Computer Incident Response
and Product Security
The practical guide to building and running incident response and product security teams
Damir Rajnovic
Organizations increasingly recognize the urgent importance of effective, cohesive, and efficient security incident response. The speed and effectiveness with which a company can respond to incidents has a direct impact on how devastating an incident is on the company’s operations and finances. However, few have an experienced, mature incident response (IR) team. Many companies have no IR teams at all; others need help with improving current practices. In this book, leading Cisco incident response expert Damir Rajnović presents start-to-finish guidance for creating and operating effective IR teams and responding to incidents to lessen their impact significantly.
Drawing on his extensive experience identifying and resolving Cisco product security vulnerabilities, the author also covers the entire process of correcting product security vulnerabilities and notifying customers. Throughout, he shows how to build the links across participants and processes that are crucial to an effective and timely response.
This book is an indispensable resource for every professional and leader who must maintain the integrity of network operations and products—from network and security administrators to software engineers, and from product architects to senior security executives.
- Determine why and how to organize an incident response (IR) team
- Learn the key strategies for making the case to senior management
- Locate the IR team in your organizational hierarchy for maximum effectiveness
- Review best practices for managing attack situations with your IR team
- Build relationships with other IR teams, organizations, and law enforcement to improve incident response effectiveness
- Learn how to form, organize, and operate a product security team to deal with product vulnerabilities and assess their severity
- Recognize the differences between product security vulnerabilities and exploits
- Understand how to coordinate all the entities involved in product security handling
- Learn the steps for handling a product security vulnerability based on proven Cisco processes and practices
- Learn strategies for notifying customers about product vulnerabilities and how to ensure customers are implementing fixes
This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending networks.
Introduction xvii
Part I Computer Security Incidents
Chapter 1 Why Care About Incident Response? 1
Instead of an Introduction 1
Reasons to Care About Responding to Incidents 2
Business Impacts 2
Legal Reasons 3
Being Part of a Critical Infrastructure 4
Direct Costs 5
Loss of Life 6
How Did We Get Here or “Why Me?” 7
Corporate Espionage 7
Unintended Consequences 8
Government-Sponsored Cyber Attacks 8
Terrorism and Activism 8
Summary 9
References 9
Chapter 2 Forming an IRT 13
Steps in Establishing an IRT 14
Define Constituency 14
Overlapping Constituencies 15
Asserting Your Authority Over the Constituency 16
Ensure Upper-Management Support 17
Secure Funding and Funding Models 18
IRT as a Cost Center 19
Cost of an Incident 19
Selling the Service Internally 25
Price List 25
Clear Engagement Rules 26
Authority Problems 26
Placement of IRT Within the Organization 28
Central, Distributed, and Virtual Teams 29
Virtual Versus Real Team 30
Central Versus Distributed Team 31
Developing Policies and Procedures 32
Incident Classification and Handling Policy 33
Information Classification and Protection 35
Information Dissemination 36
Record Retention and Destruction 38
Usage of Encryption 39
Symmetric Versus Asymmetric Keys and Key Authenticity 40
Creating Encryption Policy 42
Digression on Trust 45
Engaging and Cooperation with Other Teams 46
What Information Will Be Shared 47
Nondisclosure Agreement 47
Competitive Relationship Between Organizations 47
Summary 47
References 48
Chapter 3 Operating an IRT 51
Team Size and Working Hours 51
Digression on Date and Time 53
New Team Member Profile 53
Strong Technical Skills 54
Effective Interpersonal Skills 55
Does Not Panic Easily 55
Forms an Incident’s Image 55
Advertising the IRT’s Existence 56
Acknowledging Incoming Messages 56
Giving Attention to the Report 57
Incident Tracking Number 57
Setting the Expectations 57
Information About the IRT 58
Looking Professional and Courteous 58
Sample Acknowledgment 58
Cooperation with Internal Groups 59
Physical Security 59
Legal Department 59
Press Relations 60
Internal IT Security 61
Executives 61
Product Security Team 65
Internal IT and NOC 65
Be Prepared! 65
Know Current Attacks and Techniques 66
Know the System IRT Is Responsible For 67
Identify Critical Resources 69
Formulate Response Strategy 69
Create a List of Scenarios 70
Measure of Success 72
Summary 74
References 74
Chapter 4 Dealing with an Attack 75
Assigning an Incident Owner 76
Law Enforcement Involvement 77
Legal Issues 78
Assessing the Incident’s Severity 78
