By Erik Pace Birkholz, Foundstone, Inc.
Special Foreword by Stuart McClure, Foundstone, Inc.
INTERNAL NETWORK SECURITY GUIDE
To my four parents (Dad and Peg, Mom and Art), thank you for a life bursting with opportunity,
support and love.
Thank you to all the people that have considered me a friend throughout the different
stages of my life: LBI, NYC, HB represent! Especially the eight guys that I consider my best
friends: Dave, Paul, TJ, Rains, Turtle, Alex, Rex, and Cole.
Stuart and Joel, your friendship and mentorship have been priceless. The doors that you
opened for me have made an unmistakable mark on my career and my future. I will pay it forward.
To the old school members of the National Attack and Penetration Team, thank you for
the good old days that paved the road toward a bright future for so many of us. Thank you
to Tom Lee, Director of IT at Foundstone and to Janet, my Consulting Mom for keeping
things running smoothly as I spend week after week traveling around the country and the world.
Thank you to Jeff and Ping Moss, for creating and growing the Black Hat Briefings. I
appreciate the opportunity to have been a part of such great conferences.
Thank you to Maurice “Mo” Smith (World Heavyweight Muay Thai, Kickboxing and
Ultimate Fighting Champion), who has almost as many questions for me about computers as
I do for him about fighting. As it turns out, fighting isn’t so different from security assessment:
strategies for attack and defense. Thank you for the training, skills, and the confidence.
I hope it has been reciprocal.
Thank you to my technical editors, Eric Schultze and Mark Burnett and to each special
contributor and contributing author for dedicating a part of your already overworked life to
make this massive book a reality.
Finally, thank you to Andrew and the rest of the Syngress team for the guidance and
inspiration. The Special Ops Team has been mobilized!
—Erik Pace Birkholz
Special Ops Founder & Lead Author
Erik Pace Birkholz
erik@SpecialOpsSecurity.com
Erik Pace Birkholz (CISSP, MCSE) is a Principal Consultant and
Lead Instructor for Foundstone, Inc. Since 1995, Erik has performed internal security assessments, penetration tests, host security reviews, Web application assessments, and security training
around the world. Erik is a contributing author of four of the six books in the international best-selling series, Hacking Exposed: Network Security Secrets & Solutions (Osborne/McGraw-Hill).
In 2002, Erik was invited by Microsoft to present Hacking
Exposed: Live! to over 500 of their Windows developers at their
corporate headquarters in Redmond, WA. Later that year, he was invited to present to over 3,000 Microsoft employees from around the globe at the 2002 Microsoft Global Briefings.
Evaluated against over 500 presentations by over 9,500 attendees, his presentation was rated first place. Based on that success, he was a VIP Speaker at the Microsoft MEC 2002 conference.
Throughout his career, Erik has presented hacking methodologies and techniques to members of major United States government agencies, including the Federal Bureau of Investigation, National Security Agency, and various branches of the Department of Defense.
He has presented at all three Black Hat Windows Security Briefings, Microsoft, and The
Internet Security Conference (TISC). Before accepting the role of Principal Consultant at
Foundstone, he served as Assessment Lead for Internet Security Systems (ISS), a Senior
Consultant for Ernst & Young’s National Attack and Penetration team, and a Consultant for KPMG’s Information Risk Management Group.
Erik holds a Bachelor of Science degree in Computer Science from Dickinson
College in Carlisle, PA. In 1999, he was named a Metzger Conway Fellow, an annual award presented to a distinguished Dickinson alumnus who has achieved excellence in his or her field of study.
Erik is the lead author and technical editor for the Special Ops project. Erik created the concept for
the book and is primarily responsible for assembling the authoring team.
His contributions include Chapters 1, 2, 3, and 9.
Technical Editor and Contributor
Mark Burnett is an independent security consultant and freelance writer who specializes in
securing IIS. He is co-author of Maximum Windows Security (ISBN: 0672319659) and Dr. Tom
Shinder’s ISA Server and Beyond: Real World Solutions for Microsoft Enterprise Networks (Syngress
Publishing, ISBN: 1-931836-66-3). Mark is a regular contributor to many security-related
magazines, newsletters, and Web publications. As editor of www.iissecurity.info, Mark shares
his own unique research as well as that from security researchers around the globe.
Mark is also the contributor of Chapter 10, Securing IIS.
