Security Basics mailing list archives

FW: Security incident or operational incident?


From: "Laundrup, Jens" <Jens.Laundrup () METROKC GOV>
Date: Thu, 12 Oct 2006 08:12:52 -0700

From the sounds of it, someone needs a little more training!

I would say it is a security incident even though there is no malicious
intent.  It has impacted the security state of the network.  An
unauthorized action by an authorized user (in this case an admin) is a
security issue regardless of intent (we are assuming it was an accident,
but what if the admin purposely did it?  Can you prove their intent?).

A security program should have a series of "buckets" wherein security
incidents are categorized and each bucket has a series of actions
associated with it.  Depending on what security framework your
management has opted to use and how structured it is determines how
complex it is.

Example:

Category A - Seriously jeopardized security/integrity/availability
 
Category B - Jeopardized security/integrity/availability

Category C - Affected security/integrity/availability posture

Category D - Did not affect security/integrity/availability 

Class 1 - Directed malicious intent by a person/program

Class 2 - Undirected malicious intent by a person/program

Class 3 - Unauthorized action by an authorized person/program

Class 4 - Authorized action by an authorized person/program

Then classify each incident based on this and for each crossroads,
identify the action.  What you had was a C3 incident. 

A worm in the wild that brings down your network is an A2.

A script kiddie that does not like your post and brings down your
network is an A1.

As long as you can place it in the matrix, consider it a security item.
Some should just be logged and forgotten (until it becomes habitual),
others require some real action.  


Jens 
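The category/class matrix described above, as an added Python example that is not part of the original message: it derives the matrix cell for an incident and picks a handling action. The per-cell actions, the HABITUAL_LIMIT threshold and the actor names are assumptions for illustration, not something the post specifies.

```python
from collections import Counter

# Impact categories and intent classes as listed in the post; a matrix cell is
# the category letter followed by the class number, e.g. "C3".
CATEGORY = {"A": "seriously jeopardized", "B": "jeopardized",
            "C": "affected posture", "D": "did not affect"}
CLASS = {"directed": 1, "undirected": 2, "unauthorized": 3, "authorized": 4}

# Assumed handling rule (not from the post): A/B cells always get a real
# response; C/D cells are only logged, unless the same actor lands in the
# same cell more than HABITUAL_LIMIT times, at which point it escalates.
HABITUAL_LIMIT = 2


class IncidentMatrix:
    def __init__(self):
        # (actor, cell) -> number of times that actor produced that cell
        self.history = Counter()

    def cell(self, impact, intent):
        """Return the matrix cell, e.g. ("C", "unauthorized") -> "C3"."""
        if impact not in CATEGORY or intent not in CLASS:
            raise ValueError(f"unknown impact {impact!r} or intent {intent!r}")
        return f"{impact}{CLASS[intent]}"

    def record(self, actor, impact, intent):
        """Log one incident and return (cell, action)."""
        c = self.cell(impact, intent)
        self.history[(actor, c)] += 1
        if impact in ("A", "B"):
            action = "respond"
        elif self.history[(actor, c)] > HABITUAL_LIMIT:
            action = "escalate"   # "logged and forgotten" no longer applies
        else:
            action = "log"
        return c, action


if __name__ == "__main__":
    m = IncidentMatrix()
    # Constructed sample incidents mirroring the three cases in the post.
    print(m.record("admin1", "C", "unauthorized"))  # accidental OU deletion
    print(m.record("worm", "A", "undirected"))      # worm in the wild
    print(m.record("kiddie", "A", "directed"))      # targeted attacker
```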


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of ttate () ctscorp com
Sent: Tuesday, October 10, 2006 1:06 AM
To: security-basics () securityfocus com
Subject: Security incident or operational incident?

As we all know, the tenets of information security are confidentiality,
integrity & availability. How do you separate out an operational
incident from a security incident? For example, is it a security
incident or operational incident when an admin accidentally deletes an
OU in AD containing users or computers when working in the GPO
management console? The admin is authorized to perform any and all tasks
in AD. In this case, by deleting the OU, the users no longer had access
to the system, hence the availability tenet comes into play. But the
issue was not caused by some malicious intent but by a perceived flaw in
the Microsoft application. Who would think that you could delete OUs in
the GPO management console? 
Thanks for your thoughts. 
Regards, 
Troy

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------