Computer incident response and product security

Content: Introduction xvii  Part I Computer Security Incidents  Chapter 1 Why Care About Incident Response? 1  Instead of an Introduction 1  Reasons to Care About Responding to Incidents 2    Business Impacts 2    Legal Reasons 3    Being Part of a Critical Infrastructure 4    Direct Costs 5    Loss of Life 6  How Did We Get Here or "Why Me?" 7    Corporate Espionage 7    Unintended Consequences 8    Government-Sponsored Cyber Attacks 8    Terrorism and Activism 8  Summary 9  References 9  Chapter 2 Forming an IRT 13  Steps in Establishing an IRT 14  Define Constituency 14    Overlapping Constituencies 15    Asserting Your Authority Over the Constituency 16  Ensure Upper-Management Support 17  Secure Funding and Funding Models 18    IRT as a Cost Center 19    Cost of an Incident 19    Selling the Service Internally 25    Price List 25    Clear Engagement Rules 26    Authority Problems 26    Placement of IRT Within the Organization 28  Central, Distributed, and Virtual Teams 29    Virtual Versus Real Team 30    Central Versus Distributed Team 31  Developing Policies and Procedures 32    Incident Classification and Handling Policy 33    Information Classification and Protection 35    Information Dissemination 36    Record Retention and Destruction 38    Usage of Encryption 39    Symmetric Versus Asymmetric Keys and Key Authenticity 40    Creating Encryption Policy 42    Digression on Trust 45    Engaging and Cooperation with Other Teams 46    What Information Will Be Shared 47    Nondisclosure Agreement 47    Competitive Relationship Between Organizations 47  Summary 47  References 48  Chapter 3 Operating an IRT 51  Team Size and Working Hours 51    Digression on Date and Time 53  New Team Member Profile 53    Strong Technical Skills 54    Effective Interpersonal Skills 55    Does Not Panic Easily 55    Forms an Incident's Image 55  Advertising the IRT's Existence 56  Acknowledging Incoming Messages 56    Giving Attention to the Report 57    Incident Tracking Number 57    Setting the Expectations 57    Information About the IRT 58    Looking Professional and Courteous 58    Sample Acknowledgment 58  Cooperation with Internal Groups 59    Physical Security 59    Legal Department 59    Press Relations 60    Internal IT Security 61    Executives 61    Product Security Team 65    Internal IT and NOC 65  Be Prepared! 65    Know Current Attacks and Techniques 66    Know the System IRT Is Responsible For 67    Identify Critical Resources 69    Formulate Response Strategy 69    Create a List of Scenarios 70  Measure of Success 72  Summary 74  References 74  Chapter 4 Dealing with an Attack 75  Assigning an Incident Owner 76  Law Enforcement Involvement 77    Legal Issues 78  Assessing the Incident's Severity 78  Assessing the Scope 81    Remote Diagnosis and Telephone Conversation 83    Hint #1: Do Not Panic 83    Hint #2: Take Notes 84    Hint #3: Listen 84    Hint #4: Ask Simple Questions 84    Hint #5: Rephrase Your Questions 85    Hint #6: Do Not Use Jargon 85    Hint #7: Admit Things You Do Not Know 85    Hint #8: Control the Conversation 86  Solving the Problem 86    Determining the Reaction 86    Containing the Problem 88    Network Segmentation 88    Resolving the Problem and Restoring the Services 89    Monitoring for Recurrence 90  Involving Other Incident Response Teams 90  Involving Public Relations 90  Post-Mortem Analysis 91    Incident Analysis 92    IRT Analysis 94  Summary 95  References 95  Chapter 5 Incident Coordination 97  Multiple Sites Compromised from Your Site 97  How to Contact Somebody Far Away 98    Contact a CERT Local at the Remote End 98    Standard Security Email Addresses 99    Standard Security Web Page 99    whois and Domain Name 99    Who Is Your ISP? 102    Law Enforcement 102  Working with Different Teams 102  Keeping Track of Incident Information 103  Product Vulnerabilities 104    Commercial Vendors 104    Open Source Teams 105    Coordination Centers 105  Exchanging Incident Information 106  Summary 107  References 107  Chapter 6 Getting to Know Your Peers: Teams and Organizations Around the World 109  FIRST 110  APCERT 111  TF-CSIRT 111  BARF 112  InfraGard 112  ISAC 113  NSP-Security Forum 113  Other Forums and Organizations of Importance 114  Summary 114  References 115  Part II Product Security  Chapter 7 Product Security Vulnerabilities 117  Definition of Security Vulnerability 118  Severe and Minor Vulnerabilities 120    Chaining Vulnerabilities 122  Fixing Theoretical Vulnerabilities, or Do We Need an Exploit? 