Technical Editor
Eric Schultze is the Director of Product Research and Development at Shavlik
Technologies, LLC where he manages Shavlik’s product vision and implementation. Eric
most recently served as a program manager for the Microsoft Security Response Center and
a senior technologist in the Trustworthy Computing team at Microsoft Corporation. In those
roles he managed the Microsoft security patch and bulletin release process and developed
security solutions for Microsoft products, including patch management and deployment solutions.
Before joining Microsoft, Eric co-founded Foundstone, Inc., where he directed their
Ultimate Hacking: Hands On training program. His experiences in assessing, penetrating, and
securing Microsoft technologies formed the basis of Foundstone’s audit and assessment
methodologies for Windows operating systems. Prior to starting Foundstone, Eric was a
Senior Manager in Ernst & Young’s national Attack & Penetration group, where he was
widely recognized as the firm’s expert on Microsoft security. Eric is a contributing author to
Hacking Exposed, Network Security Secrets & Solutions (ISBN: 0072121270) and is a frequent
speaker at industry events such as Black Hat, CSI, MIS, SANS, and NetWorld+Interop. Eric
received a Bachelor of Arts degree in Psychology and Sociology from Amherst College.
Foreword
In the fast-paced, caffeine-powered, and sometimes reckless world of computer security, the
security analogy of a “hard crunchy outside and soft chewy inside,” a staple of the security
community today, is uncannily apropos as we spend millions to protect and fortify the outside
perimeter network and nary spend a dime to address internal threats. However, as convenient
as it may be to leave internal systems free from controls, it’s a disaster once someone “bites”
through to that unprotected inside; consider, too, the potential damage (whether intentional
or not) that could be generated by those employees or partners who have legitimate access
to the center. Lackadaisical attention to the soft and chewy inside could compromise your
security at any time. The authors of Special Ops: Host and Network Security for Microsoft,
UNIX, and Oracle immerse you in this analogy of intranet security and “the soft chewy
inside” so frequently neglected in today’s security oration. In this book, you will find the
critical pieces to securing your vital internal systems from attackers (both friend and foe) and
a near complete picture to understanding your internal security risk.
The task of securing the inside of your organization is daunting and unenviable: so many
systems, so many vulnerabilities, so little time. You must manage a myriad of system frailties and
control the day-to-day cyber mayhem. You must be able to allocate your meager IT security
resources to the battles that matter most.You may feel you cannot possibly do it all. At the end
of the day, if the right assets are not secure from the right risks with the right measures, you
might wonder what you really are accomplishing. Motion does not equal progress, and effort
does not equal execution. Although you may be keeping everything under control in the short
run, eventually some breach will test that control. Management does not care about how many
vulnerabilities exist, how difficult they are to fix, or how diversely controlled they are; all they
care about is an accurate answer to the questions “Are we secure?” and “Are we getting
better?” If you cannot answer those vital questions in the positive, eventually you and your
company will cease to thrive.
This book emphasizes a process that will help you answer those questions affirmatively, by
teaching you first how to identify and understand your assets, your vulnerabilities, and the
threats that face you, and then how to best protect those assets against those threats. Much of
this approach can be attributed to Pareto’s Principle, or the 80/20 Rule. This law is often
applied to computer security with the phrase “80 percent of the risk is represented by 20 percent
of the vulnerabilities.” Simply stated, focus on correcting the few most vital flaws and you
will reduce the vast majority of your risk.
NOTE
At the turn of the last century, an Italian economist named Vilfredo Pareto made
the observation that 20 percent of the people in Italy owned 80 percent of its
wealth. This rather simplistic examination became the infamous Pareto’s
Principle, or the 80/20 Rule.
Following this principle requires two things: first, that the quality of the data collection is
solid, and second, that your methods of analyzing that data are equally solid.
The first variable in collecting solid data, asset inventory, is one of the most underestimated
drivers of security. Understanding what assets exist, where they are located (for
example, from what country, to what building, and in what room), and what criticality and
value they hold, is vitally important in calculating your security risk and can help you create
a stellar security management program.
The second variable involves identifying vulnerabilities.The ability to derive an accurate
vulnerability picture of your enterprise is critical to collecting clean baseline data. To do this,
you must reduce false positives (reporting vulnerabilities present when there actually are
none) and eliminate false negatives (not reporting a vulnerability present when there actually is one).
