Who Should Read This Book

This is an intermediate-level book for IT security professionals and system and network administrators who need to learn more about the security assessment process. Inside Network Security Assessment provides a step-by-step approach for assessing security, from paperwork to penetration testing to ethical hacking. This book is a valuable reference for individuals who are interested in creating their own methodology for conducting a comprehensive security assessment and in expanding their knowledge of network security tools and techniques to perform such evaluations. Almost every organization needs to evaluate the security of its IT infrastructure and IT assets.

Depending on the scope of the IT infrastructure and the scope of the security assessment, organizations can spend tens or hundreds of thousands of dollars to conduct a security assessment. With proper controls and objectivity, conducting a security assessment with internal IT security staff is a viable solution. To do this, the IT security staff must create their own methodology and implement it in-house.

Why We Created This Book

The world of information security continually evolves. More tools are available to attackers and defenders than ever before. There has also been an onslaught of books, classes, and seminars focused on security testing, tools, and techniques. But we as authors felt that something was missing. Among the wealth of information on tools and the how-to of security testing, very little was being discussed about the mechanics of security testing; therefore, we created this book to inform readers that the creation of a methodology and approach for conducting a security assessment is the critical missing piece. Unlike other books that focus on hacking tools or small segments of the assessment process, this book was designed to offer the reader a comprehensive step-by-step approach for guiding them through the security assessment process.

Overview of the Book's Contents

We would like to introduce this book from a 50,000-foot view. The first two chapters, "Introduction to Assessing Network Vulnerabilities" and "Foundations and Principles of Security," serve as a foundation for later chapters. These chapters introduce basic concepts of everything we will talk about throughout the book. Chapter 3, "Why Risk Assessment," and Chapter 4, "Risk Assessment Methodologies," deal specifically with risk. We examine risk terminology, quantitative risk assessment, qualitative risk assessment, and how risk is analyzed in real life.

Chapters 5 through 10 are designed to guide you through the security assessment process. Chapter 5, "Scoping the Project," presents a discussion of the scoping phase. Topics such as the forces driving the assessment are introduced. Chapter 6, "Understanding the Attacker," discusses who the real threat is. Both inside and outside attacks typically follow a given pattern. These stages of attack are discussed, as are ways to reduce the threat. If the assessment you are performing is being driven because of an attack, you'll find this a particularly valuable chapter.

Chapter 7, "Performing the Assessment," introduces the activities performed during the actual assessment. This might be only a policy review or may involve extensive hands-on testing. If hands-on testing is required, you will need a variety of tools, which are discussed in Chapter 8, "Tools Used for Assessments and Evaluations." Chapter 9, "Preparing the Final Report," introduces you to the report-writing phase. Everything you have done must be documented, and this chapter discusses ways to write a successful report. Finally, Chapter 10, "Post-Assessment Activities," describes what happens next. Post-assessment activities typically involve change, so this chapter delves into the topics of policy change, hardware implementation, and user training.

We have also outfitted the book with five appendixes. Here we provide security assessment resources, sample forms, and information on how to deal with outside consultants should you feel the need to outsource part of this process. Performing a security assessment is a challenging journey, and we hope that our approach to guarding your IT infrastructure makes your path more comfortable.