larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

Computer Incident Response and Product Security

eBook (Watermarked)

  • Your Price: $42.39
  • List Price: $52.99
  • Includes EPUB and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Acrobat® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

  • Description
  • Sample Content
  • Updates
  • Copyright 2011
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 256
  • Edition: 1st
  • eBook (Watermarked)
  • ISBN-10: 0-13-265254-4
  • ISBN-13: 978-0-13-265254-4

Computer Incident Response
and Product Security

The practical guide to building and running incident response and product security teams

Damir Rajnovic

Organizations increasingly recognize the urgent importance of effective, cohesive, and efficient security incident response. The speed and effectiveness with which a company can respond to incidents has a direct impact on how devastating an incident is on the company’s operations and finances. However, few have an experienced, mature incident response (IR) team. Many companies have no IR teams at all; others need help with improving current practices. In this book, leading Cisco incident response expert Damir Rajnovi´c presents start-to-finish guidance for creating and operating effective IR teams and responding to incidents to lessen their impact significantly.

Drawing on his extensive experience identifying and resolving Cisco product security vulnerabilities, the author also covers the entire process of correcting product security vulnerabilities and notifying customers. Throughout, he shows how to build the links across participants and processes that are crucial to an effective and timely response.

This book is an indispensable resource for every professional and leader who must maintain the integrity of network operations and products—from network and security administrators to software engineers, and from product architects to senior security executives.

    -Determine why and how to organize an incident response (IR) team

    -Learn the key strategies for making the case to senior management

    -Locate the IR team in your organizational hierarchy for maximum effectiveness

    -Review best practices for managing attack situations with your IR team

    -Build relationships with other IR teams, organizations, and law enforcement to improve incident response effectiveness

    -Learn how to form, organize, and operate a product security team to deal with product vulnerabilities and assess their severity

    -Recognize the differences between product security vulnerabilities and exploits

    -Understand how to coordinate all the entities involved in product security handling

    -Learn the steps for handling a product security vulnerability based on proven Cisco processes and practices

    -Learn strategies for notifying customers about product vulnerabilities and how to ensure customers are implementing fixes

This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending
networks.

