Re: What defines an "incident"?

[Bob Radvanovsky <rsradvan () unixworks net>]

The reason for the series of definitions and questions pertains to the apparent ignorance and either misuse, or overuse 
of terminology that is inconsistent with one another, both discussed here and elsewhere.  Thus, I took it upon myself 
to *define* those terms.  Personally, I liked Dr. Wright's clarification of several of those definitions.  Yes, I 
realize that they are dealing with semantical issues ("light red" versus "rose" -- that sort of thing), but make no 
mistake about them, though.  An incorrect statement in front of press or someone important within your organization can 
mean the difference between that individual having a job versus being unemployed (of which, I ask -- humbly -- let's 
NOT get into IT-related HR laws, shall we?).  The fact is, is that people (usually management) misconstrue the context 
of the message(s) being conveyed, thus misinterpretting their meaning and significance, sometimes overreacting to 
something that should have simply been left alone to only as a memo on someone's desk (case in point, from the movie 
"The Hunt for Red October": "Next time, write a memo!").

In some circumstances (and you, Mr. Gucinski should know this all too well) is that organizations that place extremely 
high value and importance on money or people get skittish when someone makes a comments that their "network is being 
attacked."  This doesn't make too well, esp. for a late Friday afternoon at 4 PM when everyone's ready to go home for 
the weekend.  ;))  So...yeah, I *do* think it's relevant that we define the meaning and significance of some of these 
terms that you and I (and 1/2 a beeellion other people) have read, is that people interchangeably use these words in 
the wrong context.  Therefore, I want to see about setting that straight.  Nothing more...

Hopefully, I've clarified things a tad bit further...

-r

P.S.  I like your clarifications, too.  Nice...  ;))

----- Original Message -----
From: Jon Gucinski [mailto:Jgucinski () midwestbank com]
To: security-basics () securityfocus com
Subject: Re: What defines an "incident"?


