Publisher: Sams - 2001-11-18
Paperback | 408 Pages
This book teaches readers what they need to know to not only set up an incident response effort, but also how to improve existing incident response efforts. The book provides a comprehensive approach to incident response, covering everything necessary to deal with all phases of incident response effectively Â¿ spanning from pre-incident conditions and considerations to the end of an incident.
Although technical considerations, (e.g. the particular binaries in Unix and Linux and dynamically linked libraries in Windows NT and Windows 2000) that need to be inspected in case they are corrupted, the types of logging data available in major operating systems and how to interpret it to obtain information about incidents, how network attacks can be detected on the basis of information contained in packets, and so on Â¿ the major focus of this book is on managerial and procedural matters. Incident Response advances the notion that without effective management, incident response cannot succeed.
Incident Response fills a need that's existed in the security book market for some time. The authors--a pair of accomplished incident response experts, not merely researchers--have converted to book form their accumulated wisdom on the question of how to respond to an attack on computer systems. Their expertise is only partly technical; much of what Eugene Schultz and Russell Shumway have written has to do with legal questions and policy decisions. It's a reasonable balance, considering that the state of the art in network intrusion (and defense against it) changes frequently and security administrators are better armed with concepts and strategies than with "click this, type that" instructions. The explicit technical material that does appear here is nicely balanced between Windows and Unix systems, and clearly explains networking details of interest to security people and their managers. The explanation of how a spanning port can make a switch work like a hub for purposes of packet monitoring--nearly entirely prose--is one example of high-quality technical coverage that will remain valuable as operating systems and other network details change over time.
Unlike many books about computers, this one deserves to be read cover to cover. The authors have points to make, and they generally build on their earlier thoughts as they go. Some material in these pages seems somewhat obvious--the advice to dress nicely for a media interview, for example--but it all fits with the authors' goal of showing their readers how to react (in all respects) to security problems when they happen. Read this, be prepared for trouble, and know how to educate others about incident response. --David WallTopics covered: How an organization should react--organizationally, technically, legally, and in terms of public relations--to incidents of unauthorized access (originating both internally and externally) to its computer systems.