Computer Incident Response and Product Security

About the Book

Computer Incident Response and Product Security
The practical guide to building and running incident response and product security teams
Damir Rajnovic

Organizations increasingly recognize the urgent importance of effective, cohesive, and efficient security incident response. The speed and effectiveness with which a company can respond to incidents has a direct impact on how devastating an incident is on the company’s operations and finances. However, few have an experienced, mature incident response (IR) team. Many companies have no IR teams at all; others need help with improving current practices.

In this book, leading Cisco incident response expert Damir Rajnović presents start-to-finish guidance for creating and operating effective IR teams and responding to incidents to lessen their impact significantly. Drawing on his extensive experience identifying and resolving Cisco product security vulnerabilities, the author also covers the entire process of correcting product security vulnerabilities and notifying customers. Throughout, he shows how to build the links across participants and processes that are crucial to an effective and timely response.

This book is an indispensable resource for every professional and leader who must maintain the integrity of network operations and products—from network and security administrators to software engineers, and from product architects to senior security executives.

  • Determine why and how to organize an incident response (IR) team
  • Learn the key strategies for making the case to senior management
  • Locate the IR team in your organizational hierarchy for maximum effectiveness
  • Review best practices for managing attack situations with your IR team
  • Build relationships with other IR teams, organizations, and law enforcement to improve incident response effectiveness
  • Learn how to form, organize, and operate a product security team to deal with product vulnerabilities and assess their severity
  • Recognize the differences between product security vulnerabilities and exploits
  • Understand how to coordinate all the entities involved in product security handling
  • Learn the steps for handling a product security vulnerability based on proven Cisco processes and practices
  • Learn strategies for notifying customers about product vulnerabilities and how to ensure customers are implementing fixes

This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending networks.

Table of Contents:
Introduction

Part I Computer Security Incidents

Chapter 1 Why Care About Incident Response?
    Instead of an Introduction
    Reasons to Care About Responding to Incidents
        Business Impacts
        Legal Reasons
        Being Part of a Critical Infrastructure
        Direct Costs
        Loss of Life
    How Did We Get Here or “Why Me?”
        Corporate Espionage
        Unintended Consequences
        Government-Sponsored Cyber Attacks
        Terrorism and Activism
    Summary
    References

Chapter 2 Forming an IRT
    Steps in Establishing an IRT
    Define Constituency
        Overlapping Constituencies
        Asserting Your Authority Over the Constituency
    Ensure Upper-Management Support
    Secure Funding and Funding Models
        IRT as a Cost Center
            Cost of an Incident
            Selling the Service Internally
            Price List
            Clear Engagement Rules
            Authority Problems
            Placement of IRT Within the Organization
    Central, Distributed, and Virtual Teams
        Virtual Versus Real Team
        Central Versus Distributed Team
    Developing Policies and Procedures
        Incident Classification and Handling Policy
        Information Classification and Protection
        Information Dissemination
        Record Retention and Destruction
        Usage of Encryption
            Symmetric Versus Asymmetric Keys and Key Authenticity
            Creating Encryption Policy
            Digression on Trust
        Engaging and Cooperation with Other Teams
            What Information Will Be Shared
            Nondisclosure Agreement
            Competitive Relationship Between Organizations
    Summary
    References

Chapter 3 Operating an IRT
    Team Size and Working Hours
        Digression on Date and Time
    New Team Member Profile
        Strong Technical Skills
        Effective Interpersonal Skills
        Does Not Panic Easily
        Forms an Incident’s Image
    Advertising the IRT’s Existence
    Acknowledging Incoming Messages
        Giving Attention to the Report
        Incident Tracking Number
        Setting the Expectations
        Information About the IRT
        Looking Professional and Courteous
        Sample Acknowledgment
    Cooperation with Internal Groups
        Physical Security
        Legal Department
        Press Relations
        Internal IT Security
        Executives
        Product Security Team
        Internal IT and NOC
    Be Prepared!
        Know Current Attacks and Techniques
        Know the System IRT Is Responsible For
        Identify Critical Resources
        Formulate Response Strategy
        Create a List of Scenarios
    Measure of Success
    Summary
    References

Chapter 4 Dealing with an Attack
    Assigning an Incident Owner
    Law Enforcement Involvement
        Legal Issues
    Assessing the Incident’s Severity
    Assessing the Scope
        Remote Diagnosis and Telephone Conversation
        Hint #1: Do Not Panic
        Hint #2: Take Notes
        Hint #3: Listen
        Hint #4: Ask Simple Questions
        Hint #5: Rephrase Your Questions
        Hint #6: Do Not Use Jargon
        Hint #7: Admit Things You Do Not Know
        Hint #8: Control the Conversation
    Solving the Problem
        Determining the Reaction
        Containing the Problem
        Network Segmentation
        Resolving the Problem and Restoring the Services
        Monitoring for Recurrence
    Involving Other Incident Response Teams
    Involving Public Relations
    Post-Mortem Analysis
        Incident Analysis
        IRT Analysis
    Summary
    References

Chapter 5 Incident Coordination
    Multiple Sites Compromised from Your Site
    How to Contact Somebody Far Away
        Contact a CERT Local at the Remote End
        Standard Security Email Addresses
        Standard Security Web Page
        whois and Domain Name
        Who Is Your ISP?
        Law Enforcement
    Working with Different Teams
    Keeping Track of Incident Information
    Product Vulnerabilities
        Commercial Vendors
        Open Source Teams
        Coordination Centers
    Exchanging Incident Information
    Summary
    References

