BKIRSGHS.RVW 20060906

"Incident Response", E. Eugene Schultz/Russell Shumway, 2002, 1-57870-256-9, U$39.99/C$59.95/UK#30.99
%A E. Eugene Schultz
%A Russell Shumway
%C 201 W. 103rd Street, Indianapolis, IN 46290
%D 2002
%G 1-57870-256-9
%I Macmillan Computer Publishing (MCP)/New Riders
%O U$39.99/C$59.95/UK#30.99 800-858-7674 317-581-3743 info@mcp.com
%O http://www.amazon.com/exec/obidos/ASIN/1578702569/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/1578702569/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1578702569/robsladesin03-20
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 384 p.
%T "Incident Response: A Strategic Guide to Handling System and Network Security Breaches"

Beyond saying that security breaches occur, and that we need to respond to them, the introduction doesn't tell us much about either the topic or the book.

Chapter one contains a good deal of material with which security professionals will agree, but it does not provide helpful guidance. The attempt to define "incidents" is not wrong in any particular, but is tautological and of limited utility. "Risk Analysis," in chapter two, briefly repeats the usual procedures, but expends most of its text on details of specific (mostly network) system attacks. A suggested methodology for incident response is provided in chapter three, along with a justification for the use of a formal process. (Many may find it ironic that much of the rationale for formal methods has to do with expecting the unexpected.) (The process is given in the acronym PDCERF, which stands for preparation, detection, containment, eradication, recovery, and follow-up, but the text, rather unsettlingly, presents a number of variations on the acronym throughout the chapter.) Chapter four deals with forming and managing an incident response team, and the content is mostly concerned with communications, corporate culture, and management. This material is extended in chapter five, which covers other factors involved in organizing for incident response. Chapter six turns to a slightly more technical topic, the tracing of network attacks. This is an overview, with only limited technical content, but even so a few items are suspect (such as the implication that MAC [Media Access Control] addresses are permanent and fixed). Legal issues related to incident response are reviewed in chapter seven. Chapters eight and nine provide an overview of computer forensics, as well as good advice on the handling and management of evidence, but at a conceptual, rather than technical, level. Insider attacks are difficult to detect and protect against, and chapter ten tacitly admits this by spending a lot of time just telling stories. Chapter eleven (written by an outside author) examines criminal profiling and other incident response factors related to the social sciences. Honeypots and other types of deception aimed at the attacker are the subject of chapter twelve. Chapter thirteen finishes off with a look at emerging tools and directions.

While still flawed, this work is probably more practical than Mandia and Prosise's law enforcement oriented volume (cf. BKINCDRS.RVW), van Wyk and Forno's somewhat less detailed work (cf. BKINCRES.RVW), or Schweitzer's basic and wordy tome (cf. BKINCRSP.RVW) (all, of course, are entitled "Incident Response").

copyright Robert M. Slade, 2006