3 Books Security Folks Should Be Reading This Spring

I just wanted to drop 3 books here that I think infosec folks should check out this spring. As always, reading current material is an excellent way to keep your skills moving forward and allows you new perspectives on business and security matters. Even books from outside the security domain are useful for insights, new perspectives or indirect references.

Here’s what I suggest you check out this spring:

1. Antifragile by Taleb – This book will set your mind on fire if you are a traditional risk assessment person. It is astounding, though often difficult to read, but the ideas are a logical conclusion of all the previous Taleb theories from the Black Swan series. Beware, though, the ideas in this book may change the way you look at risk assessment, prediction and threat modeling in some radical ways! Long and tedious in spots, but worth it!

2. Linked: The New Science of Networks by Barabasi & Frangos – This book is an excellent mathematical and scientific discussion of networks, both logical and physical. It describes the sciences of graph theory, link analysis and relational mapping through easy to read and quite entertaining story telling. Given the rise of Internet of Things environments, social networks and other new takes on old-school linked networks, this is a great refresher for those who want to re-cover this territory with modern insights.

3. Hacking Exposed 6 by Scambray – That’s right, go old-school and go back and learn how penetration techniques from some of the best general hacking books in the industry. HE6 is an excellent book for covering the basics, and if there is anything all infosec folks need, it is a strong grasp of the basics. Learn and master these techniques in your lab. Work through the examples. Go ahead, we’ll wait. Have fun, and learn more about how bad guys still pwn stuff. Lots of these techniques or variants of them, are still in use today!

There you go, now get reading! 🙂 

Book Review: VMware vSphere and Virtual Infrastructure Security

VMwarevSphereandVirtualInfrastructureSecurity
VMware vSphere and Virtual In!astructure Security: Securing the Virtual Environment (Prentice Hall) is written by Edward L. Haletky with the assistance of our friend, Tim Pierson. Another friend, Christofer Hoff, wrote the Forward. Pierson is currently working with us to integrate the power of HPSS in his security courses. (Very cool!) Hoff is a forward thinking security professional who is respected among his peers. The book immediately confronts the security issue with VMware. Chapter 2 presents the “anatomy of an attack.” Attack perspectives are from a Pentester, a hacker, a script kiddie, and a disgruntled employee.

Chapters 6, 7, and 8 focus on deployment, management, operations and virtual machine security. Some common operational issues are discussed to protect and audit your environment. Chapter 9 is especially useful, posing real-world questions discussed on the VMware VMTN Communities forums. The latter part of the book features a patch for Linux, a security hardening script, and an assessment script output. A reading list and links are included in the final section. A great addition to your IT library from Amazon for $40.56.

Microsoft IIS 6.0 WebDav Vulnerability – Urgent

We recently received a report of a vulnerability we thought everyone should be aware of. The vulnerability is in the Microsoft IIS 6.0 implementation of the WebDAV protocol. According to Wikipedia, “Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files collaboratively on remote World Wide Web servers.” A common tool used as a WebDAV client, is Microsoft’s FrontPage.

The vulnerability describes a way for an attacker to retrieve protected files without any authentication. From a technical standpoint, all an attacker needs to do is insert a certain unicode character in the URI request. This make this vulnerability trivial to exploit. The vulnerability allows attackers to list all of the files in the WebDAV folder, and then access them individually.

As of this morning, there is no known mitigation for this vulnerability save disabling WebDAV for the time being.

Businesses employing an IIS 6.0 Web Server with WebDAV authoring method should carefully analyze their need for such service, and disable it if possible until a fix is released.

Book Review: Computer Security and Cryptography

fsecuritym444a6d61

Computer Security and Cryptography (Wiley) by Alan G. Konheim, is a great resource to understand and implement data security systems. Chapters are organized to help develop technical skills, describe a cryptosystem and method of analysis, and provide problems to test your grasp of the material and ability to implement practical solutions.

The book begins with the history of cryptography and moves into the theory of symmetric and public-key cryptography. Chapter 18 focuses on cryptography application. Included is Unix password encipherment, password cracking and protecting ATM transactions.

With consumers becoming increasingly wary of identity theft and companies struggling to develop safe, secure systems, this book is essential reading for professionals in e-commerce and information technology. Written by a professor who teaches cryptography, it is also ideal for students. Available at Amazon for $90.00.

Book Review: Hardware Based Computer Security Techniques to Defeat Hackers

193396_cover.indd

Hardware Based Computer Security Techniques to Defeat Hackers (Wiley) by Roger Dube, maps out solutions for hardware devices used by the Intelligence and Defense communities. Dube begins with an overview of the basic elements of computer security and then covers areas such as cryptography, bootstrap loading, and biometrics. 

   Chapter Twelve does a good job of covering “tokens,” such as a key card or photo ID. The computer security mantra, “something you have and something you know” is true with securing tokens. Issues such as cost, usability and lockout must be evaluated when considering the use of tokens as part of the user-authentication process.

