Network Security SECRETS

David J. Stang, Sylvia Moon

Publisher: IDG, 1993, 1168 pages

ISBN: 1-56884-021-7

Keywords: IT Security, Networks

Last modified: April 19, 2021, 12:59 a.m.

According to a recent network security survey, 70% of companies who responded admit to a security infringement in the past year; 24 say the loss per incident was more than $100,000. Your valuable information could be next! Learn how to safeguard your network from threats of viruses, data theft, and other security hazards with Network Security SECRETS, an invaluable reference from network security experts David J. Stang and Sylvia Moon.

Inside, you'll discover:

  • The hottest information on data encryption, including DES, RSA, and DSS
  • 100 top security myths debunked
  • No-cost common sense tips and techniques to secure your data
  • Model security policies you can put to use immediately to safeguard crucial files and information
  • Simple self-tests that help you analyze how secure your network is today
  • Where your network is most vulnerable, and how to prevent everyday threats to your network and your valuable files
  • How viruses threaten networks and how to prevent, detect, and recover from them
  • How to increase the security of any computer network, with specific advice for users of NetWare, LANtastic, VINES, LAN Manager, UNIX, and more. Also includes coverage of Windows NT and DOS
  • How to secure your connections to the outside world

Network Security SECRETS is your network security encyclopedia, covering more problems and solutions than any other source. You'll learn secrets for rock-solid network protection that even most experts don't know.

