61
: types of, 32
: before updating software, 41
: utility of, 223
: of Web content, 32, 114, 407
Banners
: importance of, 36
: setting up, 238-239
Basic authentication, 108
: features of, 110
Basic border firewall, 132-133
: with untrustworthy host, 133
Bibliography, 423-429
Biometric devices, as authentication tool, 30, 54
Boot disks, archiving, 222
Breach. See Intrusion
Buffer overflows, 101
Bugtraq, 16

CERIAS, 17, 181
CERT
: publications of, 14-16
: statistics on intrusions, xix, xx
CERT/CC, 17
Certificate authorities (CAs), 108
CGI (Common Gateway Interface) scripts, 85-86
: security issues in, 97-98
CGI-BIN directory, 103
Chain of custody, 284
Character input, standardizing, 101-102
Characterization
: components of, 207-209
: development and maintenance of, 211-212
: iterative nature of, 206
: policy considerations regarding, 211, 414
: of systems, 198-199
: trust assumptions for, 207
: updating, 263-264
CIAC, 17
CLF (Common Log Format), 95
COAST, 181
Cold backups, 32
Combined Log Format, 95-96
Common Vulnerabilities and Exposures, 17
Communication
: information dissemination procedures, 279
: after intrusion, 278-279, 297, 418-419
: with other affected sites, 280-281
: policy considerations regarding, 281-282
: security of, 225-226, 280
Computer crime
: incidence of, 1
: perpetrators of, 2-3
Computer deployment plan, 28-36
: policy considerations regarding, 35-36
: security issues addressed in, 399-400
: updating of, 35
Computer Incident Advisory Capability, 17
Computer security
: checklist for, 74-78
: and computer deployment plan, 28-36
: configuration and, 27
: importance of, 2-4
: information sources regarding, 14-18
: maintenance of, 27
: and physical access, 70-71, 404
: planning for, 27
: policy considerations regarding, 35-36, 71
: and servers, 36-39
: table of practices for, 27
: user awareness of, 27
Computer Security Institute, 17
Computers
: configuration of, 21
: identifying purpose of, 28
: location of, 71
: network connection of, 34
: physical access to, 70-71
: securing of, 19-20, 26-27
Confidentiality, 23
Configuration
: files, 291
: integrity of files, 348
: for local hosts, 345-346
: for log files, 345
: for loghost, 346-347
: for logsurfer, 353-354
: testing, 347-348
Connection time-outs, 91
Connectivity
: new, 172
: replacement, 172
Containment
: aspects of, 285
: and backup systems, 288
: decisionmaking regarding, 285-286
: monitoring, 288
: objectives of, 286
: policy considerations regarding, 288-289, 420
: quarantine procedures, 287-288
: system shutdown, 286-287
crack, 53
Credit card information, security of, 112
cron/log file (Solaris), 340
Cryptographic checksumming, 46, 48, 63
: advantages of, 59
: in secure remote administration, 69
CSI, 17
CSIRT (computer security incident response team), 192
CVE, 17

Daemon dialers, 210
Data collection
: identifying data for, 204-206
: iterative nature of, 206
: management of, 216-221, 414
: policy considerations regarding, 221
: prioritization of, 200
: protection of, 220
: table of practices for, 201-204
: updating configurations, 264
Data storage, locations for, 343-347
Data traces, storage of, 262
Database services, 86
Databases
: difficulty of monitoring of, 254
: restoration of, 295
Default gateway, changing, 175
Denial-of-service (DoS) attacks, 3, 91
: effects on log files, 348
: mitigating the effects of, 91-92
: types of, 348
DFNCERT, 17
DHCP (Dynamic Host Configuration Protocol), 173, 174
DHCP/BOOTP (dynamic host configuration protocol/boot protocol), 242
Digest authentication, 113
Digital watermarking, 113-114
Digital signatures, 109, 113
Directories
: characterization of, 208-209
: policy considerations regarding, 254
: protection of, 93
: unexpected changes in, 251-252, 253-254, 416
: verification of, 252
Directory services, 86
Distribution media
: archiving, 222
DMZ network, 133-134
DNS (Domain Name Service), 318
DNS spoofing, 107
Documentation of unusual behavior, 262
Drivers, device, 42
Dual firewall, 134-135
Dynamic packet filtering, 130-131
Dynamic rules, in logsurfer, 356-357

