
Assessing Network Security

Don’t wait for an attacker to find and exploit your security vulnerabilities—take the lead by assessing the state of your network’s security. This book delivers advanced network testing strategies, including vulnerability scanning and penetration testing, from members of the Microsoft security teams. These real-world practitioners provide hands-on guidance on how to perform security assessments, uncover security vulnerabilities, and apply appropriate countermeasures. The companion CD features time-saving tools and scripts that you can use to reveal and help correct security vulnerabilities in your own network. Sharpen and advance your security assessment skills, including how to recognize and help counter common network threats.

A Note Regarding the CD or DVD

The print version of this book ships with a CD or DVD. For those customers purchasing one of the digital formats in which this book is available, we are pleased to offer the CD/DVD content as a free download via O'Reilly Media's Digital Distribution services. To download this content, please visit O'Reilly's web site, search for the title of this book to find its catalog page, and click on the link below the cover image (Examples, Companion Content, or Practice Files). Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to booktech@oreilly.com.

592 pages, Paperback

First published June 30, 2004


About the author

Kevin Lam

6 books

Community Reviews

5 stars: 1 (50%)
4 stars: 1 (50%)
3 stars: 0 (0%)
2 stars: 0 (0%)
1 star: 0 (0%)
Barack Liu
598 reviews, 20 followers
October 7, 2023

482-Assessing Network Security-David LeBlanc-Technology-2004

Barack
2023/10/06

"Assessing Network Security" was first published in 2004. It provides advanced network testing strategies including vulnerability scanning and penetration testing from members of Microsoft security teams. These real-world practitioners provide hands-on guidance on how to perform security assessments, discover security vulnerabilities, and apply appropriate countermeasures.

David LeBlanc studied at the Georgia Institute of Technology from 1990 to 1998. He worked at Microsoft from 1999 to 2020.

Table of Contents
1. Part I: Planning and Performing Security Assessments
2. Part II: Penetration Testing for Nonintrusive Attacks
3. Part III: Penetration Testing for Intrusive Attacks
4. Part IV: Security Assessment Case Studies

The author begins by introducing the importance of conducting a security assessment. Security is a delicate and complex topic because, unlike other fields, there are no intuitive outputs. Safety work has to deal with the invisible enemy - risk. When safety is done well, accidents are less likely to occur, and if they do occur, the damage they cause is relatively minor. However, humans tend to trust their senses: when we see a few accidents and small hazards, we tend to subconsciously think that safety work is not that important. It's like when we are healthy, we tend to let down our guard and indulge ourselves in behaviors that are detrimental to our health; but when illness strikes, we are willing to pay any price to restore health. This is human nature. Therefore, in order for organizations to truly take security seriously, they must first visualize the risks. Security assessment is an important means to achieve this goal; especially when we can quantify risks (such as viruses, vulnerabilities, or other hidden dangers), it is easier to arouse people's alertness. Only when people are truly aware of the risks will they take necessary actions.

At the heart of the security issue is a trade-off. Generally speaking, the higher the theoretical security, the more complicated it may be to use; conversely, the higher the convenience of use, the weaker the theoretical security. An excellent plan often finds a relatively optimal balance point between the two. So, in a sense, when we talk about "security", we are actually discussing a relative concept, because the strength of security is relative. We can only discuss matters on a case-by-case basis. The same solution may achieve an acceptable level of safety under some conditions and may be unacceptable under other conditions. Looking further, many problems in real life are complicated because they often involve relative concepts rather than absolute concepts. The education we sometimes receive or the opinions we hear may be oversimplified and divide the world into black-and-white polarities. We need to be wary when we hear views like this. What people who hold this view express may not be their true intention; it may be just for the convenience of expression, or maybe for some special purpose. Some people think that natural science is relatively simple, perhaps because it is relatively more absolute, while social science is more complex and difficult precisely because it involves more relativity issues.

Security is affected by many factors. Although there are many discussions on how to design more secure systems in theory, one factor that cannot be ignored in actual operation is the "human" factor. There is a specialized discipline in this area called "social engineering", which studies how to use human factors to break down the target's fortress. No matter how sophisticated a system is, it is still designed by people and requires people to implement and maintain it. If there is a problem in the human aspect, no matter how perfect the system is, it may become useless. For example, even if you have the best security measures in place, they will be ineffective if the keys are lost artificially. Since the complexity of human nature is difficult to completely overcome, in actual operations, we usually conduct more training to improve employees' safety awareness. For employees in sensitive positions, more restrictions and behavioral norms need to be set to ensure that the safety risks caused by human factors are minimized as much as possible. Thinking further, even if many things are designed to be almost perfect, if there is a problem with the person executing it, the final result may be greatly compromised. There is no absolute order, but due to the principle of "existence is reasonable", human factors can often exert unpredictable effects.

The author then discusses "safety principles." There are so many things in the world and so many security incidents we may encounter, and it is unlikely that two security incidents will be exactly the same. In order to be able to deal with a wider range of scenarios, what we need to learn are "principles". Principles may be highly abstract or very specific. Assessing the merits of a principle can be carried out from many aspects, such as its applicability - whether a principle can only be applied to networks with various topologies, whether it can be applied to networks of various sizes, whether a security principle is applicable to different users, etc. The effectiveness of security principles can also be measured along multiple dimensions—for example, how well is a principle being implemented? What is the cost of realizing this principle? Is it operable? When we learn the principles proposed by others, we should not just passively accept and remember them, but we should also think about how to evaluate the pros and cons of these principles.

The author mentioned 7 principles of network security. First, keep your services running while keeping your information out of the reach of attackers. This means continuously providing services to end users while minimizing the attack surface available to attackers. The second principle is to ensure that the right users have access to the right information. Two key issues are involved: authentication and authorization. Authentication solves the problem of "who are you", while authorization solves the problem of "what permissions do you have" after confirming the identity. The third principle is to treat each layer of protection as a last line of defense, that is, considering the worst possibility in any situation, rather than relying on other options. The fourth principle emphasizes keeping records of accessed information, leaving traces of behavior. Even though we may not need these records in most cases, they are extremely important once they are needed. The fifth principle is to isolate resources as much as possible. In software engineering, there is a concept of "high cohesion and low coupling", which is to keep different components as independent as possible, so that even if one part is affected, other parts will not be affected. The sixth principle is to avoid making common mistakes. Although this principle may seem obvious, it is often ignored in practice. Finally, the seventh principle reminds us not to make the costs of the above actions too high, because no matter how good a strategy is, it will be difficult to implement if the cost is too high.


