Incident Response: A Strategic Guide to Handling System and Network Security Breaches (Paperback)

~ E. Eugene Schultz (Author), Russell Shumway (Author)
4.0 out of 5 stars (3 customer reviews)

List Price: $39.99
Editorial Reviews

Amazon.com Review

Incident Response fills a need that's existed in the security book market for some time. The authors--a pair of accomplished incident response experts, not merely researchers--have converted to book form their accumulated wisdom on the question of how to respond to an attack on computer systems. Their expertise is only partly technical; much of what Eugene Schultz and Russell Shumway have written has to do with legal questions and policy decisions. It's a reasonable balance, considering that the state of the art in network intrusion (and defense against it) changes frequently and security administrators are better armed with concepts and strategies than with "click this, type that" instructions. The explicit technical material that does appear here is nicely balanced between Windows and Unix systems, and clearly explains networking details of interest to security people and their managers. The explanation of how a spanning port can make a switch work like a hub for purposes of packet monitoring--nearly entirely prose--is one example of high-quality technical coverage that will remain valuable as operating systems and other network details change over time.

Unlike many books about computers, this one deserves to be read cover to cover. The authors have points to make, and they generally build on their earlier thoughts as they go. Some material in these pages seems somewhat obvious--the advice to dress nicely for a media interview, for example--but it all fits with the authors' goal of showing their readers how to react (in all respects) to security problems when they happen. Read this, be prepared for trouble, and know how to educate others about incident response. --David Wall

Topics covered: How an organization should react--organizationally, technically, legally, and in terms of public relations--to incidents of unauthorized access (originating both internally and externally) to its computer systems.



Product Description

This book teaches readers what they need to know not only to set up an incident response effort but also to improve existing incident response efforts. The book provides a comprehensive approach to incident response, covering everything necessary to deal with all phases of incident response effectively, spanning from pre-incident conditions and considerations to the end of an incident.

Although technical considerations are addressed (e.g., the particular binaries in Unix and Linux and dynamically linked libraries in Windows NT and Windows 2000 that need to be inspected in case they are corrupted, the types of logging data available in major operating systems and how to interpret it to obtain information about incidents, how network attacks can be detected on the basis of information contained in packets, and so on), the major focus of this book is on managerial and procedural matters. Incident Response advances the notion that without effective management, incident response cannot succeed.


Product Details

  • Paperback: 408 pages
  • Publisher: Sams; illustrated edition (November 18, 2001)
  • Language: English
  • ISBN-10: 1578702569
  • ISBN-13: 978-1578702565
  • Product Dimensions: 8.8 x 3.8 x 0.2 inches
  • Shipping Weight: 2.1 ounces
  • Average Customer Review: 4.0 out of 5 stars (3 customer reviews)
  • Amazon.com Sales Rank: #673,893 in Books
  • Popular in this category: #16 in Books > Computers & Internet > Certification Central > Publisher > Sams

Customer Reviews

3 Reviews
5 star: (0)
4 star: (3)
3 star: (0)
2 star: (0)
1 star: (0)

Average Customer Review: 4.0 out of 5 stars (3 customer reviews)

Most Helpful Customer Reviews

8 of 9 people found the following review helpful:
4.0 out of 5 stars "Incident Response" by Mandia/Prosise/Pepe is still king, December 27, 2001
I am a senior engineer for network security operations. I read "Incident Response: A Strategic Guide" (IR:ASG) by Schultz and Shumway to enhance my own understanding of ways to deal with security events. As a "strategic guide," the book will be useful to managers of incident response teams. Nevertheless, "Incident Response: Investigating Computer Crime," by Mandia, Prosise, and Pepe remains king of the hill.

IR:ASG is well-written, and focuses attention on processes and methodology over technical implementation. While this approach lengthens the book's shelf-life, it lessens its value to those looking for solutions to technical problems. Still, IR:ASG offers plenty of good advice, such as guidelines for users reporting security events, tips for handling the media, and recognition of the importance of operations staff. Chapter five provides useful recommendations for training and testing incident response personnel, and chapter ten's coverage of insider attacks is especially enlightening.

On the negative side, incorrect material on "packet sequence numbers" on pages 34-5 reflects the widespread misunderstanding that TCP sequence numbers count packets. As RFC 793 clearly states, "each octet of data is assigned a sequence number;" i.e., packets are NOT assigned sequence numbers; bytes of data are. The authors do not accurately represent the 2600 DeCSS case properly on p. 148, as the issue is not copy-protection but play-prevention on non-licensed platforms. The "traps and deceptions" chapter is weak compared to Lance Spitzner's truly definitive honeynet work, and in chapter thirteen the authors repeat the party line on the supposed weaknesses of intrusion detection systems.

