Customer Reviews

Incident Response

5 star:		(0)
4 star:		(2)
3 star:		(2)
2 star:		(0)
1 star:		(4)

 

 

Anyone who has flown on a commercial airliner knows well of the pre- flight safety briefings. From the water floatation safety cushions to the oxygen masks, it's the cabin crew's duty to ensure that every passenger is briefed. Why is this safety briefing so vital? Because when a passenger is gasping for air at 39,000 feet, it is unlikely that they will get a response when they press the flight attendant call button.

In many ways, computer incident response is akin to airplane safety; you need to know
what to expect when the inevitable occurs. If an organization attempts to manage things
ex post facto -- whether it is a depressurization at cruise level or a hack attack - their response will invariably fail. As such, the need for IT-based incident response strategy is
crucial.

Why is incident response a necessity? According to data from the Computer Security
Institute (and backed-up by many other security surveys), more than 70% of businesses
reported security breaches in the year 2000. While 70% may have answered the survey
affirmatively, the reality is that every business on the planet has security breaches. It's
simply a matter of how effectively they handle the incident. System and network hacks
are to be expected; how well they are handled, and how the damage is mitigated is up to
the organizations and their respective incident response teams.

Although I used the airline example, the authors of Incident Response compare it to fire
fighting. Incident response is akin to firefighting in that it involves the coordination of
various disciplines, namely: prevention, planning, detection, analysis, containment,
investigation, eradication, and post-incident analysis.

The difference between a fire and incident response is that whereas a fire can be
extinguished with perhaps one or two of the controls just mentioned, effective incident
response requires that all eight of the controls be effectively carried out. Another
difference between firefighting and incident response is that humanity has thousands of
years of experience in putting out fires. Computer security, however, has only been
around for a few decades. From an incident response perspective, the CERT/CC
(Computer Emergency Response Team Coordination Center) is only 13 years old. The
fact that Smokey the Bear is older than information security and incident response should
be humbling to those in technology.

The problem within many elements of corporate information technology is that they don't
understand the intricacies involved with incident response. With that, Incident Response
provides a non-technical introduction to the rudiments of setting up an incident response
team. Many technology managers don't know the difference between Certs candy and
the CERT organization. For those managers, this book will be a good start toward
teaching them how to deal with the inevitable.

Overall, Incident Response is a thorough introduction to incident response. The authors
go into detail about defining what an incident is and analyzing its various components to
show how a multi-disciplinary approach is required to rectify the situation. Those of us
in technology easily understand the need for incident response; unfortunately, many IT
managers think that incident response can be handled in a much more informal and
unofficial way. Such an erroneous management attitude will only lead to many
undetected security incidents.

Although Forno and Van Wyk give a good overview of incident response, the topic is far
too broad to be thoroughly covered in this monograph alone. For those who need a deeper
and more technical look at incident response and its associated field of computer
forensics, the following books will likely be beneficial:

· Incident Response: A Strategic Guide to Handling System and Network Security
Breaches by Russell Shumway & Gene Schultz, New Riders Publishing 2002;
ISBN: 1578702569 2002
· Incident Response: Investigating Computer Crime by Chris Prosise & Kevin
Mandia, McGraw-Hill Professional Publishing 2001; ISBN: 0072131829
· Computer Forensics -- Incident Response Essentials by Warren Kruse & Jay
Heiser, Addison-Wesley 2001, ISBN: 0201707195.

At only 200 or so pages, the Incident Response is too brief to qualify as the Bible of Incident Response, but it certainly comes close. This excellent manual by two renowned security experts describes the administrative measures needed to create, train, maintain and operate an information incident response team. It also sheds light on sniffers, intrusion detection systems, vulnerability scanners, computer forensics utilities and other "tools of the trade" for the emergency response professional.

Co-author Kenneth R. van Wyk helped found CERT/CC, chaired the FIRST organization and helped launch the first commercial incident response team in the US. His collaborator, Richard Forno, established the first computer incident response team for the US House of Representatives, served as Chief Security Officer for the domain registry Network Solutions and has written a book on information warfare.

Together, they have produced a book that will be most useful to large companies -- since smaller ones just cannot afford a dedicated internal emergency team. However, they also discuss the considerations of choosing an outside team (public or commercial), which will definitely help smaller companies, as will the simple steps for handling incidents before the response team flies in. The team lifetime is outlined in a clear and concise manner: planning, reporting, staffing, training, developing procedures and testing them in real life. Additionally, van Wyk and Forno explain the logical steps to take in case of a penetration and they have optimized these steps for deployment under pressure.

Overall, Incident Response is a great book to own if you are an information security professional or an IT professional wearing the "security hat." It is also extremely useful if you are a manager tasked with creating a response team, because it can serve as a summary of special knowledge developed in the area.

This is most likely, the poorest O'Reilly publication in my library. The technical content is sorely lacking. The book's overall content reminds me of the early Internet books of a few years ago designed to get everyone "up to speed." Need to move on. Would have liked to seen more on the recent Internet incidents,hacker group activities and law enforcement countermeasures. This book is not only short (240 pages) but certainly doesn't meet the usually high O'Reilly standards with regard to quality and substance. Better choices are "Incident Response: Investigating Computer Crime" by Mandia and Procise or "Hacking Exposed" by Scambrey, McClure, and Kurtz or "Hacking Attacks Revealed" by Chirillo.

This book really lacks substance, first of all it must be meant for someone with no understanding of the internet or technology in general (like senior management or a new student). There are very high level examples of processes and procedures as well as high level examples of tools of the trade. At least Dragon IDS was mentioned (probably the best IDS however not the most popular), even though the screen shots are out of date and the old reference to Cabletron not Entrasys. Technologists will have no use for this book except to give it to their manager who refuses to use email or computers however still needs to understand what his organization needs to prepare for on Incident Response.

I found this a good intro to incident response, particularly since I have to develop a comprehensive program for our company and tie that with our subsidaries around the world. (I am the head of Global Incident Response for a Fortune 500 company) For managers and CIO folks, this book is a very handy reference that doesn't scare folks away.....if you want gads of screen shots and techno-babble, look elsewhere. If you want a book that managers and those with little time can read, learn from, and apply, get this one. This is the Cliff Notes of Incident Response - nothing more, and nothing less.

I think Mr. Cananady hit the nail on the head! The problem with this book is that O'Reilly readership has come to expect more from their publications - like substance and detail! Managers and CIOs should read Denning's "Information Warfare and Security" or Schneier's "Secrets and Lies" for the low down on security.

Not sure what O'Reilly had in mind in publishing this book. You can get pretty much the same information from organizations like CERT for FREE. If meant for management, it still missed the mark since in many cases management is still trying to learn how to spell S-E-C-U-R-I-T-Y. A concept like IR is way over their heads and out of the question. With shrinking budgets people are looking for solutions not another obtuse layer of complexity. Glad to see the price drop - still too much for what you get.

The book is a great introduction to incident handling, and is appropriate for both systems folks as well as their managers. This is not the heaviest security book in the world and that's because it doesn't get bogged down in the nitty-gritty technology stuff of computer security. (If you want a hand-holding how-to-do-it book, there are others better suited.)

Rare for a technology book, they take a management approach instead of a purely technical one, and thus probably means they have a wider target audience that will benefit from it. Also, the book isn't Unix- or Windows- based, what they talk about is handy for any computing platform for any size company.

However it does do a great job of introducing you to incident response - why it's needed and what options you have for it. They are correct that it is a process not a solution.

The tools section is a good overview and introduction - by no means complete - and the authors even say that it's not all-incompassing. I guess we all know how fast software changes, and that it's impossible to cover everything.