Security Basics mailing list archives

RE: What defines an "incident"? - Part 2


From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 16 Feb 2006 16:22:19 +1100


<Is the correlation between a place and time required?  If so, what
constitutes the correlation factors?>

There will have to be a follow-up post on this. It could be said simply
that the source at a time signifies the attacker, but then we would also
need to look at the alternatives:
        1       Spoofed addresses
        2       Zombie and other compromised hosts
        3       Delayed attacks, etc.

Site as place could result in a single system or a distributed group.

Time (date) comes as:
        1       Reporting date  - the first date that the incident was recorded
        2       Starting date   - first known incident activity
        3       Ending date     - last known incident activity

"Correlation", now that is another can of worms.

More later,
Craig
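The grouping described in this thread (one action on one target is an event; events become an incident when they correlate on attackers, sites and timing; the incident then carries reporting, starting and ending dates) can be made concrete. The following Python is an added example and not code from anyone in the thread. It correlates on place and time only and treats the source address as the weakest factor, for the reasons Craig lists (spoofing, zombies), flagging an incident with several apparent sources rather than splitting on source. The `gap_hours` window is the knob for delayed attacks. The event records, site names and RFC 5737 addresses are constructed sample data.

```python
"""Correlate security events into incidents by site (place) and time.

Added illustration of the CERT/CC-style taxonomy discussed in the thread;
not from the thread itself. Sample data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """One action directed at one target: the taxonomy's notion of an event."""
    observed: datetime   # when the action was seen (drives starting/ending dates)
    recorded: datetime   # when responders logged it (drives the reporting date)
    source: str          # apparent attacker; may be spoofed or a zombie host
    site: str            # the place: a single system or a named group of systems
    action: str          # probe, scan, authenticate, bypass, flood, ...
    target: str


@dataclass
class Incident:
    """A group of events distinguished by site and timing."""
    site: str
    events: list = field(default_factory=list)

    @property
    def starting(self) -> datetime:          # first known incident activity
        return min(e.observed for e in self.events)

    @property
    def ending(self) -> datetime:            # last known incident activity
        return max(e.observed for e in self.events)

    @property
    def reporting(self) -> datetime:         # first date the incident was recorded
        return min(e.recorded for e in self.events)

    @property
    def sources(self) -> list:
        return sorted({e.source for e in self.events})

    @property
    def objectives(self) -> list:            # approximated here by the actions seen
        return sorted({e.action for e in self.events})

    @property
    def multi_source(self) -> bool:
        """More than one apparent attacker: distributed attack, zombies or spoofing."""
        return len(self.sources) > 1


def correlate(events, gap_hours=1.0):
    """Group events into incidents on place and time only.

    Events at the same site observed within `gap_hours` of the incident's last
    event join that incident regardless of source address, because the source
    is the least trustworthy factor. The window is the trade-off for delayed
    attacks: too small splits a slow attack into several incidents, too large
    merges unrelated activity at the same site.
    """
    gap = timedelta(hours=gap_hours)
    incidents = []
    open_by_site = {}
    for e in sorted(events, key=lambda ev: ev.observed):
        current = open_by_site.get(e.site)
        if current is None or e.observed - current.ending > gap:
            current = Incident(site=e.site)
            incidents.append(current)
            open_by_site[e.site] = current
        current.events.append(e)
    return incidents


def summarize(inc):
    """Flatten an incident into the fields an incident record would carry."""
    return {
        "site": inc.site,
        "reporting": inc.reporting,
        "starting": inc.starting,
        "ending": inc.ending,
        "sources": inc.sources,
        "objectives": inc.objectives,
        "multi_source": inc.multi_source,
        "events": len(inc.events),
    }


def _t(hour, minute):
    return datetime(2006, 2, 16, hour, minute)


# Constructed sample data (not from the thread); RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    Event(_t(10, 0),  _t(10, 30), "203.0.113.5",  "web-dmz",  "scan",   "www1"),
    Event(_t(10, 5),  _t(10, 30), "203.0.113.5",  "web-dmz",  "probe",  "www1"),
    Event(_t(10, 20), _t(10, 30), "198.51.100.7", "web-dmz",  "flood",  "www1"),
    Event(_t(10, 21), _t(10, 30), "198.51.100.8", "web-dmz",  "flood",  "www1"),
    Event(_t(10, 30), _t(11, 0),  "203.0.113.5",  "corp-lan", "scan",   "fs1"),
    Event(_t(14, 0),  _t(14, 5),  "203.0.113.5",  "web-dmz",  "bypass", "www1"),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(summarize(inc))
```

With the one-hour window the sample splits into three incidents: the morning activity against `web-dmz` (flagged multi-source because two flood sources joined the scanning host), the lone scan of `corp-lan`, and the 14:00 bypass attempt, which the window treats as a separate incident even though it shares a source with the first. Widening the window to six hours merges the bypass back into the first `web-dmz` incident, which is exactly the delayed-attack ambiguity the thread points at.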

-----Original Message-----
From: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Sent: 16 February 2006 2:33
To: Craig Wright; security-basics () securityfocus com
Subject: RE: What defines an "incident"? - Part 2

Henceforth, such that an "event" is either: (1) an un-acknowledged
"attack", or (2) is an "attack" that has not been proven as an "attack".

OK...makes sense regarding "incident" because it correlates to a place
and time.  Is the correlation between a place and time required?  If so,
what constitutes the correlation factors?

-rad

----- Original Message -----
From: Craig Wright [mailto:cwright () bdosyd com au]
To: Craig Wright [mailto:cwright () bdosyd com au],
security-basics () securityfocus com
Cc: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Subject: RE: What defines an "incident"? - Part 2



Hi again,

CERT/CC held a number of workshops in 1997/1998 with representatives
from the DoD, NIST, Sandia etc. One of the results from this was a
preliminary taxonomy for computer security terms.

From this an event was defined to involve one action and one
target.

To "steal" a quote without fully referencing it this time (hey, I have
to leave something for everyone else to look up...)

Event - An action directed at a target that is intended to result in a
change of state, or status, of the target.

A Process would thus include actions to probe, scan, authenticate,
bypass or flood a running computer process or execution thread.

Incident - A group of attacks that can be distinguished from other
attacks because of the attackers, attacks, objectives, sites, and
timing.

Etc. I can go on, or read the following:
Radatz, John, ed. (1996) "The IEEE Standard Dictionary of Electrical
and Electronics Terms", 6th ed. (NY: Institute of Electrical and
Electronics Engineers), p. 1087.

Howard, John D (April 1997) "An Analysis of Security Incidents on the
Internet, 1989-1995", PhD dissertation, Pittsburgh, PA: Dept. of
Engineering and Public Policy, Carnegie Mellon University (see also
http://www.cert.org)

So from this we have:
      People attack computers
      People attack for a variety of objectives (what they intend to
accomplish)


Regards
Craig



Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is
confidential.
If you are not the intended recipient, you must not use or disclose
the information. If you have received this email in error, please
inform us promptly by reply email or by telephoning +61 2 9286 5555.
Please delete the email and destroy any printed copy.


Any views expressed in this message are those of the individual
sender. You may not rely on this message as advice unless it has been
electronically signed by a Partner of BDO or it is subsequently
confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.