The best reason to buy and read IR:ASG isn't written by the lead authors. Dr. Terry Gudaitis' chapter eleven, "The Human Side of Incident Response," is refreshing and educational. As a behavioral scientist and criminologist, she discusses "cyber criminal profiling." While the average security incident may not require application of her techniques, it's reassuring to know people with her level of skill and insight are available to add a human dimension when responding to serious incidents.

IR:ASG reminded me of "Computer Forensics" by Kruse and Heiser when I read this line on p. 188 in the "Forensics II" chapter: "The specific steps in analyzing a mission-critical system are beyond the scope of this book." Unfortunately for both books, most readers crave details on investigating systems for signs of external compromise and exploitation. We've heard enough about searching hard drives for remnants of illicit images, illegal software, or harassing emails. Until another set of authors can do better, "Incident Response" by Mandia, Prosise, and Pepe will be the single "go-to" book for most incident responders.

(Disclaimer: I received a free review copy of this book.)



 
5 of 5 people found the following review helpful:
4.0 out of 5 stars Very nice high-level book, April 11, 2003
Being the third book with the same title that I reviewed, "Incident Response" by Eugene Schultz and Russell Shumway had to overcome a certain expectation barrier, even though the authors are recognized experts in the security field. It passed the barrier with flying colors, being different, but still covering many facets of the intricate incident response (IR) process, such as technology, procedures and especially people.

The book starts with security basics. A risk assessment overview with loss estimates and a summary of digital risks (such as privilege escalation, break-in, denial-of-service, etc.) is provided. It appears to be useful mostly for newcomers to the security field. A formal six-stage incident response methodology is then presented by the authors. The Preparation, Detection, Containment, Eradication, Recovery and Follow-Up (PDCERF) process helps create a solid skeleton to support the fluid form of the IR process.

Admittedly, the book is less hands-on oriented than some other IR manuals; the reader will not find things like computer forensics tool command line options and ext2fs filesystem internals there. However, the book shines brightly in the area of the human aspect of incident response. Written by an ex-CIA Ph.D. Psychologist, the amazing chapter on social sciences and incident response covers a diverse range of topics. Cybercrime profiling techniques such as victim counseling and victimology, identifying 'modus operandi' and attack pattern recognition, establishment of threat level and communication with attacker are all covered in the chapter, which provides an exciting journey into the mind of a computer criminal, a cyber-sleuth and a cybercrime victim. Also covered are insider attacks, often considered to be the doom of information security. A number of reasons "Why insiders attack?" are analyzed. The author overlays the social methods over the standard procedure of incident response (detection->containment->eradication->recovery), which helps understand the crucial role the human element plays in any security incident.

Two chapters are devoted to high-level computer forensics overview. Hard disk basics are explained - FAT, cluster, secure deletion are all given an appropriate space. The book then goes to talk about the "guiding principles" of the investigation. The brief overview of forensic software and hardware is also provided. It only serves to familiarize the reader with the names of common packages and utilities. For example, TCT coroner kit is only given about 15 lines of text.

Honeypots also take an honorable place in the book. Their role in IR is studied in detail and is deemed important. Honeypots are also tied to the PDCERF methodology (namely, to detection, eradication and follow-up phases). The value of honeypots is recognized for studying attackers, shielding of IT resources and even gathering evidence for court prosecution. Some common ways of implementing honeypots (such as via virtual environment) are discussed. The authors even digress to touch upon the ethical implication of honeypots.

Another gem is a stimulating chapter on future direction in IR. The ambitious prediction of intelligent automated incident response and attacker tracking tools is made by the authors. While it is known that automated response to security incidents must be viewed with caution, the potential seems to exist for future automated IR "helpers".

Legal issues overview is a must for any IR book. A brief and to-the-point section on US laws and international cybercrime treaties is available.

Last, but not least, a short response and reporting checklist is compiled by the authors. It is based on the six step IR process and will help investigators to structure their efforts and assist with data collection. Also included is a copy of a Site Security Handbook (RFC2196) with an extensive list of references.

Overall, the book is an extremely useful guide for security managers and those tasked with organizing/maintaining incident response teams. It will not reveal any technology secrets to a skilled computer crime investigator. However, he is likely to enjoy the book anyway!

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org




 
5 of 5 people found the following review helpful:
4.0 out of 5 stars Excellent overview of Incident Response, April 9, 2002
Incident Response: A Strategic Guide to Handling System and Network Security Breaches provides an excellent introduction into the concepts of IR.

The book covers all of the main areas required for effective incident response. There are a lot of real world scenarios written to provide the reader with a feel for what is truly required of IR.

The book is geared towards the high level and does not provide much hands-on information. Those looking for a heavy hands-on tome for IR will be better served by reading "Incident Response" by Kevin Mandia & Chris Prosise.

The only thing I found lacking in the book was an overview of third-party software applications that can be used for a Computer Incident Response Team.

Other than that, Incident Response: A Strategic Guide to Handling System and Network Security Breaches is an excellent read written by two experts in the field.
