Educause Security Discussion mailing list archives
Re: Incident Classifications
From: Bill Brinkley <wbbrinkley () GMAIL COM>
Date: Thu, 20 Dec 2007 20:28:43 -0500
Our classifications are a combination of a category and severity (critical, high, medium or low). Several of our categories are from NIST Special Publication 800-61 revision 1: http://csrc.nist.gov/publications/drafts/sp800-61-rev1/Draft-SP800-61rev1.pdf

Investigation
Penetration Testing
Scans/Recon
Protected Information
Denial of Service
Malicious Code
Unauthorized Access
Inappropriate Usage
Multiple Component

--
Bill Brinkley
Sr. Security Analyst

On Dec 20, 2007 12:08 PM, Hull, Dave <dphull () ku edu> wrote:
Like Aaron Wade said, classifying the incident is going to depend to some extent on the data that is on the compromised machine. In my past life in a higher ed IT Security Office, our first questions asked after discovering a compromised host went to the nature of the data on the system. Was it HIPAA, FERPA or research covered by NDA, or less sensitive data? Based on the answers to those questions we would escalate to full scale forensics or tell the admin in charge to wipe the system, reinstall, patch, etc.

Our "classification" system consisted of two different categories, "red pill" or "blue pill". If it was a blue pill, the story ended and we would return to business as usual; if it was a red pill then we'd have to venture down the rabbit hole and things would get interesting.

Good luck.

--
Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI
Director of Technology
KU School of Architecture & Urban Planning
Tel. 785.864.2629
Fax 785.864.5393

"The free world says that software is the embodiment of knowledge about technology, which needs to be free in the same way that mathematics is free." -- Eben Moglen, Software Freedom Law Center

-----Original Message-----
From: Wes Young [mailto:wcyoung () BUFFALO EDU]
Sent: Thursday, December 20, 2007 10:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Incident Classifications

I'm in the process of overhauling our current incident handling system that we've been running for a few years. I am at the point of revamping how we classify incidents and the questions struck me... "will this actually scale" and "at this point, do I actually care that it was connecting to a botnet"?

In the past we've used things such as:

Spamming
Virus
DDoS
Remote Compromise
Botnet
etc...

Coming purely from a network perspective, or even more so, a risk-management based perspective, do I really care what the host was doing while it was hosed? I'm more interested in classifying the risk of the incident longer term.

Maybe a little more description than "Severity 1, 2, etc...", but along the same lines.... Something that describes the risk and makes it easy to tie to an easily perceptive value.... Does anyone know/have a commonly used framework for stuff like this?

--
Wes Young
Network Security Analyst
University at Buffalo
-----------------------------------------------
| my OpenID: | http://tinyurl.com/2zu2d3 |
-----------------------------------------------
Today is currently under construction. Thank you for understanding.
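The two schemes in this thread fit together: Bill Brinkley's NIST SP 800-61 category plus a critical/high/medium/low severity, and Dave Hull's first triage question (what data was on the compromised host, and does that send it down the "red pill" path to full forensics or the "blue pill" path to wipe, reinstall and patch). The following Python is an added example, not code from any poster or institution; the category names are Bill's list and the data classes (HIPAA, FERPA, NDA) are Dave's, while the numeric weights, the severity thresholds, the red/blue rule and the sample incidents are assumptions made up for the example.

```python
# Added example: a small incident-triage model combining a NIST SP 800-61
# category, a four-level severity, and a data-sensitivity test that decides
# whether an incident escalates to forensics ("red") or to wipe/reinstall ("blue").
from dataclasses import dataclass, field

# Categories from Bill Brinkley's message. The base risk per category is an
# assumption for this example, not something the thread states.
CATEGORY_BASE = {
    "Investigation": 1,
    "Penetration Testing": 1,
    "Scans/Recon": 1,
    "Protected Information": 3,
    "Denial of Service": 2,
    "Malicious Code": 2,
    "Unauthorized Access": 3,
    "Inappropriate Usage": 1,
    "Multiple Component": 3,
}

# Data classes from Dave Hull's message; the weights are assumptions.
DATA_WEIGHT = {"HIPAA": 3, "FERPA": 2, "NDA": 2, "public": 0}


@dataclass
class Incident:
    ident: str
    category: str
    data_classes: list = field(default_factory=list)


def score(incident):
    """Numeric risk: category base plus the most sensitive data class present."""
    if incident.category not in CATEGORY_BASE:
        raise ValueError(f"unknown category: {incident.category!r}")
    data = max((DATA_WEIGHT.get(d, 0) for d in incident.data_classes), default=0)
    return CATEGORY_BASE[incident.category] + data


def severity(incident):
    """Map the score onto critical/high/medium/low (thresholds are assumptions)."""
    s = score(incident)
    if s >= 5:
        return "critical"
    if s >= 4:
        return "high"
    if s >= 2:
        return "medium"
    return "low"


def pill(incident):
    """Two-bucket triage in the spirit of Dave's red pill / blue pill.

    Assumed rule: any regulated or NDA-covered data on the host, or a
    high/critical severity, means full forensics ("red"); otherwise the
    machine is wiped, reinstalled and patched ("blue").
    """
    regulated = any(DATA_WEIGHT.get(d, 0) > 0 for d in incident.data_classes)
    if regulated or severity(incident) in ("high", "critical"):
        return "red"
    return "blue"


def triage(incidents):
    """Return (id, category, severity, pill, score) rows, most risky first."""
    rows = [(i.ident, i.category, severity(i), pill(i), score(i)) for i in incidents]
    # sorted() is stable, so equal scores keep their arrival order.
    return sorted(rows, key=lambda r: r[4], reverse=True)


def sample_incidents():
    """Constructed sample data for the example (not real incidents)."""
    return [
        Incident("INC-1", "Malicious Code"),
        Incident("INC-2", "Unauthorized Access", ["FERPA"]),
        Incident("INC-3", "Scans/Recon"),
        Incident("INC-4", "Malicious Code", ["HIPAA"]),
        Incident("INC-5", "Denial of Service", ["public"]),
    ]


if __name__ == "__main__":
    for ident, cat, sev, colour, s in triage(sample_incidents()):
        print(f"{ident:6} {cat:22} {sev:9} {colour:5} score={s}")
```

The point of the ordering is the one Wes raises: two "Malicious Code" incidents that look identical from the network land in different buckets once the data on the host is taken into account, which is what a longer-term risk classification has to capture.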
Current thread:
- Incident Classifications Wes Young (Dec 20)
- Re: Incident Classifications Aaron Wade (Dec 20)
- Re: Incident Classifications Roger Safian (Dec 20)
- Re: Incident Classifications Hull, Dave (Dec 20)
- Re: Incident Classifications Bill Brinkley (Dec 20)
- Re: Incident Classifications Wes Young (Dec 24)