防御安全手册：构建低成本高效率的安全防护

需积分: 10 178 浏览量更新于2024-07-19 4 收藏 29.25MB PDF 举报

"Defensive Security Handbook 2017.4.pdf" 是一本专注于网络安全防御的手册，由 Lee Brotherston 和 Amanda Berlin 合著。本书旨在帮助那些预算有限，无法建立或外包信息安全（InfoSec）项目的组织，提供基础到进阶的安全实践指南，通过实际步骤、工具、流程和理念来提升安全防护能力，而无需大量成本。本书覆盖了多个关键领域的安全问题，包括但不限于： 1. 数据泄露和灾难应对：提供了应对数据泄露和灾难事件的策略，帮助组织快速响应并降低损失。 2. 合规性管理：讨论了如何满足各类法规要求，确保组织在法律和政策框架内运营。 3. 网络基础设施与密码管理：讲解了构建安全网络架构的技巧，以及如何实施有效的密码策略。 4. 脆弱性扫描：介绍了自动化工具和手动方法来识别系统中的弱点，以便及时修复。 5. 渗透测试：阐述了如何模拟黑客攻击，以检测和增强系统的防御能力。书中每一章都针对特定问题提供详细的步骤指导，适合网络工程师、系统管理员和安全专业人士阅读。内容以易理解、可操作的模块呈现，便于读者分阶段提升安全水平。作者 Lee Brotherston 和 Amanda Berlin 提倡的防御性安全方法，强调以实用且经济的方式增强基础设施的安全性，无论组织规模大小，都可以从中获益。他们结合丰富的经验和行业最佳实践，为读者提供了一套全面的自我提升方案。本书的出版商 O'Reilly Media, Inc. 是知名的科技图书出版商，提供了在线版本，方便读者随时随地学习。此外，书中的编辑、设计、校对等团队为内容的质量和可读性做出了贡献，确保读者能够从中获得高质量的学习体验。《防御性安全手册》是一本实用的指南，对于那些需要自己动手提高网络安全的企业和个人来说，是一份不可多得的参考资料。通过阅读和应用书中的建议，读者将能够逐步建立一套强大的安全防护体系，保护组织免受日益严峻的网络威胁。

For this reason, many companies that are only now embarking on their information

security program have taken the route to promote someone from another role such

as a system administrator or architect to an information security practitioner role.

Another common practice is hiring a more junior information security professional

into a role than would normally be the case, and expect the newly appointed

employee to learn on the job. This situation is precisely what this book is intended to

address.

A large number of issues encountered by companies with an immature information

security program can be remedied, or at least vastly reduced, with some basic security

hygiene. The knee-jerk reaction to the task of inheriting a new and immature security

department can be to buy as many devices with pretty blinky LEDs as possible, in the

hope that they will remedy issues. Some people would rather pay another company to

set up an outsourcing agreement, which can be leveraged in order to assist. Both of

these options require money. Many organizations that are new to information secu‐

rity do not have the budget to undertake either of these solutions to the problem—

using the tools that are already in the environment may well be all you have.

Our Goal

Our goal is to not only make this a standard that can be applied to most enterprise

networks, but also be a little entertaining to read along the way. There are already

deep-dive standards out there from a variety of government and private organiza‐

tions that can drone on and on about the validity of one security measure or the next.

We want this to be an informative dialog backed by real-life experiences in the indus‐

try. There will be good policy, best practices, code snippets, screenshots, walk‐

throughs, and snark all mixed in together. We want to reach out to the masses—the

net admins who can’t get approval to hire help; directors who want to know they

aren’t the only ones fighting the battles that we see day in and day out; and the people

who are getting their hands dirty in the trenches and aren’t even close to being ready

to start down the path of reading whitepapers and RFCs.

Who This Book Is For

This book is designed to serve as a Security 101 handbook that is applicable to as

many environments as possible, in order to drive maximum improvement in your

security posture for the minimum financial spend. Types of positions that will be able

to take away knowledge and actionable data from this include upper-level CIOs,

directors, security analysts, systems administrators, and other technological roles.

xiv | Introduction

Navigating the Book

We have deliberately written this so that you do not have to adopt an all-or-nothing

approach. Each of the chapters can serve as a standalone body of knowledge for a

particular area of interest, meaning that you can pick and choose which subjects work

for you and your organization, and ignore any that you feel may not apply. The aim is

not to achieve compliance with a particular framework or compliance regime, but to

improve on the current situation in sensible, pragmatic, manageable chunks.

We have purposefully ordered this book to begin with the fundamentals of starting or

redesigning an information security program. It will take you from the skeleton steps

of program creation on a wild rollercoaster ride into the depths of more technical

topics.

