Re: REVIEW: "Incident Response", Kevin Mandia/Chris Prosise

From: Van.ForSaler
Date: Tue, 12 Mar 2002 17:21:09 GMT

Hello, Rob:

Is there a book, website or other source of information dealing with this
subject that you would recommend?

Thank you.

"Rob Slade, doting grandpa of Ryan and Trevor" wrote in
message news:Bepj8.336$
> BKINCDRS.RVW 20020108
> "Incident Response", Kevin Mandia/Chris Prosise, 2001, 0-07-213182-9,
> U$39.99
> %A Kevin Mandia
> %A Chris Prosise
> %C 300 Water Street, Whitby, Ontario L1N 9B6
> %D 2001
> %G 0-07-213182-9
> %I McGraw-Hill Ryerson/Osborne
> %O U$39.99 905-430-5000 fax: 905-430-5020
> %P 509 p.
> %T "Incident Response: Investigating Computer Crime"
>
> Part one is supposed to provide us with the basics of incident
> response. Despite the assertion, in the introduction, that such
> response deals with much more than computer crime and that incidents
> can vary widely, chapter one details a deliberate and malicious
> intrusion into a computer system, by an incredibly inept attacker,
> using inside information. Chapter two provides a definition of
> incident response, but it does lean heavily towards crimes, law
> enforcement involvement, and directed attacks. The material also
> assumes that an incident response team can be called upon or formed at
> short notice. The suggestions for advance preparation, in chapter
> three, do cover a broad range, but the writing is not always
> organized, and the material has gaps and covers many topics
> superficially.
>
> Part two purports to deal with technical issues. Chapter four deals
> with guidelines for investigations, but, again, concentrates only on
> directed attacks from outside the organization. The computer forensic
> process, in chapter five, is limited to retention and copying of
> evidence. There is a rather terse review of Internet Protocol header
> information in chapter six. Chapter seven lists some information
> related to network monitoring and logging. "Advanced Network
> Surveillance" (chapter eight) examines a few of the more convoluted
> exploits.
>
> Part three describes operating system functions associated with system
> investigation. Chapters nine to twelve list a number of utility
> programs that can be used to obtain system information.
>
> Part four is a grab bag of material dealing with special topics,
> chapter thirteen dealing with routers, fourteen the Web, and fifteen
> various servers. A number of security and security breaking tools are
> enumerated in chapter sixteen.
>
> The emphasis in this book is adversarial: seeing incident response as
> primarily a matter of active defence against an active attacker. Most
> companies will probably see incident response as a matter related to
> technical support: an endless stream of incidents, most of which are
> trivial, and a select few of which indicate serious problems. As
> such, the book does, occasionally, point out some matters to consider,
> and possibly new practices to adopt in order to deal with those
> isolated events that are important enough to turn over to law
> enforcement agencies. However, overall, the text does not provide
> much guidance in preparing for and responding to serious incidents.
>
> copyright Robert M. Slade, 2002 BKINCDRS.RVW 20020108