Computer Incident Response and Product Security


By Damir Rajnovic



Computer Incident Response and Product Security: The practical guide to building and running incident response and product security teams

Damir Rajnovic

Organizations increasingly recognize the urgent importance of effective, cohesive, and efficient security incident response. The speed and effectiveness with which a company can respond to incidents has a direct impact on how devastating an incident is on the company's operations and finances. However, few have an experienced, mature incident response (IR) team. Many companies have no IR teams at all; others need help with improving current practices.

In this book, leading Cisco incident response expert Damir Rajnović presents start-to-finish guidance for creating and operating effective IR teams and responding to incidents to lessen their impact significantly. Drawing on his extensive experience identifying and resolving Cisco product security vulnerabilities, the author also covers the entire process of correcting product security vulnerabilities and notifying customers. Throughout, he shows how to build the links across participants and processes that are crucial to an effective and timely response.

This book is an indispensable resource for every professional and leader who must maintain the integrity of network operations and products, from network and security administrators to software engineers, and from product architects to senior security executives.

  • Determine why and how to organize an incident response (IR) team
  • Learn the key strategies for making the case to senior management
  • Locate the IR team in your organizational hierarchy for maximum effectiveness
  • Review best practices for managing attack situations with your IR team
  • Build relationships with other IR teams, organizations, and law enforcement to improve incident response effectiveness
  • Learn how to form, organize, and operate a product security team to deal with product vulnerabilities and assess their severity
  • Recognize the differences between product security vulnerabilities and exploits
  • Understand how to coordinate all the entities involved in product security handling
  • Learn the steps for handling a product security vulnerability based on proven Cisco processes and practices
  • Learn strategies for notifying customers about product vulnerabilities and how to ensure customers are implementing fixes

This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending

Product details

  • Format: Paperback | 256 pages
  • Dimensions: 185.42 x 200.66 x 15.24mm | 430.91g
  • Publisher: Pearson Education (US)
  • Imprint: Cisco Press
  • Publication City/Country: Indianapolis, United States
  • Language: English
  • ISBN-10: 1587052644
  • ISBN-13: 9781587052644

About Damir Rajnovic

Damir Rajnovic finished his education in Croatia where, in 1993, he started his career in computer security. He started at the Croatian News Agency Hina, then moved on to the Ministry of Foreign Affairs, and finally to the Ministry of Science and Technology. During that time, Damir became involved with the Forum of Incident Response Teams (FIRST) and established the Croatian Academic and Research Network Computer Incident Response Team (CARNet CERT), which, until recently, was not only handling computer incidents for CARNet but was also acting as the Croatian national CERT. Damir then moved to the United Kingdom to work in EuroCERT, a project that aimed to coordinate CERTs within the European region. After EuroCERT, Damir moved to the Cisco Product Security Incident Response Team (Cisco PSIRT), where he is still working. Cisco PSIRT is the focal point for managing security vulnerabilities in all Cisco products. Damir remains active in FIRST, where he created the Vendor SIG, and currently serves as liaison officer to the International Organization for Standardization (ISO) and the International Telecommunication Union (ITU). Damir was an invited lecturer for the MSc Information Technology Security course at Westminster University, London. He was one of the core people who dreamed up and formed the Industry Consortium for the Advancement of Security on the Internet (ICASI). His non-security-related work includes working as a sound engineer on Radio 101 while living in Zagreb, Croatia. Damir lives with his family in Didcot.

Back cover copy

  • Learn how to build a Security Incident Response Team with guidance from a leading SIRT from Cisco
  • Gain insight into the best practices of one of the foremost incident response teams
  • Master your plan for building a SIRT (Security Incident Response Team) with detailed guidelines and expert advice for incident handling and response
  • Review legal issues from a variety of national perspectives, and consider practical aspects of coordination with other organizations

"Network Security Incident Response" provides practical guidelines for building a SIRT as well as offering advice on responding to actual incidents. For many companies, incident response is new territory. Some companies do not have an incident response team at all. Some would like to have one but need guidance to start, and others would like to improve existing practices. Today, there are only a handful of organizations that do have mature and experienced teams. For that reason this book is structured to provide help in both creating and running an effective Security Incident Response Team. Organizations that are evaluating whether to invest in a SIRT, or that are just getting started building one, will find the information in this book invaluable in helping them understand the nature of the threats, justify resources, and build effective IR (Incident Response) teams. Established IR teams will also benefit from the best practices highlighted in building IR teams as well as information on the current state of incident response handling, incident coordination, and legal issues. Written by a leading SIRT (Security Incident Response Team) from Cisco, the expertise and guidance provided in this book will serve as the blueprint for successful incident response planning for most any

