The Binomial Bookstore
Rothstein Associates Inc.
Info & Network Security, Info Protection
INTRANET SECURITY: STORIES FROM THE TRENCHES
by Linda McCarthy

Security consultant Linda McCarthy shows:
- How breaches occurred
- What steps were taken to deal with them - and how well they worked
- What steps could have been taken to prevent the crisis

"There's nothing academic about network security when it's late at night and some hacker is rummaging through your R&D files. If you don't want that 3 a.m. phone call, and you don't want your company's strategic plans in tomorrow's Wall Street Journal, now's the time to prevent it from happening to you.

"In this book, you'll watch as real network administrators track hacker intrusions. You'll see firsthand how companies struggle with security problems caused by poor training, lack of management support, hidden agendas, and careless intranet development.

"You'll find checklists of preventive security measures you can take right now - and lists of tools that can help. Above all, you'll find insight into the all-too-human security flaws that make corporate intranets an easy target for hackers."

=========================================

"There has always been a sizeable gap between what is written about security and what actually happens in the real world - no one ever talks about the last time they were broken into, when they had a significant security incident, the multitude of problems that the last security audit found, or the unpleasant fact that their organization's security policy doesn't exist. This is unfortunate; anecdotes are a very useful and rich way of learning - without history, we are lost. Linda McCarthy's book not only blends statistics with real life stories to good effect, but discusses and documents crucial items such as the importance of a security policy, the impact of organizational politics, and actual transcripts of break-ins. Read the book - it will help you understand security in the real world. And when all is said and done, that's saying quite a lot, isn't it?"
- Dan Farmer, Security Researcher

"This book combines a wealth of sobering real-life experience with practical suggestions. If you've ever been in the frustrating position of having to illustrate WHY computer security is necessary, this book gives you all the arguments you need and more. In addition to accurate and scary war stories, it is chock-full of practical advice that anyone can benefit from."
- Marcus J. Ranum, CEO, Network Flight Recorder

"The next time you are sued for a network security failure, you should assume that the lawyer taking your deposition will have read Linda's book and the first question is likely to be whether you have too."
- Fred Chris Smith, Trial Attorney, Santa Fe, New Mexico

"This book drives home the awareness of how little is being done to protect one of the most important company assets a company can have: 'the information asset' and it illustrates the lack of total commitment to information security - it's an eye opener."
- Bob Shotwell, Founder of KAO Systems

CONTENTS

Foreword
Acknowledgments
About the Author
Introduction

Chapter 1 Visitors in the Night
  An Unwanted Guest
  Day 1: A Nice Night for a Hack
  Day 2: Out of Sight, Out of Mind
  Day 3: The Hack is Back
  Days 4 to 7: Waiting to Exhale
  Day 8: Too Little, Too Late
  Day 9: Just the Facts
  Summary: It Can Come from Within
  Let's Not Go There...
    Focus on Prevention
    Prepare for the Worst
    React Quickly and Decisively
    Follow Up
  Checklist
  Final Words

Chapter 2 The Bogus Box
  Out-of-the-box Security
  Day 1: False Security from a Box
  Two Years Later: It Was Bound to Happen Eventually
  + Two Weeks: Once Is Never Enough
  + Three Weeks: No Quick Fix
  The Saga Continues: A Disaster Awaits
  Summary: Would You Hire this ISP?
  Let's Not Go There...
    Know Your Risks
    Avoid Out-of-the-box Installations
    Audit Your Network
    Know the People Who Know Your Data
    Assign or Acquire Adequate Funding for Security
    Don't Export Read/Write Permissions to the World
    Remove Old Accounts
    Forbid the Use of Crackable Passwords
    Apply Security Patches
    Follow Policies and Procedures
    Get Help
    Use Training
  Checklist
  Final Words

Chapter 3 Executive Nightmare
  Can You Hear Me At The Top?
  Day 1: Not a Security Measure in Sight
  A Year Later: The Hacks Continue
  Summary: Take an Active Approach
  Let's Not Go There...
    Commit to Security from the Top Down
    Speak Softly and ACT LOUDLY
    Keep Levels of Management to a Minimum
    Report Back!
    Set Security as a Management Goal
    Provide or Take Training as Required
    Make Sure that All Managers Understand Security
    Check that System Administrators Communicate Needs Clearly
  Checklist
  Final Words

Chapter 4 Controlling Access
  The Never-ending Network
  Day 1: An Ill-Fated Plan for Outside Access
  A Few Weeks Later: Dave's Big Mistake
  The Next Day: Whose Job is Security, Anyway?
  Over the Next 29 Days: And the Hacker Wanders Quietly
  + One Month: A Spot Audit Spots the Hacker
  Audit Day 1: Follow the Network Map to Follow the Security Hole
  Audit Day 2: An Unenforced Policy is a Useless Policy
  The Last Audit Day: The Wrong Man for the Job is Worse than No Man for the Job
  Summary: Close the Door to the Competition
  Let's Not Go There...
    Use Standard Architecture Designs
    Track External Connections
    Take Responsibility for Your Territory
    Require Approval for External Connections
    Enforce Policies and Procedures
    Disable Unnecessary Services
    Stress the Importance of Training
    Follow Through
    Don't Connect Unsecured Systems to the Internet
  Checklist
  Final Words

