Educause Security Discussion mailing list archives

Re: Security incident categories


From: David Treble <David.Treble () UMANITOBA CA>
Date: Thu, 20 Feb 2020 20:29:29 +0000

Hi Jim,

I was recently working on something similar for our new incident handling database and was able to find good 
inspiration from this group.

https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy

There is a PDF you can download that contains references to other taxonomies such as MISP Project taxonomy.

https://www.misp-project.org/taxonomies.html#_ecsirt

I created Major Categories and then aligned Sub-Types as well as adding an attack vector reference.  I didn’t like the 
alpha sort in the picklists, so I used the numbering system which was a bonus since that allowed me to better match the 
related sub-type to the major category and add/remove more in the future if necessary.

An example of a reported Laptop Theft would be:  60 Information Content Security – 61 Unauthorized access to 
information – Attack Vector: Theft or Loss of Asset

Not perfect, since this could also be an Intrusion, Availability or Information Gathering incident, but we can clarify 
this with Category/Sub-Type descriptions.  I’m not sure how well this will translate up to Executives outside IT just 
yet. Pretty fresh approach for us.  Executive report data tends to be reformatted anyway into selected pie charts, 
graphs, etc.  I don’t think we will be generating direct reports from these tracking categories.

David Treble
University of Manitoba


--
+++++++++++++++++++++++++++++++++
David Treble, CISM | IT Security Coordinator
Information Security & Compliance
E3-640 EITC | University of Manitoba
David.Treble () umanitoba ca<mailto:David.Treble () umanitoba ca> | 204.474.8340
Information Security starts with You!
+++++++++++++++++++++++++++++++++
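The numbering scheme described above (sub-type codes whose tens digit names the major category, so picklists sort by category and a sub-type can only ever be recorded under its own major) is small enough to encode directly. The following is an added example, not code from the message or from the University of Manitoba's incident database; only the "60 Information Content Security" / "61 Unauthorized access to information" pair and the "Theft or Loss of Asset" vector come from the message, and every other code, name and vector is a hypothetical placeholder. It derives the major from the sub-type, rejects a record whose sub-type and major disagree, renders the picklist string, and rolls incidents up by major category for an executive chart.

```python
from collections import Counter
from dataclasses import dataclass

# Picklists. Only the 60 / 61 pair and the "Theft or Loss of Asset" vector come
# from the message; the other entries are hypothetical placeholders.
MAJOR = {
    60: "Information Content Security",
    70: "Availability",                                  # hypothetical
}
SUB = {
    61: "Unauthorized access to information",
    62: "Unauthorized modification of information",      # hypothetical
    71: "Denial of Service",                             # hypothetical
}
ATTACK_VECTORS = {"Theft or Loss of Asset", "Phishing", "Exploitation"}  # last two hypothetical


def major_of(sub_code: int) -> int:
    """The tens digit of a sub-type code names its major category: 61 -> 60, 71 -> 70."""
    return sub_code // 10 * 10


@dataclass(frozen=True)
class Incident:
    ident: str
    major: int
    sub: int
    vector: str


def validate(inc: Incident) -> None:
    """Reject records whose picklist values are unknown or whose sub-type does not
    sit under the major category the record claims."""
    if inc.major not in MAJOR:
        raise ValueError(f"{inc.ident}: unknown major category {inc.major}")
    if inc.sub not in SUB:
        raise ValueError(f"{inc.ident}: unknown sub-type {inc.sub}")
    if major_of(inc.sub) != inc.major:
        raise ValueError(f"{inc.ident}: sub-type {inc.sub} does not belong to major {inc.major}")
    if inc.vector not in ATTACK_VECTORS:
        raise ValueError(f"{inc.ident}: unknown attack vector {inc.vector!r}")


def label(inc: Incident) -> str:
    """Render the picklist string in the form used in the message."""
    validate(inc)
    return (f"{inc.major} {MAJOR[inc.major]} - {inc.sub} {SUB[inc.sub]}"
            f" - Attack Vector: {inc.vector}")


def rollup(incidents) -> dict:
    """Counts per major category for an executive chart. The major is derived
    from the sub-type code, so a record cannot be counted under a major that
    disagrees with its sub-type."""
    counts = Counter()
    for inc in incidents:
        validate(inc)
        counts[MAJOR[major_of(inc.sub)]] += 1
    return dict(counts)


def add_subtype(code: int, name: str) -> None:
    """Adding a sub-type later only needs a free code in the right decade."""
    if major_of(code) not in MAJOR:
        raise ValueError(f"no major category for code {code}")
    if code in SUB:
        raise ValueError(f"code {code} already in use")
    SUB[code] = name


if __name__ == "__main__":
    laptop = Incident("INC-0001", 60, 61, "Theft or Loss of Asset")  # constructed record
    print(label(laptop))
```

The validator is the part worth keeping: with free-text or alphabetic picklists nothing stops a record from carrying a sub-type from one category under the major of another, and the mismatch only shows up later as a chart that does not add up.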

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Jim A. Bole" 
<jbole () STEVENSON EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, February 20, 2020 at 2:00 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Security incident categories

ISO good list of security incident categories. I am looking for something that works for formal IR Plans and can 
establish helpful metrics, especially for leadership outside of infosec/IT.

I like the federal guidelines (https://www.us-cert.gov/government-users/reporting-requirements) but I don’t think they 
cover some categories I think are important:

- Phishing attacks, especially BEC incidents with no technology compromise, just social engineering. Think 
gift card scams.

- Data breaches, especially those requiring formal notification (HIPAA, PCI, etc.). I think those types of 
incidents require their own category for tracking.

- Loss/theft of equipment. I’ve typically had to track these, especially when internal drives weren’t 
encrypted. Not sure if this one is still relevant.

I’d be interested if anyone has anything better. I modified the fed categories a bit and came up with:


Category 0 - Test/Exercise

Used for any approved test or exercise, such as internal or external network penetration tests.



Category 1 - Data Theft

Any attempted or successful destruction, manipulation, or disclosure of sensitive, confidential or proprietary 
information. Includes any incident requiring breach notification or resulting in financial loss (Business Email 
Compromise - BEC). Does not include most typical phishing attacks/attempts (Category 5).



Category 2 - Denial of Service

An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or 
applications by exhausting resources. This activity includes being the victim or participating in the DoS.



Category 3 - Compromised technology asset

Any incident that results in the compromise of a technology asset: host, network device, account, service etc. Includes 
malware-infected hosts and account compromise due to a successful credential-harvesting phishing attack.



Category 4 - Improper Usage

Any violation of acceptable computing use policies.



Category 5 - Phishing

An attempt to collect sensitive information via electronic communication, including email, social media accounts, 
SMS/text, phone call, etc. Does not include account takeovers after successful credential harvesting (Category 3) or



Category 6 - Investigation

Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant 
further review. This also includes any activities that do not have measurable impact - scans, probes or unsuccessful 
attempts at access.



Category 7 - Loss or Theft of Equipment

The loss or theft of a computing device or media storing sensitive information.


Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696
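The category definitions above cross-reference each other ("Does not include ... (Category 3)", "Includes ... BEC"), which only yields consistent metrics if every incident is tested against the categories in a fixed order. The following is an added example, not code from the message or from Stevenson University's IR plan: it encodes the eight categories as a classifier over a small set of established facts about an incident and counts results by category for a leadership report. The fact fields, the precedence order (Data Theft before Compromised asset, asset before DoS, equipment loss before a bare phishing lure, with a notifiable loss of unencrypted media landing in Category 1) and the sample incidents are this example's assumptions.

```python
from collections import Counter
from dataclasses import dataclass

CATEGORIES = {
    0: "Test/Exercise",
    1: "Data Theft",
    2: "Denial of Service",
    3: "Compromised technology asset",
    4: "Improper Usage",
    5: "Phishing",
    6: "Investigation",
    7: "Loss or Theft of Equipment",
}


@dataclass(frozen=True)
class Observation:
    """Facts established about an incident. The field set is an assumption of this example."""
    approved_test: bool = False           # sanctioned pentest or exercise
    confirmed: bool = True                # False while still anomalous/unconfirmed
    notification_required: bool = False   # HIPAA/PCI style breach notification owed
    financial_loss: bool = False          # e.g. a BEC gift-card scam that paid out
    sensitive_data_exposed: bool = False
    asset_compromised: bool = False       # host, account, device or service actually taken over
    dos_impact: bool = False              # service impaired, as victim or participant
    equipment_lost: bool = False          # device or media with sensitive data lost or stolen
    phishing_attempt: bool = False        # lure received or reported, any channel
    policy_violation: bool = False        # acceptable-use violation


def classify(o: Observation) -> int:
    """Evaluate in a fixed order so the 'does not include (Category N)' cross-references resolve."""
    if o.approved_test:
        return 0
    if not o.confirmed:
        return 6
    if o.notification_required or o.financial_loss or o.sensitive_data_exposed:
        return 1   # BEC with a loss, and notifiable breaches, land here even if a phish started it
    if o.asset_compromised:
        return 3   # credential-harvesting phish that led to account takeover is Category 3, not 5
    if o.dos_impact:
        return 2
    if o.equipment_lost:
        return 7
    if o.phishing_attempt:
        return 5   # the lure alone: no compromise and no loss
    if o.policy_violation:
        return 4
    return 6       # scans, probes, failed access attempts: no measurable impact


def report(observations) -> dict:
    """Counts by category name, the shape a leadership chart is usually built from."""
    counts = Counter(CATEGORIES[classify(o)] for o in observations)
    return {name: counts.get(name, 0) for name in CATEGORIES.values()}


# Constructed sample incidents for the demonstration.
SAMPLE = [
    Observation(approved_test=True),                                # external pentest
    Observation(phishing_attempt=True, financial_loss=True),        # gift-card BEC, no system touched
    Observation(phishing_attempt=True, asset_compromised=True),     # creds harvested, mailbox taken over
    Observation(phishing_attempt=True),                             # lure reported, nobody bit
    Observation(equipment_lost=True),                               # encrypted laptop stolen, no notification
    Observation(equipment_lost=True, notification_required=True),   # unencrypted drive stolen
    Observation(),                                                  # port scan, no impact
    Observation(confirmed=False),                                   # odd login pattern under review
]

if __name__ == "__main__":
    for name, n in report(SAMPLE).items():
        print(f"{n:3d}  {name}")
```

Whatever order is chosen, writing it down as code (or as the ordered decision list it amounts to) is what makes the counts comparable quarter to quarter; two analysts reading the prose definitions alone can reasonably file the same BEC under Category 1 or Category 5.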




