Defensive Security Handbook: Best Practices for Securing Infrastructure

Edition: 2
Authors: Amanda Berlin, Lee Brotherston, William Reyor III
Series: (none)
ISBN: 1098127242, 9781098127244
Publisher: O'Reilly Media
Year of publication: 2024
Pages: 363
Language: English (original-language edition, not a Persian translation)
File format: PDF
File size: 9 MB
Table of Contents

Front matter
  Cover
  Copyright
  Table of Contents
  Foreword to the First Edition
  Preface
    Our Goal
    Who This Book Is For
    Navigating the Book
    Conventions Used in This Book
    O'Reilly Online Learning
    How to Contact Us
    Acknowledgments (Amanda, Lee, Bill)

Chapter 1. Creating a Security Program
  Laying the Groundwork
  Establishing Teams
  Determining Your Baseline Security Posture
  Assessing Threats and Risks
    Identify Scope, Assets, and Threats
    Assess Risk and Impact
    Mitigate
    Monitor
    Govern
  Prioritizing
  Creating Milestones
  Use Cases, Tabletops, and Drills
  Expanding Your Team and Skillsets
  Conclusion

Chapter 2. Asset Management and Documentation
  What Is Asset Management?
  Documentation
  Establishing the Schema
  Data Storage Options
  Data Classification
  Understanding Your Inventory Schema
  Asset Management Implementation Steps
    Defining the Lifecycle
    Information Gathering
    Change Tracking
    Monitoring and Reporting
  Asset Management Guidelines
    Automate
    Establish a Single Source of Truth
    Organize a Company-wide Team
    Find Executive Champions
    Keep on Top of Software Licensing
  Conclusion

Chapter 3. Policies
  Language
  Document Contents
  Topics
  Storage and Communication
  Conclusion

Chapter 4. Standards and Procedures
  Standards
  Procedures
  Document Contents
  Conclusion

Chapter 5. User Education
  Broken Processes
  Bridging the Gap
  Building Your Own Program
    Establish Objectives
    Establish Baselines
    Scope and Create Program Rules and Guidelines
    Provide Positive Reinforcement
    Define Incident Response Processes
  Obtaining Meaningful Metrics
    Measurements
    Tracking Success Rate and Progress
    Important Metrics
  Conclusion

Chapter 6. Incident Response
  Processes
    Pre-Incident Processes
    Incident Processes
    Post-Incident Processes
  Tools and Technology
    Log Analysis
    EDR/XDR/MDR/All the "Rs"
    Disk and File Analysis
    Memory Analysis
    PCAP Analysis
    All-in-One Tools
  Conclusion

Chapter 7. Disaster Recovery
  Setting Objectives
    Recovery Point Objective
    Recovery Time Objective
  Recovery Strategies
    Traditional Physical Backups
    Warm Standby
    High Availability
    Alternate System
    System Function Reassignment
    Cloud Native Disaster Recovery
  Dependencies
  Scenarios
  Invoking a Failover...and Back
  Testing
  Security Considerations
  Conclusion

Chapter 8. Industry Compliance Standards and Frameworks
  Industry Compliance Standards
    Family Educational Rights and Privacy Act (FERPA)
    Gramm-Leach-Bliley Act (GLBA)
    Health Insurance Portability and Accountability Act (HIPAA)
    Payment Card Industry Data Security Standard (PCI DSS)
    Sarbanes-Oxley (SOX) Act
  Frameworks
    Center for Internet Security (CIS)
    Cloud Control Matrix (CCM)
    The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
    Control Objectives for Information and Related Technologies (COBIT)
    ISO-27000 Series
    MITRE ATT&CK
    NIST Cybersecurity Framework (CSF)
  Regulated Industries
    Financial
    Government
    Healthcare
  Conclusion

Chapter 9. Physical Security
  Physical
    Restrict Access
    Video Surveillance
    Authentication Maintenance
    Secure Media
    Datacenters
  Operational Aspects
    Identifying Visitors and Contractors
    Physical Security Training
  Conclusion

Chapter 10. Microsoft Windows Infrastructure
  Quick Wins
    Upgrade
    Third-Party Patches
    Open Shares
  Active Directory Domain Services
    Forests
    Domains
    Domain Controllers
    Organizational Units
    Groups
    Accounts
  Group Policy Objects (GPOs)
  Conclusion

Chapter 11. Unix Application Servers
  Keeping Up-to-Date
    Third-Party Software Updates
    Core Operating System Updates
  Hardening a Unix Application Server
    Disable Services
    Set File Permissions
    Use Host-Based Firewalls
    Manage File Integrity
    Configure Separate Disk Partitions
    Use chroot
    Set Up Mandatory Access Control
  Conclusion

Chapter 12. Endpoints
  Keeping Up-to-Date
    Microsoft Windows
    macOS
    Unix Desktops
    Third-Party Updates
  Hardening Endpoints
    Disable Services
    Use Desktop Firewalls
    Implement Full-Disk Encryption
    Use Endpoint Protection Tools
  Mobile Device Management
  Endpoint Visibility
  Centralization
  Conclusion

