BKINCDRS.RVW 20020108

"Incident Response", Kevin Mandia/Chris Prosise, 2001, 0-07-213182-9, U$39.99
%A Kevin Mandia mandiak@erols.com
%A Chris Prosise authors@incidentresponsebook.com
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2001
%G 0-07-213182-9
%I McGraw-Hill Ryerson/Osborne
%O U$39.99 905-430-5000 fax: 905-430-5020
%P 509 p.
%T "Incident Response: Investigating Computer Crime"

Part one is supposed to provide us with the basics of incident response. Despite the assertion, in the introduction, that such response deals with much more than computer crime and that incidents can vary widely, chapter one details a deliberate and malicious intrusion into a computer system, by an incredibly inept attacker, using inside information. Chapter two provides a definition of incident response, but it does lean heavily towards crimes, law enforcement involvement, and directed attacks. The material also assumes that an incident response team can be called upon or formed at short notice. The suggestions for advance preparation, in chapter three, do cover a broad range, but the writing is not always organized, and the material has gaps and covers many topics superficially.

Part two purports to deal with technical issues. Chapter four deals with guidelines for investigations, but, again, concentrates only on directed attacks from outside the organization. The computer forensic process, in chapter five, is limited to the retention and copying of evidence. There is a rather terse review of Internet Protocol header information in chapter six. Chapter seven lists some information related to network monitoring and logging. "Advanced Network Surveillance" (chapter eight) examines a few of the more convoluted exploits.

Part three describes operating system functions associated with system investigation. Chapters nine to twelve list a number of utility programs that can be used to obtain system information.

Part four is a grab bag of material dealing with special topics: chapter thirteen deals with routers, fourteen with the Web, and fifteen with various servers. A number of security and security-breaking tools are enumerated in chapter sixteen.

The emphasis in this book is adversarial: it sees incident response primarily as a matter of active defence against an active attacker. Most companies will probably see incident response as a matter related to technical support: an endless stream of incidents, most of which are trivial, and a select few of which indicate serious problems. As such, the book does, occasionally, point out some matters to consider, and possibly new practices to adopt, in order to deal with those isolated events that are important enough to turn over to law enforcement agencies. However, overall, the text does not provide much guidance in preparing for and responding to serious incidents.

copyright Robert M. Slade, 2002