Average Customer Review:
 ( 12 customer reviews )
Write an online review and share your thoughts with other customers.
Most Helpful Customer Reviews
14 of 14 found the following review helpful:
 The book is chock full of good adviceAug 15, 2001
By Ben Rothke
"Author of 'Computer Security: 20 Things Every Employee Should Know'"
After reading the CERT Guide to System and Network Security Practices, you may feel as if you've been speaking with your mother about computer security, as most of the advice detailed in the book is common sense. But, as Voltaire astutely noted, common sense is not so common. The truth is that there is really nothing new in this book that CERT (Computer Emergency Response Team...) has not been saying in one way or another for the last decade. But that should not in the least underscore the importance of the book, as it provides an excellent treatment of securing information assets. In fact, the book subtly echoes the sentiment of George Santayana, who stated that "those who cannot remember the past are condemned to repeat it." This is true with information security. As even with all of the strides that have been made and new security technologies that have been developed, a large percentage of security breaches are the result of systems that were either incorrectly configured or ineffectively secured. While many people erroneously think that a firewall is the foundation of information security, the truth is that an effective set of information security policies and procedures are. In fact, policy is such a critical element within the effective and successful operation of information technology systems, that systems can't be effective unless they are deployed in the context of working policies that govern their use and administration... As an example, Marcus Ranum defines a firewall as "the implementation of your Internet security policy. If you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do." The sad fact is that most firewalls permit so much traffic through that it is often difficult to tell where the firewall ends and the router begins... The truth be told, when Mother in her infinite wisdom says something, it is good advice. When a consultant says the same thing, it is called a Best Practice. Some of the best practices that CERT has long recommended are: using effective passwords, ensuring systems are patched against recent vulnerabilities, hardening the operating system, removing unnecessary services, protocols, and accounts, and more. None of these recommendations is exactly rocket science; even so, this aspect of Security 101 is overlooked in many, if not most, organizations... The beauty of the book is that it is vendor agnostic. It doesn't cover the specific details of the operating system or software application; rather, it focuses on the policies and procedures needed to make that system secure. With that, the book will be current, even with operating systems' changes and upgrades. Many computer books today have scores, if not hundreds, of pages of screen prints and source code, which often only serve to increase their page count. This book has none of that, and is instead a systematic and methodical method of how to secure networks. The book is a good complement to Security Engineering by Ross Anderson. While Security Engineering lays the foundation for the engineering aspect of information systems security, the CERT guide builds on that framework. The book details the underpinning to securing information assets, namely: Hardening, Preparing, Detecting, Responding, and Improving. Each chapter in the book builds on those pillars and does not leave a stone unturned when it comes to securing systems. The beauty of the book is that even though it is completely vendor agnostic, its topics are germane to every network operating system. If your mother were involved with information security, she would tell you to read this book. Listen to her.
17 of 18 found the following review helpful:
 Use this book as a guide to general best practicesAug 24, 2001
By Richard Bejtlich
"TaoSecurity"
I am a senior engineer for network security operations. I read The CERT Guide (TCG) to learn the CERT's priorities for improving security. If you want an exciting, ground-breaking read, avoid TGC. If you want a likely standard for "due diligence" and "reasonable care," give this book a try.
TGC is built using directive language. Instruction follows instruction: "Do this. Don't do this, etc." Look beyond the verbage and you'll see lots of sound general advice on operating system hardening, firewall deployment, and detecting/containing intrusions. Note I said "general advice." While the lack of product-specific techniques will preserve TGC's shelf life, it forces sys admins to check other references for the details.
Julia Allen tells us "The most effective way to use this book is as a reference. We do not intend for you to read it from cover to cover." Also, some material is internally duplicated "for the sake of completeness." These two factors make me wonder if anyone will ever read TGC in its entirety. I ended up taking Julia's advice and skimmed sections I found useful. Of particular interest was the extensive documentation on TCPDump (pages 376-85). Having used the tool for years, I was happy to see so much detail compiled in one place.
This book isn't a security officer's dream come true; that title hasn't been written yet. TGC is best used preparing a network to meet standards of "due diligence" or "reasonable care." I am not a lawyer, but this technology-neutral book is perfectly suited as a courtroom reference. Should an organization be sued for failing to adequately protect its computing assets, its lack of adherence to the CERT Guide's standards could prove damaging.
Unfortunately, I don't see many organizations meeting this standard. The documentation called for by TGC may exceed that required of government agencies defending classified systems. A dedicated security policy office would be needed, leaving the security and system admins free to implement technical solutions.
If you've got the time, manpower, and know-how to deploy systems according to best practices, don't leave TGC behind. If you're struggling to manage security without those resources, use TGC to convince management you're not meeting industry standards. (Disclaimer: I received my review copy from the publisher.)
