CERT (www.cert.org) has released a comprehensive guide for protecting information systems.
As most security books nowadays, the CERT guide starts with quoting CSI/FBI 2001 survey statistics which indicate the ever increasing growth of cybercrime and other network abuse. Now that the 2002 survey is out, even more evidence of this alarming trend is available.
The book is organized around the prevention-detection-response principle. Part I covers securing computers and Part II describes detection and response capabilities in a non-platform specific way. Ample appendices cover Solaris security implementation (such as installing intrusion detection systems and other security functionality) and practical security policy considerations. Even some relevant physical security topics are covered. Another valuable resource is security checklists given in the end of each chapter. The need for a comprehensive enterprise security policy is also emphasized.
A lot of advice given in the book is well-known or common sense. However, it is the implementation of the described measures and not simply knowing them that will make your company secure.
The book is not without minor shortcomings. The first thing is that the book is a "what" book as opposed to a "how" book. The book is a huge list of good recommendations on system security, infrastructure design and migration strategies (such as a firewall migration strategy). However, it leaves the "real-life" problems (which are often considered the most important) to the implementer.
"Establish a password change policy" and "ensure that users follow it." And what if they don't? A big part of the security process starts at that point. Another part that is left to the implementer is prioritizing and assessing risk. Probably CERT authors are saving it for their next book on OCTAVE risk management.
Similarly, it is a great idea to patch vulnerabilities immediately after the vendor releases a patch. Yes, it is true that every patch should be evaluated and tested in a realistic test environment, before the production system are backed up and patched. However, it was calculated and reported that large companies (especially those that are Microsoft-only), will not have had time to complete the previous round of patching before the next patch is released using their system and network staff. Thus the real-world experience will run counter to the book's excellent advice.
Suggestions to increase system audit trails present the same challenge. It is important to be able to track what happened on the system by looking at the system logs. Near real-time log analysis presents an effective way to prevent system problems from getting out of hand. However, a tremendous amount of audit information is produced by security devices and few companies can afford a dedicated intrusion analyst.
Overall, reading the book will not make you more secure, but intelligently following the given recommendation while paying attention to your enterprise peculiarities will.
Anton Chuvakin, Ph.D., is a senior security analyst with netForensics (www.netforensics.com), a security information management company that provides real-time network security monitoring solutions.
Book: CERT Guide to System and Network Security
Author: Julia H. Allen
Publisher: Addison-Wesley, 2001