Chapter 5 What You Don't Know
  Sink or Swim?
  Initial Contact: A Good Sign
  Day 1: Don't Put Your Security Eggs in One Basket
  Day 2: The Penetration Begins
  Day 3: Sink or Swim Always Means Sink
  Summary: Can't Afford the Power of Negative Training
  Let's Not Go There...
    Have Management Send the Right Security Message
    Educate Executive Management
    Protect the Security Training Budget
    Make Security a Management Requirement
    Make Training a System Administrator Requirement
    Attend Security Seminars
    Have Brown Bag Lunches
    Disseminate Security Information
    Join Security Aliases
    Write White Papers
    Write for Newsletters
    Develop Tools into Products
  Checklist
  Final Words

Chapter 6 Risking the Corporation
  Trauma Zone
  Day 1: An Unscheduled Audit
  A Game of Risk is a Game of Strategy
  Phase One: Dress the Part
  Phase Two: Infiltrate Physical Security
  Phase Three: A Walk Through the System Park
  Day 2: Patient Records at Risk
  Summary: Look Before You Leap
  Let's Not Go There...
    Assess Risks
    Classify Systems
    Forbid Out-of-the-box Installations
    Don't Be Too Trusting
    Learn from the Past
    Target Budget Cuts
    Conduct Security Audits
    Hold Management Accountable
    Don't Set Yourself Up
    Include Training in Right-sizing Budgets
    Keep Score
  Checklist
  Final Words

Chapter 7 Not My Job
  Come On In, The Door's Open
  Day 1: Why Can't We Lock the Hackers Out?
  Day 2: The Usual Suspects
  Stuck on Band-Aids for Job Security
  Moving On
  When You Hear "Don't Worry," Start Worrying
  My Last Day: Breaking the News
  Summary: Ask Not What Your Company's Security Can Do for You
  Let's Not Go There...
    Define Roles and Responsibilities
    Develop Firewall Policies and Procedures
    Feed Your Firewall
    Read Your Audit Logs
    Use Detection Software
    Respond Quickly!
    Require Proof of Security
    Conduct Audits
    Get Educated
  Checklist
  Final Words

Chapter 8 For Art's Sake
  Policies? What Policies?
  In the Beginning: A Conflict Arises
  Day 1: In Search of Tangible Evidence
  Day 2: Whose Side Are You On, Anyway?
  System Admins: It's Not Our Problem, It's Theirs
  Security Team: It's Not Our Problem, It's Theirs
  Summary: Security is the Casualty of War
  Let's Not Go There...
    Put Someone in Charge of Policies and Procedures
    Delineate Cross-organizational Security Support
    Don't Wait for Miracles
    Question Processes
    Know When to Cry "Uncle"
    Be Responsible
  Checklist
  Final Words

Chapter 9 Outsourcing the Store
  I Did It My Way
  Day 1: On the Surface, Everything Appears Normal
  Day 2: A Skeleton Key to Success
  Cracking the Case
  Lifestyles of the Untrained and Inexperienced
  Days 3 and 4: The Fix Is Up to Them
  Summary: Stop! Look! Audit!
  Let's Not Go There...
    Conduct Audits
    Do It Right
    Do It Regularly
    Use the Freebies
    Fix the Problems You Find
    Kill the Sink-or-Swim Trainers
  Checklist
  Final Words

Chapter 10 What They See Can Hurt You
  E-mail or See Mail?
  Personal Data in 30 Seconds Flat
  Summary: You Have the Right to Waive Your Right to Privacy
  Let's Not Go There...
    Use Encryption!
    Encourage Your Friends to Encrypt
    Add Encryption to Your Security Budget
    Promote Strong Cryptography Everywhere
    Watch for Other E-mail Hazards
  Final Words

Chapter 11 A Hacker's Walk Through the Network
  A Hacker's Profile
  The Real Hackers
  About Those Tools
  Walking with the Hacker
  What the Hacker Was Doing...
  Conclusion

Appendix A People and Products to Know
  Software You Need to Know About
  Free Software
  Security-related Organizations
  Product Vendors
  Forum of Incident Response and Security Teams (FIRST)
  Security Incident Investigators
  Consulting Firms

Acronyms
Glossary
Index

ABOUT THE AUTHOR

"Linda McCarthy has broken into thousands of systems on corporate intranets to demonstrate how easily an intruder could shut down executive networks, kill manufacturing processes, or even crash world-wide computer operations. She provides consultative services to executive managers to help them understand the levels of risk on their networks. Linda has also taught courses in hardware architecture, system administration, and UNIX security. She currently leads a global security research and development team at Sun Microsystems, Inc."

1997, 260 pages.
Order #DR288, $32.75

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEIN
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com

All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008