ELF (Extended Log Format), 95-96
Encryption, 54, 105
: of backup files, 60
: of files, 58
: importance of, 106
: of log files, 220
: policy considerations regarding, 113, 406
: technologies for, 107-110
Error log, 95
: analysis of, 97
Escape characters, 101
Ethernet, 34
Evidence
: chain of custody of, 284
: protection of, 195-196, 235, 283-284
External programs. See Plug-ins, Scripts

File directory listings, protecting, 93
File systems
: characterization of, 208-209
: compromised, 287
: encryption of, 58
: policy considerations regarding, 254
: unexpected changes in, 251-252, 253-254, 416-417
: verification of, 252
Filtering, as part of intrusion detection and response, 212
Firewall systems
: architecture of, 124-125
: checklist for, 178-181
: designing, 124-127, 407
: documenting environment for, 127
: enabling private traffic in, 174-178
: evolution of, 131-132
: implementation of, 173-177
: inside and outside, 149-150
: installation of, 171-172, 408, 411
: policy considerations regarding, 138, 178
: preparing for use, 170-171
: testing of, 160-171, 410-411
: transition to, 173-174, 411
Firewalls, 83-84
: architectural considerations of, 136-137
: defined, 121
: deployment of, 123
: dual, 134-135
: functions of, 127-132
: hardware requirements for, 139-140
: improvement after intrusion, 292
: indications for use of, 138
: installing and configuring, 144-147
: logging and alert mechanisms, 410
: need for, 122-123
: ongoing monitoring of, 171
: online resources regarding, 181
: operating system for, 145-146
: policy considerations regarding, 147
: procurement for, 141-142
: security of, 138
: site of application of, 124
: software requirements for, 140
: table of practices for, 123
: testing components for, 141
: topology of, 132-135
: training for use of, 142-254
: vendor support for, 143-144
FIRST (Forum of Incident Response and Security Teams), 17, 224-225
FTP (File Transfer Protocol), 29
: disabling of, 45

German Computer Emergency Response Team, 17
Group identities, establishing, 90
Guest accounts, 51

Handshake protocol, 108

Hardening, 9-10
Hardware
: auditing of, 255
: for firewall, 139-140
: inventorying, 210-211
: policy considerations regarding, 256
: security of offline, 35
: unauthorized, 70, 255-256, 417
Host machine, 42, 400
: configuration files for, 345-346
: cryptographic checksumming of, 46
: functions of, 43-44
: limiting access to, 44
: and network security, 43
: policy considerations regarding, 46
: remote services, 45
: software for, 45-46
Hot backups, 32
HTTP (HyperText Transfer Protocol), 29

