Network Security Evaluation: Using the NSA IEM

Features

• Cover Type: Paperback with 450 pages
• Published by: Syngress July 1, 2005
• Written in: English
• ISBN 10 Number: 1597490350
• ISBN 13 Number: 978-1597490351
• Book Dimensions: 9.5 x 6.9 x 1.1 inches
• Weighs: 1.7 pounds

Product Description
Are you an information security professional looking for a way to conduct network evaluations in a comprehensive and customized manner? Did you know that the National Security Agency has a methodology that they use and recommend? Security Evaluation was written by professionals who not only use this methodology themselves, but who helped develop and teach the course for the NSA.

Security Evaluation guides the experienced INFOSEC professional through a step-by-step process to ensure their customers receive the most accurate and comprehensive evaluation of their network security posture as possible. Security Evaluation is unique as it starts with the customer's information, not the technical tools to be used. In this way, the INFOSEC professional is able to ensure the results are relevant to the customer as opposed to delivering a standardized report, which may or may not directly affect or improve security posture. In addition, this framework will not only give the customer a sense of where they are, but also a way for both the service provider and customer to monitor and track progress over time using this repeatable methodology. Don't be misled by other books that focus only on technical tools. As an INFOSEC professional, you owe it to yourself and your customers to also have an understanding of how legislation, industry regulation, and legal issues affect you both. Network Security Evaluation Using the NSA IEM helps you put this all together and deliver a final product that the customer will actually understand and use.

About The Author
Russ is a co-founder, CEO, CTO and Principal Security Consultant for Security Horizon, Inc. Russ is a United States Air Force Veteran and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Russ is also the editor-in-chief of "The Security Journal." He also serves as the Professor of Network Security at the University of Advancing Technology (uat.edu) in Tempe, AZ. Russ is the author of Hacking a Terror Network: The Silent Threat of Covert Channels (Syngress, ISBN 1-928994-98-9). He has contributed to many books including Stealing the Network: How to Own a Continent (Syngress, ISBN: 1-931836-05-1), Security Assessment: Case Studies for Implementing the NSA IAM (Syngress, ISBN 1-932266-96-8), WarDriving, Drive, Detect, Defend: A Guide to Wireless Security (Syngress, ISBN: 1-931836-03-5) and SSCP Study Guide and DVD Training System (Syngress, ISBN: 1-931846-80-9). He is also a co-founder of the Security Tribe information security research web site at www.securitytribe.com.

Greg Miles,(Ph.D., CISSP#24431, CISM#0300338, IAM, IEM)is the President, and Chief Financial Officer of Security Horizon, Inc. Security Horizon is a Global, Veteran-Owned Small Business headquartered in Colorado Springs, Colorado.



Reader Reviews
I am a security consultant in the DC area, so I have heard the NSA IAM and IEM terms bandied about the Beltway. I read Network Security Evaluation Using the NSA IEM (NSE) to get a better understanding of the IEM side of the equation. I found the business process coverage of this book helpful, along with the general understanding of the goals of the IAM and IEM. For these two reasons you may find NSE helpful too. The Prologue, ch 1, ch 2, and Part I (which oddly begins with ch 3 and ends with ch 6) occupies about 40% of the book. None of the material is technical, but it helps the reader understand why the NSA IAM and IEM exist, how the methodologies help clients, and what you as a security consultant owe clients when providing an IEM-centric service. These business issues, which largely sit outside the NSA's purview, are very helpful for those of us trying to provide good services to clients. I found contracting advice in ch 2 to be especially useful. Warnings about scope creep, salespeople over-promising, and setting expectations all rang true. I also liked the legal section (ch 5), but I wished it had avoided trotting out the tiresome links to "cyber terror"; cut pages 100-103 in the second edition! I did learn a critical legal lesson, however: consultants should avoid even the pretense of interpreting laws like SOX or HIPPA when advising clients. This could be misconstrued as "practicing law," which is illegal without a license! Part II discusses "on-site" evaluation issues, which for ch 8-10 means discussing tools to accomplish the ten IEM baseline activities. These tool sections were fairly generic, and anyone with decent security experience will not learn anything new. One exception for me was Ophcrack, a recent password cracker. Ch 9 boasted of getting Unix-centric Nessus to run on Windows using Cygwin, but disappointed by providing no further details. Ch ten mentions network protocol analysis as the tenth IEM baseline activity, but has nothing helpful to say besides mentioning running Ethereal or EtherPeek. If the purpose of protocol analysis is discovering insecure protocols or cleartext passwords, avoid Ethereal -- run a password grabber like dsniff or similar. Part III addresses tasks done in the post-evaluation phase, like report-writing and delivery. Some of the material is superfluous and preachy, e.g. p 316 "Knowledge is individualistic. It is inherent to individuals and is acquired through the natural process of experience and learning." Ch 14 finally displays the 17 IAM (not IEM) categories, which had been alluded to in previous chapters but never explained (which would have been helpful for those unaware of the IAM). The sample Technical Evaluation Plan in Appendix B is a good way to provide concrete examples for IEM beginners. I would like to see a second edition of NSE after an editor reads the entire book, as I just did. That editor should strive to remove as much extra and redundant information as possible. For example, there are sections repeated nearly word-for-word in ch 2 (p 40-43) and ch 4 (p 74-78). The risk triangle appears on p 246 and 383. CVE is introduced in ch 7 and again in ch 13. Calculating ROI is presented in ch 3 and again in the same words in ch 14. These duplications are the result of ten people contributing to a 400 page book. Overall, I still recommend reading NSE. I return to the first 170 pages of the book for its best advice, such as entire chapter on scoping an engagement (ch 4). There are far too few security books that explain how to deliver a valuable service to a client. NSE addresses that issue in great detail, and for that reason I commend the authors.