The Effective Incident Response Team
暫譯: 有效的事件響應團隊

Table of Contents

Foreword.

Preface.

1. Welcome to the Information Age.

A Brief History.

CERT.

More Teams.

FIRST.

What Does This Mean to My Organization?

Examples of Incident Response Teams.

Some Statistics.

Summary.

2. What's Your Mission?

Focus and Scope.

Know Who You're Protecting: Defining Your Constituency.

Defining Response.

Working with Law Enforcement.

InfraGard.

Operational Strategy.

Defining an Incident.

Tracking an Incident.

Counting Incidents.

Services Offered.

The Importance of Credibility.

Summary.

3. The Terminology Piece.

What Is a Computer Incident?

Operational Versus Security Incidents.

Determining the Categories to Be Used.

An Incident Taxonomy.

Common Vulnerability and Exposure (CVE) Project.

Summary.

4. Computer Attacks.

Consequences of Computer Attacks.

Computer Intrusion, Unauthorized Access, or Compromise.

Denial-of-Service Attacks.

Port Scans or Probes.

Attack Vectors.

The Human Factor.

TCP/IP Design Limitations.

Coding Oversight.

Malicious Logic.

The Computer Virus.

Virus Types.

Important Steps to Remain Virus-Free.

Other Forms of Malicious Logic.

Virus Hoaxes and Urban Legends.

Summary.

5. Forming the Puzzle.

Putting the Team Together.

Coverage Options.

Determining the Best Coverage.

Team Roles.

Team Skills.

Promotions and Growth.

Interviewing Candidates.

Facilities.

Products and Tools.

Penetration Testing Tools.

Intrusion Detection Systems.

Network Monitors and Protocol Analyzers.

Forensics Tools.

Other Tools.

Funding the Team.

Marketing Campaign.

Risk Assessment.

Business Case.

Placement of the Team.

Worst-Case Scenarios.

Training.

Certifications.

Constituency Training.

Marketing the Team.

Dealing with the Media.

Summary.

6. Teamwork.

External Team Members.

Internal Teamwork.

Selecting Team Members.

Retention and Cohesiveness.

Summary.

7. Selecting the Products and Tools.

Training as a Tool.

Sound Security Practices.

The Tools of the Trade.

Using the Tools.

Summary.

8. The Puzzle in Action.

The Life Cycle of an Incident.

Step One: Preparation (Preparing for Compromise).

Step Two: Incident Identification.

Step Three: Notification.

Step Four: Incident Analysis.

Step Five: Remediation.

Step Six: System Restoration.

Step Seven: Lessons Learned.

Sample Incidents.

Incident Reporting.

Feedback.

Tracking Incidents.

Keeping Current.

Writing Computer Security Advisories.

Summary.

9. What Did That Incident Cost?

Statistics and Cases.

CSI/FBI Survey Results.

Some Example Cases.

Forms of Economic Impact.

Costs Associated with Time Frames.

Tangible Versus Intangible Costs.

An Incident Cost Model.

Summary.

10. The Legal Eagles.

Working with the Legal Community.

The Need for Legal Assistance.

Establishing Contacts.

Laws Pertaining to Computer Crime.

NeededNCase Law.

Reporting Computer Crime.

Summary.

11. Computer Forensics: An Evolving Discipline.

The World of Forensics.

What Is Forensics?

The Forensics Investigation.

Overview and Importance of Computer Forensics.

Computer Forensics Challenges.

Computer Evidence.

Methodologies.

Education.

Summary.

12. Conclusions.

Appendix A: Sample Incident Report Form.
Appendix B: Federal Code Related to Cyber Crime.

18 U.S.C. 1029. Fraud and Related Activity in Connection with Access Devices.

18 U.S.C. 1030. Fraud and Related Activity in Connection with Computers: As amended October 11, 1996.

18 U.S.C. 1362. Communication Lines, Stations, or Systems.

Appendix C: Sample Frequently Asked Questions.

Appendix D: Domain Name Extensions Used for Internet Addresses.

Appendix E: Well-Known Port Numbers.

Glossary.

Bibliography.

Index.