ICMP (Internet Control Message Protocol), 84, 153-154
ICSA, 17
IETF, 17
Implementations, 16
Improvement actions, 12
Incident, defined, 14
Incident notes, 16
Incident report
: components of, 260
: evaluation of, 260
: investigation of, 260-261
: policy considerations regarding, 261
: sources of, 258-259
: triage of, 259
Information dissemination, 279
: policy considerations regarding, 281-282
Information security policy
: characteristics of, 398
: topics covered by, 399
Information security risk analysis and assessment, defined, 13-14
Inside firewall systems, 149-150
Inspecting, as part of intrusion detection and response, 212
Installation
: of firewall, 144-147
: of firewall system, 171-172
: of operating system, 32-33
: of software, 145-146
Integrity checking, 42
: of configuration files, 348
: as part of intrusion detection and response, 212
: using Tripwire, 312-313
Integrity of information, 24, 25
Internet, threats from, 412
Internet Engineering Task Force (IETF), 17
Intrusion
: CERT statistics on, xix, xx
: communication after, 278-279
: consequences of, 232, 278
: containment of, 285-289
: curtailment of, 286, 420-421
: damage assessment, 277
: dangers of, 271
: defense against, 289-293
: defined, 14
: via hardware, 255-256
: identification of, 276-277
: investigation of, 260-261
: lessons of, 296-298
: plan for dealing with, 65-66
: preventing recurrence after, 285-298, 421
: reviewing reports of, 258-261, 417-418
: sniffers, 248-249
: sources from network, 241-242
: sources within system, 246-248
: unauthorized access to physical resources, 257-258
Intrusion detection, 11-12, 163, 186
: action after, 261-264
: analysis approaches to, 205-206
: approach to, 187-188
: checklist for, 265-268
: data collection for, 198-204
: documentation of procedures for, 192-194
: improvement of, 292-293
: keeping current, 197-198
: logging and, 157
: monitoring in, 189, 415-416
: need for, 186-187, 232
: policies and procedures for, 188-198, 411-414
: real-time, 205
: roles and responsibilities for, 195
: scale of, 233
: security of software used for, 234-237
: strategies for, 31
: table of practices for, 188, 233-234
: threat assessment, 190-191
: tools for, 212-216
: user training for, 196-197
Intrusion response
: approach to, 187-188, 271-272
: authority for, 191-192, 413
: checklist for, 228-230, 298-301
: collecting and protecting information during, 282-285, 419-420
: communication in, 225-226, 278-282, 418-419
: contact information for, 224-225
: containment, 285-289, 420
: documentation of, 283
: documentation of procedures for, 194-195
: elimination of intruder access, 289-293, 420-421
: information needed for, 273-274, 418
: initiation of, 263
: law enforcement and, 284-285
: legal review of procedures, 195-196
: logs and, 275-276
: need for, 186-187, 271
: policies and procedures for, 188-198, 411-414
: policy considerations regarding, 227, 278, 285, 293
: postmortem review of, 297-298
: resource kit for, 226
: resources for, 192, 414
: roles and responsibilities for, 195
: sequence of actions for, 191, 413
: system quarantine, 275
: table of practices for, 188, 270
: test systems for, 226
: tools for, 221-227, 415
: user training for, 196-197
IP forwarding, disabling, 86
IP routing
: addresses for, 148
: configuration for, 148-150, 408
: policy considerations regarding, 149
IP spoofing, 45, 86
IPSEC, 34
Isolated subnets
: policy considerations regarding, 88-89, 405
: server on, 83
: supporting services on, 85-86

Java, 49

Kerberos, 54
Keys, 70
: as authentication tool, 30

l0phtCrack, 53
LANs (local area networks), 34
LDAP (Lightweight Directory Access Protocol), 86
Legal considerations
: chain of custody, 284
: protection of evidence, 195-196, 235, 283-284
log/sysidconfig.log (Solaris), 339
Log files
: analysis of, 97
: archive and backup of, 220
: configuration of, 345
: difficulty of monitoring of, 254
: disk space required by, 348-349
: encryption and disposal of, 220
: examination after intrusion, 275-276
: format of, 95-96
: management of, 219
: permissions of, 344
: protection of, 217-218, 342-343, 345
: remote access to, 69
: rotation of, 219, 345, 365
: Snort, 394-395
: storage locations of, 344
: types of, 94-96
: under Solaris, 336-341
Log messages, 343-344
: analyzing, 349-366
: identification of, 349
: in logsurfer, 355-356, 357-358
logger(1), 347, 349
Logging
: configuration of, 157, 264, 410
: designing environment for, 158
: enabling, 96-97, 217
: information for, 94-96
: for intrusion detection, 198-200, 204-205
: management of, 216-221, 414
: options for, 158-159
: policy considerations regarding, 160, 221
: reasons for, 157
: support tools for, 160
: testing of, 169-170
: user notification of, 238-239
Loghost
: configuration file for, 346-347
: hostname for, 345
Login, 54
logsurfer, 304
: actions in, 355
: compared to swatch, 350
: configuring, 352
: configuration file structure of, 353-354
: contexts in, 355-356
: downloading and verifying, 351
: effort estimates for installation of, 350
: e-mail addresses used by, 362-363
: initial configuration of, 358
: installation of, 351-352
: limitations of, 353
: log message handling in, 357-358
: prerequisites for, 350
: quotes in, 354
: restarting after rotation of log files, 365
: rules syntax in, 356-357
: sample rules for, 358-362
: setup of, 362-366
: startup file for, 363-365
: Tripwire configuration for, 365-366
: user IDs in, 362
Love Letter Worm, 3

Malicious code, 102
Mark messages, 347
MD5 algorithm, 113
Meta characters, 101
Model configuration
: case-by-case changes to, 63
: checksumming for, 63
: creation and testing of, 62
: replication of, 63
Modems
: documentation of, 34
: network connection with, 34
: unauthorized, 255
Monitoring
: of data streams, 189, 205-206
: of firewall, 171
: after intrusion, 288
: in intrusion detection and response, 212
: of network activities, 237-243, 415-416
: policy considerations regarding, 242-243
: of process activity, 246-247
: of system activities, 243-251, 416
: of user behavior, 247-248
Multiple-layer architecture, 124-125, 126, 167

