REVIEW: "Incident Response", Kevin Mandia/Chris Prosise
- BKINCDRS.RVW 20020108
"Incident Response", Kevin Mandia/Chris Prosise, 2001, 0-07-213182-9,
%A Kevin Mandia mandiak@...
%A Chris Prosise authors@...
%C 300 Water Street, Whitby, Ontario L1N 9B6
%I McGraw-Hill Ryerson/Osborne
%O U$39.99 905-430-5000 fax: 905-430-5020
%P 509 p.
%T "Incident Response: Investigating Computer Crime"
Part one is supposed to provide us with the basics of incident
response. Despite the assertion, in the introduction, that such
response deals with much more than computer crime and that incidents
can vary widely, chapter one details a deliberate and malicious
intrusion into a computer system, by an incredibly inept attacker,
using inside information. Chapter two provides a definition of
incident response, but it does lean heavily towards crimes, law
enforcement involvement, and directed attacks. The material also
assumes that an incident response team can be called upon or formed at
short notice. The suggestions for advance preparation, in chapter
three, do cover a broad range, but the writing is not always
organized, and the material has gaps and covers many topics
Part two purports to deal with technical issues. Chapter four deals
with guidelines for investigations, but, again, concentrates only on
directed attacks from outside the organization. The computer forensic
process, in chapter five, is limited to retention and copying of
evidence. There is a rather terse review of Internet Protocol header
information in chapter six. Chapter seven lists some information
related to network monitoring and logging. "Advanced Network
Surveillance" (chapter eight) examines a few of the more convoluted
Part three describes operating system functions associated with system
investigation. Chapters nine to twelve list a number of utility
programs that can be used to obtain system information.
Part four is a grab bag of material dealing with special topics,
chapter thirteen dealing with routers, fourteen the Web, and fifteen
various servers. A number of security and security breaking tools are
enumerated in chapter sixteen.
The emphasis in this book is adversarial: seeing incident response as
primarily a matter of active defence against an active attacker. Most
companies will probably see incident response as a matter related to
technical support: an endless stream of incidents, most of which are
trivial, and a select few of which indicate serious problems. As
such, the book does, occasionally, point out some matters to consider,
and possibly new practices to adopt in order to deal with those
isolated events that are important enough to turn over to law
enforcement agencies. However, overall, the text does not provide
much guidance in preparing for and responding to serious incidents.
copyright Robert M. Slade, 2002 BKINCDRS.RVW 20020108
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade