Re: Incident Classifications

[Bill Brinkley <wbbrinkley () GMAIL COM>]

Our classifications are a combination of a category and severity (critical,
high, medium or low). Several of our categories are from NIST Special
Publication 800-61 revision 1:
http://csrc.nist.gov/publications/drafts/sp800-61-rev1/Draft-SP800-61rev1.pdf

Investigation
Penetration Testing
Scans/Recon
Protected Information
Denial of Service
Malicious Code
Unauthorized Access
Inappropriate Usage
Multiple Component

--
Bill Brinkley
Sr. Security Analyst


On Dec 20, 2007 12:08 PM, Hull, Dave <dphull () ku edu> wrote:

> Like Aaron Wade said, classifying the incident is going to depend to
> some extent on the data that is on the compromised machine. In my past
> life in a higher ed IT Security Office, our first questions asked after
> discovering an compromised host went to the nature of the data on the
> system. Was it HIPAA, FERPA or research covered by NDA or less sensitive
> data?
>
> Based on the answers to those questions we would escalate to full scale
> forensics or tell the admin in charge to wipe the system, reinstall,
> patch, etc.
>
> Our "classification" system consisted of two different categories, "red
> pill" or "blue pill". If it was a blue pill, the story ended and we
> would return to business as usual, if it was a red pill then we'd have
> to venture down the rabbit hole and things would get interesting.
>
> Good luck.
>
> --
> Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI
> Director of Technology
> KU School of Architecture & Urban Planning
> Tel. 785.864.2629
> Fax  785.864.5393
>
>
> "The free world says that software is the embodiment of knowledge about
> technology, which needs to be free in the same way that mathematics is
> free."
> -- Eben Moglen, Software Freedom Law Center
>
> -----Original Message-----
> From: Wes Young [mailto:wcyoung () BUFFALO EDU]
> Sent: Thursday, December 20, 2007 10:11 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Incident Classifications
>
> I'm in the process of overhauling our current incident handling system
> that we've been running for a few years. I am at the point of revamping
> how we classify incidents and the questions struck me... "will this
> actually scale" and "at this point, do I actually care that it was
> connecting to a botnet"?
>
> In the past we've used things such as:
>
> Spamming
> Virus
> DDos
> Remote Compromise
> Botnet
>
> etc...
>
>
> Coming purely from a network perspective, or even more so, a
> risk-management based perspective, do I really care what the host was
> doing while it was hosed? I'm more interested in classifying the risk of
> the incident longer term. Maybe a little more description than "Severity
> 1, 2, etc...", but along the same lines.... Something that describes the
> risk and makes it easy to tie to an easily perceptive value....
>
> Does anyone know/have a commonly used framework for stuff like this?
> --
> Wes Young
> Network Security Analyst
> University at Buffalo
>  -----------------------------------------------
> | my OpenID:        | http://tinyurl.com/2zu2d3 |
>  -----------------------------------------------
>
> Today is currently under construction. Thank you for understanding.