The final variable is in understanding the threats to your system. A vulnerability by itself
is not a critical risk—only when a hacker takes that vulnerability, writes a solid exploit, and
begins using it does it become a critical risk. To understand the nature of the threats most
relevant to you, you need to know the current activities of the underground, how they work
and communicate, and how they eventually exploit known weaknesses. Without understanding
those threats, your data (that is, your assets and known vulnerabilities) does not exist
in a context of security management.
Only when your data collection has enabled you to understand the threats to your system
can you go about the task of securing it. This book provides you with the tools and techniques
that can help you analyze your data and determine the vital fixes necessary to harden
the “chewy inside” of your network according to Pareto’s Principle. You will never be 100
percent secure from attackers, but you can be 100 percent sure that you are applying your
resources to the battles that will matter the most.
Data for its own sake holds little value.Too many trees have died in the service of security
vulnerability reports that attempt to provide a “complete picture of your risk.” In actuality,
those reports often provide little beyond a confusing mix of irrelevant or conflicting
concerns, combined with an avalanche of unqualified data.Without an effective, dynamic,
robust interface to your data, and without acting upon Pareto’s Principle, you may never
shore up your true internal risk.
The definition of insanity is doing the same thing over and over again while expecting a
different result—so if you’ve been caught in the vicious cycle of generating too much unfiltered
data, don’t let the failures of the past go unheeded. Read this book, heed its warnings,
and take steps to effectively manage your security today.
—Stuart McClure, President & CTO Foundstone, Inc.
Co-Author, Hacking Exposed Fourth, Windows 2000, and Web Hacking Editions
Product details

| Field | Value |
|---|---|
| Price | |
| File Size | 17,345 KB |
| Pages | 1042 p |
| File Type | PDF format |
| ISBN | 1-931836-69-8 |
| Copyright | 2003 by Erik Pace Birkholz |
Contents
Foreword xxiii
Chapter 1 Assessing Internal Network Security
Introduction 2
Creating Opportunity for Curiosity and Mastery 2
Where Is the Cavalry? 3
DEFCON 1 4
Identifying Threats to Internal Network Security 5
Internal Network Security Assessment Methodology 6
Enumerating Business Operations 6
Asset Inventory 8
Prioritizing and Selecting Scope 8
Assessing Host and Network Vulnerabilities 9
Remediating Vulnerabilities 12
Documenting Findings for Management 13
Implementing Secure “Gold Standard” Baselines 14
Summary, Solutions Fast Track, Frequently Asked Questions 18
Chapter 2 Inventory and Exposure of Corporate Assets
Introduction 22
Performing Asset Inventory 23
Basic Asset Inventory Tools and Techniques 23
Wardialing to Discover Corporate Assets 31
Wardialing Tools and Techniques 32
Managing Asset Exposure 38
A Scenario Requiring Host Exposure Assessment 39
Exposure Mitigation Recommendations 43
Summary, Solutions Fast Track, Frequently Asked Questions 45
Chapter 3 Hunting for High Severity Vulnerabilities (HSV)
Introduction 50
Internal Network Security Is about Resource Management 50
Characteristics of Vulnerability Assessment Products 52
Standard Features 52
Selecting a Commercial Tool 55
Exploring Commercial Vulnerability Scanning Tools 56
FoundScan Enterprise Vulnerability Management System 57
QualysGuard Intranet Scanner 59
ISS Internet Scanner 60
Typhon II 61
Retina 61
Exploring Freeware Vulnerability Scanning Tools 62
Nessus 63
Fire & Water Toolkit 64
LanGuard Network Security Scanner (LNSS) 65
whisker 65
LHF Tool Suite 66
NBTEnum for Windows Enumeration and Password Testing 67
Sensepost’s Quick Kill Script 68
Using SPIKE to Identify High-Severity Vulnerabilities 68
Other Miscellaneous Resources 73
Case Study: Attacking Windows Domains 74
Target Selection in the Windows Domain 75
The Simple (But Effective) Windows HSV Attack 76
Summary, Solutions Fast Track, Frequently Asked Questions 80
Chapter 4 Attacking and Defending Windows XP Professional
Introduction 86
Upgrading to XP Professional versus XP Home 87
Windows XP Features 88