  • Part I: Building a Roadmap
    1. An Overview of the Risks
      • Back/Trap Doors
      • Bumbling
      • Denial of Use
      • Emanations
      • Embezzling
      • Failure to Use
      • Fire and Natural Disasters
      • Forgery
      • Fraud
      • Hardware Failure
      • Impersonation
      • Inaccurate or Dated Information
      • Intentional Data or Program Damage
      • Logic Bombs
      • Misrepresentation
      • Misrouting
      • Network Analyzers
      • Occupational Hazards
        • Radiation risks
        • Repetitive motion/carpal tunnel syndrome
      • Overload
      • Piggybacking
      • Piracy
      • Programming Errors
      • Sabotage
      • Scavenging
      • Simulation and Modeling
      • Superzapping
      • Theft
        • Theft of equipment
        • Theft of information
        • Theft of service
      • Trojan Horses
      • Version Control
      • Viruses
      • Wiretapping
    2. Thinking About Risks
      • Terminology
        • Risk Management
      • Some Principles of Risk Management
      • The Psychology of Risk Taking
        • Perceived versus actual threats
        • Underreporting
        • Underworry
        • Understanding rare events
      • Some Basic Facts about Risks
      • Some Basic Facts about Risk Analysis
        • Benefits of performing a risk analysis
        • When to use a risk analysis
        • Participants in the risk analysis
      • Choosing Risk Reduction Strategies
        • Frequency versus severity of loss
        • Cost benefit analysis
      • Assessing Risk Reduction Strategies
      • Endnotes
    3. Assessing Your Risks
      • The Effects of Architecture
        • Creating categories
      • Previous Studies
        • Executive Information Network study: frequency
        • Coopers & Lybrand study: severity
        • Safeware study: frequency and severity
      • Delphi Panels
        • How Delphi works
        • Delphi panel example
        • Survey results
        • Commentary
      • Ranking Methods
      • Auditing Approaches
      • Feature Scoring
      • Certification
        • Division C: discretionary protection
        • Division B: mandatory protection
        • Division A: verified protection
        • Shortcomings of the Orange Book approach
        • Another Orange Book?
      • The Red Book
        • Definitions and acronyms
        • Evaluation, certification, and accreditation
        • Two types of networks
        • Network security architecture and design
        • Protocol layer approach
        • Part II security services
        • Importance of network security architecture and design
        • Risk management
        • TNI Part II security requirements
        • Specification and evaluation of security services
        • Evaluation ratings
        • Assurance
        • Functionality
        • Interconnecting AIS
        • Interconnecting Rule
        • Risk factors
        • Reactions to the Red Book
      • Computing a Risk Index
      • Questionnaire and Checklist Approaches
    4. Risk Management/Measurement Tools and Services
      • How to Select a Risk Analysis Tool
        • Overview
        • Fundamental elements of a risk analysis tool
        • Site-specific selection criteria
        • The selection process
      • Tools
        • @RISK
        • ALRAM (automated Livermore risk analysis methodology)
        • Application control matrix
        • ARES 1.1 (automated risk evaluation system)
        • BDSS (Bayesian decision support system)
        • Buddy System
        • CONTMAT (control matrix)
        • CONTROL-IT
        • CRAMM (CCTA risk analysis and management methodology)
        • CRITI-CALC
        • GRA/SYS
        • IST/RAMP (International Security Technology/risk analysis management program)
        • Janber
        • LAVA (Los Alamos vulnerability and risk assessment)
        • LRAM (Livermore risk analysis methodology)
        • MARION
        • MicroSecure Self assessment
        • MINIRISK
        • PRISM
        • Quickrisk
        • RANK-IT
        • RA/SYS (risk analysis system)
        • RISKPAC
        • RiskWatch
        • SOS (security online system)
      • Services
    5. What Are Your Risks? A Self-Test
      • Protecting the Office
      • Protecting Workstations
      • Protecting the Server
      • Protecting Applications and Data
      • Protecting Network Printers
      • Protecting the Cable between the Workstations and the Server
      • Protecting Connections with the Outside World
  • Part II: Some Threats in More Detail
    1. The Players
      • Administrators
      • Computer Security Professionals
      • LAN Managers
      • Users
        • Different viewpoints
        • Whose fault is it?
        • Distinguishing between users
      • Hackers
        • Scope of the problems
        • Handles
        • Organization
        • Subgroups
        • Rarity
        • Origins of the term hacker
        • Beliefs
        • The hack
        • Personal qualities
        • Hacker age
        • Some motives
        • Some hackers
        • To catch a hacker
      • Reacting to hacking
        • Is the victim to blame?
        • Breaking and entering
        • The buck stops where
        • How much self-defense is necessary?
      • Other Outsiders
      • Apportioning Blame
      • Endnotes
    2. How Network Type Affects Risks
