Educause Security Discussion mailing list archives
Security incident categories
From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Thu, 20 Feb 2020 19:59:53 +0000
ISO good list of security incident categories. I am looking for something that works for formal IR Plans and can establish helpful metrics, especially for leadership outside of infosec/IT. I like the federal guidelines (https://www.us-cert.gov/government-users/reporting-requirements) but I don't think they cover some categories I think are important:

- Phishing attacks, especially BEC incidents with no technology compromise, just social engineering. Think gift card scams.
- Data breaches, especially those requiring formal notification (HIPAA, PCI, etc.). I think those types of incidents require their own category for tracking.
- Loss/theft of equipment. I've typically had to track these, especially when internal drives weren't encrypted. Not sure if this one is still relevant.

I'd be interested if anyone has anything better. I modified the fed categories a bit and came up with:

Category 0 - Test/Exercise
Used for any approved test or exercise, such as internal or external network penetration tests.

Category 1 - Data Theft
Any attempted or successful destruction, manipulation, or disclosure of sensitive, confidential or proprietary information. Includes any incident requiring breach notification or resulting in financial loss (Business Email Compromise - BEC). Does not include most typical phishing attacks/attempts (Category 5).

Category 2 - Denial of Service
An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.

Category 3 - Compromised technology asset
Any incident that results in the compromise of a technology asset: host, network device, account, service, etc. Includes malware-infected hosts and account compromise due to a successful credential-harvesting phishing attack.

Category 4 - Improper Usage
Any violation of acceptable computing use policies.

Category 5 - Phishing
An attempt to collect sensitive information via electronic communication, including email, social media accounts, SMS/text, phone call, etc. Does not include account takeovers after successful credential harvesting (Category 3) or

Category 6 - Investigation
Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. This also includes any activities that do not have measurable impact - scans, probes or unsuccessful attempts at access.

Category 7 - Loss or Theft of Equipment
The loss or theft of a computing device or media storing sensitive information.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696
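The cross-references in the scheme above (Category 1 absorbing notifiable breaches and BEC losses, a phish that harvests credentials becoming Category 3, unconfirmed or no-impact activity landing in Category 6) only give useful leadership metrics if every intake applies them in the same order. The following is an added Python example, not code from the message or from EDUCAUSE; the `Incident` fields, the `kind` values and the precedence order are my assumptions about how the categories would be applied.

```python
from collections import Counter
from dataclasses import dataclass

# Labels as defined in the post above.
CATEGORIES = {
    0: "Test/Exercise", 1: "Data Theft", 2: "Denial of Service",
    3: "Compromised technology asset", 4: "Improper Usage",
    5: "Phishing", 6: "Investigation", 7: "Loss or Theft of Equipment",
}

@dataclass
class Incident:
    """Hypothetical intake record; field names are assumptions, not a real schema."""
    kind: str                            # phishing | dos | malware | policy | lost_device | other
    confirmed: bool = True               # False: unconfirmed/anomalous, no measurable impact
    approved_test: bool = False          # sanctioned pentest or exercise
    creds_harvested: bool = False        # the phish actually captured credentials
    financial_loss: bool = False         # e.g. a gift-card BEC that paid out
    notification_required: bool = False  # HIPAA/PCI-style breach notification

def categorize(inc: Incident) -> int:
    """Precedence (assumed): tests, then unconfirmed activity, then the exclusions
    written into Category 1 and Category 5, then the plain incident kinds."""
    if inc.approved_test:
        return 0
    if not inc.confirmed:
        return 6
    if inc.financial_loss or inc.notification_required:
        return 1  # BEC loss or notifiable breach outranks "phishing"/"lost device"
    if inc.kind == "phishing":
        return 3 if inc.creds_harvested else 5  # account takeover -> Category 3
    return {"dos": 2, "malware": 3, "policy": 4, "lost_device": 7}.get(inc.kind, 6)

def summarize(incidents):
    """Per-category counts under the leadership-facing labels (all eight, zeros kept)."""
    counts = Counter(categorize(i) for i in incidents)
    return {CATEGORIES[c]: counts.get(c, 0) for c in CATEGORIES}

# Constructed sample intake for one reporting period.
SAMPLE = [
    Incident("phishing"),                                 # generic phish, no impact
    Incident("phishing", creds_harvested=True),           # mailbox taken over
    Incident("phishing", financial_loss=True),            # gift-card BEC that paid out
    Incident("malware"),                                  # infected host
    Incident("other", confirmed=False),                   # port scan, no impact
    Incident("lost_device", notification_required=True),  # unencrypted laptop with PHI
    Incident("other", approved_test=True),                # red-team exercise
]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).items():
        print(f"{label:32s} {n}")
```

Note that a lost laptop that triggers notification rolls up under Data Theft rather than Loss or Theft of Equipment, which is what the Category 1 wording implies; if leadership wants both views, record the kind and the category separately.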