Computer Incident Response and Product Security

Learn how to build a Security Incident Response team with guidance from a leading SIRT from Cisco

• Gain insight into the best practices of one of the foremost incident response teams
• Master your plan for building a SIRT (Security Incidence Response Team) with detailed guidelines and expert advice for incident handling and response

• Review legal issues from a variety of national perspectives, and consider practical aspects of coordination with other organizations
  Network Security Incident Response provides practical guidelines for building an SIRT team as well offering advice on responding to actual incidents. For many companies, incident response is new territory. Some companies do not have an incidence response team at all. Some would like to have one but need guidance to start and others would like to improve existing practices. Today, there are only a handful of organizations that do have mature and experienced teams. For that reason this book is structured to provide help in both creating and running an effective Security Incident Response Team. Organizations who are evaluating whether to invest in a SIRT or who are just getting started building one will find the information in this book to be invaluable in helping them understand the nature of the threats, justifying resources, and building effective IR (Incidence Response) teams. Established IR teams will also benefit from the best practices highlighted in building IR teams as well as information on the current state of incident response handling, incident coordination, and legal issues. Written by a leading SIRT (Security Incident Response Team) from Cisco, the expertise and guidance provided in this book will serve as the blueprint for successful incidence response planning for most any organization.

Autorentext

Damir Rajnovic finished his education in Croatia where, in 1993, he started his career in computer security. He started at the Croatian News Agency Hina, then moved on to the Ministry of Foreign Affairs, and finally to the Ministry of Science and Technology. During that time, Damir became involved with the Forum of Incident Response Teams (FIRST) and established the Croatian Academic and Research Network Computer Incident Response Team (CARNet CERT), which, until recently, was not only handling computer incidents for CARNet but was also acting as the Croatian national CERT. Damir then moved to the United Kingdom to work in EuroCERT which was a project that aimed to coordinate CERTs within the European region. After EuroCERT, Damir moved to the Cisco Product Security Incident Response Team (Cisco PSIRT), where he is still working. Cisco PSIRT is the focal point for managing security vulnerabilities in all Cisco products.

Damir remains active in FIRST, where he created Vendor SIG, and currently serves as liaison officer to the International Organization for Standardization (ISO) and International Telecommunication Union (ITU). Damir was an invited lecturer for the MSc Information Technology Security course at Westminster University, London. He was one of the core people who dreamed up and formed the Industry Consortium for the Advancement of Security on the Internet (ICASI).

His nonsecurity-related work includes working as a sound engineer on Radio 101 (http://www.radio101.hr) while living in Zagreb, Croatia. Damir lives with his family in Didcot, UK.

Klappentext

Computer Incident Response and Product Security

The practical guide to building and running incident response and product security teams

Damir Rajnovic

Organizations increasingly recognize the urgent importance of effective, cohesive, and efficient security incident response. The speed and effectiveness with which a company can respond to incidents has a direct impact on how devastating an incident is on the company's operations and finances. However, few have an experienced, mature incident response (IR) team. Many companies have no IR teams at all; others need help with improving current practices. In this book, leading Cisco incident response expert Damir Rajnovi c presents start-to-finish guidance for creating and operating effective IR teams and responding to incidents to lessen their impact significantly.

Drawing on his extensive experience identifying and resolving Cisco product security vulnerabilities, the author also covers the entire process of correcting product security vulnerabilities and notifying customers. Throughout, he shows how to build the links across participants and processes that are crucial to an effective and timely response.

This book is an indispensable resource for every professional and leader who must maintain the integrity of network operations and products-from network and security administrators to software engineers, and from product architects to senior security executives.

-Determine why and how to organize an incident response (IR) team

-Learn the key strategies for making the case to senior management

-Locate the IR team in your organizational hierarchy for maximum effectiveness

-Review best practices for managing attack situations with your IR team

-Build relationships with other IR teams, organizations, and law enforcement to improve incident response effectiveness

-Learn how to form, organize, and operate a product security team to deal with product vulnerabilities and assess their severity

-Recognize the differences between product security vulnerabilities and exploits

-Understand how to coordinate all the entities involved in product security handling

-Learn the steps for handling a product security vulnerability based on proven Cisco processes and practices

-Learn strategies for notifying customers about product vulnerabilities and how to ensure customers are implementing fixes

This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending networks.

Inhalt

Introduction xvii

Part I Computer Security Incidents

Chapter 1 Why Care About Incident Response? 1

Instead of an Introduction 1

Reasons to Care About Responding to Incidents 2

Business Impacts 2

Legal Reasons 3

Being Part of a Critical Infrastructure 4

Direct Costs 5

Loss of Life 6

How Did We Get Here or "Why Me?" 7

Corporate Espionage 7

Unintended Consequences 8

Government-Sponsored Cyber Attacks 8

Terrorism and Activism 8

Summary 9

References 9

Chapter 2 Forming an IRT 13

Steps in Establishing an IRT 14

Define Constituency 14

Overlapping Constituencies 15

Asserting Your Authority Over the Constituency 16

Ensure Upper-Management Support 17

Secure Funding and Funding Models 18

IRT as a Cost Center 19

Cost of an Incident 19

Selling the Service Internally 25

Price List 25

Clear Engagement Rules 26

Authority Problems 26

Placement of IRT Within the Organization 28

Central, Distributed, and Virtual Teams 29

Virtual Versus Real Team 30

Central Versus Distributed Team 31

Developing Policies and Procedures 32

Incident Classification and Handling Policy 33

Information Classification and Protection 35

Information Dissemination 36

Record Retention and Destruction 38

Usage of Encryption 39

Symmetric Versus Asymmetric Keys and Key Authenticity 40

Creating Encryption Policy 42

Digression on Trust 45

Engaging and Cooperation with Other Teams 46

What Information Will Be Shared 47

Nondisclosure Agreement 47

Competitive Relationship Between Organizations 47

Summary 47

References 48

Chapter 3 Operating an IRT 51

Team Size and Working Hours 51

Digression on Date and Time 53

New Team Member Profile 53

Strong Technical S…