Incident Response
Book Review

by Dale Farris, President, Golden Triangle PC Club
October 2001

This new O'Reilly book, "Incident Response," presents an excellent summary of technical information together with guidelines for administrative planning, so that organizations can map out their responses to computer incidents. The authors selected for this important work show how the incident response process needs to be planned, efficient, and as business-like as any other IT operation in a mature organization.

Computer crises do happen, and being able to respond to them effectively makes good business sense. In this timely book, you will find a complete guide for organizations of all sizes and types that are addressing their computer security issues.

Before incident response was a recognized discipline, computer network administrators simply responded to intrusions and security problems as they arose. In November 1988, after the Morris Worm, several computer network administrators founded the Computer Emergency Response Team/Coordination Center (CERT/CC) in Pittsburgh, PA. This team spent countless hours analyzing log files and file systems, looking for clues to explain what had happened to the affected systems and to identify other systems on the Internet that had been broken into.

In 1988, computer security was not at the top of most system administrators' lists of things to worry about. Information on security was hard to find, the resources of the Internet were not yet developed, and there was very little in print to help administrators deal with security issues. What a difference now!

Today, preparing to handle a computer security incident has become a top priority for almost all system administrators, a sign of the times and of the need to be more diligent about protecting computer security than ever before. There are now several computer incident response teams around the country, mainly in larger corporate information systems organizations, and there are now several sources of information and tools for this important work. These tools help keep systems secure, and many of them are also featured in this very important new book from O'Reilly.

As businesses increase their online presence and their dependency on information systems assets, the number of computer incidents also rises. These organizations are finally improving their security postures. This is accomplished in three stages. First, organizations must develop and implement security plans and controls in a proactive effort. Second, they must work to ensure their plans and controls are effective by continually reviewing and adapting them, so that appropriate security is always in place. And finally, when controls are bypassed, either intentionally or unintentionally, organizations must be prepared to act quickly and effectively to minimize the impact of these situations.

The goal is to prevent an operational security problem from becoming a business problem that impacts revenue. With this book, you can learn guidelines to help plan a response to incidents and minimize any negative impact to a business.

Waiting until an incident occurs is of course too late to begin planning how to address the situation. Incident response planning requires both administrative and technical roles, and each needs to be familiar with the other's role, responsibilities, and capabilities. This book is thus written for administrators and managers as well as technical people, all of whom need to plan for and understand the response to computer incidents.

Content Features

What incident response is, and the problems of distinguishing real risk from perceived risk

The different types of incident response teams, and advantages and disadvantages of each

Considerations in planning and establishing an incident response team

State of the Hack information about different types of attacks

Recommendations and details about available tools for incident response teams

Detailed information about all sorts of resources available to incident response teams

Table of Contents

The book's eight thorough chapters are the following.
  1. What is Incident Response?
  2. Incident Response Teams
  3. Planning the Incident Response Program
  4. Mission and Capabilities
  5. State of the Hack
  6. Incident Response Operations
  7. Tools of the Trade
  8. Resources

The two appendices are Appendix A, "FIRST," which gives information on the Forum of Incident Response and Security Teams (FIRST), the all-volunteer community organization comprised of incident response teams from virtually every sector and from around the world, and Appendix B, "Sample Incident Report," which describes a real-world situation in which a technically savvy manager arbitrarily shut down a firewall protecting a critical server cluster supporting a major e-commerce company.

About the Authors

Kenneth R. van Wyk is an internationally known incident response and antivirus expert, and an active member of the incident response community as well as the general computer security community. Over his career, he has worked on and managed numerous incident response teams. In 1989, he was the first full-time staff member of Carnegie Mellon University's famous CERT/CC. In 1993, he left CMU to be the Operations Chief of the U.S. Department of Defense's ASSIST incident response team at SAIC, and in 1998 he co-founded Para-Protect, Inc., a company that specializes in incident response and other operational security services. Ken is currently the Chief Technology Officer for Para-Protect.

He served on and chaired the Steering Committee of the Forum of Incident Response and Security Teams (FIRST), an international organization of incident response teams. He also created and moderated VIRUS-L, the world-renowned Internet discussion group on computer viruses.

An engineering graduate of Lehigh University, Ken has done graduate work at both Lehigh and Carnegie Mellon. He is a frequent speaker at technical conferences, and has presented papers and speeches for SANS, USENIX, FIRST, and others. You can contact Ken at ken@incidentresponse.com.

Richard Forno's broad security experience includes helping establish the first incident response team for the U.S. House of Representatives, providing senior-level analysis on information operations for the national security community, and serving as Chief Security Officer for Network Solutions (the InterNIC) from 1998 to 2001. Most recently, he co-founded WHONAMI, the first independent natural-language, international whois service. He is currently consulting, writing, and teaching in Washington, D.C.

Richard holds degrees from Valley Forge Military College and The American University School of International Service, and is the youngest recorded graduate of the United States Naval War College. In addition to regular media commentary and conference presentations, he is the coauthor of "The Art of Information Warfare" (1999) and of numerous articles and white papers on security topics at INFOWARRIOR.ORG. Contact Richard at rick@incidentresponse.com.

Target Readers

This book is written primarily for administrators and managers of complex computer information systems, as well as for technical people, all of whom need to plan for and understand the response to computer incidents. Given the strong need for a total team effort when responding to real incidents, this book should be serious reading for anyone responsible for setting up, maintaining, and securing a computer network.

O'Reilly Hits Another Homer

The O'Reilly publishing firm, famous for its common-sense approach to explaining very technical material, its depth of detail, and its focus on the practical, has released an invaluable tool for anyone currently administering a computer network. As is usually the case with O'Reilly works, very busy systems administrators will find the attention to detail and the superbly organized material very helpful as they integrate the valuable information in this book into their daily work.

Book Contents

240 pages; foreword; preface; acknowledgments; figures; screen shots; index; cover colophon

Authors

Kenneth R. van Wyk & Richard Forno

ISBN

July 2001 - First Edition
0-596-00130-4

List Price

$34.95

Publisher

Contact: Lisa Mann
lisam@oreilly.com
1-707-829-0515, ext 230
O'Reilly & Associates, Inc.
101 Morris Street
Sebastopol, California 95472
1-800-998-9938
1-707-829-0515
FAX 1-707-829-0104
www.oreilly.com