Chapter 13. Databases
  Introduction to Databases and Their Importance in Information Security
  Database Implementations
  Common Database Management Systems
  A Real-World Case Study: The Marriott Breach
  Database Security Threats and Vulnerabilities
    Unauthorized Access
    SQL Injection
    Data Leakage
    Insider Threats
    Defense Evasion
  Database Security Best Practices
    Data Encryption
    Authentication and Authorization Mechanisms
    Secure Database Configuration and Hardening
  Database Management in the Cloud
  Hands-on Exercise: Implementing Encryption in a MySQL Database (Operation Lockdown)
  Conclusion

Chapter 14. Cloud Infrastructure
  Types of Cloud Services and Their Security Implications
    Software as a Service (SaaS)
    Platform as a Service (PaaS)
    Infrastructure as a Service (IaaS)
  The Shared Responsibility Model
  Common Cloud Security Mistakes and How to Avoid Them
    Misconfigurations
    Inadequate Credential and Secrets Management
    Overpermissioned Cloud Resources
    Poor Security Hygiene
    Failing to Understand the Shared Responsibility Model
  Cloud Security Best Practices
    Start with Secure Architectural Patterns
    Properly Manage Secrets
    Embrace Well-Architected Frameworks
    Continue Following Security Best Practices
  Exercise: Gaining Security Visibility into an AWS Environment
    Configure an SNS Email Notification
    Enable GuardDuty
    Set Up EventBridge to Route Alerts to Email
    Testing
  Conclusion

Chapter 15. Authentication
  Identity and Access Management
  Passwords
    Password Basics
    Encryption, Hashing, and Salting
    Password Management
    Additional Password Security
  Common Authentication Protocols
    NTLM
    Kerberos
    LDAP
    RADIUS
    Differences Between Protocols
    Protocol Security
    Choosing the Best Protocol for Your Organization
  Multi-Factor Authentication
    MFA Weaknesses
    Where It Should Be Implemented
  Conclusion

Chapter 16. Secure Network Infrastructure
  Device Hardening
    Firmware/Software Patching
    Services
    SNMP
    Encrypted Protocols
    Management Network
  Hardware Devices
    Bastion Hosts
    Routers
    Switches
    Wireless Devices
  Design
    Egress Filtering
    IPv6: A Cautionary Note
    TACACS+
  Networking Attacks
    ARP Cache Poisoning and MAC Spoofing
    DDoS Amplification
    VPN Attacks
    Wireless
  Conclusion

Chapter 17. Segmentation
  Network Segmentation
    Physical
    Logical
    Physical and Logical Network Example
    Software-Defined Networking
  Application Segmentation
  Segmentation of Roles and Responsibilities
  Conclusion

Chapter 18. Vulnerability Management
  Authenticated Versus Unauthenticated Scans
  Vulnerability Assessment Tools
  Open Source Tools
  Vulnerability Management Program
    Program Initialization
    Business as Usual
  Remediation Prioritization
  Risk Acceptance
  Conclusion

Chapter 19. Development
  Language Selection
    Assembly
    C and C++
    Go
    Rust
    Python/Ruby/Perl
    PHP
  Secure Coding Guidelines
  Testing
    Automated Static Testing
    Automated Dynamic Testing
    Peer Review
  Software Development Lifecycle
  Conclusion

Chapter 20. OSINT and Purple Teaming
  Open Source Intelligence
    Types of Information and Access
    Modern OSINT Tools
  Purple Teaming
    A Purple Teaming Example
  Conclusion

Chapter 21. Understanding IDSs and IPSs
  Role in Information Security
  Exploring IDS and IPS Types
    Network-Based IDSs
    Host-Based IDSs
    IPSs
    NGFWs
  IDSs and IPSs in the Cloud
    AWS
    Azure
    GCP
  Working with IDSs and IPSs
    Managing False Positives
    Writing Your Own Signatures
    IDS/IPS Positioning
    Encrypted Protocols
  Conclusion

Chapter 22. Logging and Monitoring
  Security Information and Event Management
    Why Use a SIEM
    Scope of Coverage
    Designing the SIEM
  Log Analysis and Enrichment
    Sysmon
    Group Policy
  Alert Examples and Log Sources to Focus On
    Authentication Systems
    Application Logs
    Cloud Services
    Databases
    DNS
    Endpoint Protection Solutions
    IDSs/IPSs
    Operating Systems
    Proxy and Firewall Logs
    User Accounts, Groups, and Permissions
  Testing and Continuing Configuration
  Aligning with Detection Frameworks, Compliance Mandates, and Use Cases
    MITRE ATT&CK
    Sigma
    Compliance
    Use Case Analysis
  Conclusion

Chapter 23. The Extra Mile
  Email Servers
  DNS Servers
  Security Through Obscurity
  Useful Resources
    Books
    Blogs
    Podcasts
    Websites

Appendix. User Education Templates
  Live Phishing Education Slides
    You've Been Hacked!
    What Just Happened, and Why?
    Social Engineering 101(0101)
    So It's OK That You Were Exploited (This Time)
    No Blame, No Shames, Just...
    A Few Strategies for Next Time
    Because There Will Be a Next Time
    If Something Feels Funny
    If Something Looks Funny
    If Something Sounds Funny
    Feels, Looks, or Sounds Funny—Call the IT Help Desk
    What If I Already Clicked the Link or Opened the Attachment?
    What If I Didn't Click the Link or Attachment?
    Your IT Team Is Here for You!
  Phishing Program Rules

Back matter
  Index
  About the Authors
  Colophon