      • Bus Networks
      • Dial-Up Networks
      • Heterogeneous Networks
        • Security concerns
        • Appropriate controls
      • Local Area Networks
        • Security strengths
        • Security concerns
      • Mesh Networks
        • Security concerns
        • Appropriate controls
      • Packet-Switched Networks
      • Ring Networks
      • SNA Networks
      • Star Networks
        • Security strengths
        • Security concerns
        • Appropriate controls
    3. Some Facts About Viruses
      • Virus Basics
        • What is a virus?
        • What a virus infects
        • How a virus infects a boot sector
        • How a virus infects a file
        • Who writes viruses?
        • Where do viruses come from?
        • How do we get viruses?
        • Creation of new viruses
        • How common are viruses?
        • What damage do they do?
        • What are the dollar costs of the damage?
        • Which viruses are most common?
        • Are the most commonly used products the best?
      • Common-sense Defense
        • Preventing infection
        • False alarms
        • The real thing
    4. Virus Dangers to NetWare LANs: Fact versus Fiction
      • Virus Basics
      • How We Tested
      • A Basis for Understanding
      • What Common File Viruses Do on NetWare
      • NetWare-Specific Viruses
      • Booting the Workstation with a Boot Virus
      • Booting the Server with a Boot Virus
      • Attacks from the Server
      • Protecting the Server with NetWare
  • Part III: Some Solutions In More Detail
    1. Common-Sense Defense
      • Preventing Total Loss with Backup
      • Help Users Help Themselves
      • Prevent Theft
      • Prevent Boot Viruses
      • Prevent File Viruses
      • Add Access Control to PCs
      • Prevent Software Piracy
      • Prevent Unintended Information Disclosure
      • Secure the Server
      • Use the Security Features of the Network Operating System
      • Prevent Outsider Attacks
      • Don't Contribute to Premature Hardware Failure
      • Prepare Hardware for Disaster
      • Learn the Basics of Data Recovery
      • Set Policies
    2. Overview of Network Security Controls
      • Physical Access Controls
      • Logical Access Controls
      • Organizational Controls
      • Personnel Controls
      • Operational Controls
      • Application Development Controls
      • Workstation Controls
      • Server Controls
      • Data Transmission Protection
      • Self-Test: Are You Secure?
        • Physical access controls
        • Logical access controls
        • Organizational controls
        • Personnel controls
        • Operational controls
        • Application development controls
        • Workstation controls
        • Server controls
        • Data transmission protection
      • Endnotes
    3. Access Control and Access Control Products
      • The Problem of Access Control in a Network
        • Defining what needs to be secured
        • Mobile computing
      • An Open Security Architecture for Access Control
        • A model of moving data
        • Why is an architecture needed?
        • OSA versus the proposed OSI security architecture
        • Definitions of an open security architecture
        • Security and control functions provided by OSA products
        • Benefits of OSA
      • Controlling Access to Mainframes
        • Prerequisites
        • Training
        • Logging, monitoring, and reporting
        • Accounts administration
        • System design
      • Evaluation of Microcomputer Access Control Products
        • Perspective
        • Problems
        • Choosing products to review
        • Disclaimer
        • Review criteria
        • System access control
        • Audit trails
        • LAN compatibility
        • Disaster prevention and recovery
        • Ease of use
        • File access control
        • Miscellaneous features
        • Disclosure protection
        • Protection from viruses and unauthorized changes
        • Product information
        • Comments on the products
        • Vendor information
      • Other product information
        • SECUREcard/110
        • SECUREcard/200
        • SECUREcard/300
        • SECUREcard/400
      • Endnotes
    4. Authentication: Passwords and Modern Variations
      • Bypassing Password Systems
        • TEMPSUP attacks
        • NETCRACK attacks
      • Attacking Everything with NetUtils
        • Attacking files
        • Finding information
        • Defending the server from NetUtils
      • Breaking Password Systems by Brute-Force Password Guessing
        • Brute-force attacks with PASSTEST and NETCRACK
        • Prevention against brute-force attacks
      • Capturing NetWare Passwords with a Network Analyzer
      • Attacks with Dictionaries
      • Attacks by Guessing
        • Trying usernames that have no passwords
        • Preventing password guessing
      • Attacks with Borrowed Passwords
        • Password sharing
        • Preventing password sharing
      • Attacks by Algorithm Reversal
      • Attacks with TSRs
        • Preventing attacks by TSRs
        • Detecting attacks by TSRs
      • Attacks by Committee Meeting
      • Attacks with LOGIN Trojans
      • Attacks by Previously Authorized Users
      • Some General Solutions to the Password Problem
        • Application software passwords
