
Network Security Evaluation Using the NSA IEM

  • ISBN-13: 9781597490351
  • ISBN-10: 1597490350
  • Format: Paperback
  • Copyright: 7/30/2005
  • Publisher: Elsevier Science

Summary

Network Security Evaluation provides a methodology for conducting technical security evaluations of all the critical components of a target network. The book describes how the methodology evolved and how to define the proper scope of an evaluation, including the legal issues that may arise during it. Later chapters give more detailed information about the core technical processes that must occur to ensure a comprehensive understanding of the network's security posture. Ten baseline areas for evaluation are covered in detail. The tools and examples described include both freeware and commercial tools that provide a detailed analysis of security vulnerabilities on the target network. The book ends with guidance on creating customer roadmaps to better security and recommendations on the format and delivery of the final report.

  • There is no other book currently on the market that covers the National Security Agency's recommended methodology for conducting technical security evaluations.
  • The authors are well known in the industry for their work in developing and deploying network security evaluations using the NSA IEM.
  • The authors also developed the NSA's training class on this methodology.

Table of Contents

Prologue: Why the IEM? (p. 1)
  Taking a Look Back (p. 1)
  A Flexible Baseline (p. 4)
  Terms and Topics (p. 4)
  Defense in Depth (p. 5)
  Layered Security (p. 5)
Introducing the INFOSEC Evaluation Methodology (p. 7)
  Introduction (p. 8)
  What Is the IEM? (p. 8)
  Tying the Methodologies Together (p. 9)
  What the IEM Is Not (p. 13)
  The IEM Is Not an Audit or Inspection (p. 15)
  The IEM Is Not a Risk Assessment (p. 16)
  Standards and Regulations (p. 17)
  Lack of Expertise (p. 17)
  Certification Does Not Give You Expertise (p. 18)
  Summary (p. 19)
  Solutions Fast Track (p. 19)
  Frequently Asked Questions (p. 20)
Before the Evaluation Starts (p. 23)
  Introduction (p. 24)
  The Evaluation Request (p. 24)
  Why Are Evaluations Requested? (p. 24)
  Compliance With Laws and Regulations (p. 24)
  Response to Suspicious Activities (p. 27)
  Third-Party Independent Reviews of Security Posture (p. 28)
  It's the Right Thing to Do (p. 29)
  How Are Evaluations Requested? (p. 29)
  Validating the Evaluation Request (p. 30)
  Sources of Information for Validation (p. 31)
  Validating with the Customer (p. 31)
  Publicly Available Information (p. 32)
  Understanding the Level of Effort (p. 33)
  The Formal Engagement Agreement (p. 33)
  Nondisclosure Agreements (p. 34)
  Engagement Agreement Composition (p. 34)
  Minimum Engagement Agreement Contents (p. 34)
  Understanding the Pricing Options (p. 36)
  Additional Engagement Agreement Contents (p. 38)
  Dealing with Contract Pitfalls (p. 40)
  "Scope Creep" and Timelines (p. 40)
  Uneducated Salespeople (p. 41)
  Evaluations 101 (p. 41)
  Bad Assumptions (p. 42)
  Poorly Written Contracts (p. 42)
  Customer and Evaluation Team Approval (p. 44)
  The Customer Approval Process (p. 44)
  The Evaluation Team Approval Process (p. 44)
  Summary (p. 45)