Chapter 6 Getting to Know Your Peers: Teams and Organizations Around the World
    FIRST
    APCERT
    TF-CSIRT
    BARF
    InfraGard
    ISAC
    NSP-Security Forum
    Other Forums and Organizations of Importance
    Summary
    References

Part II Product Security

Chapter 7 Product Security Vulnerabilities
    Definition of Security Vulnerability
    Severe and Minor Vulnerabilities
        Chaining Vulnerabilities
    Fixing Theoretical Vulnerabilities, or Do We Need an Exploit?
    Internally Versus Externally Found Vulnerabilities
    Are Vendors Slow to Produce Remedies?
        Process of Vulnerability Fixing
        Vulnerability Fixing Timeline
    Reasons For and Against Applying a Remedy
    Question of Appliances
    Summary
    References

Chapter 8 Creating a Product Security Team
    Why Must a Vendor Have a Product Security Team?
    Placement of a PST
        PST in the Engineering and Development Department
        PST in the Test and Quality Assurance Group
        PST in the Technical Support Department
    Product Security Team Roles and the Team Size
        PST Interaction with Internal Groups
            PST Interaction with Engineering and Development
            PST Interaction with Test Group
            PST Interaction with Technical Support
            PST Interaction with Sales
            PST Interaction with Executives
        Roles the PST Can Play and PST Involvement
        PST Team Size
    Virtual Team or Not?
    Summary
    References

Chapter 9 Operating a Product Security Team
    Working Hours
    Supporting Technical Facilities
        Vulnerability Tracking System
            Interfacing with Internal Databases
        Laboratory Resources
            Geographic Location of the Laboratory
            Shared Laboratory Resources
            Virtual Hardware
    Third-Party Components
        Product Component Tracking
        Tracking Internally Developed Code
        Relationship with Suppliers
    Summary
    References

Chapter 10 Actors in Vulnerability Handling
    Researchers
    Vendors
        Who Is a Vendor?
        Vendor Communities
            Vendor Special Interest Group (SIG)
            ICASI
            IT-ISAC
            VSIE
            Vendor Point of Contact—Japan
            SAFECode
            vendor-sec
    Coordinators
        Vendors’ Incentive to Be Coordinated
        Coordinators’ Business Model
        Commercial Coordinators
        Government and Government Affiliated
        Open-Source Coordinators
        Other Coordinators
    Users
        Home Users
        Business Users
        Equipment Usage
    Interaction Among Actors
    Summary
    References

Chapter 11 Security Vulnerability Handling by Vendors
    Known Unknowns
    Steps in Handling Vulnerability
    Discovery of the Vulnerability
    Initial Triage
    Reproduction
    Detailed Evaluation
    Remedy Production
        Remedy Availability
    Remedy Distribution and Notification
    Monitoring the Situation
    Summary
    References

Chapter 12 Security Vulnerability Notification
    Types of Notification
    When to Disclose Vulnerability
    Amount of Information in the Notice
    Disclosing Internally Found Vulnerabilities
    Public Versus Selected Recipients
    Vulnerability Predisclosure
    Scheduled Versus Ad Hoc Notification Publication
    Vulnerability Grouping
    Notification Format
        Notification Medium
        Electronic Document Type
        Electronic Document Structure
        Usage of Language in Notifications
    Push or Pull
    Internal Notification Review
    Notification Maintenance
    Access to the Notifications
    Summary
    References

Chapter 13 Vulnerability Coordination
    Why Cooperate and How to Deal with Competitors
    Who Should Be a Coordinator?
    How to Coordinate Vendors on a Global Scale
        Vendors Never Sleep
        Be Sensitive to Multicultural Environments
        Use Good Communication Skills
        No Surprises
    Summary
    References

About the Author:
Damir Rajnovic finished his education in Croatia where, in 1993, he started his career in computer security. He started at the Croatian News Agency Hina, then moved on to the Ministry of Foreign Affairs, and finally to the Ministry of Science and Technology. During that time, Damir became involved with the Forum of Incident Response Teams (FIRST) and established the Croatian Academic and Research Network Computer Incident Response Team (CARNet CERT), which, until recently, was not only handling computer incidents for CARNet but was also acting as the Croatian national CERT. Damir then moved to the United Kingdom to work in EuroCERT, which was a project that aimed to coordinate CERTs within the European region. After EuroCERT, Damir moved to the Cisco Product Security Incident Response Team (Cisco PSIRT), where he is still working. Cisco PSIRT is the focal point for managing security vulnerabilities in all Cisco products.

Damir remains active in FIRST, where he created Vendor SIG, and currently serves as liaison officer to the International Organization for Standardization (ISO) and International Telecommunication Union (ITU). Damir was an invited lecturer for the MSc Information Technology Security course at Westminster University, London. He was one of the core people who dreamed up and formed the Industry Consortium for the Advancement of Security on the Internet (ICASI).

His nonsecurity-related work includes working as a sound engineer on Radio 101 (http://www.radio101.hr) while living in Zagreb, Croatia. Damir lives with his family in Didcot, UK.


Product Details
  • ISBN-13: 9780132491488
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Cisco Press
  • Language: English
  • Weight: 1 gr
  • ISBN-10: 0132491486
  • Publisher Date: 23 Nov 2010
  • Binding: Digital download
  • No of Pages: 256

