Computer Incident Response and Product Security

As time passes, more and more companies realize the importance of having an in-house incident response team. But how to go about forming one and organizing its functioning? This book offers the answers to those questions and teaches you to ask the right questions when dealing with unique situations. The title is divided in two logical units: incident response and vulnerability management.

Author: Damir Rajnovic
Pages: 256
Publisher: Cisco Press
ISBN: 1587052644

Introduction

As time passes, more and more companies realize the importance of having an in-house incident response team. But how to go about forming one and organizing its functioning? This book offers the answers to those questions and teaches you to ask the right questions when dealing with unique situations. The title is divided in two logical units: incident response and vulnerability management.

About the author

Damir Rajnovic works on the Cisco PSIRT team where he handles customer’s security incidents and security vulnerabilities in all Cisco products. In 1995 he formed CARNet CERT (Croatian Academic and Educational Network Computer Incident Response Team). Before moving to the Cisco PSIRT team, he worked in EuroCERT, which was a project that aimed to coordinate CERTs within the European region.

Inside the book

Judging by the steep increase of breaches suffered by company networks and databases in the last few years, it is beginning to dawn on some people that there is not technology and no product that can in and of itself be the perfect defense choice – especially when it comes to what came to be known as Advanced Persistent Threats.

They need to be always alert to the possibility of a breach and ready to react to it, and that means having a dedicated team of experts that know what they are doing. The it-won’t-happen-to-me attitude is slowly becoming laughable, and if you need more reasons to convince management to establish an incident response team, the first chapter of this book is for you.

If you have already gained their approval, you can start forming the team by answering a series of questions: Who will the team serve and to which attacks will it respond? How will it be funded? How is it positioned within the organization’s hierarchy and what topology will it have?

Finally, you’ll need to develop and institute policies and procedures regarding incident classification and handling, information protection and dissemination, record retention, cooperation with other groups, and many other things.

Next, you need to think about the ideal size for the team and who would be the perfect candidate for it. Working hours should be established, and the rest of the company should be made aware that the team (finally) exists, so that they know who to contact when a security breach happens. Also, the team must contact the other departments in the company and establish a good rapport. In the end, the group must know exactly what it must protect and establish strategies to do it and think of viable scenarios that could come to pass.

How to respond to various attacks and to handle incident coordination when the attacks are coming from different states and continents is described in detail in Chapters 4 and 5, and the sixth offers information about the various organizations and forums of which your team will ideally be part of in the future and which will help you with issues that might arise and you can’t find the answer to.

Chapter 7 marks the beginning of the second part of the book – the one intended to help those vendors that have already realized there is no such thing as a product without security flaws and are determined to manage them adequately.

Major software and hardware companies have instituted mechanisms regarding vulnerability management, and some are even offering bounties as an incentive for researchers to search for and responsibly disclose found vulnerabilities and help them fix them. What is a reasonable timeline for each phase of vulnerability fixing? Find out in this book.

The process of creating and operating a product security team has also its rules, and you can find out all about them in Chapter 8 and 9. How to best handle security vulnerabilities and issue notifications for them is dealt with in the rest of the book.

Final thoughts

Although at first glance it could seem too short to offer real insight, this book will surprise you. The author has wisely chosen to concentrate on incident response and product security, as these two topics are rarely addressed in this manner.

The title is so chock-full with helpful and very specific advice, which makes it a must read for everyone who’s considering establishing a IR or Product Security team and wondering how to do it. I was pleasantly surprised by the direct and very concise way the author explains each topic and course of action, and I suspect everyone who values their time will appreciate it as much as I did.