Table of contents

Introduction xvii

Part I Computer Security Incidents

Chapter 1 Why Care About Incident Response? 1
  Instead of an Introduction 1
  Reasons to Care About Responding to Incidents 2
    Business Impacts 2
    Legal Reasons 3
    Being Part of a Critical Infrastructure 4
    Direct Costs 5
    Loss of Life 6
  How Did We Get Here or "Why Me?" 7
    Corporate Espionage 7
    Unintended Consequences 8
    Government-Sponsored Cyber Attacks 8
    Terrorism and Activism 8
  Summary 9
  References 9

Chapter 2 Forming an IRT 13
  Steps in Establishing an IRT 14
  Define Constituency 14
    Overlapping Constituencies 15
    Asserting Your Authority Over the Constituency 16
  Ensure Upper-Management Support 17
  Secure Funding and Funding Models 18
    IRT as a Cost Center 19
    Cost of an Incident 19
    Selling the Service Internally 25
    Price List 25
    Clear Engagement Rules 26
    Authority Problems 26
    Placement of IRT Within the Organization 28
  Central, Distributed, and Virtual Teams 29
    Virtual Versus Real Team 30
    Central Versus Distributed Team 31
  Developing Policies and Procedures 32
    Incident Classification and Handling Policy 33
    Information Classification and Protection 35
    Information Dissemination 36
    Record Retention and Destruction 38
    Usage of Encryption 39
    Symmetric Versus Asymmetric Keys and Key Authenticity 40
    Creating Encryption Policy 42
    Digression on Trust 45
    Engaging and Cooperation with Other Teams 46
    What Information Will Be Shared 47
    Nondisclosure Agreement 47
    Competitive Relationship Between Organizations 47
  Summary 47
  References 48

Chapter 3 Operating an IRT 51
  Team Size and Working Hours 51
    Digression on Date and Time 53
  New Team Member Profile 53
    Strong Technical Skills 54
    Effective Interpersonal Skills 55
    Does Not Panic Easily 55
    Forms an Incident's Image 55
  Advertising the IRT's Existence 56
  Acknowledging Incoming Messages 56
    Giving Attention to the Report 57
    Incident Tracking Number 57
    Setting the Expectations 57
    Information About the IRT 58
    Looking Professional and Courteous 58
    Sample Acknowledgment 58
  Cooperation with Internal Groups 59
    Physical Security 59
    Legal Department 59
    Press Relations 60
    Internal IT Security 61
    Executives 61
    Product Security Team 65
    Internal IT and NOC 65
  Be Prepared! 65
    Know Current Attacks and Techniques 66
    Know the System IRT Is Responsible For 67
    Identify Critical Resources 69
    Formulate Response Strategy 69
    Create a List of Scenarios 70
  Measure of Success 72
  Summary 74
  References 74

Chapter 4 Dealing with an Attack 75
  Assigning an Incident Owner 76
  Law Enforcement Involvement 77
    Legal Issues 78
  Assessing the Incident's Severity 78
  Assessing the Scope 81
    Remote Diagnosis and Telephone Conversation 83
    Hint #1: Do Not Panic 83
    Hint #2: Take Notes 84
    Hint #3: Listen 84
    Hint #4: Ask Simple Questions 84
    Hint #5: Rephrase Your Questions 85
    Hint #6: Do Not Use Jargon 85
    Hint #7: Admit Things You Do Not Know 85
    Hint #8: Control the Conversation 86
  Solving the Problem 86
    Determining the Reaction 86
    Containing the Problem 88
    Network Segmentation 88
    Resolving the Problem and Restoring the Services 89
    Monitoring for Recurrence 90
  Involving Other Incident Response Teams 90
  Involving Public Relations 90
  Post-Mortem Analysis 91
    Incident Analysis 92
    IRT Analysis 94
  Summary 95
  References 95

Chapter 5 Incident Coordination 97
  Multiple Sites Compromised from Your Site 97
  How to Contact Somebody Far Away 98
    Contact a CERT Local at the Remote End 98
    Standard Security Email Addresses 99
    Standard Security Web Page 99
    whois and Domain Name 99
    Who Is Your ISP? 102
    Law Enforcement 102
  Working with Different Teams 102
  Keeping Track of Incident Information 103
  Product Vulnerabilities 104
    Commercial Vendors 104
    Open Source Teams 105
    Coordination Centers 105
  Exchanging Incident Information 106
  Summary 107
  References 107