Network clients
: functions of, 48-49
: security issues with, 49-50
: policy considerations regarding, 50
: software updates for, 50
Network error reports, 239-240
Network interface, 34
: promiscuous vs. nonpromiscuous, 249
Network mapping and scanning, 250
Network performance
: reviewing, 240
Network services
: clients for, 401
: identifying, 29
: software for, 29
Network Time Protocol (NTP), 126, 219
Network traffic
: characterization of, 207
: monitoring and inspection of, 163, 237-243, 415-416
: reviewing of, 241-242
Network traffic generators, 163
Network traffic logs, 256
Nonpromiscuous mode, 249
Notification, as part of intrusion detection and response, 206, 212
npasswd, 53

One-time passwords, 54
Operating system
: archiving of, 222
: installation of, 32-33
: object, device, and file access controls for, 56-59, 402
: requirements for using firewalls, 145-146
: restoration of, 223, 290
: updating of, 39-41, 400
OSPF (Open Shortest Path First), 173, 174
Outside firewall systems, 149

Packet filtering, 125, 126, 127-128
: configuration of, 150
: dynamic, 131
: policy considerations regarding, 408-410
Packet filtering rules, 150-151
: design of, 151-154
: documentation of, 154-155
: installation of, 155
: logging options for, 158-159
: policy considerations in, 155-157
Packet forwarding, disabling of, 147
Password security, 204
Passwords, 30
: one-time, 54
: policies regarding, 52-53, 55
: security of, 290
: writing policy regarding, 402
Patches
: archiving of, 222-223
: authentication of, 40
: vulnerability, 251
PGP (Pretty Good Privacy), 211
: described, 113
Physical resources
: audit of, 258
: tampering of, 258
: policy considerations regarding, 258
: unauthorized access to, 257-258, 417
Plug-ins
: security issues with, 98
: use with Web server, 100-105
Port 53, 84
Port 80, 84
Port 443, 84
Portscanners, 163
Preparation, 10-11
Privileges
: documentation of, 30
: enforcement of, 31
Probing, as part of intrusion detection and response, 212
Process accounting, 369
Process activity, monitoring, 246-247
Processes, characterization of, 208
Production environment, 168
: testing in, 166-169
Promiscuous mode, 249
Protocol violations, 241
Proxy servers, 129-130, 131
Public key cryptography, 108
Public servers, 24

Quotes, use in logsurfer, 354

R-commands, 33
Reauthentication, 53
Reconnaissance, detection of, 241
Record protocol, 108
Recovery
: procedures for, 31-32
: strategy for, 162
: testing of, 61
Redundancy, importance of, 136, 191, 412
Referrer log, 95
Regression-testing, 170
Reinstallation
: of system, 290
: tools for, 223
Reliability, importance of, 136
Remnant files, 227, 280
Remote administration, 67
: authentication and credentialing of administrators, 67-68
: cryptographic checksums in, 69
: log files and, 69
: policy considerations regarding, 69, 403-404
: security of confidential information, 68
: transferring information for, 68-69
Remote services, insecurity of, 45
Responding, 12
Restoration
: of application files, 291
: of availability of services, 295
: of operating system, 290
: policy considerations regarding, 296
: of system to normal operation, 293-296
: of user data, 295-296
Restricted information
: access requirements for, 106
: encryption of, 58
: protection of, 92
RIP (Routing Information Protocol), 173, 174
Risk analysis and assessment, defined, 13-14
Rootkit tool set, 235
Routers, 127-128
Routing table, updating, 176-177

