
Managing & responding to IT incidents
Information Security Management with ITIL v3 by Cazemier et al (€40 from the publisher) is an excellent guidebook for organizations that use ITIL and/or ISO27k. We've reviewed the book here.
Information Security Incident Management - A Methodology by Neil Hare Brown (£50 from BSI) is worth buying if you are designing or reviewing information security incident management processes, perhaps as part of implementing ISO/IEC 27002, and if you work in a government or large commercial organization that needs a comprehensive, well-structured incident management process. Read our book review for more.
SP800-61 Revision 1, the Computer Security Incident Handling Guide, as usual from NIST, gives the full nine yards. SP800-86 Guide to Integrating Forensic Techniques into Incident Response looks more explicitly at the forensic elements of IT incident responses.
A panel of experts assembled by SANS explains in an FAQ how to liaise with law enforcement officials (aka the police) on security incidents.
Mich Kabay has published a superb white paper synthesizing various pieces he has written previously on building an effective Computer Security Incident Response Team. Mich also republished the contents of a training CD on incident response from US DoD's Defense Information Systems Agency (DISA).
Incident Response and Computer Forensics, second edition by Chris Prosise, Kevin Mandia and Matt Pepe (~$34 from Amazon) explains in a reasonably generic and timeless way how to tell when a computer system has been, or is being, attacked and how to respond to that. Despite being more than 7 years old, the book's good reviews from information security graybeards bode well.
In Incident Response: A Strategic Guide to Handling System and Network Security Breaches (~$32 from Amazon), authors Eugene Schultz and Russell Shumway give us the benefit of their considerable experience in the field. Combining procedural, technical, legal and policy matters, the book is a useful guide to professional incident response processes and teams, plus forensic techniques and tools.
Despite being a decade old, Incident Response by Ken van Wyk and Richard Forno (now out of print) remains a decent broad but shallow introductory-level text to a field that actually hasn't moved very far in that time.
The mother of all incident management teams is the Computer Emergency Response Team Coordination Center CERT/CC, set up by the US DoD in 1988 in the wake of the original Morris Worm at Carnegie Mellon University's Software Engineering Institute. CERT commands enormous respect in the incident management community and remains the reference. Their mission is not to respond directly to individual incidents but to coordinate overall responses.
Organizations often need to consider the thorny issue of disclosure after they have been hit by serious security incidents, assuming the incident is not already public knowledge. The benefits of fulfilling social and legal compliance responsibilities sometimes conflict with the threat of public embarrassment and reputational damage, at least for UK-based Internet gambling companies facing Denial of Service cyber extortion. This is a good topic to discuss with senior management before the Big One hits, when tempers are not frayed and rational decisions can be codified into policy statements.
Surveys are an excellent way to read about real world threats and incidents. Benefit from other people’s misfortune! Examples include the PwC UK survey and CSI + FBI survey.
Watchguard's excellent VML exploit video is an object lesson in technical awareness presentations - professionally produced, clear and straightforward, and just over 4 minutes long.
Through the use of networks of hundreds or thousands of zombie PCs (compromised PCs on high-bandwidth/broadband connections) to exploit architectural 'features' of the Internet, Distributed Denial of Service (DDoS) attacks by extortionists on web-based businesses are all but impossible to prevent. Online gambling and other financial sites have mostly been targeted to date. Having already been DDoS'd a year before, WorldPay was hit again. An email to customers confirmed that their data are secure and contingency plans are in place (although in practice the site was evidently reduced to a crawl), but the attack can hardly enhance the bank's reputation with its customers.
The SANS Internet Storm Center tracks and reports on Internet security incidents in real time. The daily diary entries make interesting reading - more than simply news items about the latest malware in circulation, the incident handlers give their analysis and sometimes tools to help identify or fix the issues that arise.
The Forum of Incident Response Teams FIRST is a club for over 170 incident response teams worldwide. As well as helping each other, members have prepared and published a range of system security configuration guides.
Information security incidents come in all shapes and sizes. This news story, for example, concerned allegations that source code had been stolen from an Indian software company. One hurdle to any investigation of the case is that the facility fell short on security, according to investigators. "It does not have a security policy, it has no log of the computer and network activity at the center, and passwords are known to all and sundry," said technical consultant Vijay Mukhi. So much for preventive controls.
In Help! I think I've been hacked, author Tony Bradley discusses incident response processes for individuals whose PCs have been compromised, in particular by malware.
The Computer Incident Response Team's desk reference guide is a manual describing the Federal Communications Commission's incident response process.
Related NoticeBored links collections
Information security risk management and contingency planning,
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about broken links on this page and especially additional resources you would recommend to others.