Educause Security Discussion mailing list archives
Re: Incident Classifications
From: Aaron Wade <agw8 () CORNELL EDU>
Date: Thu, 20 Dec 2007 11:41:14 -0500
Wes, I've found the Mercalli intensity scale to be highly accurate in terms of classifying the impact of an incident. It's easily adapted to incident categories and classifications. From barely noticeable - a lab system gets a virus - to many lab systems get a virus - and so on. All you have to do is plug in some threats * impact and you've got yourself some classifications.

I think your questions are best answered only if you've determined the operational criticality of the systems impacted and the sensitivity of those systems. For instance: Do you care if it connected to a botnet? You might if it's your HR system containing SSNs.

Hope that helps.

-Aaron

Aaron Wade, CCE
IT Security & Infrastructure Engineering
Information Technologies
Cornell University
mobile: 607.227.1067
office: 607.254.2721
I'm in the process of overhauling our current incident handling system that we've been running for a few years. I am at the point of revamping how we classify incidents and the questions struck me... "will this actually scale" and "at this point, do I actually care that it was connecting to a botnet"?

In the past we've used things such as:
Spamming
Virus
DDoS
Remote Compromise
Botnet
etc...

Coming purely from a network perspective, or even more so, a risk-management based perspective, do I really care what the host was doing while it was hosed? I'm more interested in classifying the risk of the incident longer term. Maybe a little more description than "Severity 1, 2, etc...", but along the same lines.... Something that describes the risk and makes it easy to tie to an easily perceptive value....

Does anyone know/have a commonly used framework for stuff like this?

--
Wes Young
Network Security Analyst
University at Buffalo
-----------------------------------------------
| my OpenID: | http://tinyurl.com/2zu2d3 |
-----------------------------------------------
Today is currently under construction. Thank you for understanding.
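The threats * impact idea from Aaron's reply, with impact built from operational criticality, data sensitivity and the number of systems hit, worked as an added example (not code from either post or from any published framework). The threat weights, the 1..5 scales and the Mercalli-style tier thresholds are constructed placeholders to be tuned locally.

```python
import math
from dataclasses import dataclass

# Constructed threat weights: what the host was doing is kept small relative
# to the asset term (1..25), so where it sits dominates the classification.
THREAT_WEIGHT = {"spamming": 1, "virus": 2, "ddos": 3, "botnet": 3, "remote_compromise": 4}

# Constructed Mercalli-style tiers: (minimum score, intensity label), ascending.
TIERS = [(0, "I barely noticeable"), (5, "III noticeable"), (15, "V significant"),
         (30, "VII severe"), (60, "X catastrophic")]

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # operational criticality, 1 (lab box) .. 5 (core service)
    sensitivity: int  # data sensitivity, 1 (public) .. 5 (SSNs, health records)

def impact(assets):
    """Impact of the affected set: the worst single asset (criticality x sensitivity)
    scaled by breadth, so 'many lab systems' outranks 'one lab system'."""
    if not assets:
        raise ValueError("an incident must affect at least one asset")
    for a in assets:
        if not (1 <= a.criticality <= 5 and 1 <= a.sensitivity <= 5):
            raise ValueError(f"{a.name}: criticality and sensitivity must be 1..5")
    worst = max(a.criticality * a.sensitivity for a in assets)
    breadth = 1 + int(math.log2(len(assets)))  # 1 box -> 1, 16 boxes -> 5
    return worst * breadth

def classify(threat, assets):
    """Return (score, tier label) for a threat category hitting the given assets."""
    score = THREAT_WEIGHT[threat.lower()] * impact(assets)
    label = TIERS[0][1]
    for floor, name in TIERS:
        if score >= floor:
            label = name
    return score, label

if __name__ == "__main__":
    lab = [Asset(f"lab-{i}", 1, 1) for i in range(16)]
    hr = [Asset("hr-db", 5, 5)]
    print(classify("virus", lab[:1]))  # one lab box with a virus
    print(classify("virus", lab))      # the whole lab with a virus
    print(classify("botnet", hr))      # HR system holding SSNs talking to a botnet
```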