  Solutions Fast Track (p. 45)
  Frequently Asked Questions (p. 46)
Part I: Pre-Evaluation (p. 49)
Setting Expectations (p. 51)
  Introduction (p. 52)
  Objectives of the Pre-Evaluation Phase (p. 52)
  Understanding Concerns and Constraints (p. 54)
  What Are the Requirements? (p. 55)
  Other Significant Regulations (p. 55)
  Budgetary Concerns (p. 57)
  Cyber-Insurance (p. 58)
  System Accreditation (p. 58)
  FISMA (p. 58)
  DoD Information Technology Security Certification and Accreditation Process (p. 59)
  National Information Assurance Certification and Accreditation Process (p. 59)
  Defense Information Assurance Certification and Accreditation Process (p. 60)
  Response to Suspected Threats or Intrusions (p. 60)
  Obtaining Management Buy-In (p. 61)
  Obtaining Technical Staff Buy-In (p. 64)
  Establishing Points of Contact (p. 65)
  Summary (p. 67)
  Solutions Fast Track (p. 68)
  Frequently Asked Questions (p. 70)
Scoping the Evaluation (p. 71)
  Introduction (p. 72)
  Focusing the Evaluation (p. 72)
  The Power of Expectations (p. 72)
  What Does the Customer Expect for Delivery? (p. 73)
  Adjusting Customer Expectations (p. 73)
  When Scoping Fails (p. 74)
  "Scope Creep" and Time Lines (p. 74)
  Uneducated Salespeople (p. 75)
  Bad Assumptions (p. 76)
  Assumption Topic Areas (p. 77)
  Poorly Written Contracts (p. 77)
  Identifying the Rules of Engagement (p. 78)
  Customer Concerns (p. 78)
  Stating the Evaluation Purpose (p. 79)
  Customer Constraints (p. 79)
  Impact Resistance and Acceptable Levels of Invasiveness (p. 79)
  Establishing the Evaluation Boundaries (p. 82)
  Physical Boundaries (p. 82)
  Logical Boundaries (p. 83)
  Critical Path and Critical Components (p. 84)
  Finding the Sources of Scoping Information (p. 84)
  Customer (p. 85)
  The Scoping Questionnaire (p. 85)
  Evaluation Requestor (p. 90)
  Customer Senior Leadership (p. 91)
  Administrative Customer Contact (p. 91)
  Technical Customer Contacts (p. 91)
  Evaluation Team (p. 91)
  Evaluation Team Lead (p. 91)
  Evaluation Team Members (p. 91)
  Validating Scoping Information (p. 92)
  Staffing Your Project (p. 92)
  Job Requirements (p. 92)
  Networking and Operating Systems (p. 92)
  Hardware Knowledge (p. 93)
  Picking the Right People (p. 93)
  Summary (p. 95)
  Solutions Fast Track (p. 96)
  Frequently Asked Questions (p. 97)
Legal Principles for Information Security Evaluations (p. 99)
  Introduction (p. 100)
  Uncle Sam Wants You: How Your Company's Information Security Can Affect U.S. National Security (and Vice Versa) (p. 100)
  Legal Standards Relevant to Information Security (p. 104)
  Selected Federal Laws (p. 104)
  Gramm-Leach-Bliley Act (p. 104)
  Health Insurance Portability and Accountability Act (p. 105)
  Sarbanes-Oxley (p. 106)
  Federal Information Security Management Act (p. 107)
  FERPA and the TEACH Act (p. 107)
  Electronic Communications Privacy Act and Computer Fraud and Abuse Act (p. 107)
  State Laws (p. 108)
  Unauthorized Access (p. 108)
  Deceptive Trade Practices (p. 108)
  Enforcement Actions (p. 109)
  Three Fatal Fallacies (p. 109)
  The "Single Law" Fallacy (p. 109)
  The Private Entity Fallacy (p. 110)
  The "Pen Test Only" Fallacy (p. 110)