> This is purely from my current organization's standpoint...every place
> i've worked has had a slightly different take on it.  
>
> An event is "any observable occurrence in a system or network that is
> viewed as customary or consistent with normal usage".  
>
> An adverse event (I personally dislike that term) is defintes as 
> "events with negative consequences such as system stoppages, network
> traffic floods, unauthorized use of system privileges, unauthorized
> access to information, unauthorized use of information, the introduction
> of malicious code, or any combination of these."
>
> We'd further investigate an adverse event before labeling it an
> "incident" and convening the CIRT.  We call an incident "An actual or
> imminent threat of violation of the information security or acceptable
> use policies"
>
> I find that having too many synonyms (i.e., scenario, situation, event,
> incident) brings too much complexity to what is often a stressful
> situation. 
>
> -Jon
>
> > > > Bob Radvanovsky <rsradvan () unixworks net> 2/11/2006 10:20 am >>>
> This debate, of course, is all in good fun and purely meant as a
> "learning experience".  I'm sure that other who read this will (no
> doubt) agree with me.
>
> As such, what qualifies between something defined as an "event", versus
> an "occurence", versus an "incident", versus a "situation"?
>
> Defined, an "event" is:
>
> "In probability theory, an event is a set of outcomes (a subset of the
> sample space) to which a probability is assigned.  Typically, any subset
> of the sample space is an event (i.e. all elements of the power set of
> the sample space are events), but when defining a probability space it
> is possible to exclude certain subsets of the sample space from being
> events."
>
> URL: http://en.wikipedia.org/wiki/Event_(probability_theory)
>
> From what I've found the definition of "occurence" signifies a state or
> period in time that an event occurred.  Beyond that, nothing else seems
> to describe that definition.
>
> Defined, an "incident" is:
>
> "Any event which is not part of the standard operation of a service and
> which causes, or may cause, an interruption to, or a reduction in, the
> quality of that service."
>
> URL:
> http://www.dream-catchers-inc.com/White%20Papers/glossary_of_terms-AM.htm
>
>
> Subsequently, "incident" is subset to "incidental" as defined as:
>
> "((sometimes followed by `to') minor or casual or subordinate in
> significance or nature or occurring as a chance concomitant or
> consequence) "incidental expenses"; "the road will bring other
> incidental advantages"; "extra duties incidental to the job"; "labor
> problems incidental to a rapid expansion"; "confusion incidental to a
> quick change"."
>
> URL: http://wordnet.princeton.edu/perl/webwn?s=incident 
>
> Consequently, people have interchangably used the word "situation" in
> lieu of "incident" or "event"; thus, the definition of "situation" is:
>
> "A position or condition with regard to circumstances, the combination
> of circumstances at any given time, a difficult or critical state of
> affairs; any significant combination of circumstances developing in the
> course of an event. The objective conditions immediately affecting an
> individual."
>
> URL: http://method.vtheatre.net/dict.html 
>
> NOTE: Mind you, this refers to actors in a play, and the course of
> events that lead to a climax within the plot; however, it can imply a
> course or series of events which may be applied to real-life scenarios,
> thus implicating an "act" (if you will).
>
> In legal terms, the choice of a word can depend upon the severity (and
> its significance) of the event.  Having recently been chewed out by a
> superior officer last year about the incorrect use of the word
> "incident", law enforcement would prefer -- at least in public -- using
> alternative words such as "occurence" or "event" to describe whatever
> transpired.  An "incident", "situation" or "scenario" signifies
> importance towards an event that has transpired, and thus, if the
> culprit responsible for the event is watching television or listening to
> the radio, is being empowered by an officiant making claim to their
> "incident".  Additionally, identifying the course of circumstances which
> transpired to as an "event" or "events" unempowers the state of the
> condition following the circumstances leading to or from the event. 
> Essentially, you've taken whomever's "wind out of their sails".
>
> And, from a liability perspective, the choice of the words "event" or
> "occurence" provides little significance towards any acts committed as
> being a purposeful "attack" or act of violence.  If you were a
> stockholder to a larger company, and someone had maliciously attacked a
> server with a barrage of attack methods, your first role is
> "containment", attempting to "contain" the event.  This means calming
> down stockholders who may be upset about the attack.  Secondly, if the
> attack was successful, and you have determined it as such, if there was
> loss of property, financial information, or life, then changing to
> another word with greater significance will greater bearing esp. if/when
> the individual or group of individuals is apprehended.  If nothing has
> been determined, the attack attempt remains just that, an attempt, or
> "event".
>
> Be careful in your choice of words, as they have significance and pose
> more bearing and meaning psychologically to most people.  If you misuse
> a word inappropriately, you can sometimes cause panic or states of
> confusion (or dismay) when there are no reasons for such conditions. 
> Thus, choose your words *carefully*.
>
> Until an "attack attempt" has been: (1) proven as an "attack", (2) was
> successful, and (3) have an idea as to who is responsible for the attack
> attempt -- the current state leading from the course of circumstances
> would remain as an "event" -- nothing more.
>
> I've included the previous comments from a "virus attack" in reference
> to his definition of an "incident".  Comments anyone (yeah, I
> know...I've got to be INSANE to ask, but I am...)
>
> -rad
>
>
> ----- Original Message -----
> From: Craig Wright [mailto:cwright () bdosyd com au] 
> To: dave kleiman [mailto:dave () davekleiman com] 
> Cc: security-basics () securityfocus com 
> Subject: RE: Forensic/Cyber Crime Investigator
>
>
> > Definately friendly. Please do not see anything in any other manner.
> >  
> > I am firstly enjoying the debate and secondly debate is the heart of
> > knowledge. Even if neither party comes to an agreement on terms at
> least a
> > good debate on the subject should give each party a better
> understanding of
> > their own perspective and a more logical manner of comprehension.
> >  
> > More on the other responses later this morning...
> >  
> > Regards
> > Craig
> >
> >     -----Original Message----- 
> >     From: dave kleiman [mailto:dave () davekleiman com] 
> >     Sent: Fri 10/02/2006 3:44 AM 
> >     To: security-basics () securityfocus com 
> >     Cc: 
> >     Subject: RE: Forensic/Cyber Crime Investigator
> >     Craig,
> >     
> >     I hope you are taking this as a friendly discussion
> >     
> >     Answers inline..
> >     
> >          -----Original Message-----
> >          From: Craig Wright
> >        
> >         
> >          Virus attacks etc as you put are incidents. The average
> >          (and all but maybe a rare exception) organisation will
> >          treat these as incidents. They do not take them to court
> >          nor have the intention of doing such. To take your Virus
> >          example. This is an incident, it requires a response. It
> >          does not require a forensic analysis of the system, nor
> >          would this be generally done..... etc
> >     
> >      
> >
> >
> > Liability limited by a scheme approved under Professional Standards
> > Legislation in respect of matters arising within those States and
> > Territories of Australia where such legislation exists.
> >
> > DISCLAIMER
> > The information contained in this email and any attachments is
> confidential.
> > If you are not the intended recipient, you must not use or disclose
> the
> > information. If you have received this email in error, please inform
> us
> > promptly by reply email or by telephoning +61 2 9286 5555. Please
> delete the
> > email and destroy any printed copy.  
> >
> > Any views expressed in this message are those of the individual
> sender. You
> > may not rely on this message as advice unless it has been
> electronically
> > signed by a Partner of BDO or it is subsequently confirmed by letter
> or fax
> > signed by a Partner of BDO.
> >
> > BDO accepts no liability for any damage caused by this email or its
> > attachments due to viruses, interference, interception, corruption
> or
> > unauthorised access.
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting
> experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity
> Planning,
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus 
> ---------------------------------------------------------------------------
>
>
> NOTICE: This electronic mail message and any files transmitted with 
> it are intended exclusively for the individual or entity to which it 
> is addressed. The message, together with any attachment, may contain 
> confidential and/or privileged information. Any unauthorized review, 
> use, printing, saving, copying, disclosure or distribution is 
> strictly prohibited. If you have received this message in error, 
> please immediately advise the sender by reply email and delete all 
> copies.
>
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management 
> education and the case study affords you unmatched consulting experience. 
> Tailor your education to your own professional goals with degree 
> customizations including Emergency Management, Business Continuity Planning,
>
> Computer Emergency Response Teams, and Digital Investigations. 
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------