16 of 17 found the following review helpful:
A Security Officer's Dream Come TrueJul 05, 2001
By Mike Tarrani
"www.tarrani.com"
This book contains a security approach that is based on the collective experience and statistical analysis of the CERT Coordination Center. The contents of this book are authoritative and well structured. Structure is based on a five layer (or step) approach to securing information assets that consists of 52 distinct practices. The layers correspond to stages in a process that encompasses (1) hardening and securing assets, (2) developing and implementing detection and response practices [prepare], (3) intrusion detection, (4) intrusion response and (5) improve. Hardening and securing assets consumes nearly the first half of the book. The practices systematically address the essentials for securing servers and workstations, web servers and firewalls. Every facet is addressed from configuration advice to specific exposures. These are the minimum practices that need to be in place and if these practices are implemented and actively managed approximately 80% of common exposures will be eliminated. The remainder of the book leads you through setting up intrusion detection and response practices (including an excellent set of steps and considerations for establishing policies and procedures), how to detect signs of intrusion and how to assess the impact of the intrusion and respond appropriately. Two highlights are the appendices. Appendix A covers in great detail some of the finer points of securing Solaris 2.x (you will need to tailor this information for HP/UX, Linux and AIX). The reason Solaris is chosen is because it is one of the most widely used operating systems on the Internet. Among the finer points are: installing and configuring Tripwire, SSH, Logsurfer, Spar and Tcpdump; understanding system log files, and writing rrules and understanding alerts for Snort. URLs are provided to sites from which you can obtain the third-party security facilities, such as Tripwire, Logsurfer, etc. Appendix B is a concordance of practices and how they should map to a comprehensive security policy. This is especially valuable because you can check your own policies against each of the 52 practices to make sure all are covered in your security policy. This book is an important work that is an essential reference for anyone who is responsible for security. This responsibility extends beyond the role of security officer or team member into architecture, network operations and production support (to name a few areas that need to be closely involved). The book will give you the foundation for an effective, responsive security program, but needs to be augmented by keeping up with trends and emerging threats and exposures. To this end the URLs to CERT/CC and other security-related sites are a necessary adjunct to this book. It merits 5 stars and my rare recommendation as a "must have".
6 of 6 found the following review helpful:
Very useful, but not fun to readMay 06, 2003
By Dr Anton Chuvakin
"Dr. Anton Chuvakin"
CERT has released a comprehensive guide for protecting information systems. As most security books nowadays, the CERT guide starts with quoting CSI/FBI 2001 survey statistics which indicate the ever increasing growth of cybercrime and other network abuse. Now that the 2002 survey is out, even more evidence of this alarming trend is available.
The book is organized around the prevention-detection-response principle. Part I covers securing computers and Part II describes detection and response capabilities in a non-platform specific way. Ample appendices cover Solaris security implementation (such as installing intrusion detection systems and other security functionality) and practical security policy considerations. Even some relevant physical security topics are covered. Another valuable resource is security checklists given in the end of each chapter. The need for a comprehensive enterprise security policy is also emphasized. A lot of advice given in the book is well-known or common sense. However, it is the implementation of the described measures and not simply knowing them that will make your company secure. The book is not without minor shortcomings. The first thing is that the book is a "what" book as opposed to a "how" book. The book is a huge list of good recommendations on system security, infrastructure design and migration strategies (such as a firewall migration strategy). However, it leaves the "real-life" problems (which are often considered the most important) to the implementer. "Establish a password change policy" and "ensure that users follow it." And what if they don't? A big part of the security process starts at that point. Another part that is left to the implementer is prioritizing and assessing risk. Probably CERT authors are saving it for their next book on OCTAVE risk management. Similarly, it is a great idea to patch vulnerabilities immediately after the vendor releases a patch. Yes, it is true that every patch should be evaluated and tested in a realistic test environment, before the production system are backed up and patched. However, it was calculated and reported that large companies (especially those that are Microsoft-only), will not have had time to complete the previous round of patching before the next patch is released using their system and network staff. Thus the real-world experience will run counter to the book's excellent advice. Suggestions to increase system audit trails present the same challenge. It is important to be able to track what happened on the system by looking at the system logs. Near real-time log analysis presents an effective way to prevent system problems from getting out of hand. However, a tremendous amount of audit information is produced by security devices and few companies can afford a dedicated intrusion analyst. Overall, reading the book will not make you more secure, but intelligently following the given recommendation while paying attention to your enterprise peculiarities will. Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time he maintains his security portal info-secure.org
15 of 19 found the following review helpful:
The 480 pages seem like 1000.May 13, 2002
Before I started working at for a CERT team I bought this book to help familiarize myself with CERT proceures and policies. It has become a must-have reference for all the CERT members here. I showed my copy to my boss and he immediately orderd 24 more!
I found the section II (Intrusion Detection and Response) extremely straight-forward and informative. There is a "no BS" approach to intrusion detection, there are no pulled punches against any product, and the recommendations were so good that they became instant policy.
The only problems with this book are
1.) The chapter on securing desktops; it is incomplete.
2.) The updates on the Internet are not easy to obtain because the website is very obscure.
I wish that I had kept this book to myself at work, I might have a pay raise by now.
Along with "Microsoft Windows 2000 Security Handbook - Jeff Schmidt ISBN:0-7897-1999-1" This is a powerful protection tool for any network.
See all 12 customer reviews on Amazon.com
|
based on 12 reviews