        • Speech synthesizers
        • Signature in passwords
        • Dial-back modems
        • Tokens
        • Personal attributes and biometric access control devices
        • Password generators
      • Guidelines for Password Management
        • Security manager responsibilities
        • User responsibilities
        • Authentication mechanisms
        • Password protection
      • Endnotes
    5. Encryption and Digital Signatures
      • How Encryption Works
      • Installing Encryption
        • Data link layer encryption
        • Transport layer encryption
        • Application layer encryption
      • Some Common Questions About Encryption
        • What is authentication?
        • What is public-key cryptography?
        • What are the pros and cons of public-key versus secret-key cryptography?
        • Are cryptographic systems patentable in the U.S.?
        • Is cryptography exportable from the U.S.?
      • Data encryption standard (DES)
        • The regulation
        • How DES works
        • Security provided by DES
        • DES cryptographic keys
        • Endorsement of DES products
        • DES references
      • Some Common Questions about RSA and Public-Key Cryptosystems
        • What is RSA?
        • Why use RSA rather than DES?
        • How secure is RSA?
        • Are there hardware implementations of RSA?
        • How much length does RSA add?
        • How is RSA used for encryption in practice?
        • How is RSA used for authentication in practice?
        • Does RSA help detect transmission errors?
        • Does RSA help protect against computer viruses?
        • Is RSA in use today?
        • Is RSA an official standard today?
        • Is RSA a de facto standard today?
      • DSS
      • Kerberos
      • Operation Times
      • Example of Operation
      • Message Authentication with X9.9
      • Encryption's Fundamental Problems
      • Endnotes
    6. Fault-Tolerant Users, Storage, Power, and Networks
      • What's the Problem?
      • Fault-Tolerant Users
        • Tips for preventing data loss
        • Improving data recovery
        • Daredevil Dave's eight swell tips for data recovery
      • Hardware and Fault-Tolerance
        • Service contracts
        • Spare parts
        • Two computers are better than one
        • Swapping approaches
      • Fault-Tolerant Storage
        • Home-brewing redundancy
        • Redundant arrays of inexpensive disks (RAID)
        • Disk mirroring
        • Disk duplexing
        • Solid state disks
        • Removable, swappable drives
      • Backup
        • Backup options: DAT's a fact!
        • Backup systems
        • Removable storage
      • Fault-Tolerant Power
        • More about the UPS and SPS
      • Fault-Tolerant Power
      • Weighing the Options
      • Vendors
      • Endnotes
    7. Bulletin Boards and Security
      • Why Call a BBS?
      • Security for Callers
        • BBS myth versus reality
        • Legitimate concerns
      • Benefiting from a BBS in Your Organization
      • Setting up a secure BBS
        • Legal issues
        • Tips on setting up a secure BBS
        • For more information
      • Evaluating Security Features of BBS Software
        • Why BBS security?
        • Security evaluation questions
        • The BBS mainframe
      • Looking at the Dark Side
        • Some of the files available
        • A look at an underground document
        • Resources for the underground
      • Calling Some Good BBSs
        • The Norman Data Defense Systems BBS
        • Computer Security Laboratory, NIST
      • Endnotes
    8. Secure Connections to the World: Bridges, Routers, Gateways, and Firewalls
      • Bridges and Routers
        • Similarities between bridges and routers
        • Differences between bridges and routers
        • Brouters
        • Advantages of bridges over routers
        • Advantages of routers over bridges
        • Products
        • Security inadequacies of routers
      • Gateways
      • Case Study: Digital Builds a Network Firewall
        • Abstract
        • Design goals
        • General configuration
        • Electronic mail
        • Telnet and FTP
        • Other services
        • Existing practice, different approaches, and Tar Baby
        • Experiences and observations
        • Dances with turkey
        • Future work
        • Conclusions
        • Availability
        • Acknowledgments
      • Endnotes
    9. Regulations, Standards and Network Security
      • Standards Development
        • Standard organizations
        • What's wrong with standards
        • Vendor/proprietary/de facto standards
        • Open systems: variations on OSI
      • International/nonproprietary/de jure standards
        • Connectivity (Layers 1-4)
        • Connectivity (Layers 5-7)
        • Portability
        • Data
        • GUI (graphical user interface)
      • Security Product Evaluation
        • The Green Book: German Information Security Agency
        • The White Book: ITSEC — Information Technology Security Evaluation Criteria
        • Technical criteria for evaluation of commercial security products
        • NIST and OSInet
      • Guidelines
        • Commission of the European Communities: Guidelines for an Informatics Architectures
        • U.S. federal guidelines, directives, bulletins, and memos
