Incident Response: A Book Review

by Jose Nazario

Title: Incident Response
Authors: Kenneth R. van Wyk and Richard Forno
Publisher: O'Reilly and Associates
URL: www.oreilly.com
Price: $34.95 US
ISBN: 0-59600-130-4

As 2000 rolled into 2001, system and network security incidents looked to be on the rise for everyone. Broadband was becoming more widespread, more software was becoming network-centric, and users were spending more time on the Net. Incidents were bound to rise in both number and severity.

Coupled with this was the increasing likelihood of legal action against network and system administrators who fell victim to an intrusion that, in turn, was used to attack another network. Preventing an incident was no longer the only thing to worry about. People learned that no matter how solid their defenses looked on Monday, a new hack could render them meaningless on Tuesday. How to respond to such an incident became something everyone had to worry about.

Incidents like Melissa, ILOVEYOU and the high-profile DDoS attacks of February 2000 have done much to raise awareness of security issues. It is this philosophy that has spawned several books on the topic of security incident handling, and in the style we've come to expect from O'Reilly, their offering fares very well.

While it's easy to focus on the technical side of things and enumerate tools and techniques, an incident response strategy really has to work from the bottom to the top. This new book by van Wyk and Forno skillfully outlines considerations and plans for a well-founded security incident handling group within an organization.

O'Reilly has recruited two seasoned incident handlers who have worked for organizations such as the US House of Representatives and CERT/CC. Their depth of experience shows in their insights and is nicely complemented by their dexterity with the material.
The book opens with a discussion of the nature of the threats facing a networked organization and of what an incident is, and then invites us into the world of incident handling. Among the notes offered in this opening chapter are real-life examples, how they were handled and where the handling fell flat. Also included is a business case for an incident response plan, outlining a basic cost-benefit analysis.

They go on to discuss the makeup and types of incident handling teams, along with their relative strengths, weaknesses and target clients. This is important, as the myriad options available may confuse or overwhelm many managers. They also discuss the interface between management, the IT staff and outside organizations.

Next, the authors discuss the planning and setup of a security response team. This discussion is aimed at managers and technical managers, and covers such facets as the team makeup, roles and responsibilities, and resource requirements. Though not highly detailed, the broad brushstrokes serve to illustrate how such a team can be formed within an existing organization.

The next two chapters, on how the team can keep current and on actually handling an incident, are a bit skimpy but bring together the salient points. Good coverage is given of the major players in "ethical hacking" training, their virtues and focus points, and the relative merit of this training. Also covered are the standard resources for keeping current. The chapter on handling an actual situation is filled with good advice, wisdom learned through years of field experience. It helps to bring together the previous chapters and illustrate the actions of the team components.

The last major chapter of the book covers the technical resources and tools used in an investigation. While not exhaustive, it discusses key tools for various operations. The focus is on UNIX systems, but key Windows tools are discussed as well. Several great tools, and their uses, are presented.

Lastly, the book closes with a tremendous resource list, including CERT teams around the world, vendor contacts for security questions and updates, and the various security organizations that provide incident handling training and tools. Furthermore, a sample incident response report is provided, showing the merits of documentation and proper handling, and what a manager should expect to receive from a technical staff.
The major strength of this book, and what will probably give it staying power compared to other offerings on the topic, is its excellent coverage from top to bottom. As technical people, we sometimes forget the requirements of management, feeling that these are facets that simply sort themselves out. The book works very well to educate non-technical management and staff about an incident handling team, its role and its value within an organization.

As noted above, the book is a tad light on a few points. First, the coverage of how to keep current is somewhat sparse. A wealth of groups and conferences now exist to provide training. Some are not worthwhile, while others simply don't meet the needs of some organizations. This can be confusing for management and technical staff alike. A more in-depth discussion of the types of training provided at some of the conferences and seminars would have been welcome. Tips on distilling information from the rather verbose mailing lists that discuss security would have been appreciated as well. Information overload is a common pitfall in the security industry, and so far there has been little serious discussion of how to handle it.

Even a few more pages on system forensics, and the challenges and techniques it requires, would have been a great addition to this book. Data recovery techniques, data sifting (in the face of rather large disks) and the like would have been useful; these are technical areas that would have complemented the material quite well.

Lastly, more coverage of the legal aspects of incident handling would have been advisable. It's not uncommon to begin an investigation without anticipating the involvement of law enforcement, only to find out too late that the damage has already been done. While the authors have expressly distanced themselves from this, both because they lack authority in this field and because of the depth of the material, a discussion of how to integrate the incident handling team with the legal arm of an organization would have been worthwhile.

Despite these minor complaints, the book shines. Almost all of the above topics are covered in some fashion, and pointers to additional material are provided. Their fuller inclusion, however, would have made this book even more complete.

The Good and the Bad

The Good

  • Great coverage from top (management) to bottom (technical staff)

  • Right amount of anecdotal insights

  • Covers proactive and reactive facets

The Bad

  • Thin coverage in some places

  • Omits many key tools

  • Light on legal aspects