Assessing the Scope 81
Remote Diagnosis and Telephone Conversation 83
Hint #1: Do Not Panic 83
Hint #2: Take Notes 84
Hint #3: Listen 84
Hint #4: Ask Simple Questions 84
Hint #5: Rephrase Your Questions 85
Hint #6: Do Not Use Jargon 85
Hint #7: Admit Things You Do Not Know 85
Hint #8: Control the Conversation 86
Solving the Problem 86
Determining the Reaction 86
Containing the Problem 88
Network Segmentation 88
Resolving the Problem and Restoring the Services 89
Monitoring for Recurrence 90
Involving Other Incident Response Teams 90
Involving Public Relations 90
Post-Mortem Analysis 91
Incident Analysis 92
IRT Analysis 94
Summary 95
References 95
Chapter 5 Incident Coordination 97
Multiple Sites Compromised from Your Site 97
How to Contact Somebody Far Away 98
Contact a CERT Local at the Remote End 98
Standard Security Email Addresses 99
Standard Security Web Page 99
whois and Domain Name 99
Who Is Your ISP? 102
Law Enforcement 102
Working with Different Teams 102
Keeping Track of Incident Information 103
Product Vulnerabilities 104
Commercial Vendors 104
Open Source Teams 105
Coordination Centers 105
Exchanging Incident Information 106
Summary 107
References 107
Chapter 6 Getting to Know Your Peers: Teams and Organizations Around the World 109
FIRST 110
APCERT 111
TF-CSIRT 111
BARF 112
InfraGard 112
ISAC 113
NSP-Security Forum 113
Other Forums and Organizations of Importance 114
Summary 114
References 115
Part II Product Security
Chapter 7 Product Security Vulnerabilities 117
Definition of Security Vulnerability 118
Severe and Minor Vulnerabilities 120
Chaining Vulnerabilities 122
Fixing Theoretical Vulnerabilities, or Do We Need an Exploit? 124
Internally Versus Externally Found Vulnerabilities 125
Are Vendors Slow to Produce Remedies? 126
Process of Vulnerability Fixing 127
Vulnerability Fixing Timeline 128
Reasons For and Against Applying a Remedy 130
Question of Appliances 133
Summary 135
References 135
Chapter 8 Creating a Product Security Team 137
Why Must a Vendor Have a Product Security Team? 137
Placement of a PST 138
PST in the Engineering and Development Department 138
PST in the Test and Quality Assurance Group 139
PST in the Technical Support Department 140
Product Security Team Roles and the Team Size 140
PST Interaction with Internal Groups 141
PST Interaction with Engineering and Development 141
PST Interaction with Test Group 141
PST Interaction with Technical Support 142
PST Interaction with Sales 142
PST Interaction with Executives 143
Roles the PST Can Play and PST Involvement 143
PST Team Size 144
Virtual Team or Not? 144
Summary 145
References 145
Chapter 9 Operating a Product Security Team 147
Working Hours 147
Supporting Technical Facilities 147
Vulnerability Tracking System 148
Interfacing with Internal Databases 149
Laboratory Resources 150
Geographic Location of the Laboratory 151
Shared Laboratory Resources 151
Virtual Hardware 152
Third-Party Components 152
Product Component Tracking 152
Tracking Internally Developed Code 155
Relationship with Suppliers 155
Summary 156
References 156
Chapter 10 Actors in Vulnerability Handling 159
Researchers 159
Vendors 160
Who Is a Vendor? 160
Vendor Communities 162
Vendor Special Interest Group (SIG) 162
ICASI 162
IT-ISAC 163
VSIE 163
Vendor Point of Contact—Japan 164
SAFECode 164
vendor-sec 164
Coordinators 164
Vendors’ Incentive to Be Coordinated 165
Coordinators’ Business Model 165
Commercial Coordinators 166
Government and Government Affiliated 166
Open-Source Coordinators 167
Other Coordinators 167
Users 167
Home Users 167
Business Users 168
Equipment Usage 168
Interaction Among Actors 169
Summary 171
References 171
Chapter 11 Security Vulnerability Handling by Vendors 173
Known Unknowns 173
Steps in Handling Vulnerability 174
Discovery of the Vulnerability 174
Initial Triage 175
Reproduction 176
Detailed Evaluation 177
Remedy Production 177
Remedy Availability 179
Remedy Distribution and Notification 180
Monitoring the Situation 181
Summary 181
References 181
Chapter 12 Security Vulnerability Notification 183
Types of Notification 183
When to Disclose Vulnerability 184
Amount of Information in the Notice 186
Disclosing Internally Found Vulnerabilities 187
Public Versus Selected Recipients 188
Vulnerability Predisclosure 190
Scheduled Versus Ad Hoc Notification Publication 193
Vulnerability Grouping 194
Notification Format 197
Notification Medium 197
Electronic Document Type 198
Electronic Document Structure 198
Usage of Language in Notifications 199
Push or Pull 200
Internal Notification Review 202
Notification Maintenance 203
Access to the Notifications 204
Summary 205
References 205
Chapter 13 Vulnerability Coordination 209
Why Cooperate and How to Deal with Competitors 209
Who Should Be a Coordinator? 211
How to Coordinate Vendors on a Global Scale 212
Vendors Never Sleep 212
Be Sensitive to Multicultural Environments 213
Use Good Communication Skills 213
No Surprises 214
Summary 214
References 214
9781587052644 TOC 11/9/2010