   The book not only discusses the solutions but devotes a chapter at the end to explain how to implement them. A good investment for the CIO and IT Administrator. Available through Amazon for the sale price of $71.96. (retail $89.95)

IT Compliance and Controls by James J. DeLuccia, IV

  IT Compliance and Controls: Best Practices for Implementation is a timely book that takes a good look at IT internal controls and answers the question, “How much is enough?” Along with providing protection for their organizations, the CIO/CTO needs to address compliance issues identifying appropriate controls and its relationship with the global market. Author James J. DeLuccia, IV presents field-tested ideas forged from the fires of direct experience with clients who are daily hammering out their technology to become competitive business models.  

    DeLuccia lays a foundation by examining the importance of internal IT controls defining US government oversight measures. He then explains why silo IT strategy wastes time and resources, offering a better solution in having an IT enterprise control environment.

     The third section of the book covers implementation, focusing on risk analysis, technology strategy orchestration, life cycle management, access and authorization,  and other areas. Available through Amazon for an affordable $40. A very useful book for the CIO, CTO, IT auditors, audit managers, and IT managers.

Book Review: The Handbook of Information and Computer Ethics

 Another serious textbook, The Handbook of Information and Computer Ethics is an ambitious in-depth look at the dizzying playground where technology meets  human behavior. The book is a compilation of varying professors in philosophy and technology, offering their take on issues such as privacy and anonymity, hacking, and responsibility and risk assessment. 

The editors, Kenneth E. Himma and Herman T. Tavani, explore the relationship between the internet and one’s ability to co-exist with it ethically.  Himma especially has an interesting definition of the term “hacker” and ponders if the concept of trespassing means the same as the  term “digital intrusion.”

The chapter on responsibilities for information on the internet is challenging by questioning who truly owns it. Another chapter explores the issue of Software Development Impact Statements. (SoDIS) It is a fascinating book. For $100 (On sale at Amazon!), you can stretch your mind with all types of scenarios. A great book to pass along to your network staff.

Book Review: Hacking Exposed: Linux Third Edition

ISECOM, the renowned research organization for security, has again “made sense” of securing a Linux network against attacks. The book is a thorough guide to understanding how to “separate the asset from the threat” and block hackers from playing in the ultimate playground of Linux.  The authors take you from the elements of security, to hacking the system, to hacking the users. 

What is particularly helpful are the case studies. If you or your company’s employees need to travel and access your company’s website via wireless connection, you’ll be especially interested in the case study in Chapter Eight, where a hacker tracks a signal to a hotel’s access point and creates legit-looking error pages in order to obtain the account information of the user. Also helpful are their usual attack and countermeasure icons, which further define how to pinpoint areas of risk.

Security teams looking to evaluate their areas of vulnerability within Linux will be forearmed with the powerful arsenal of preventative approaches covered in this edition. All of the material is new, based upon the most recent and thorough security research. The hacking and countermeasure are based on the OSSTMM, the security testing standard, and cover all known attacks on Linux as well as how to prepare the system to repel unknown attacks. A pretty good buy for the $49.95 cost.

Book Review: Security for Wireless Ad Hoc Networks

Authors: Anjum & Mouchtaris
Publisher: Wiley
Cost: $75.00
Rating: 3 out of 5

This book reads like a PHD thesis. It is long on technical and mathematic detail and a little short on real-world scenarios. The examples are well researched and deeply technical. While the reading is a little tedious, those seeking an in depth understanding of wireless security will benefit greatly from this book.

At just under 250 pages it’s likely to take longer than a weekend to complete the read, but especially if you’re a mathematical genius, this book should be right up your alley. One of the highlights of the book is the content that relates to intrusion detection systems. The section did an excellent job of explaining various techniques and architectures for wireless intrusion detection. This content will be especially interesting to engineers and vendors in the wireless security space.

Book Review: Security Power Tools

Authors: Burns, Granick, Manzuik, Guersch, Killion, Beauchesne, Moret, Sobrier, Lynn, Markham, Iezzoni, Biondi

Publisher: O’Reilly

$59.99

Rating: 4 out of 5 stars (****)

If you are tired of reading some Harry Potter or some such thing, and decide to devour 780+ pages of information security how-to, this is a pretty good candidate.

The book covers everything from legal and ethical issues to pretty deep knowledge of the tools and techniques used to do infosec work. It won’t make you an expert, but it is a much friendlier manual than the included docs for a whole lot of tools.

My favorite section is chapter 10, which covers the art and science of shell code, custom exploits and some great tools for making this often tough job a whole lot easier. The diagrams and code examples in this chapter alone make the book worth the money for the reference shelf, and you would get all of the rest too!

All in all, the book is easy to read, the examples are clear and easily understood. The graphics are clean and crisp, which makes it much simpler to follow along on your own systems. Basically, as with most O’Reilly books, the layout and design is excellent.

Check it out if you are getting tired of wizards and such. The ROI is likely higher and you might even learn a new skill or two to help you in the day. In the end, that should be the measure of a good security book – right?