[ISN] Assessing Network Security

InfoSec News isn at c4i.org
Wed Nov 3 07:56:09 EST 2004


[ http://www.amazon.com/exec/obidos/ASIN/0735620334/c4iorg  - WK]

November 02, 2004

Anton Chuvakin writes "I've read some pretty bad books on penetration
testing; till now, nobody seemed to get this fun subject right! Good
news - this time somebody did. Assessing Network Security comes to us
direct from the bunkers of Redmond. Written by three Microsoft
security researchers, the book provides a great overview as well as
in-depth coverage of assessing security via penetration testing
('pentesting'), scanning, IT audit and other means." Read on for the
rest of Chuvakin's review of the book.

Assessing Network Security  
Author: Ben Smith, David LeBlanc, Kevin Lam  
Pages: 592 
Publisher: Microsoft Press 
Rating: 8/10 
Reviewer: Anton Chuvakin 
ISBN: 0735620334  
Summary: Great pentesting book 

Assessing Network Security starts with a nice overview of key
principles of security (definitely not news for industry
practitioners, but nice anyway), and then goes on to define
vulnerability assessment, penetration testing and security audit. A
critically important section on reporting the findings is also nicely
written, and shows that the authors are knowledgeable, and interested
in showing a complete security process rather than just the
looking-for-leaks part.

The authors then go into developing and maintaining pentesting skills,
including advice on choosing training and resources (nice for those
starting in the field). The actual pentesting process is split into
non-intrusive (combining the usual "intelligence gathering" with port
scans, sweeps and various host queries) and intrusive tests (such as
running a vulnerability scanner, brute-forcing passwords, DoS testing
and others). Some entries seem to belong in both categories (such as
sniffing) but are placed into the intrusive section, for whatever
reason. Up-to-date content (wireless, Bluetooth and web assessment,
for instance) is well represented.

The authors also include a fairly insightful social engineering
testing section (touching on dumpster diving and other non-network
assessment methods). My favorite chapter was the one presenting
various case studies - examples of specific threats/tests against Web,
email, VPN and domain controller systems.

Among other features that I liked in Assessing Network Security were
'notes from the field' sidebars with fun stories related by authors,
and FAQs at the end of each section. On the down side, the book is
somewhat Windows-focused (although it is amazingly vendor-neutral in
most respects, considering the source). The book is also somewhat dry,
although the sidebars provide some needed relief when the text gets
too process-oriented at times.

Assessing Network Security is largely about methodology, but I'd have
preferred to see a bit more technical content, since it is a 600-page
volume. I think the checklists present in the Appendix are a great
step in that direction.

Overall, I enjoyed the book and think it is both a great guide and a
reference for most security professionals, especially for those
starting to be involved with penetration testing.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Security Strategist with a
security information management company and maintains the security
portal info-secure.org. He wrote Security Warrior and contributed to
Know Your Enemy, 2nd Edition.
