REVIEW: "Incident Response", E. Eugene Schultz/Russell Shumway
- BKIRSGHS.RVW 20060906
"Incident Response", E. Eugene Schultz/Russell Shumway, 2002,
%A E. Eugene Schultz
%A Russell Shumway
%C 201 W. 103rd Street, Indianapolis, IN 46290
%I Macmillan Computer Publishing (MCP)/New Riders
%O U$39.99/C$59.95/UK#30.99 800-858-7674 317-581-3743 info@...
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 384 p.
%T "Incident Response: A Strategic Guide to Handling System and
Network Security Breaches"
Beyond saying that security breaches occur, and that we need to
respond to them, the introduction doesn't tell us much about either
the topic or the book.
Chapter one contains a good deal of material with which security
professionals will agree, but it does not provide helpful guidance.
The attempt to define "incidents" is not wrong in any particular, but
is tautological and of limited utility. "Risk Analysis," in chapter
two, briefly repeats the usual procedures, but expends most of its
text in details of specific (mostly network) system attacks. A
suggested methodology for incident response is provided in chapter
three, along with a justification for the use of a formal process.
(Many may find it ironic that much of the rationale for formal methods
has to do with expecting the unexpected.) The process is given by the
acronym PDCERF, which stands for preparation, detection, containment,
eradication, recovery, and follow-up, but the text, rather
unsettlingly, presents a number of variations on the acronym
throughout the chapter. Chapter four deals with forming and managing
an incident response team, and the content is mostly concerned with
communications, corporate culture, and management. This material is
extended in chapter five, which covers other factors involved with
organizing for incident response.
Chapter six turns to a slightly more technical topic, regarding the
tracing of network attacks. This is an overview, with only limited
technical content, but even so a few items are suspect (such as the
implication that MAC [Media Access Control] addresses are permanent
and fixed). Legal issues related to incident response are reviewed in
chapter seven. Chapters eight and nine provide an overview of
computer forensics, as well as good advice on the handling and
management of evidence, but at a conceptual, rather than technical,
level. Insider attacks are difficult to detect and protect
against, and chapter ten tacitly admits this by spending a lot of time
just telling stories. Chapter eleven (written by an outside author)
examines criminal profiling and other incident response factors
related to social sciences. Honeypots and other types of deception
aimed at the attacker are the subject of chapter twelve. Chapter
thirteen finishes off with a look at emerging tools and directions.
While still flawed, this work is probably more practical than Mandia
and Prosise's law-enforcement-oriented volume (cf. BKINCDRS.RVW), van
Wyk and Forno's somewhat less detailed work (cf. BKINCRES.RVW), or
Schweitzer's basic and wordy tome (cf. BKINCRSP.RVW) (all, of course,
are entitled "Incident Response").
copyright Robert M. Slade, 2006 BKIRSGHS.RVW 20060906