SANS Institute, 17
Scanning, as part of intrusion detection and response, 212
Script
: defined, 98
: use with Web server, 100-105
Securing Web servers
: authentication and encryption, 105-114, 115-116
: backup of site content, 32, 114, 407
: checklist for, 117-120
: cost-benefit tradeoffs in, 98
: importance of, 79, 81-82
: isolation, 83-89, 405
: logging, 94-97
: object, device, and file access controls, 89-94, 406
: protection levels, 90-91
: restricting information access, 92
: restricting user access, 114
: software access controls, 92-93
: table of practices for, 82
Security, 137, 138
: of communication, 225-226
: day-to-day administration and, 34-35
: login issues, 54
: password, 204
: sites for fixes and patches, 17
Security Focus, 16
Security policies, 5-6
: adoption of, 7
: enforcement of, 6
Security Portal, 17
Sensitive information
: access requirements for, 106
: encryption of, 58
: protection of, 92
Separation of duties, 43, 68
Servers
: applications of, 21
: backup procedures for, 60
: functionality requirements, 36, 37-38
: host machine of, 42-46, 400
: importance of security of, 21-23, 400
: operating costs of, 38-39
: policy considerations regarding selection of, 39
: product features of, 38
: security requirements, 37
: selection of, 400
: up-to-date software on, 41-42
: vulnerability of, 25
: Web, 79-120, 405
Service-level agreement, 144
Servlets, defined, 98
SET (Secure Electronic Transaction), 105
: benefits of, 112
: capabilities of, 109
: features of, 110
: use of, 110
S/HTTP (Secure Hypertext Transport Protocol), 105
: features of, 109, 110
Single-layer architecture, 124, 125, 166
Smart hubs, 88
SMTP (Simple Mail Transfer Protocol), 85
Sniffers, 248-249
: SSH to combat, 318-319
Snort, 305
: alerts in, 393-395
: building of, 388
: described, 386
: downloading and verification of, 387-388
: effort estimates for installation of, 386
: installation of, 389
: integration with other tools, 395
: log file directory of, 389
: prerequisites for, 387
: rules in, 390
: sample rules for, 390-391, 392-393
: testing correct operation of, 389
: testing of, 389
: Tripwire configuration of, 396
: writing of rules for, 391-392
Software
: drivers, 42
: for firewall, 140
: functionality of, 99
: installation of, 145-146
: integrity checking of, 105
: patches for, 146
: policy considerations regarding, 100, 105
: problems with, 101-102
: regulating access on Web server, 103-104, 406
: scanning of, 101
: security of, 234-237
: security implications of, 97-100, 406
: sources of, 99
: sterile technique for, 236-237, 415
: testing of, 101
: updating of, 39-41
: use with Web server, 100-105
Solaris servers, special procedures regarding, 33
Source routing, disabling, 86
spar, 304
: automated use of, 371
: building of, 368
: configuration of, 369
: described, 366
: downloading and verification of, 367
: effort estimates for installation of, 366
: installation of, 368-369
: integration with other tools, 371
: prerequisites for, 366-367
: testing correct operation of, 368
: testing of, 369
: Tripwire configuration for, 371-372
: use of, 370-371
SQL (Structured Query Language), 86
SSH (secure shell), 304
: building of, 321-322
: configuration of, 326-330
: configuration settings for, 321-322
: downloading of, 320
: effort estimates for installation of, 319
: host keys for, 323-324
: information resources about, 335
: installation of, 322-325
: password authentication for, 333
: prerequisites for, 319-320
: sshd daemon for, 324-325, 325-326
: Tripwire configuration for, 334-335
: unpacking of, 321
: user access to remote hosts, 332-333, 334
: user accounts for, 330-333
: user keys for, 330-332
: uses of, 318-319
: verification of download, 320-321
ssh_config file, 327
: options for, 327-329
sshd daemon
: starting, 324, 325
: stopping, 325, 326
: using telnet to connect to, 326
sshd_config file, 327
: options for, 329-330
SSL (Secure Socket Layer), 105
: certification and, 111-112
: composition of, 108
: future of, 109
: supporting use of, 111-112
Stateful inspection, 130
Strings, 354
Summaries, 16
swatch, 349, 358
: compared to logsurfer, 350
syslog files (Solaris), 339
syslogd
: actions associated with, 342
: caveats regarding, 349
: facilities of, 341
: function of, 341
: priorities of, 342
: and UDP network service, 348
System administrators, 4-5
: accounts for, 51
System behavior, characterization of, 207
System configuration files, 291
System error reports, 245
System files, write protection of, 237
System hardware, inventory of, 210-211
System information, recording of, 274
System monitoring, 243
: baseline values for, 244
: error reports and, 245
: performance statistics and, 245
: policy considerations regarding, 250-251, 416
: system alerts and, 244-245
: user notification for, 244
System performance
: characterization of, 207-208
: maximizing, 138
: reviewing statistics of, 245

Tampering, detection of, 257
TCP connections, 84
: security concerns regarding, 45
tcpdump, 304-305
: building of, 374
: configuration of, 375
: described, 372
: downloading and verification of, 373
: effort estimates for installation of, 372
: examples of use of, 383-384, 384-385
: installation of, 375
: integration with other tools, 385
: options in, 376-387
: prerequisites for, 373
: primitives in, 379-383
: qualifiers in, 379
: recommended use of, 376-383
: testing correct operation of, 374-375
: testing of, 375
: Tripwire configuration of, 385
: use of, 376-385
Tech tips, 16
Testing of firewall
: aspects of, 161
: of log files, 169-170
: monitoring and, 171
: planning for, 161-162
: policy considerations regarding, 171
: in production environment, 166-169
: regression, 170
: steps in, 160
: in test environment, 164-165
: tools for, 163-164
: vulnerability scanning, 170
Threat, defined, 13
Time stamps, 347
Tokens, as authentication tool, 30, 54
Transaction auditing, 254
Transfer log, 94
: analysis of, 97
Transparent proxies, 131
Trespassing, detection of, 257
Triage, 259
Tripwire, 41, 208-209, 304
: configuration files of, 310
: contents of database, 305
: described, 305-306
: downloading and verification of, 306, 307
: effort estimates for installation of, 306
: generation of database, 311-312
: history of, 317-318
: installation of, 308, 310
: integrity checking using, 312-313
: for Linux, 318
: open source versions of, 318
: paths for files, 309
: preparation for, 311
: prerequisites for, 307
: sample reports of, 313-318
: system settings of, 308
: testing of, 310-311
: unpacking of, 308
: verbose mode of, 313
Trojan horses, 274, 277, 287, 290
: coping with, 64-65
: defined, 64
TruSecure, 17

UDP (User Datagram Protocol), 84, 135
: security concerns regarding, 45
: and syslogd, 348
Updates
: archiving of, 41-42
: automated, 41
: evaluation of, 40
: importance of, 39
: installation of, 40
: of network service software, 50
: policy considerations regarding, 42
: problems caused by, 40-41
USENIX Advanced Computing Systems Association, 17
Users
: authentication of, 51-55, 106, 115, 401-402
: characterization of, 208
: education of, 52, 65-66, 106, 398
: fostering trust with, 107
: identification of, 29-30, 90
: identity of, 24
: monitoring of, 247-248
: notification of monitoring, 174
: privileges of, 30
: restrictions on, 114
/usr/adm link (Solaris), 336

/var/adm directory (Solaris), 336
/var/cron directory (Solaris), 340
/var/log directory (Solaris), 338
/var system directory (Solaris), 336
Viruses, 64, 287
: modus operandi of, 235
: policies regarding, 403
: tools to prevent/cure, 65, 66
: user education about, 65-66
VPN (virtual private network), 88
Vulnerabilities
: correcting, 292
: identifying, 100
Vulnerability detection, 163, 170
: for systems, 250
Vulnerability notes, 16

Warm backups, 32
Watermarking, digital, 113-114
Web content
: storage on secure host, 32, 114, 407
: policy considerations regarding, 116
: transfer of, 116
Web servers, 24
: alternative architectures for, 88
: compromised, 79, 81
: configuration of, 84-85, 87
: external software on, 103-105
: improper operation of, 81
: information stored on, 89
: isolation of, 83-89, 405
: securing of, 79-120
: server side include functionality of, 103
: use rules for, 90-91
: user and group identities for, 90
Whois, 225
Workstations, 400
: acceptable use policy for, 72-73, 404-405
: backup procedures for, 60
: cryptographic checksumming of, 48
: functions of, 46, 47-48
: importance of security of, 25
: on network, 46-47
: policy considerations regarding, 48, 66
: software on, 48



Updates

Submit Errata



More Information



InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Privacy Notice

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
Such marketing is consistent with applicable law and Pearson's legal obligations.
Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

As required by law.
With the consent of the individual (or their parent, if the individual is a minor)
In response to a subpoena, court order or legal process, to the extent permitted or required by law
To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
To investigate or address actual or suspected fraud or other illegal activities
To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020

Email Address

CERT Guide to System and Network Security Practices, The

Book

About

Features

Description