1. Visitors in the Night
   An Unwanted Guest
   Day 1: A Nice Night for a Hack
   Day 2: Out of Sight, Out of Mind
   Day 3: The Hack is Back
   Days 4 to 7: Waiting to Exhale
   Day 8: Too Little, Too Late
   Day 9: Just the Facts
   Summary: It Can Come from Within
   Let's Not Go There
   Focus on Prevention
   Prepare for the Worst
   React Quickly and Decisively
   Follow Up
   Checklist
   Final Words
2. The Bogus Box
   Out-of-the-box Security
   Day 1: False Security from a Box
   Two Years Later: It Was Bound to Happen Eventually
   + Two Weeks: Once Is Never Enough
   + Three Weeks: No Quick Fix
   The Saga Continues: A Disaster Awaits
   Summary: Would You Hire this ISP?
   Let's Not Go There
   Know Your Risks
   Avoid Out-of-the-box Installations
   Audit Your Network
   Know the People Who Know Your Data
   Assign or Acquire Adequate Funding for Security
   Don't Export Read/Write Permissions to the World
   Remove Old Accounts
   Forbid the Use of Crackable Passwords
   Apply Security Patches
   Follow Policies and Procedures
   Get Help
   Use Training
   Checklist
   Final Words
3. Executive Nightmare
   Can You Hear Me At The Top?
   Day 1: Not a Security Measure in Sight
   A Year Later: The Hacks Continue
   Summary: Take an Active Approach
   Let's Not Go There
   Commit to Security from the Top Down
   Speak Softly and ACT LOUDLY
   Keep Levels of Management to a Minimum
   Report Back!
   Set Security as a Management Goal
   Provide or Take Training as Required
   Make Sure that All Managers Understand Security
   Check that System Administrators Communicate Needs Clearly
   Checklist
   Final Words
4. Controlling Access
   The Never-ending Network
   Day 1: An Ill-Fated Plan for Outside Access
   A Few Weeks Later: Dave's Big Mistake
   The Next Day: Whose Job is Security, Anyway?
   Over the Next 29 Days: And the Hacker Wanders Quietly
   + One Month: A Spot Audit Spots the Hacker
   Audit Day 1: Follow the Network Map to Follow the Security Hole
   Audit Day 2: An Unenforced Policy is a Useless Policy
   The Last Audit Day: The Wrong Man for the Job is Worse than No Man for the Job
   Summary: Close the Door to the Competition
   Let's Not Go There
   Use Standard Architecture Designs
   Track External Connections
   Take Responsibility for Your Territory
   Require Approval for External Connections
   Enforce Policies and Procedures
   Disable Unnecessary Services
   Stress the Importance of Training
   Follow Through
   Don't Connect Unsecured Systems to the Internet
   Checklist
   Final Words
5. What You Don't Know
   Sink or Swim?
   Initial Contact: A Good Sign
   Day 1: Don't Put Your Security Eggs in One Basket
   Day 2: The Penetration Begins
   Day 3: Sink or Swim Always Means Sink
   Summary: Can't Afford the Power of Negative Training
   Let's Not Go There
   Have Management Send the Right Security Message
   Educate Executive Management
   Protect the Security Training Budget
   Make Security a Management Requirement
   Make Training a System Administrator Requirement
   Attend Security Seminars
   Have Brown Bag Lunches
   Disseminate Security Information
   Join Security Aliases
   Write White Papers
   Write for Newsletters
   Develop Tools into Products
   Checklist
   Final Words
6. Risking the Corporation
   Trauma Zone
   Day 1: An Unscheduled Audit
   A Game of Risk is a Game of Strategy
   Phase One: Dress the Part
   Phase Two: Infiltrate Physical Security
   Phase Three: A Walk Through the System Park
   Day 2: Patient Records at Risk
   Summary: Look Before You Leap
   Let's Not Go There
   Assess Risks
   Classify Systems
   Forbid Out-of-the-box Installations
   Don't Be Too Trusting
   Learn from the Past
   Target Budget Cuts
   Conduct Security Audits
   Hold Management Accountable
   Don't Set Yourself Up
   Include Training in Right-sizing Budgets
   Keep Score
   Checklist
   Final Words
7. Not My Job
   Come On In, The Door's Open
   Day 1: Why Can't We Lock the Hackers Out?
   Day 2: The Usual Suspects
   Stuck on Band-Aids for Job Security
   Moving On
   When You Hear "Don't Worry," Start Worrying
   My Last Day: Breaking the News
   Summary: Ask Not What Your Company's Security Can Do for You
   Let's Not Go There
   Define Roles and Responsibilities
   Develop Firewall Policies and Procedures
   Feed Your Firewall
   Read Your Audit Logs
   Use Detection Software
   Respond Quickly!
   Require Proof of Security
   Conduct Audits
   Get Educated
   Checklist
   Final Words
8. For Art's Sake
   Policies? What Policies?
   In the Beginning: A Conflict Arises
   Day 1: In Search of Tangible Evidence
   Day 2: Whose Side Are You On, Anyway?
   System Admins: It's Not Our Problem, It's Theirs
   Security Team: It's Not Our Problem, It's Theirs
   Summary: Security is the Casualty of War
   Let's Not Go There
   Put Someone in Charge of Policies and Procedures
   Delineate Cross-organizational Security Support
   Don't Wait for Miracles
   Question Processes
   Know When to Cry Uncle
   Be Responsible
   Checklist
   Final Words
9. Outsourcing the Store
   I Did It My Way
   Day 1: On the Surface, Everything Appears Normal
   Day 2: A Skeleton Key to Success
   Cracking the Case
   Lifestyles of the Untrained and Inexperienced
   Days 3 and 4: The Fix Is Up to Them
   Summary: Stop! Look! Audit
   Let's Not Go There
   Conduct Audits
   Do It Right
   Do It Regularly
   Use the Freebies
   Fix the Problems You Find
   Kill the Sink-or-Swim Trainers
   Checklist
   Final Words
10. What They See Can Hurt You
   E-mail or See Mail?
   Personal Data in 30 Seconds Flat
   Summary: You Have the Right to Waive Your Right to Privacy
   Let's Not Go There
   Use Encryption!
   Encourage Your Friends to Encrypt
   Add Encryption to Your Security Budget
   Promote Strong Cryptography Everywhere
   Watch for Other E-mail Hazards
   Final Words
11. A Hacker's Walk Through the Network
   A Hacker's Profile
   The Real Hackers
   About Those Tools
   Walking with the Hacker
   What the Hacker Was Doing
   Conclusion
Appendix A: People and Products to Know
Glossary
Index