Bundled Applications 89
Security Focused Features 95
Attacking XP Professional 98
Profiling Windows XP Professional 99
The Windows XP Professional Target 99
Exploiting Windows XP Professional 106
Attacking Complementary XP Professional Applications 124
Attacking Terminal Services 125
Attacking MSSQL and Oracle 125
Attacking Internet Information Services 125
Attacking Domain Controllers 126
Attacking DNS Servers 126
Defending XP Professional 127
Verifying NTFS Usage 128
Securing Your Local Security Policy 129
Securing System File and Directory Permissions 140
Restricting Anonymous Connections 141
Disabling Unnecessary Services 149
Creating IP Security Policies on Local Computers 150
Securing User Accounts 152
Installing and Configuring Anti-Virus Software 153
Installing Initial System Patches and Hotfixes 154
Maintaining a Good XP Security Posture 155
Automating Maintenance Patches 155
Managing Your Software Restriction Policy 156
Verify Shared Resources and Connections 158
Anti-Virus 158
Log Storage and Monitoring 159
Summary, Solutions Fast Track, Frequently Asked Questions 164
Chapter 5 Attacking and Defending Windows 2000
Introduction 172
Windows 2000 Basics 173
Kernel Protection Mechanisms 174
Disk File System Basics and Recommendations 176
Creating, Using, and Maintaining Users and Groups in Windows 2000 178
Windows 2000 Security Essentials 185
What Is Vulnerable in Windows 2000? 186
Providing Basic Security Levels in Windows 2000 190
Attacking Windows 2000 206
System Identification Methods 207
Authentication Attack Methods 220
Attacks Using Common and Known Vulnerabilities 221
Defending and Hardening Windows 2000 222
Evaluate Your Needs and Current Status 223
Secure Your Equipment and OS 225
Securing Access Control Methods 226
Eliminating Unnecessary Components 229
Using Tools and Methodologies to Analyze Weaknesses and Configuration Changes 230
Tracking and Applying Updates, Service Packs, and Patches 233
Summary, Solutions Fast Track, Frequently Asked Questions 237
Chapter 6 Securing Active Directory
Introduction 244
Reviewing Active Directory Basics 245
Logical Organization of Information in Active Directory 246
System Files and Backing Up Active Directory 250
Group Policies and IntelliMirror 251
Modes of Operation 252
Schema 253
Global Catalog 254
LDAP 255
DNS Integration with Active Directory 257
Multi-Master Replication 262
Conducting Attacks on Active Directory 263
Reconnaissance 264
Active Attacks 272
Hardening Active Directory 283
Protecting Data 283
Protecting the Schema 287
Protecting Replication 289
Auditing of Active Directory Access 291
Filtering of Active Directory–Related Traffic 292
Summary, Solutions Fast Track, Frequently Asked Questions 297
Chapter 7 Securing Exchange and Outlook Web Access
Introduction 304
Introducing Exchange 2000 305
Windows 2000 Dependencies 305
Exchange 2000 Components 307
Understanding the Basic Security Risks Associated with Exchange 2000 310
Guess My Account and UPN Name! 311
Exchange 2000, Windows 2000, and Active Directory 312
Exchange 2000 Administrative Rights 312
Mailbox Rights 316
Denial of Service and Exchange 316
Types of File Vulnerabilities 318
Vulnerability of Transmitted Data 320
Message Authenticity 322
Event Service and Event Sinks 323
Message Relay via SMTP 323
Preventing Exchange Security Problems 325
The W2K/IIS Platform Must Be Solid 325
Dedicate Servers to Specific Functions 327
Disable Unnecessary Services 328
Tightening Mailbox Security 331
Enabling SSL for Internet or Remote Clients 332
Locking Down an IIS/OWA Server 337
Imposing Limits 338
Protecting Critical Files 342
Network Analysis Risk Reduction 344
Denying Client Access 345
Stopping Viruses 348
Exchange 2000 and Firewalls 354
SMTP Security 361
Auditing for Possible Security Breaches 366
Windows 2000 Event Auditing 366
Exchange 2000 Event Auditing 368
Logging Internet Client Access 370
Securing MAPI Clients 376
Enabling Message Encryption (S/MIME) 378
Following Best Practices 379
Summary, Solutions Fast Track, Frequently Asked Questions 385
Chapter 8 Attacking and Defending DNS
Introduction 394
History 394
Reviewing the Mechanics of DNS 396
DNS Records 396
Packet-Level Communication 399
DNS Lookup Process 401
Authoritative Answers 411
Domain and IP Registrars 415
Exploiting DNS 417
Zone Transfers 418
Version Discovery 419