Table of Contents

Introduction xvii

Part I Computer Security Incidents

Chapter 1 Why Care About Incident Response? 1

Instead of an Introduction 1

Reasons to Care About Responding to Incidents 2

    Business Impacts 2

    Legal Reasons 3

    Being Part of a Critical Infrastructure 4

    Direct Costs 5

    Loss of Life 6

How Did We Get Here or “Why Me?” 7

    Corporate Espionage 7

    Unintended Consequences 8

    Government-Sponsored Cyber Attacks 8

    Terrorism and Activism 8

Summary 9

References 9

Chapter 2 Forming an IRT 13

Steps in Establishing an IRT 14

Define Constituency 14

    Overlapping Constituencies 15

    Asserting Your Authority Over the Constituency 16

Ensure Upper-Management Support 17

Secure Funding and Funding Models 18

    IRT as a Cost Center 19

        Cost of an Incident 19

        Selling the Service Internally 25

        Price List 25

        Clear Engagement Rules 26

        Authority Problems 26

        Placement of IRT Within the Organization 28

Central, Distributed, and Virtual Teams 29

    Virtual Versus Real Team 30

    Central Versus Distributed Team 31

Developing Policies and Procedures 32

    Incident Classification and Handling Policy 33

    Information Classification and Protection 35

    Information Dissemination 36

    Record Retention and Destruction 38

    Usage of Encryption 39

        Symmetric Versus Asymmetric Keys and Key Authenticity 40

        Creating Encryption Policy 42

        Digression on Trust 45

    Engaging and Cooperation with Other Teams 46

        What Information Will Be Shared 47

        Nondisclosure Agreement 47

        Competitive Relationship Between Organizations 47

Summary 47

References 48

Chapter 3 Operating an IRT 51

Team Size and Working Hours 51

    Digression on Date and Time 53

New Team Member Profile 53

    Strong Technical Skills 54

    Effective Interpersonal Skills 55

    Does Not Panic Easily 55

    Forms an Incident’s Image 55

Advertising the IRT’s Existence 56

Acknowledging Incoming Messages 56

    Giving Attention to the Report 57

    Incident Tracking Number 57

    Setting the Expectations 57

    Information About the IRT 58

    Looking Professional and Courteous 58

    Sample Acknowledgment 58

Cooperation with Internal Groups 59

    Physical Security 59

    Legal Department 59

    Press Relations 60

    Internal IT Security 61

    Executives 61

    Product Security Team 65

    Internal IT and NOC 65

Be Prepared! 65

    Know Current Attacks and Techniques 66

    Know the System IRT Is Responsible For 67

    Identify Critical Resources 69

    Formulate Response Strategy 69

    Create a List of Scenarios 70

Measure of Success 72

Summary 74

References 74

Chapter 4 Dealing with an Attack 75

Assigning an Incident Owner 76

Law Enforcement Involvement 77

    Legal Issues 78

Assessing the Incident’s Severity 78

Assessing the Scope 81

    Remote Diagnosis and Telephone Conversation 83

    Hint #1: Do Not Panic 83

    Hint #2: Take Notes 84

    Hint #3: Listen 84

    Hint #4: Ask Simple Questions 84

    Hint #5: Rephrase Your Questions 85

    Hint #6: Do Not Use Jargon 85

    Hint #7: Admit Things You Do Not Know 85

    Hint #8: Control the Conversation 86

Solving the Problem 86

    Determining the Reaction 86

    Containing the Problem 88

    Network Segmentation 88

    Resolving the Problem and Restoring the Services 89

    Monitoring for Recurrence 90

Involving Other Incident Response Teams 90

Involving Public Relations 90

Post-Mortem Analysis 91

    Incident Analysis 92

    IRT Analysis 94

Summary 95

References 95

Chapter 5 Incident Coordination 97

Multiple Sites Compromised from Your Site 97

How to Contact Somebody Far Away 98

    Contact a CERT Local at the Remote End 98

    Standard Security Email Addresses 99

    Standard Security Web Page 99

    whois and Domain Name 99

    Who Is Your ISP? 102

    Law Enforcement 102

Working with Different Teams 102

Keeping Track of Incident Information 103

Product Vulnerabilities 104

    Commercial Vendors 104

    Open Source Teams 105

    Coordination Centers 105

Exchanging Incident Information 106

Summary 107

References 107

Chapter 6 Getting to Know Your Peers: Teams and Organizations Around the World 109

FIRST 110

APCERT 111

TF-CSIRT 111

BARF 112

InfraGard 112

ISAC 113

NSP-Security Forum 113

Other Forums and Organizations of Importance 114

Summary 114

References 115

Part II Product Security

Chapter 7 Product Security Vulnerabilities 117

Definition of Security Vulnerability 118

Severe and Minor Vulnerabilities 120

    Chaining Vulnerabilities 122

Fixing Theoretical Vulnerabilities, or Do We Need an Exploit? 124

Internally Versus Externally Found Vulnerabilities 125

Are Vendors Slow to Produce Remedies? 126

    Process of Vulnerability Fixing 127

    Vulnerability Fixing Timeline 128

Reasons For and Against Applying a Remedy 130

Question of Appliances 133

Summary 135

References 135

Chapter 8 Creating a Product Security Team 137

Why Must a Vendor Have a Product Security Team? 137

Placement of a PST 138

    PST in the Engineering and Development Department 138

    PST in the Test and Quality Assurance Group 139

    PST in the Technical Support Department 140

Product Security Team Roles and the Team Size 140

    PST Interaction with Internal Groups 141

        PST Interaction with Engineering and Development 141

        PST Interaction with Test Group 141

        PST Interaction with Technical Support 142

        PST Interaction with Sales 142

        PST Interaction with Executives 143

    Roles the PST Can Play and PST Involvement 143

    PST Team Size 144

Virtual Team or Not? 144

Summary 145

References 145

Chapter 9 Operating a Product Security Team 147

Working Hours 147

Supporting Technical Facilities 147

    Vulnerability Tracking System 148

        Interfacing with Internal Databases 149

    Laboratory Resources 150

        Geographic Location of the Laboratory 151

        Shared Laboratory Resources 151

        Virtual Hardware 152

Third-Party Components 152

    Product Component Tracking 152

    Tracking Internally Developed Code 155

    Relationship with Suppliers 155

Summary 156

References 156

Chapter 10 Actors in Vulnerability Handling 159

Researchers 159

Vendors 160

    Who Is a Vendor? 160

    Vendor Communities 162

        Vendor Special Interest Group (SIG) 162

        ICASI 162

        IT-ISAC 163

        VSIE 163

        Vendor Point of Contact—Japan 164

        SAFECode 164

        vendor-sec 164

Coordinators 164

    Vendors’ Incentive to Be Coordinated 165

    Coordinators’ Business Model 165

    Commercial Coordinators 166

    Government and Government Affiliated 166

    Open-Source Coordinators 167

    Other Coordinators 167

Users 167

    Home Users 167

    Business Users 168

    Equipment Usage 168

Interaction Among Actors 169

Summary 171

References 171

Chapter 11 Security Vulnerability Handling by Vendors 173

Known Unknowns 173

Steps in Handling Vulnerability 174

Discovery of the Vulnerability 174

Initial Triage 175

Reproduction 176

Detailed Evaluation 177

Remedy Production 177

    Remedy Availability 179

Remedy Distribution and Notification 180

Monitoring the Situation 181

Summary 181

References 181

Chapter 12 Security Vulnerability Notification 183

Types of Notification 183

When to Disclose Vulnerability 184

Amount of Information in the Notice 186

Disclosing Internally Found Vulnerabilities 187

Public Versus Selected Recipients 188

Vulnerability Predisclosure 190

Scheduled Versus Ad Hoc Notification Publication 193

Vulnerability Grouping 194

Notification Format 197

    Notification Medium 197

    Electronic Document Type 198

    Electronic Document Structure 198

    Usage of Language in Notifications 199

Push or Pull 200

Internal Notification Review 202

Notification Maintenance 203

Access to the Notifications 204

Summary 205

References 205

Chapter 13 Vulnerability Coordination 209

Why Cooperate and How to Deal with Competitors 209

Who Should Be a Coordinator? 211

How to Coordinate Vendors on a Global Scale 212

    Vendors Never Sleep 212

    Be Sensitive to Multicultural Environments 213

    Use Good Communication Skills 213

    No Surprises 214

Summary 214

References 214

9781587052644    TOC    11/9/2010

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020