124  Internally Versus Externally Found Vulnerabilities 125  Are Vendors Slow to Produce Remedies? 126    Process of Vulnerability Fixing 127    Vulnerability Fixing Timeline 128  Reasons For and Against Applying a Remedy 130  Question of Appliances 133  Summary 135  References 135  Chapter 8 Creating a Product Security Team 137  Why Must a Vendor Have a Product Security Team? 137  Placement of a PST 138    PST in the Engineering and Development Department 138    PST in the Test and Quality Assurance Group 139    PST in the Technical Support Department 140  Product Security Team Roles and the Team Size 140    PST Interaction with Internal Groups 141    PST Interaction with Engineering and Development 141    PST Interaction with Test Group 141    PST Interaction with Technical Support 142    PST Interaction with Sales 142    PST Interaction with Executives 143    Roles the PST Can Play and PST Involvement 143    PST Team Size 144  Virtual Team or Not? 144  Summary 145  References 145  Chapter 9 Operating a Product Security Team 147  Working Hours 147  Supporting Technical Facilities 147    Vulnerability Tracking System 148    Interfacing with Internal Databases 149    Laboratory Resources 150    Geographic Location of the Laboratory 151    Shared Laboratory Resources 151    Virtual Hardware 152  Third-Party Components 152    Product Component Tracking 152    Tracking Internally Developed Code 155    Relationship with Suppliers 155  Summary 156  References 156  Chapter 10 Actors in Vulnerability Handling 159  Researchers 159  Vendors 160    Who Is a Vendor? 160    Vendor Communities 162    Vendor Special Interest Group (SIG) 162    ICASI 162    IT-ISAC 163    VSIE 163    Vendor Point of Contact-Japan 164    SAFECode 164    vendor-sec 164  Coordinators 164    Vendors' Incentive to Be Coordinated 165    Coordinators' Business Model 165    Commercial Coordinators 166    Government and Government Affiliated 166    Open-Source Coordinators 167    Other Coordinators 167  Users 167    Home Users 167    Business Users 168    Equipment Usage 168  Interaction Among Actors 169  Summary 171  References 171  Chapter 11 Security Vulnerability Handling by Vendors 173  Known Unknowns 173  Steps in Handling Vulnerability 174  Discovery of the Vulnerability 174  Initial Triage 175  Reproduction 176  Detailed Evaluation 177  Remedy Production 177    Remedy Availability 179  Remedy Distribution and Notification 180  Monitoring the Situation 181  Summary 181  References 181  Chapter 12 Security Vulnerability Notification 183  Types of Notification 183  When to Disclose Vulnerability 184  Amount of Information in the Notice 186  Disclosing Internally Found Vulnerabilities 187  Public Versus Selected Recipients 188  Vulnerability Predisclosure 190  Scheduled Versus Ad Hoc Notification Publication 193  Vulnerability Grouping 194  Notification Format 197    Notification Medium 197    Electronic Document Type 198    Electronic Document Structure 198    Usage of Language in Notifications 199  Push or Pull 200  Internal Notification Review 202  Notification Maintenance 203  Access to the Notifications 204  Summary 205  References 205  Chapter 13 Vulnerability Coordination 209  Why Cooperate and How to Deal with Competitors 209  Who Should Be a Coordinator? 211  How to Coordinate Vendors on a Global Scale 212    Vendors Never Sleep 212    Be Sensitive to Multicultural Environments 213    Use Good Communication Skills 213    No Surprises 214  Summary 214  References 214        9781587052644  TOC  11/9/2010