  Do It Right or Bet the Company: Tools to Mitigate Legal Liability (p. 111)
  We Did Our Best; What's the Problem? (p. 111)
  The Basis for Liability (p. 112)
  Negligence and the "Standard of Care" (p. 112)
  What Can Be Done? (p. 113)
  Understand Your Legal Environment (p. 113)
  Comprehensive and Ongoing Security Assessments, Evaluations, and Implementation (p. 113)
  Use Contracts to Define Rights and Protect Information (p. 114)
  Use Qualified Third-Party Professionals (p. 114)
  Making Sure Your Standards-of-Care Assessments Keep Up with Evolving Law (p. 115)
  Plan for the Worst (p. 116)
  Insurance (p. 116)
  What to Cover in IEM Contracts (p. 117)
  What, Who, When, Where, How, and How Much (p. 117)
  What (p. 117)
  Who (p. 120)
  When (p. 123)
  Where (p. 124)
  How (p. 125)
  How Much (p. 125)
  Murphy's Law (When Something Goes Wrong) (p. 126)
  Where the Rubber Meets the Road: The LOA as Liability Protection (p. 128)
  Beyond You and Your Customer (p. 130)
  The First Thing We Do? Why You Want Your Lawyers Involved From Start to Finish (p. 130)
  Attorney-Client Privilege (p. 132)
  Advice of Counsel Defense (p. 133)
  Establishment and Enforcement of Rigorous Assessment, Interview, and Report-Writing Standards (p. 133)
  Creating a Good Record for Future Litigation (p. 134)
  Maximizing Ability to Defend Litigation (p. 134)
  Dealing with Regulators, Law Enforcement, Intelligence, and Homeland Security Officials (p. 135)
  The Ethics of Information Security Evaluation (p. 136)
  Solutions Fast Track (p. 137)
  Frequently Asked Questions (p. 139)
  References (p. 140)
Building the Technical Evaluation Plan (p. 147)
  Introduction (p. 148)
  Purpose of the Technical Evaluation Plan (p. 148)
  The IEM TEP as an Agreement (p. 149)
  The TEP as Road Map (p. 150)
  Building the Technical Evaluation Plan (p. 151)
  Source of the Technical Evaluation Plan Information (p. 151)
  TEP Section I: Points of Contact (p. 152)
  Evaluation Team Contacts (p. 152)
  Customer Contacts (p. 153)
  TEP Section II: Methodology Overview (p. 153)
  Purpose of the IEM (p. 153)
  Description of the IEM (p. 153)
  Evaluation Tools to Be Used (p. 154)
  TEP Section III: Criticality Information (p. 155)
  Organizational Criticality Matrices (p. 155)
  System Criticality Information (p. 156)
  TEP Section IV: Detailed Network Information (p. 157)
  TEP Section V: Customer Concerns (p. 158)
  TEP Section VI: Customer Constraints (p. 158)
  TEP Section VII: Rules of Engagement (p. 159)
  Evaluation Team Requirements (p. 159)
  Customer Requirements (p. 159)
  TEP Section VIII: Coordination Agreements (p. 160)
  Level of Detail of Recommendations (p. 160)
  List of Agreed-On Deliverables (p. 160)
  The Coordination Agreements Section: A Catchall (p. 161)
  TEP Section IX: Letter of Authorization (p. 161)
  TEP Section X: Timeline of Events (p. 161)
  Customizing and Modifying the Technical Evaluation Plan (p. 162)
  Modifying the Ten NSA-Defined Areas (p. 162)
  Level of Detail (p. 162)
  Format (p. 163)
  Getting the Signatures (p. 163)
  Customer Approval (p. 163)
  Evaluation Team Approval (p. 163)
  Summary (p. 164)
  Solutions Fast Track (p. 164)
  Frequently Asked Questions (p. 166)
Part II: On-site Evaluation Phase (p. 169)
