Author: Jason Andress
Pros: Clear account of theory
Cons: Not practical enough for some readers
Reviewed by: Alex Armstrong
This book has the subtitle, "Understanding the fundamentals of InfoSec in theory and practice". Does it deliver?
As the inclusion of the word "Basics" in the title suggests, this book is intended as a primer and it doesn't assume any foreknowledge on the part of the reader. Accordingly, it opens with a chapter asking "What is Information Security?". After a bit of background and definitions this chapter introduces a couple of models for discussing security issues (the CIA triad and the Parkerian hexad) and takes you briskly through types of attacks; the differences between threats, vulnerabilities and risks; and physical, logical and administrative controls. The chapter concludes with a look at the concept of defense in depth using multiple layers of defense.
Chapter 2 covers identification and authentication, looking at multifactor authentication and the use of biometrics and hardware tokens. Authorization and access control are the next topics. Chapter 3 includes discussion of the most common access control models: discretionary, mandatory, role-based and attribute-based access control, including the use of CAPTCHA, and multilevel access control, where the Bell-LaPadula, Biba, Clark-Wilson and Brewer and Nash models are introduced. Measures of accountability and the use of auditing are discussed in Chapter 4.
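Two of the multilevel models the chapter names reduce to a handful of comparison rules, and seeing them side by side makes the "dual" relationship between them concrete. The following is an added example written for this review page in Python; it is not code from the book or from the author. The four-level ordering, the subject and object labels and the sample requests are all constructed for illustration.

```python
"""Added example: Bell-LaPadula and Biba as decision functions.

The level ordering, labels and requests below are constructed for
illustration; they are not taken from the book.
"""
from typing import Dict, List, Tuple

# Constructed ordering of levels, lowest to highest. For Bell-LaPadula the
# ordering is sensitivity; for Biba it is integrity (trustworthiness).
LEVELS: List[str] = ["unclassified", "confidential", "secret", "top_secret"]


def rank(level: str) -> int:
    """Position of a level in the ordering; unknown labels are rejected."""
    try:
        return LEVELS.index(level)
    except ValueError:
        raise ValueError(f"unknown level: {level!r}") from None


def blp_allows(subject: str, obj: str, action: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down.

    Simple security property: read only if the subject's clearance
    dominates the object's classification.
    *-property: write only if the object's classification dominates the
    subject's clearance, so secrets cannot leak into a lower-level object.
    """
    s, o = rank(subject), rank(obj)
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action: {action!r}")


def biba_allows(subject: str, obj: str, action: str) -> bool:
    """Biba (integrity): no read down, no write up, the dual of BLP.

    A subject must not read lower-integrity data (it could be tainted) and
    must not write into higher-integrity data (it could corrupt it).
    """
    s, o = rank(subject), rank(obj)
    if action == "read":
        return s <= o
    if action == "write":
        return s >= o
    raise ValueError(f"unknown action: {action!r}")


Request = Tuple[str, str, str]  # (subject level, object level, action)

# Constructed sample requests.
SAMPLE_REQUESTS: List[Request] = [
    ("secret", "confidential", "read"),
    ("confidential", "secret", "read"),
    ("secret", "confidential", "write"),
    ("confidential", "secret", "write"),
    ("secret", "secret", "write"),
]


def evaluate(requests: List[Request]) -> Dict[Request, Dict[str, bool]]:
    """Decide each request under both models so they can be compared."""
    return {
        req: {"blp": blp_allows(*req), "biba": biba_allows(*req)}
        for req in requests
    }


if __name__ == "__main__":
    for (subj, obj, action), verdict in evaluate(SAMPLE_REQUESTS).items():
        print(f"{subj:>12} {action:5} {obj:<12} "
              f"BLP={verdict['blp']!s:5} Biba={verdict['biba']!s:5}")
```

Running it shows that for every request between different levels the two models give opposite answers, and that enforcing both at once leaves only same-level access permitted, which is why a confidentiality model is usually paired with a separate integrity mechanism rather than simply stacked with Biba.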
Chapter 5 is on cryptography, which, as Jason Andress points out, is an integral part of computer use and of the transactions done using computers. Before looking at cryptography as applied to computer networks he treats us to the historical background, including the Caesar cipher and cryptographic machines such as the Jefferson disk, invented in 1795, and the Enigma machines used to secure German communications in World War II. He also introduces Kerckhoffs' principles. Once we get to modern cryptographic tools, three main kinds of cryptographic algorithm are discussed: symmetric key (aka private key) cryptography, asymmetric key cryptography and hash functions; digital signatures and certificates are also covered. The practical uses of cryptography are divided into two categories, protecting data at rest and protecting data in motion, where the network connection, as well as the data itself, can be protected by encryption.
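The Caesar cipher is the usual way to motivate Kerckhoffs' principle: once the method is known, the only secret left is a shift in the range 0 to 25, and a defender evaluating a system needs to ask how much security survives that assumption. The following is an added example written for this review page in Python, not code from the book; the cipher, the approximate English letter-frequency table and the sample message are constructed for illustration.

```python
"""Added example: the Caesar cipher and the size of its key space.

The frequency table is approximate and the sample message is constructed;
neither comes from the book.
"""
import string
from collections import Counter
from typing import Tuple

ALPHABET = string.ascii_uppercase

# Approximate relative frequencies (%) of letters in English text.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions; non-letters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """Distance of the letter distribution of `text` from English (lower is closer)."""
    letters = [c for c in text.upper() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        raise ValueError("no letters to score")
    counts = Counter(letters)
    total = 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] / 100.0 * n
        observed = counts.get(letter, 0)
        total += (observed - expected) ** 2 / expected
    return total


def break_caesar(ciphertext: str) -> Tuple[int, str]:
    """Recover key and plaintext from the algorithm alone (Kerckhoffs).

    With only 26 possible shifts, trying every one and keeping the most
    English-looking result is the entire analysis; keeping the method
    secret would add nothing once the method leaks.
    """
    _, key = min((chi_squared(caesar(ciphertext, -k)), k) for k in range(26))
    return key, caesar(ciphertext, -key)


# Constructed sample message.
PLAINTEXT = ("KERCKHOFFS WROTE THAT A CRYPTOSYSTEM SHOULD BE SECURE EVEN IF "
             "EVERYTHING ABOUT THE SYSTEM EXCEPT THE KEY IS PUBLIC KNOWLEDGE")

if __name__ == "__main__":
    ciphertext = caesar(PLAINTEXT, 3)
    print("ciphertext:", ciphertext)
    key, recovered = break_caesar(ciphertext)
    print(f"recovered shift {key}: {recovered}")
```

The point for a modern reader is the contrast with the chapter's later material: a symmetric cipher with a 128-bit key survives full disclosure of its algorithm because exhaustive search is infeasible, whereas the Caesar cipher's whole security was the secrecy of a method that any reader of the chapter now knows.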
Chapter 6: Operations Security again opens with history - this time looking at the ideas of Sun Tzu, the Chinese military general who lived in the sixth century BC and whose book, The Art of War, is "considered to be a bible" for operations security, including information security. Coming forward in time, the ideas of George Washington are mentioned before arriving at the Vietnam War, where the term operations security and its acronym OPSEC were coined.
The chapter considers five major steps: identification of critical information; analysis of threats; analysis of vulnerabilities; assessment of risks; application of countermeasures. The chapter also includes the three Laws of OPSEC as formulated by Kurt Haas of the DOE. The first two are stated as questions:
- If you don't know the threat, how do you know what to protect?
- If you don't know what to protect, how do you know you are protecting it?
The third is
- If you are not protecting it (the information) ... THE DRAGON WINS!
The chapter concludes with a look at operations security in our personal lives.
Physical security is the topic of Chapter 7 and it looks at people, buildings and equipment as well as at data - so it covers topics such as safety of people and evacuation of premises. In considering data it looks at the weaknesses inherent in different types of physical media, the aspect of availability and also the problem of making data inaccessible when it is no longer required.
The final three chapters look at security of networks, operating systems and applications and it is these that will most concern professional developers. In the first, Network Security, the fact that this is a recent book is apparent with a reference to network outages during the civil unrest associated with regime change in Egypt at the start of 2011. The chapter then looks at the implementation of firewalls and intrusion detection systems and the use of virtual private networks (VPNs). It also considers security tools including Kismet, the Nmap scanner, packet sniffers such as Wireshark and honeypots.
Operating system hardening is discussed in the next chapter with six main ways suggested:
- removing unnecessary software
- removing or turning off unessential services
- making alterations to common accounts
- applying the principle of least privilege
- applying software updates in a timely manner
- making use of logging and auditing functions
The chapter also touches on protecting against malware, software firewalls and host intrusion detection. It concludes with a look at some appropriate tools: port scanners such as Nmap, vulnerability scanners such as Nessus and exploit frameworks such as Metasploit.
Chapter 10 on applications opens with an account of a specific breach of security. This slight deviation from the format serves to motivate the look at vulnerabilities in the software development process, including buffer overflows, race conditions, input validation attacks, authentication attacks and cryptographic attacks. Next comes Web security, both client-side and server-side, and then database security: protocol issues, unauthenticated access, arbitrary code execution and privilege escalation. Again there is a discussion of tools: as well as sniffers, it covers fuzzing tools and Web application analysis tools such as Burp Suite. It is the inclusion of such tools that gives these final three chapters greater "practicality" than the previous ones.
Overall, this book follows a logical progression and makes good use of headings and subheadings so that the material is easy to follow; diagrams are included where helpful. Boxouts are also used to good effect - you'll find Alerts for points you need to pay attention to and More Advanced for ones you can skip. The boxouts used towards the end of each chapter for "Real World" topics allow the author to break out of textbook style and relate the material to a wider context. The chapters then conclude with a Summary followed by Exercises - a list of questions that serve as a check that you have understood the main points covered. No answers are provided, so if you are stumped, use the index or re-read the chapter before moving on.
This book is aimed at beginners and is equally suitable as a course text or for self-study. The developer should, of course, have a working knowledge of the topics it covers and this is a good place to start if you need an overview of the basics.