DoS Attacks 420
Cache Poisoning 420
Buffer Overflow 421
Alternative Compromise Techniques 422
Securing DNS 422
Restricting Zone Transfers 423
Restricting Version Spoofing 424
Alleviating DoS Damage 424
Protecting Against Cache Poisoning 425
Preventing Buffer Overflows 425
Using Bogon Filters 425
Securely Installing and Configuring DNS Daemons 425
Berkeley Internet Name Domain (BIND) 427
Microsoft Windows 2000 DNS Service (MSDNS) 436
DJBDNS 440
Summary, Solutions Fast Track, Frequently Asked Questions 447
Chapter 9 Attacking and Defending Microsoft Terminal Services
Introduction 454
Crash Course in Terminal Services 455
Terminal Services on Windows 2000 455
Windows XP Remote Desktop 456
Windows Server 2003 456
Terminal Server Clients 458
Using Terminal Server Tools 464
Attacking Terminal Servers 471
Locating Terminal Servers 471
Port Scanning 471
Identifying Hidden Terminal Servers 472
Finding Windows Servers with Access to Other Segments 473
Enumerating Users and Logon Rights 474
Application Server Attacks 481
Defending Terminal Servers 488
Install Current Patches 489
Secure the Operating System 489
Set Strong Windows Passwords 489
Use High Encryption for Sessions in Windows 2000 491
Set Strongest Usable Terminal Server Permissions 491
Use the Principle of Least Privilege 495
Remote Administration Mode Specific Defenses 497
Rename the Administrator 497
Remote Administration Specific Group Policy Settings 497
Disable TSInternetUser and Remove Licensing Service 498
Application Server Mode Specific Defenses 498
Case Study: Attacking Terminal Server 500
Summary, Solutions Fast Track, Frequently Asked Questions 504
Chapter 10 Securing IIS
Introduction 512
Knowing the Enemy 512
Knowing What the Enemy Wants 513
Knowing What the Enemy Doesn’t Want 513
Learning from the Past 514
Script Source Access 514
Information Disclosure 515
Denial of Service 515
Buffer Overflows 516
Directory Traversal 516
Cross-Site Scripting 517
Preparing the Operating System 517
Partitioning Hard Drives 517
Installing the OS 518
Preparing the File System 519
Installing IIS 520
Installing Hotfixes 522
Locking Down COM and Database Access 523
Securing Web Services 528
Running the IIS Lockdown Wizard 528
Securing IIS Global Settings 533
Securing the Default and Administration Web Sites 534
Disabling Internet Printing 536
Disabling or Securing the FrontPage Server Extensions 537
Configuring URLScan 538
Securing Web Sites 544
Building a Directory Structure 544
Setting Master WWW Properties 545
Securing by Content Type 551
Authenticating Users 557
Using Anonymous Authentication 558
Using Basic Authentication 558
Using Digest Authentication 559
Using Integrated Windows Authentication 560
Using Client Certificate Mapping 561
Publishing Web Content 562
Staging and Review 563
Setting File Attributes 563
Building File Checksums 563
Moving Content versus Updating Content 563
Summary, Solutions Fast Track, Frequently Asked Questions 565
Chapter 11 Hacking Custom Web Applications
Introduction 572
Using the Source 574
Locating Possible Interactivity 575
Pinpointing Attack Vectors 576
Information Gathering 577
Directory Traversal 580
Command Execution 582
Database Query Injection 583
Cross Site Scripting 588
Parameter Passing 589
State Tracking 595
Executing and Examining 598
Countermeasures and Counter-Countermeasures 600
Using Automation 608
Summary, Solutions Fast Track, Frequently Asked Questions 612
Chapter 12 Attacking and Defending Microsoft SQL Server
Introduction 620
The Evolution of SQL Server 620
Overcoming a Sybase Past 621
Understanding SQL Server Editions 621
Understanding SQL Server Security Basics 624
Explaining SQL Server Instances 624
Authentication Types 626
Network Libraries 628
Understanding SQL Security Principles 630
Attacking SQL Servers 634
Discovering SQL Servers to Attack 634
Acquiring an Account 640
Escalating Your Privileges 643
Defending SQL Servers 648
Planning for a Secure Installation 649
Configuring a Secure SQL Server 650
Monitoring and Maintenance 656
A Case Study: Things Going Badly 661
Writing Secure Applications for SQL Server 662
Injecting SQL 662
Defending Against SQL Injection 664
Summary, Solutions Fast Track, Frequently Asked Questions 674
Chapter 13 Attacking and Defending Oracle
Introduction 682
The Oracle Architecture 682