      • Legislation
        • U.S. federal laws
        • U.S. bills and legislative proposals
        • Recommendations concerning virus legislation
        • U.S. state laws
        • British regulations
      • What We Still Need
        • Data classification standards
        • Human understanding of how to
        • Career paths and job rewards
        • An Information Security Foundation
      • Endnotes
  • Part IV: A Look at LANs
    1. Fault Tolerance and Network Operating Systems
      • An Introduction to Fault Tolerance
      • Data Protection Features to Look for
        • FAT duplication
        • Coping with surface defects
        • Disk mirroring
        • Disk duplexing
        • File replication
        • Transaction tracking
        • UPS monitoring
        • Automatic reconnection
        • Salvaging and purging deleted files
        • Other fault-tolerant features
      • Vendor Information
    2. Microsoft LAN Manager
      • Overview
      • Administration
        • Remote administration
        • Domains
        • Network monitoring
        • Remote workstation booting
        • LAN Manager and SNMP
        • NetView
      • Server Security
        • Directory protections
        • Login scripts
        • User accounts
        • File protections
        • Miscellaneous nifty features
      • Windows for Workgroups
      • Shared Resource Controls
      • Remote Program Load
      • Remote Access Service
      • Local Security
      • Auditing
      • Fault Tolerance
      • Endnotes
    3. Securing IBM LAN Server Networks
      • Installation
        • Plan your network
        • Setting up a domain controller
        • Peer service
        • Create users
        • Guest accounts
      • Access Control
        • Security tips
        • Local security
        • Local permissions
        • Privileged programs
        • Audit trails
        • VENDOR
        • Peer services
        • Cabling
        • Fault tolerance
        • UPS support
      • Operations
        • Disabling login
        • Backup
      • Endnotes
    4. Network Security with LANtastic
      • An Introduction to LANtastic
      • LANtastic's Security Features
        • Login security
        • Access control list (ACL) security
        • Audit trail security (server auditing)
      • Vendor Information
    5. NetWare Security
        • Which NetWare?
        • The security power of NetWare
        • NetWare is not secure by default
      • Initial Setup: SYSCON
        • Accounting
        • Group Information
        • Supervisor Options
        • User Information
      • Understanding Attributes and Rights
      • Understanding File-Level Protections
        • Using file attributes to control access
        • Viruses and file attributes
        • Commands for changing or viewing file attributes
        • Directory attributes
        • Directory, file, and trustee rights
      • Understanding Access Rights
      • Constructing Directories
      • Creating Workgroups
      • Creating Workgroup Managers (NetWare 3.x)
        • Testing
        • Adding a user
      • Understanding LOGIN
      • Other Ways to Establish Security
        • Create system login scripts
        • Encrypted passwords
      • Commands for Maintaining NetWare Security
      • Fault-Tolerance Features of NetWare
        • Redundant FATs
        • Read-after-write verification and Hot Fix
        • Realtime defragmentation
        • The Transaction Tracking System (TTS)
        • Disk mirroring
        • Disk duplexing
        • Uninterruptible power supply (UPS) support
      • Creating a Secure NetWare Network
        • System design
        • Cabling
        • Remote callers
        • User regulations
        • Creating directories and load applications
      • Dave's Most Important Tips
        • Lock the server!
        • Back up everything!
      • Odds and Ends
        • BLEM WIT
        • Directories
        • File space reuse
        • Protect the bindery
      • Endnotes
    6. Securing UNIX
      • Exploring Some Background on UNIX
      • Reviewing Some Worm Case Studies
        • The Internet worm
        • The WANK worm
        • A variant of the WANK worm
      • Regarding Privacy Issues
      • Setting Up a Secure UNIX Configuration
        • Account security
        • Internetwork security
        • File and directory security
      • Monitoring and Managing Security
        • Monitoring accounts
        • Monitoring internetwork security
        • Monitoring file security
      • Beefing Up Security with Additional Software
        • Public domain
        • Commercial products
      • Keeping Current
      • Endnotes
    7. Securing Banyan VINES
      • Creating User Types
      • Controlling Logins
        • User login controls: MUSER
        • Group login controls: MGROUP
      • Securing the Server
        • OPERATE and dial-in access lists
        • Restricting internetwork access
      • Controlling Access through Rights
        • Rights for VINES, DOS, and OS/2
        • Rights for Macintosh
        • Inheriting rights
        • Accessing rights
      • Controlling Access through Attributes
      • Generating Logs and Reports
        • Generating Logs
        • StreetTalk reports
        • User access reports
      • Securing the Console
  • Part V: Time for Action!
    1. Two Paradigms for Security
