The Effective Incident Response Team
List Price: $39.99
Your Price: $26.39
Rating: 3 stars
Summary: Good in case you are tasked with IR team creation
Review: Here is a one-line summary: this is a mid- to high-level book on computer security incident response with a focus on IR team building. Management is the target audience. If you are looking for hands-on tips and tricks on how to respond - look elsewhere. But, if you are looking for an in-depth and structured approach to response team creation and management - this is the book for you.

Few technology details are given in the book. And it's a good thing, since some other management-focused books simply give wrong tech details. In fact, in a couple of places the authors try to "go techno" and the content becomes somewhat shaky. For example, in the 'attack vectors' section they talk about CGI abuses but completely ignore web applications (which are really hot today). The book does have some incident content. Good incident taxonomy material is there, even if not original. Important issues such as what the IR team does when there are no incidents are covered as well.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major security information management company. He is the author of the book "Security Warrior" (O'Reilly, 2004). His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal [web site.]

Rating: 4 stars
Summary: Good Intro to Establishing Incident Response Procedures
Review: Julie Lucas and Brian Moeller bring a lot of knowledge and experience to the table in creating this book. The focus of The Effective Incident Response Team is not to teach you everything you need to know to respond to computer intrusions or incidents. The goal of the book is to help a manager understand the roles and functions of a CIRT (computer incident response team) and answer the questions they need to answer to define and form their own CIRT.

The Effective Incident Response Team begins with a brief history of computer incidents and incident response teams and a short overview of the grandmother of all CIRTs, the Carnegie Mellon CERT (computer emergency response team). To this day the Carnegie Mellon CERT remains one of the primary sources of reliable information and one of the key resources that many rely on when creating their own CIRT processes.

The book goes on to define the scope and some of the roles and responsibilities you will need to consider in creating your own incident response team. It does so in relatively plain English and at a fairly high level. Again, the goal is to help a manager define and form a team, not to provide the level of technical expertise required to actually be on the team.

For managers who have been tasked with forming or leading a CIRT or defining their incident response process this book can be a great start. For those looking for more technical depth you may want to refer to books like Incident Response by Douglas Schweitzer.

Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).

Rating: 4 stars
Summary: Important - Describes CERT CC
Review: Primarily aimed at a nontechnical manager who is given the responsibility to start or run an IT group watching a company's computer security. Though I do not want to draw this constraint too tightly. Systems administrators and programmers who have been tasked to this field will also find it useful.

The book gives a good synopsis of the field of computer security. It tells you what the issues are, and the broader resources available out there. Most significantly, you learn about Carnegie-Mellon's Computer Emergency Response Team, aka CERT CC. This is the main organisation in the world that pools data on incidents and disseminates authoritative information on countermeasures and patches. I would posit that the best value in this book is in telling you of CERT and how to use them to your best advantage. Especially advantageous if you are new to managing computer security. CERT means you do not stand alone.

Other sections of the book also discuss how to organise a team and give a broad overview of what types of incidents to check for.

Please note that no code examples are actually given in the book. For example, buffer overruns are mentioned, but not described further. Such things would be the purview of a more technical text, aimed directly at a programmer.

Rating: 3 stars
Summary: Pretty Good Beginners Summary
Review: This book serves as a very good starting point for the discussion of how to effectively manage an incident response in your corporate environment. The target audience appears to be those persons who are familiar with IT security and may even be starting practitioners in this field. Given this focus, the book is very well organized and provides basic analysis and implementation steps when dealing with an incident. There are many helpful tables, charts, and some very good resources for future research.

Perhaps the ease of understanding and the very basic nature of this book operate as both its greatest strength, by being a valuable resource for newcomers to the IT security world, and its greatest weakness, by not providing higher-level tactics for incident response.

Overall I felt this book falls short by not providing the in-depth and highly detailed information that will help or assist the seasoned practitioner with incident response. I also felt that this book would have benefited from more charts, graphs, diagrams, and better overall organization. This is a great beginner book for incident response, but probably not a must-read for those persons already involved in IT security.

Rating: 5 stars
Summary: The Effective Incident Response Team
Review: While "The Effective Incident Response Team" is not, nor intends to be, a highly technical manual on CIRT operations, it does provide a very effective overview of the subject matter and concentrates on the soft skills like operational strategy, focus, scope and even justification of a Computer Incident Response Team. The book does go into great detail on things like terminology, definitions and the "what is" of a computer attack so that an IT manager who does not have training in these things can follow along and benefit from the reading. The average team member may not feel the need to know the economic impact and incident cost models, but in the current IT environment knowing how to justify your job may not be a bad thing either.

I would recommend this book as a first read for any management organization that is thinking about implementing a CIRT team. I believe that the need for such a team has been well established through many recent events.

© 2004, ReviewFocus or its affiliates