Introduction


Many who read this book already know something about responding to information security-related incidents. Commonly referred to as "break-ins," "hacks," "security breaches," and other terms, these incidents have become all too commonplace. Why? One of the most important reasons is that systems, applications, and networks have become more complex and diverse and are thus increasingly difficult to defend. The Internet continues to undergo almost unprecedented growth, enabling attackers from almost anywhere in the world to probe and shortly afterward attack systems that are connected to the Internet. Compounding the problem is the tendency for senior management to be oblivious to the threat of security-related incidents, much like the proverbial "ostrich with its head in the sand."

Security-related attacks that occur often have catastrophic consequences. Chapter 2, "Risk Analysis," discusses the types of negative consequences security-related incidents can cause and the extent of each. We do not mean to claim that "the sky is falling." Instead, we present selected loss statistics when available. But we are confident that the problem is far greater than most people realize. National infrastructures are gravely at risk and have been for years. A few saboteurs could, for example, bring down or modify systems that control critical parts of these infrastructures, such as energy production and distribution systems, air-traffic control systems, and others. We have become dependent on computers but fail to take the security of computers and networks seriously. And we will continue to fail to take the security of computers and networks seriously until some event (a security-related incident of unparalleled proportion, something that shocks the public) occurs. Perhaps this will manifest itself in the form of massive and prolonged power outages or even a jumbo jet crash caused by someone tampering with a computer.

Governments are not likely to take computer security more seriously if the public does not demand better security. Corporations are also not likely to take computer security more seriously unless stockholders press them, security-related losses mount dramatically, or a proliferation of lawsuits related to poor security practices occurs.

The need to respond effectively when security-related incidents occur has also increased proportionately to the growing level of threat. The main purpose of this book is to communicate to readers what they need to know not only to set up an incident response effort, but also to improve existing incident response efforts.

The concepts and principles presented throughout this book are not simply ideas we have fabricated. The authors have spent a large portion of their careers in computer and information security, helping organizations respond to incidents. Case studies from our firsthand experiences are included throughout this book. At the same time, however, we have attempted wherever possible to present models, projected trends, and other more theoretical concepts to encourage readers to think about incident response at a more conceptual level as well. The problem we face is indeed a very multifaceted one; computer science and information technology alone can solve only part of this problem. The human side is particularly important, especially when it comes to dealing with insider attacks. This book thus presents a broad perspective, covering a variety of technical, procedural, managerial, and psychological information. This broad perspective makes this book appropriate for readers with both technical and nontechnical backgrounds.



Incident Response. A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
EAN: 2147483647
Year: 2002
Pages: 103