      • A Paradigm Shift
      • Lost in the Fog: A Look at the Broken Paradigm
        • Explosion at the glue factory
        • How the paradigm broke
        • Would legislation help?
        • Our users are broken
        • We sold them hardship
        • Apathy rules
        • We guarded garbage
      • Two Paradigms Compared
        • Pushing paper versus power to the people
        • Local responsibility, local enforcement
        • They thought it was administrative
      • New Jobs for Old Experts
        • Tasks for the security expert
        • Dividing the job
        • Shifting paradigms
    2. Planning for and Surviving Network Disasters
      • Countermeasures
        • Fire prevention, detection, suppression, and protection
        • Water prevention, detection, and protection/correction
        • Electric power supply
        • Environmental support equipment
        • Natural disasters
        • Housekeeping
      • Before D Day
      • Contingency Planning
        • Contingency plans
        • Levels of contingency phases
        • Contingency planning phases
        • Management involvement
      • Creating a Disaster Recovery Plan
      • Endnotes
    3. Computer and Computer Security Training
      • What Is Training?
      • Security Training and the Law
        • Training content
        • Training methods and trainers
        • Audience
        • Training program
      • Training Costs and Benefits
        • Training benefits
        • Training costs
        • Two factors affecting the amount of training required
      • Tips for Trainers and Training Directors
        • What trainees need
        • Some learning principles
        • Some training principles
        • What should you train?
        • Vendor presentations
        • The future of training
      • Training Materials
        • Training guidelines
        • Videos
      • Security Training Courses
        • Computer security basics
        • Auditing
        • Risk assessment
        • Courses for federal agency employees and on federal regulations
        • Microcomputer security
        • Career, role, professionalism, and certification
        • Security planning, contingency planning, and security management
        • UNIX security
        • Security training: How to
        • Communications security
        • LAN security
        • Computer viruses
        • Physical security
        • Vendors of training products and services
      • Glossary
      • For Further Reading
      • Endnotes
    4. Security Policy and Mission Statements
      • Policy Creation
        • Purpose
        • Audience
        • Content
        • Style
      • Policy implementation
      • A Draft Mission Statement
      • Ethics
      • A Draft Security Policy
        • Technical requirements
        • Implementation concerns
        • Hardware concerns
        • Data concerns
        • Software concerns
        • Human concerns
      • Licensing
      • Software Piracy and LANs
        • The law
        • Why piracy?
        • Arguments against piracy
        • Procedures to prevent piracy
        • Piracy policy
      • Endnotes
    5. Network Management and Security
      • Intruder Detection
        • How to detect intruders
        • Other benefits of auditing efforts
        • Home-grown software
        • Using NetWare's PAUDIT
      • Detecting Network Faults
      • Network Management Tools
        • Tools for NetWare
        • Tools for other LAN operating systems
        • Tools for UNIX
        • Tools for other environments
      • Responding to Problems
        • Social relations
        • Fire drills
        • If it's broken, should you fix it?
        • Action plan
      • Vendors
      • Endnotes
  • Part VI: Network Security Shareware and Free Software
    • How to Use This Software
    • What's on the Disks?
    • APRITE/APRUN
    • BACKEMUP
    • BAGKEYS
    • BLANK
    • CMOS
    • CRYPTA
    • CRYPTDES
    • CRYPTE
    • CRYPTMPJ
    • DELETE
    • DISKUSED
    • DO-FOR
    • DOSWATCH
    • DRLOCK
    • DSEDIT
    • ENVEDIT
    • EQUIPCHK
    • EQUIV
    • FINDTEXT
    • FULLDIR
    • GENCON
    • GLOSSARY
    • IDLEBOOT
    • JLOCK
    • LANMENU
    • LOGINCHK
    • MCP
    • MEMINFO
    • NLMLOCK2
    • NOBOOT
    • NOSTOP
    • NOVBAT
    • ONEPAD
    • OTL
    • PASSWORD
    • PASSWORDS (in PW.ZIP)
    • PASSWRD
    • PAUDIT2
    • QUICK
    • RANK-IT
    • READEXE
    • README
    • REBOOT
    • SCOPE (in KSCOPE.ZIP)
    • SECOURSE
    • SHOWINT
    • SNORETIL
    • SUPER
    • TAKE FIVE (in TAKE5.ZIP)
    • TESTBAK
    • TSRBOOT
    • VBASEABC
    • VBASICS
    • WHOHAS
    • WINSUP
  • Part VII: Appendixes
    1. Conferences
      • Past Conferences
        • November, 1992
        • January
        • February
        • March
        • April
        • May
        • June
        • July
        • August
      • Future Conferences, 1993
        • September
        • October
        • November
        • December
      • Future Conferences, 1994
        • Miscellaneous Conference Information
    2. Vendors
    3. Organizations
      • Public Sector Organizations
      • Private Sector Organizations
    4. Glossary

Reviews

Network Security Secrets

Reviewed by Roland Buresund

Excrement * (1 out of 10)

Last modified: Nov. 14, 2008, 4:33 p.m.

A large piece of crap (with emphasis on large). Useless.
