Network Security Assessment: Know Your Network

By New York Security

  • ISBN13: 9780596510305
  • Condition: NEW
  • Notes: Brand New from Publisher. No Remainder Mark.

Product Description

How secure is your network? The best way to find out is to attack it. Network Security Assessment provides you with the tricks and tools professional security consultants use to identify and assess risks in Internet-based networks, the same penetration testing model they use to secure government, military, and commercial networks. With this book, you can adopt, refine, and reuse this testing model to design and deploy networks that are hardened and immune from attack.

Network Security Assessment demonstrates how a determined attacker scours Internet-based networks in search of vulnerable components, from the network to the application level. This new edition is up-to-date on the latest hacking techniques, but rather than focus on individual issues, it looks at the bigger picture by grouping and analyzing threats at a high level. By grouping threats in this way, you learn to create defensive strategies against entire attack categories, providing protection now and into the future.

Network Security Assessment helps you assess:

  • Web services, including Microsoft IIS, Apache, Tomcat, and subsystems such as OpenSSL, Microsoft FrontPage, and Outlook Web Access (OWA)
  • Web application technologies, including ASP, JSP, PHP, middleware, and backend databases such as MySQL, Oracle, and Microsoft SQL Server
  • Microsoft Windows networking components, including RPC, NetBIOS, and CIFS services
  • SMTP, POP3, and IMAP email services
  • IP services that provide secure inbound network access, including IPsec, Microsoft PPTP, and SSL VPNs
  • Unix RPC services on Linux, Solaris, IRIX, and other platforms
  • Various types of application-level vulnerabilities that hacker tools and scripts exploit

Assessment is the first step any organization should take to start managing information risks correctly. With techniques to identify and assess risks in line with CESG CHECK and NSA IAM government standards, Network Security Assessment gives you a precise method to do just that.


Category: Network Security | Comments: 5 | Date: March 24th, 2010


Comments


Mr. Paul Keely
March 25th, 2010

The book is good, but it's almost totally Unix based. I downloaded the tools and they all require Unix systems.
We just use Microsoft, and 99% of our clients use MS only.
Really should be called Unix security hacks. Rating: 3 / 5


Anonymous
March 25th, 2010

Two years ago Mr. McNab was a teenager running rootkits against random web servers. Now he is supposedly a professional pen tester.

This book is the latest clone of Hacking Exposed, a theme that gets a new title every month. The addition of checklists reeks of big four style mechanization. What people on the outside, looking in, don’t seem to understand is that real hacking/cracking is not about running tools to exploit known vulnerabilities. It’s about reverse engineering and hand crafting new attacks. Otherwise you’re just repeating the same tired lines about social engineering and using buffer overflows against unpatched systems. Nothing to see here folks. Move along.

I’m disappointed in O’Reilly for publishing this title. Rating: 2 / 5


Daniel McKinnon
March 25th, 2010

‘Network Security Assessment: Know Your Network’ is an absolute must buy for anyone that runs/admins a network and needs to know the tricks to keeping things safer in today’s connected world. Warning right off the bat that this is a very niche market of reader and it’s NOT NOT NOT for the regular developer or admin. This is heavy on the technical jargon and you better know all your acronyms like there is no tomorrow from TCP to IP to LDAP to xxx!!

From IIS to VPN to Databases and regular Windows usage there are tons of case studies and examples throughout that will help you plug leaks and keep the bad guys out. Here’s a chapter overview:

01. Network Security Assessment Basics

02. Network Security Assessment Platform

03. Internet Host and Network Enumeration

04. IP Network Scanning

05. Assessing Remote Information Services

06. Assessing Web Servers

07. Assessing Web Applications

08. Assessing Remote Maintenance Services

09. Assessing Database Services

10. Assessing Windows Networking Services

11. Assessing Email Services

12. Assessing IP VPN Services

13. Assessing Unix RPC Services

14. Application-Level Risks

15. Running Nessus

16. Exploitation Frameworks

***** HIGHLY RECOMMENDED Rating: 5 / 5


JEO
March 25th, 2010

This review is a comparison between the first and second edition. Other readers have properly described the book and you won’t find anything different.

The book is still very concise (its strength) and to the point. The previous edition had some links (or many I’d say) that were not working, or simply do not exist anymore. In this sense it’s a good update.

Probably the author had to decide between waiting more and revamping an important part of the book, or publishing this edition with no major updates or changes.

The book is still a good companion, so buy it if it’s not in your library. But if you have it, wait for a third edition when all major updates in major operating systems take place.

Rating: 4 / 5


Christopher Byrne
March 25th, 2010

Recently I published a review of “Security Assessment – Case Studies for Implementing The NSA IAM”. In other reviews of this book, one person was upset that it did not focus on technical aspects of security assessments, but this person missed the point of that book. What this person should have read, in addition to that book, is Network Security Assessment (Chris McNab, O’Reilly Media, Inc., 2004, 371 Pages). This book provides a technical deep dive into security assessments to complement Security Assessment.

Whenever I read a new book, I hope to learn something new that I did not know before. This book did not disappoint me as very early on the author presents an overview of assessment standards. In addition to the NSA IAM covered last night, this book offers an overview of CESG Check, which is the British Standard to evaluate and accredit security testing teams in the UK to do government work. The author also recognizes the three levels of assessment in the NSA IAM and clearly states that this book only covers the assessment and Red Team levels, as these are the nuts and bolts that take place on the project. This recognition is what makes this book the perfect complement to Security Assessment.

This book is not for managers and sales people; it is for the people who need to do the actual assessments. The book provides detailed technical information on tools, shows how to test services, application testing and more. Now, this is not a book I run to excited to read for reading’s sake, but it is a reference that I can use to identify tools and tasks my teams may need to undertake or if I need to provide an independent review of a proposal for a client.

The author also provides a number of helpful tips for when to use and not use systems in a networked environment, which may be useful for practitioners. He also provides a number of mitigation strategies depending on what is being tested.

Who Should Read This Book

If you do not have a desire or need to get into technical nitty-gritty details, this book is not for you. If you want a reference book for proposal development for your day-to-day job, this might be an ideal reference for you. But do not go into it expecting anything outside of the purely technical realm. You will end up frustrated and disappointed. The book for you is “Security Assessment – Case Studies for Implementing The NSA IAM”.

Scorecard

Birdie on a long par 5 (Good book, but nothing that really jumped out and grabbed my attention) Rating: 4 / 5
