Network Security Evaluation Using the NSA IEM. (Syngress Media) [Englisch] [Taschenbuch]

I am a security consultant in the DC area, so I have heard the NSA IAM and IEM terms bandied about the Beltway. I read Network Security Evaluation Using the NSA IEM (NSE) to get a better understanding of the IEM side of the equation. I found the business process coverage of this book helpful, along with the general understanding of the goals of the IAM and IEM. For these two reasons you may find NSE helpful too.

The Prologue, ch 1, ch 2, and Part I (which oddly begins with ch 3 and ends with ch 6) occupies about 40% of the book. None of the material is technical, but it helps the reader understand why the NSA IAM and IEM exist, how the methodologies help clients, and what you as a security consultant owe clients when providing an IEM-centric service. These business issues, which largely sit outside the NSA's purview, are very helpful for those of us trying to provide good services to clients. I found contracting advice in ch 2 to be especially useful. Warnings about scope creep, salespeople over-promising, and setting expectations all rang true. I also liked the legal section (ch 5), but I wished it had avoided trotting out the tiresome links to "cyber terror"; cut pages 100-103 in the second edition! I did learn a critical legal lesson, however: consultants should avoid even the pretense of interpreting laws like SOX or HIPPA when advising clients. This could be misconstrued as "practicing law," which is illegal without a license!

Part II discusses "on-site" evaluation issues, which for ch 8-10 means discussing tools to accomplish the ten IEM baseline activities. These tool sections were fairly generic, and anyone with decent security experience will not learn anything new. One exception for me was Ophcrack, a recent password cracker. Ch 9 boasted of getting Unix-centric Nessus to run on Windows using Cygwin, but disappointed by providing no further details. Ch 10 mentions network protocol analysis as the tenth IEM baseline activity, but has nothing helpful to say besides mentioning running Ethereal or EtherPeek. If the purpose of protocol analysis is discovering insecure protocols or cleartext passwords, avoid Ethereal -- run a password grabber like dsniff or similar.

Part III addresses tasks done in the post-evaluation phase, like report-writing and delivery. Some of the material is superfluous and preachy, e.g. p 316 "Knowledge is individualistic. It is inherent to individuals and is acquired through the natural process of experience and learning." Ch 14 finally displays the 17 IAM (not IEM) categories, which had been alluded to in previous chapters but never explained (which would have been helpful for those unaware of the IAM). The sample Technical Evaluation Plan in Appendix B is a good way to provide concrete examples for IEM beginners.

I would like to see a second edition of NSE after an editor reads the entire book, as I just did. That editor should strive to remove as much extra and redundant information as possible. For example, there are sections repeated nearly word-for-word in ch 2 (p 40-43) and ch 4 (p 74-78). The risk triangle appears on p 246 and 383. CVE is introduced in ch 7 and again in ch 13. Calculating ROI is presented in ch 3 and again in the same words in ch 14. These duplications are the result of ten people contributing to a 400 page book.

Overall, I still recommend reading NSE. I return to the first 170 pages of the book for its best advice, such as entire chapter on scoping an engagement (ch 4). There are far too few security books that explain how to deliver a valuable service to a client. NSE addresses that issue in great detail, and for that reason I commend the authors.

Companies that admit that they have an information security problem, is the first step toward a solution. If you are one of those companies, this book is for you! Authors Russ Rogers, Ed Fuller, Greg Miles, Matthew Hoagberg, Travis Schack, Ted Dykstra, Bryan Cunningham and Chuck Little, have done an outstanding job of writing a book that will help the majority of experienced INFOSEC professionals in the industry find the optimum security solution for their respective organization.

Rogers, Fuller, Miles, Hoagberg, Schack, Dykstra, Cunningham and Little, begin by helping you understand what the IEM is intended to address, why this type of work is requested, where it could potentially be applied, and the phases into which IEM is organized. Next, the authors focus on those activities that occur prior to the start of the evaluation. Then, they delve into one of the most critical preparation aspects of doing any evaluation: assessing customer expectations, the tangible and intangible factors, that will affect the outcome of the evaluation. The authors continue by discussing the components and activities of the scoping process that will give you the majority of the information needed to do an effective and efficient job during the evaluation process. In addition, the authors next provide an overview of a number of legal issues faced by information security evaluation professionals and their customers. They also discuss the various aspects of the TEP and some of the things you want it to accomplish. Next, the authors discuss the framework of the on-site evaluation phase, where the meat of the technical evaluation occurs. Then, they discuss the network discovery portion of the onsite evaluation phase. The authors continue by covering the vulnerability scanning and host evaluation portions of the IEM. In addition, the authors then cover the remainder of the scanning, or hands-on, portion of the IEM. They also discuss the out-brief meeting that you'll hold with the customer. Next, the authors walk you through the process of categorizing , consolidating, correlating, and consulting, to develop practical and effective solutions for the customer. Then, they cover the sources of finding information and how this information can be put into a single chart that the customer an use as a road map to improving their security posture. The authors continue by identifying some type of metrics that will be needed to readily identify the current security posture. They also cover the presentation of the final report. Finally, they sum up the entire book.

With the preceding in mind, the authors have also done an excellent job of writing a book that addresses the process-level security issues along with the technical findings, so that you can improve your chances to mitigate problems before they occur. So, in the end, all of these pieces can come together to create a custom and valuable security solution for your customer!