Starting Your On-site Efforts (p. 171)
  Introduction (p. 172)
  Preparing for the On-site Evaluation Phase (p. 172)
  Scheduling (p. 173)
  Day One Accomplishments (p. 173)
  Day Two Accomplishments (p. 173)
  Day Three Accomplishments (p. 174)
  Day Four Accomplishments (p. 174)
  Day Five Accomplishments (p. 174)
  Administrative Planning (p. 175)
  Technical Planning (p. 176)
  IAM vs. IEM (p. 177)
  Vulnerability Definitions (p. 177)
  On-site Evaluation Phase Objectives (p. 178)
  Verification of "Known" and "Rogue" Components (p. 178)
  Discovery of Technical Vulnerabilities (p. 179)
  Validation = Value Add? (p. 180)
  IEM Baseline Activities (p. 180)
  Port Scanning (p. 181)
  SNMP Scanning (p. 182)
  Enumeration and Banner Grabbing (p. 183)
  Wireless Enumeration (p. 183)
  Vulnerability Scanning (p. 184)
  Host Evaluation (p. 185)
  Network Device Analysis (p. 185)
  Password Compliance Testing (p. 186)
  Application-Specific Scanning (p. 186)
  Network Sniffing (p. 186)
  Other Activities (p. 187)
  The Role of CVE and CAN (p. 187)
  The In-Brief (p. 188)
  Presenting the TEP (p. 189)
  Cultural Sensitivity (p. 192)
  Summary (p. 194)
  Solutions Fast Track (p. 195)
  Frequently Asked Questions (p. 196)
Network Discovery Activities (p. 199)
  Introduction (p. 200)
  Goals and Objectives (p. 200)
  Results as Findings and Evaluation Task Attributes (p. 201)
  System Mapping (p. 202)
  Tool Basics (p. 203)
  Expected Usage and Requirements (p. 204)
  Port Scanning (p. 204)
  Nmap (p. 205)
  Nmap Options (p. 206)
  SuperScan (p. 209)
  ScanLine (p. 213)
  SolarWinds (p. 214)
  Port Scan System Mapping (p. 215)
  SNMP Scanning (p. 216)
  SolarWinds (p. 217)
  SNMPSweep (p. 217)
  MIB Walk (p. 218)
  MIB Browser (p. 219)
  SNScan (p. 220)
  WS_Ping Pro-Pak (p. 220)
  SNMP Scan System Mapping (p. 222)
  Enumeration and Banner Grabbing (p. 222)
  Nmap (p. 223)
  THC-Amap (p. 226)
  NBTScan (p. 226)
  SuperScan (p. 228)
  WS_Ping Pro-Pak (p. 230)
  UNIX Enumeration (p. 230)
  Telnet (p. 231)
  DNS Queries (p. 232)
  Enumeration and Banner-Grabbing System Mapping (p. 234)
  Wireless Enumeration (p. 234)
  Wireless Enumeration Obstacles (p. 235)
  Kismet (p. 236)
  NetStumbler (p. 237)
  Wireless Encryption Evaluation (p. 239)
  Wireless Enumeration System Mapping (p. 239)
  Summary (p. 240)
  Solutions Fast Track (p. 241)
  Frequently Asked Questions (p. 243)
Collecting the Majority of Vulnerabilities (p. 245)
  Introduction (p. 246)
  Vulnerability and Attack Trends (p. 247)
  Vulnerability Scanning's Role in the IEM (p. 250)
  Conducting Vulnerability Scans (p. 251)
  Breaking Out the Scanning Tools (p. 252)
  Vulnerability Scanners: Commercial and Freeware (p. 253)
  Conducting Host Evaluations (p. 260)
  Host Evaluation Example Tools and Scripts (p. 261)
  Benchmark Scripts and Custom Scripts (p. 262)
  Host Evaluations: What to Look For (p. 265)
  Auditing (p. 265)
  File/Directory Permissions (p. 266)
  OS and Application Services (p. 268)
  User Rights Assignments (p. 269)
  Patch Management (p. 269)
  Mapping the Findings to the IEM Process (p. 270)
  Vulnerability Scans and Host Evaluations: Correlating the Data (p. 270)
  Summarize and Validate Findings (p. 272)
  Summary (p. 273)
