This complete new guide to auditing network security is an indispensable resource for security, network, and IT professionals, and for the consultants and technology partners who serve them.
Cisco network security expert Chris Jackson begins with a thorough overview of the auditing process, including coverage of the latest regulations, compliance issues, and industry best practices. The author then demonstrates how to segment security architectures into domains and measure security effectiveness through a comprehensive systems approach.
Network Security Auditing thoroughly covers the use of both commercial and open source tools to assist in auditing and validating security policy assumptions. The book also introduces leading IT governance frameworks such as COBIT, ITIL, and ISO 17799/27001, explaining their values, usages, and effective integrations with Cisco security products.
About the Author
Christopher L. Jackson, CCIE No. 6256, is a security technical solutions architect in the U.S. Channels organization with Cisco and is focused on developing security consulting practices in the Cisco partner community. Throughout his career in internetworking, Chris has built secure networks that map to a strong security policy for a large number of organizations including UPS, GE, and Sprint. Chris is an active speaker on security for Cisco through TechwiseTV, conferences, and webcasts. He has authored numerous whitepapers and is responsible for a number of Cisco initiatives to build stronger security partners through security practice building.
Chris is a highly certified individual with dual CCIEs (Routing and Switching & Security), CISSP, ISA, seven SANS GIAC certifications (GSNA, GCIH, GCFW, GCIA, GCUX, GCWN, and GSEC), and ITIL V3. Chris also holds a bachelor's degree in business administration from McKendree College. Residing in Bradenton, Florida, Chris enjoys tinkering with his home automation system and playing with his ever-growing collection of electronic gadgets. His wife Barbara and two children Caleb and Sydney are the joy of his life and proof that not everything has to plug into a wall outlet to be fun.
Contents
Introduction xxi
Chapter 1 The Principles of Auditing 1
Security Fundamentals: The Five Pillars 1
Assessment 2
Prevention 3
Detection 3
Reaction 4
Recovery 4
Building a Security Program 4
Policy 5
Procedures 6
Standards 7
Security Controls 7
Administrative Controls 7
Technical Controls 8
Physical Controls 8
Preventative Controls 8
Detective Controls 8
Corrective Controls 8
Recovery Controls 9
Managing Risk 9
Risk Assessment 10
Risk Mitigation 14
Risk in the Fourth Dimension 16
How, What, and Why You Audit 17
Audit Charter 17
Engagement Letter 18
Types of Audits 19
Security Review 19
Security Assessment 19
Security Audit 20
The Role of the Auditor 20
Places Where Audits Occur 21
Policy Level 21
Procedure Level 21
Control Level 22
The Auditing Process 22
Planning Phase: Audit Subject, Objective, and Scope 22
Research Phase: Planning, Audit Procedures, and Evaluation Criteria 23
Data Gathering Phase: Checklists, Tools, and Evidence 23
Data Analysis Phase: Analyze, Map, and Recommend 24
Audit Report Phase: Write, Present, and File the Audit Report 24
Follow-Up Phase: Follow up, Follow up, Follow up! 25
Summary 25
References in This Chapter 26
Chapter 2 Information Security and the Law 27
IT Security Laws 27
Hacking, Cracking, and Fraud Laws 29
Computer Fraud and Abuse Act 29
Access Device Statute 31
Electronic Communications Privacy Act 34
Title I: Wiretap Act 34
Title II: Stored Communications Act 37
Title III: Pen/Trap Statute 38
Intellectual Property Laws 39
Digital Millennium Copyright Act 39
Economic Espionage Act 41
CAN-SPAM Act of 2003 42
State and Local Laws 43
Reporting a Crime 44
Regulatory Compliance Laws 46
SOX 46
HIPAA 48
Privacy Rule 50
Security Rule 51
Transactions and Code Sets Standard Rule 52
Identifiers Rule 52
Enforcement Rule 52
GLBA 54
PCI DSS 55
Summary 59
References in This Chapter 60
Federal Hacking Laws 60
State Laws 60
Chapter 3 Information Security Governance, Frameworks, and Standards 61
Understanding Information Security Governance 61
People: Roles and Responsibilities 64
Information Security Governance Organizational Structure 65
Board of Directors 65
Security Steering Committee 65
CEO or Executive Management 66
CIO/CISO 66
Security Director 66
Security Analyst 66
Security Architect 66
Security Engineer 67
Systems Administrator 67
Database Administrator 67
IS Auditor 67
End User 67
Spotting Weaknesses in the People Aspect of Security 67
Process: Security Governance Frameworks 68
COSO 68
Control Environment 69
Risk Assessment 70
Control Activities 70
Information and Communication 70
Monitoring 70
COBIT 71
ITIL 75
Technology: Standards Procedures and Guidelines 76
ISO 27000 Series of Standards 76
NIST 78
Center for Internet Security 80
NSA 80
DISA 81
SANS 82
ISACA 83
Cisco Security Best Practices 84
Summary 85
References in This Chapter 86
Web Resources 86
Chapter 4 Auditing Tools and Techniques 87
Evaluating Security Controls 87
Auditing Security Practices 89
Testing Security Technology 91
Security Testing Frameworks 92
OSSTMM 93
ISSAF 93
NIST 800-115 94
OWASP 94
Security Auditing Tools 95
Service Mapping Tools 96
Nmap 96
Hping 100
Vulnerability Assessment Tools 101
Nessus 101
RedSeal SRM 105
Packet Capture Tools 111
Tcpdump 111
Wireshark/Tshark 114
Penetration Testing Tools 116
Core Impact 116
Metasploit 120
BackTrack 127
Summary 128
References in This Chapter 128
Security Testing Frameworks 128
Security Testing Tools 129
Chapter 5 Auditing Cisco Security Solutions 131
Auditors and Technology 131
Security as a System 132
Cisco Security Auditing Domains 133
Policy, Compliance, and Management 134
Infrastructure Security 135
Perimeter Intrusion Prevention 136
Access Control 136
Secure Remote Access 137
Endpoint Protection 138
Unified Communications 139
Defining the Audit Scope of a Domain 139
Identifying Security Controls to Assess 141
Mapping Security Controls to Cisco Solutions 143
The Audit Checklist 144
Summary 150
Chapter 6 Policy, Compliance, and Management 153
Do You Know Where Your Policy Is? 153
Auditing Security Policies 154
Standard Policies 158
Acceptable Use 158
Minimum Access 158
Network Access 158
Remote Access 159
Internet Access 159
User Account Management 159
Data Classification 159
Change Management 160
Server Security 161
Mobile Devices 161
Guest Access 161
Physical Security 161
Password Policy 162
Malware Protection 162
Incident Handling 162
Audit Polic…