Many people fail to realize that a large amount of work and implementation can be

performed in an enterprise before any major capital is spent. A common problem

faced in information security is not being able to get buy in from C-level executives.

A step in the right direction in getting a security budget would be to prove that you

have completed due diligence in your work. A large portion of this book includes

steps, tools, processes, and ideas to secure an environment with little-to-no capital.

After the skeleton steps of planning out the new and shiny security program, we

move on to creating a base set of policies, standards, and procedures. Doing so early

in the stages of your security program will give you a good starting point for growth

and maturation. Using policies as a method to communicate expectations allows you

to align people across your organization with regard to what is expected of them and

their role.

We included user education early on in the book as it is never too early to start teach‐

ing employees what to watch out for (and using them as a key role in detection).

However, depending on the current strength of your defenses, it should not be a

major focus until a strong foundation has been formed. Attackers aren’t going to

bother with human interaction if they can just connect remotely without one.

The book then moves on to planning and dealing with breaches, disasters, compli‐

ance, and physical security, all of which combine the management and organizational

side of information security with the physical tools and infrastructure needed to com‐

plete them. Being prepared in the case of any type of physical or technical emergency

can mean the difference between a smooth and steady recovery or a complete com‐

pany failure—and anything in between.

A good, solid ground-up design is just the beginning. Now that we’ve covered part of

the design of the overall program, we start to get into more technical categories and

security architecture, beginning with the two main categories of operating systems.

Both Microsoft and Unix have their pros and cons, but in regards to Microsoft, some

Introduction | xv

of what will be covered is installing the Enhanced Mitigation Experience Toolkit

(EMET), Group Policy best practices, and Microsoft SQL security. For Unix, we will

cover third-party updates and server/OS hardening, including disabling services, file

permissions, host-based firewalls, disk partitions, and other access controls. Endpoint

management also falls into this category. A common struggle that we see in corpora‐

tions includes bring your own device (BYOD) practices and mobile device manage‐

ment (MDM). We will also go into managing and implementing endpoint

encryption.

Two other important verticals that are often ignored (or not given as much love as

they should be) are networking infrastructure and password management. While

going over networking infrastructure, we will cover port security, disabling insecure

technologies, device firmware, egress filtering, and more. We will cover segmentation,

including implementing VLANs with ACLs to ensure the network isn’t flat, delega‐

tion of permissions, and Network Access Controls. We will then look into vulnerabil‐

ity scanning and remediation. While most enterprise vulnerability scanners are not

free, we talk about them in this chapter to prove their worth by using them for a free

trial period (to work toward the purchase of the entire product) or getting the most

out of a full version already in the organization.

Many organizations have their own development team; however, traditional training

for developers typically focuses on performance optimization, scalability, and intero‐

perability. Secure coding practices have only been included in software development

training in relatively recent years. We discuss techniques that can be used to enhance

the current situation and reduce the risk often associated with in-house development.

Purple teaming, which is the combination of both offensive (red team) and defensive

(blue team) security, can be difficult to implement depending on staffing and corpo‐

rate policies. It is a relatively new concept that has gained a significant amount of

attention over the last couple of years. Chapter 18 covers some basic penetration test‐

ing concepts, as well as social engineering and open source intelligence.

Finally, some of the most time-intensive security practices and devices are covered as

we go through IDS, IPS, SOC, logging, and monitoring. We have found that many

organizations feel as though these technologies are a one-time install or setup proce‐

dure and you can walk away feeling protected. It is well worth the time, effort, and

investment to have a continually in-progress configuration because your internal

environment is always changing, as are the threats you should be concerned about.

We won’t be making any specific vendor recommendations, but rather have opted to

discuss overall solutions and concepts that should stand the test of time a lot better

than a specific vendor recommendation for the current toolset.

Oh, and the Extra Mile...that’s the junk drawer where you will find our bits and pieces

of configuration ideas and advice that didn’t really have a home anywhere else.

xvi | Introduction

剩余283页未读，继续阅读

xinconan2

粉丝: 269
资源: 399

防御安全手册：构建低成本高效率的安全防护

Defensive Security Handbook: Best Practices for Securing Infrastructure

Defensive Security Handbook(O'Reilly,2017)

Defensive Security Handbook(O'Reilly,2017) （三种格式pdf，azw3，epub）

java中defensive copying是什么

Assert.notEmpty

Towards Deep Learning Models Resistant to Adversarial Attacks

(The Course class) Revise the Course class as follows: ■■ Revise the getSt

怎么确保一个集合不能被修改

提高对抗鲁棒性有什么方法

SQL注入如何避免？

最新资源