  Solutions Fast Track (p. 273)
  Frequently Asked Questions (p. 275)
Fine-Tuning the Evaluation (p. 277)
  Introduction (p. 278)
  Network Device Analysis (p. 278)
  Approaches Used in Network Device Analysis (p. 278)
  Evaluating the Perimeter Design and Defenses (p. 279)
  Evaluating Network Device Configurations (p. 280)
  Password-Compliance Testing (p. 282)
  Password-Compliance Testing Methods (p. 282)
  Methods of Obtaining the Password File (p. 284)
  Password-Compliance Testing Tools (p. 285)
  Application-Specific Scanning (p. 287)
  The DMZ (p. 288)
  Types of Applications to Be Scanned (p. 288)
  Network Protocol Analysis (p. 291)
  Why Perform Network Protocol Analysis? (p. 291)
  Introducing Network Protocol Analyzers (p. 291)
  Summary (p. 294)
  Solutions Fast Track (p. 294)
  Frequently Asked Questions (p. 295)
The Onsite Closing Meeting (p. 297)
  Introduction (p. 298)
  Organizing the Meeting (p. 298)
  Time and Location (p. 298)
  Evaluation Team and Customer Involvement (p. 299)
  The Customer (p. 299)
  The Evaluation Team (p. 300)
  Presentation Needs (p. 300)
  The Agenda (p. 301)
  TEP Overview (p. 302)
  The Evaluation Process (p. 302)
  How Was Information Collected? (p. 302)
  The Tools (p. 302)
  Customer Documentation (p. 303)
  Customer Concerns (p. 303)
  What Is Driving the Evaluation? (p. 304)
  Customer Constraints (p. 304)
  Protecting Testing Data (p. 304)
  Setting Timelines (p. 305)
  Important Events During Testing (p. 305)
  Final Report Delivery (p. 305)
  Overview of Critical Findings (p. 306)
  How Does the Vulnerability Impact the System? (p. 306)
  What Is the Likelihood That a Threat Will Exploit the Vulnerability? (p. 307)
  Mapping to Business Mission and Objectives (p. 307)
  Positive vs. Negative Findings (p. 307)
  Points of Immediate Resolution (p. 308)
  Short Term vs. Long Term (p. 308)
  What Do You Do With the Information That You Have Collected? (p. 308)
  Summary (p. 309)
  Solutions Fast Track (p. 309)
  Frequently Asked Questions (p. 311)
Part III: Post-Evaluation (p. 313)
Post-Evaluation Analysis (p. 315)
  Introduction (p. 316)
  Getting Organized (p. 316)
  Analysis Needs (p. 316)
  Reporting Needs (p. 319)
  Categorization, Consolidation, Correlation, and Consultation (p. 319)
  False Positives and False Negatives (p. 319)
  Evaluation Perspectives (p. 320)
  External Exposures (p. 321)
  Internal Exposures (p. 321)
  System Boundaries (p. 322)
  Conducting Additional Research (p. 322)
  Resources (p. 322)
  Consulting Subject Matter Experts (p. 324)
  Other Team Members (p. 324)
  External Resources (p. 324)
  Analyzing Customer Documentation (p. 325)
  INFOSEC Policies and Procedures (p. 325)
  Previous Evaluations/VA/Penetration-Testing Results (p. 326)
  Developing Practical Recommendations (p. 327)
  Level of Detail (p. 327)
  Finding (p. 328)
  Description (p. 328)
  References (p. 328)
  Criticality Rating (p. 328)
  Business Impact (p. 329)
  Threat Likelihood (p. 329)
  Recommendations (p. 330)
  Tying in Regulations, Legislation, Organizational Policies, and Industry Best Practices (p. 331)
  Summary (p. 332)
  Solutions Fast Track (p. 332)
  Frequently Asked Questions (p. 333)
Creating Measurements and Trending Results (p. 335)