Downloading Patches 684
Attacking the Listener 684
External Procedure Services 685
Denial of Service When Redirection Occurs 687
Attacking the Database 687
Buffer Overflows in Authentication 688
Buffer Overflows in SQL 688
Left Outer Joins 689
PL/SQL 690
Java Stored Procedures 695
Attacking the Oracle Application Server 697
Vulnerabilities in Oracle 9iAS 2 698
OracleJSP 707
XSQL 709
SOAP Application Deployment 710
Defending Oracle 712
Securing the Listener 712
Securing the Database 715
Summary, Solutions Fast Track, Frequently Asked Questions 719
Chapter 14 Attacking and Defending Unix
Introduction 730
Attacking Unix 730
Information Gathering Attacks 730
Gaining Remote Access 733
Local Privilege Elevation 736
Engineering a Secure Unix System 737
System Information Gathering 737
System Design 740
Secure System Implementation 741
Platform-Specific Configurations 754
Access Control Lists 755
Role-Based Accounts 756
Auditing 758
Kernel Parameters 759
Kernel Modules 761
Service Configuration 762
Host-Based Intrusion Detection 765
Securing Inherited Systems 766
Evaluating Inherited Systems 766
The Process of Securing Inherited Systems 773
Summary, Solutions Fast Track, Frequently Asked Questions 776
Chapter 15 Wireless LANs: Discovery and Defense
Introduction 784
Introducing 802.11 785
The Standards 785
Components of a Wireless Network 786
Wireless Network Discovery 792
GPS and Mapping 793
Tools for Detecting 802.11 Networks 793
Finding 802.11 Networks from the Wired Side 799
SNMP and Other Management Services 799
802.11 Client Detection 805
Wireless Network Defense 809
Reviewing Basic Architecture Concepts 810
Implementing Wireless Security 810
Detecting 802.11 Attacks 815
Summary, Solutions Fast Track, Frequently Asked Questions 818
Chapter 16 Network Architecture
Introduction 826
Learning About Your Network’s Security Design 826
Analyzing Traffic Flow 827
Useful Tools for Gathering Data 829
Using Network Assessment Tools 835
Ensuring Physical Security 837
Creating a Secure Logical Layout 838
Firewalling the Internal Network 839
Defining the Perimeter and Internal Segments of your Network 839
Selecting the Correct Firewall 840
Implementing Access Control Lists 844
IDS Configuration and Placement 847
Types of Network and Host IDS 847
IDS Placement 852
IDS Tuning and Monitoring 853
Evolution of the IDS 853
Defending Against Layer 2 Attacks 854
MAC Flooding 854
ARP Spoofing 858
VLAN Jumping 862
Cisco Discovery Protocol Denial of Service 863
Managing the Secured Network 865
Summary, Solutions Fast Track, Frequently Asked Questions 876
Chapter 17 Architecting the Human Factor
Introduction 886
Balancing Security and Usability 886
Personnel as a Security Risk 888
The State of Internal Security 892
User Community Response 893
The Role of Virus Defense in Overall Security 894
Managing External Network Access 895
Gaining Control: Proxying Services 896
Handling Difficult Services 902
Managing Partner and Vendor Networking 907
Developing VPN Access Procedures 908
Developing Partner Extranets 913
Securing Sensitive Internal Networks 915
Protecting Human Resources and Accounting 916
Protecting Executive and Managerial Staff 917
Developing and Maintaining Organizational Awareness 920
Quantifying the Need for Security 921
Developing Effective Awareness Campaigns 922
Company-Wide Incident Response Teams 927
Summary, Solutions Fast Track, Frequently Asked Questions 931
Chapter 18 Creating Effective Corporate Security Policies
Introduction 938
The Founding Principles of a Good Security Policy 940
Safeguarding Against Future Attacks 941
Required: Management Support 943
Avoiding Shelfware Policies 943
Make Policies Readable 944
Make Policies Referable 946
Keep Policies Current 947
Balance Protection and Productivity 948
Recognize Your Value 948
Designate Policy Ownership 949
Obtain Management Support 950
Understanding Current Policy Standards 950
ISO17799 951
SAS70 952
Government Policy 953
Creating Corporate Security Policies 961
Defining the Scope 965
Discovering Current Policies 967
Evaluating Current Policies 969
Creating New Policies 976
Implementing and Enforcing Corporate Security Policies 983
Policy Distribution and Education 985
Policy Enforcement 987
Reviewing Corporate Security Policies 990
Summary, Solutions Fast Track, Frequently Asked Questions 995
Index 1005