Defensive Security Handbook
by Lee Brotherston and Amanda Berlin
Copyright 2017 Lee Brotherston and Amanda Berlin. All rights reserved.
Printed in the United States of America.
Published by OReilly Media, Inc. , 1005 Gravenstein Highway North, Sebastopol, CA 95472.
OReilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com/safari). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com .
- Editors: Courtney Allen and Virginia Wilson
- Production Editor: Melanie Yarbrough
- Copyeditor: Kim Cofer
- Proofreader: Eliahu Sussman
- Indexer: Ellen Troutman-Zaig
- Interior Designer: David Futato
- Cover Designer: Karen Montgomery
- Illustrator: Rebecca Demarest
- April 2017: First Edition
Revision History for the First Edition
- 2017-03-31: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781491960387 for release details.
The OReilly logo is a registered trademark of OReilly Media, Inc. Defensive Security Handbook, the cover image, and related trade dress are trademarks of OReilly Media, Inc.
While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
978-1-491-96038-7
[LSI]
Foreword
Spend any time in the information security world, and it will become quickly evident that most of the press and accolades go to those folks working on the offensive side of security. From finding new vulnerabilities, creating exploits, breaking into systems, bug bounties, the occasional cable TV show, and capture the flag contests, the red teams get all the glory. But there is moremuch moreto the security world than just offense.
Being on the defensive side, the blue team, can seem a lonely, unappreciated battle. But doing defense is a vital, noble, and worthwhile pursuit. We defenders matter, greatly, to the future of our organizations and the jobs and livelihoods of our coworkers. When the bad guys win, people lose their jobs, organizations are distracted from their core goals, and the bad guys are often enriched to continue their nefarious pursuits. And, like something out of a cyberpunk novel, with the trend of the Internet of Things, soon actually lives may be at threat when the bad guys are successful.
So many of us got our start in the security world as tool engineers, running perhaps a firewall or IDS platform for our employer. Though those skills are highly valued, moving beyond them to a more holistic view of defensive security can sometimes be a challenge without the right resources to bring a bigger picture view. As we continue to experience a shortage of valuable information security defensive talent, we will need more folks than ever to continue to learn and grow into the defensive security role; and to do it well, they need a holistic view of the security landscape.
Another challenge we often face is that a great deal of the narrative around defenses, technology, threats, and thought leadership in the defensive security world comes from the vendors themselves, and their snazzy demos and marketing presentations. Though a lot can be learned from vendors in the space, as they are laser focused on the problems organizations are trying to solve, they also have a sometimes narrow view of the world. IT Security Vendors will often define the problem set as the problem they can solve with their technology, not necessarily the problem an organization actually has. Countering that view with a holistic view of defensive security is vital to helping organizations become as secure as they can be.
This is why I am so honored to write the forward for the Defensive Security Handbook. The world of security is changing rapidly, and we need more folks on the defensive side, learning from the best practices and the hard-won lessons of those who came before. This book does a great job of laying out key principles and skills, and giving a broad overview of the complex and growing landscape of the defensive security side of the world. Amanda Berlin and Lee Brotherston have laid out an overview of the multifaceted world of defensive security. Certainly, whole books have been written on tiny segments of the topics covered, but this handbook does a marvelous job of giving a defensive security professional an overview of the myriad of skill sets necessary to be successful. This handbook is a great primer for those new to the world of information security defense, those who want to expand their skills into more areas, and even those who have many years in the industry and are looking to make sure they are covering all their bases.
I think youll find this a valuable resource to keep nearby and reference throughout your career. Best of luck on your path, and remember to keep fighting the good fight. Even when it may seem lonely and tough, remember what you are doing matters, and there are many out there who can and will help. Amanda and Lee have done a great job sharing their experience; now its up to us to learn from their experience.
Andrew Kalat
Cohost of the Defensive Security Podcast
February 2017
Introduction
Over the last decade, technology adoption has exploded worldwide and corporations have struggled to keep pace. Usability and revenue creation have been the key motivating factors, often ignoring the proactive design and security required for long-term stability. With the increase of breaking news hacks, record-breaking data leaks, and ransomware attacks, it is our job to not only scrape by with default installs but to secure our data and assets to the best of our abilities. There will always be cases where you will walk into an environment that is a metaphorical train wreck with so many fires that you dont even know where to start. This book will give you what you need to create a solid and secure design for the majority of situations that you may encounter.
Modern attacks can occur for many different motivations and are perpetrated by people ranging from organized crime groups seeking to monetize breaches, through to hacktivists seeking to enact retribution on the organizations they deem to be immoral or counter to public interest. Whatever the motivation and whomever the attacker, a large number of attacks are organized and carried out by skilled individuals, often with funding.
This change in landscape has led to many organizations engaging in a game of InfoSec catch-up, often realizing that their information security program has either not received the executive backing that it required or simply never existed in the first place. These organizations are seeking to correct this and begin along the path to initiating or maturing their information security efforts. There is, however, a problem.
Information security is an industry that is currently undergoing a period of negative unemployment; that is, that there are more open positions than there are candidates to fill those positions. Hiring people is hard, and hiring good people is harder. For those seeking employment, this is can be an advantageous situation; however, it is a high risk for employers seeking to hire someone into an information security position as they would be instilling a certain amount of trust with possible high dollar assets to a new hire.