  Introduction (p. 336)
  The Purpose and Goal of the Matrixes (p. 336)
  Information Types (p. 337)
  Common Vulnerabilities and Exposures (p. 340)
  NIST ICAT (p. 341)
  Developing System Vulnerability Criticality Matrixes (p. 342)
  Developing Overall Vulnerability Criticality Matrixes (p. 350)
  Using the OVCM and SVCM (p. 352)
  Summary (p. 353)
  Solutions Fast Track (p. 353)
  Frequently Asked Questions (p. 355)
Trending Metrics (p. 357)
  Introduction (p. 358)
  Metrics and Their Usefulness (p. 358)
  Return on Investment (p. 358)
  How Do We Compare? (p. 359)
  The INFOSEC Posture Profile (p. 360)
  Defense in Depth (p. 360)
  Adversaries or Threats (p. 360)
  Protect (p. 361)
  Detect (p. 361)
  Respond (p. 361)
  Sustain (p. 361)
  People (p. 361)
  Technology (p. 362)
  Operations (p. 363)
  Developing the INFOSEC Posture Profile (p. 364)
  The INFOSEC Posture Rating (p. 369)
  Value-Added Trending (p. 371)
  Summary (p. 371)
  Solutions Fast Track (p. 372)
  Frequently Asked Questions (p. 374)
Final Reporting (p. 375)
  Introduction (p. 376)
  Pulling All the Information Together (p. 376)
  The Team Meeting (p. 377)
  Research (p. 377)
  The SVCM and OVCM (p. 378)
  Review (p. 378)
  Making Recommendations (p. 379)
  Findings (p. 380)
  Recommendations (p. 382)
  Creating the Final Report (p. 382)
  Organizing the Data (p. 383)
  Discussion of Findings (p. 383)
  Final Report Delivery Date (p. 383)
  The Cover Letter (p. 384)
  The Executive Summary (p. 384)
  The INFOSEC Profile (p. 385)
  The Introduction (p. 385)
  INFOSEC Analysis (p. 386)
  Technical Areas (p. 386)
  The Conclusion (p. 389)
  Posture Description (p. 390)
  Posture Profile (p. 390)
  Security Practices (p. 391)
  Presenting the Final Report (p. 391)
  Summary (p. 392)
  Solutions Fast Track (p. 392)
  Frequently Asked Questions (p. 393)
Summing Up (p. 395)
  Introduction (p. 396)
  The Pre-Evaluation Phase (p. 397)
  The Onsite Evaluation (p. 398)
  The Post-Evaluation Phase (p. 399)
Appendix A: Examples of INFOSEC Tools by Baseline Activity (p. 401)
  Port Scanning (p. 402)
  SNMP Scanning (p. 403)
  Enumeration and Banner Grabbing (p. 404)
  Wireless Enumeration (p. 406)
  Vulnerability Scanning (p. 407)
  Host Evaluation (p. 410)
  Network Device Analysis (p. 411)
  Password-Compliance Testing (p. 411)
  Application-Specific Scanning (p. 413)
  Network Protocol Analysis (p. 415)
Appendix B: Technical Evaluation Plan Outline and Sample (p. 417)
  Introduction (p. 418)
  Sample Technical Evaluation Plan (p. 419)
  Evaluation Points of Contact (p. 419)
  Methodology Overview (p. 420)
  Organizational and System Criticality Information (p. 421)
  The OUCH Mission (p. 421)
  OUCH Impact Definitions (p. 421)
  OUCH Organizational Criticality (p. 422)
  System Information Criticality (p. 422)
  Detailed Network Information (p. 423)
  Customer Concerns (p. 423)
  Customer Constraints (p. 424)
  Rules of Engagement (p. 424)
  Internal and External Customer Requirements (p. 425)
  Coordination Agreements (p. 425)
  Level of Detail of Recommendations (p. 425)
  Deliverables (p. 425)
  Other Agreements (p. 425)
  Letter of Authorization (p. 425)
  Timeline of Evaluation Events (p. 426)
Index (p. 427)