Chapter 6 Getting to Know Your Peers: Teams and Organizations Around the World 109
  FIRST 110
  APCERT 111
  TF-CSIRT 111
  BARF 112
  InfraGard 112
  ISAC 113
  NSP-Security Forum 113
  Other Forums and Organizations of Importance 114
  Summary 114
  References 115

Part II Product Security

Chapter 7 Product Security Vulnerabilities 117
  Definition of Security Vulnerability 118
  Severe and Minor Vulnerabilities 120
    Chaining Vulnerabilities 122
  Fixing Theoretical Vulnerabilities, or Do We Need an Exploit? 124
  Internally Versus Externally Found Vulnerabilities 125
  Are Vendors Slow to Produce Remedies? 126
    Process of Vulnerability Fixing 127
    Vulnerability Fixing Timeline 128
  Reasons For and Against Applying a Remedy 130
  Question of Appliances 133
  Summary 135
  References 135

Chapter 8 Creating a Product Security Team 137
  Why Must a Vendor Have a Product Security Team? 137
  Placement of a PST 138
    PST in the Engineering and Development Department 138
    PST in the Test and Quality Assurance Group 139
    PST in the Technical Support Department 140
  Product Security Team Roles and the Team Size 140
    PST Interaction with Internal Groups 141
    PST Interaction with Engineering and Development 141
    PST Interaction with Test Group 141
    PST Interaction with Technical Support 142
    PST Interaction with Sales 142
    PST Interaction with Executives 143
    Roles the PST Can Play and PST Involvement 143
    PST Team Size 144
  Virtual Team or Not? 144
  Summary 145
  References 145

Chapter 9 Operating a Product Security Team 147
  Working Hours 147
  Supporting Technical Facilities 147
    Vulnerability Tracking System 148
    Interfacing with Internal Databases 149
    Laboratory Resources 150
    Geographic Location of the Laboratory 151
    Shared Laboratory Resources 151
    Virtual Hardware 152
  Third-Party Components 152
    Product Component Tracking 152
    Tracking Internally Developed Code 155
    Relationship with Suppliers 155
  Summary 156
  References 156

Chapter 10 Actors in Vulnerability Handling 159
  Researchers 159
  Vendors 160
    Who Is a Vendor? 160
    Vendor Communities 162
    Vendor Special Interest Group (SIG) 162
    ICASI 162
    IT-ISAC 163
    VSIE 163
    Vendor Point of Contact-Japan 164
    SAFECode 164
    vendor-sec 164
  Coordinators 164
    Vendors' Incentive to Be Coordinated 165
    Coordinators' Business Model 165
    Commercial Coordinators 166
    Government and Government Affiliated 166
    Open-Source Coordinators 167
    Other Coordinators 167
  Users 167
    Home Users 167
    Business Users 168
    Equipment Usage 168
  Interaction Among Actors 169
  Summary 171
  References 171

Chapter 11 Security Vulnerability Handling by Vendors 173
  Known Unknowns 173
  Steps in Handling Vulnerability 174
  Discovery of the Vulnerability 174
  Initial Triage 175
  Reproduction 176
  Detailed Evaluation 177
  Remedy Production 177
    Remedy Availability 179
  Remedy Distribution and Notification 180
  Monitoring the Situation 181
  Summary 181
  References 181

Chapter 12 Security Vulnerability Notification 183
  Types of Notification 183
  When to Disclose Vulnerability 184
  Amount of Information in the Notice 186
  Disclosing Internally Found Vulnerabilities 187
  Public Versus Selected Recipients 188
  Vulnerability Predisclosure 190
  Scheduled Versus Ad Hoc Notification Publication 193
  Vulnerability Grouping 194
  Notification Format 197
    Notification Medium 197
    Electronic Document Type 198
    Electronic Document Structure 198
    Usage of Language in Notifications 199
  Push or Pull 200
  Internal Notification Review 202
  Notification Maintenance 203
  Access to the Notifications 204
  Summary 205
  References 205

Chapter 13 Vulnerability Coordination 209
  Why Cooperate and How to Deal with Competitors 209
  Who Should Be a Coordinator? 211
  How to Coordinate Vendors on a Global Scale 212
    Vendors Never Sleep 212
    Be Sensitive to Multicultural Environments 213
    Use Good Communication Skills 213
    No Surprises 214
  Summary 214
  References 214