Re: Security incident categories

[Frank Barton <bartonf () HUSSON EDU>]

To branch off from this a little bit... how do folks categorize third-party
incidents that have an impact on their institution?

I'm thinking of, for example, the recent Front Rush data exposure. There's
no question that it was an incident on their end, but how are folks
categorizing it on their end?

Frank

On Fri, Feb 21, 2020 at 8:50 AM Jim A. Bole <jbole () stevenson edu> wrote:

> David,
>
>
>
> This is great! I’m intrigued in including vulnerability as a top-level
> category. It would be a great way to emphasize vulnerability management.
>
>
>
> I’d still like to have some way to classify any test. I’m thinking it
> would be a “type” under top-level, to be able to differentiate between a
> network pen-test from phishing simulation.
>
>
>
> And I also would like to classify investigations/efforts that turn out to
> be false positives or non-incidents. Again, I’m thinking it would be a type
> rather than at top-level category.
>
>
>
> Also, the enisa threat taxonomy also looks interesting.
>
>
>
> Jim
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *David Treble
> *Sent:* Thursday, February 20, 2020 3:29 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: Security incident categories
>
>
>
> This email originated from outside of Stevenson University. Use caution
> with links or attachments unless you know the content is safe.
>
> Hi Jim,
>
>
>
> I was recently working on something similar for our new incident handling
> database and was able to find good inspiration from this group.
>
>
>
>
> https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.enisa.europa.eu%2Fpublications%2Freference-incident-classification-taxonomy&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C2102d3490a4045e0f36308d7b6439732%7C93599c7168554022bac5141d808346d1%7C0%7C1%7C637178273756749197&sdata=6E3apYXvczLYO45LwXA4VcgPrWwI%2BLqjTQB0uGQpizA%3D&reserved=0>
>
>
>
> There is a PDF you can download that contains references to other
> taxonomies such as MISP Project taxonomy.
>
>
>
> https://www.misp-project.org/taxonomies.html#_ecsirt
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.misp-project.org%2Ftaxonomies.html%23_ecsirt&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C2102d3490a4045e0f36308d7b6439732%7C93599c7168554022bac5141d808346d1%7C0%7C1%7C637178273756759193&sdata=HhlSmIbbodSathkFfpPgYwQdt9d8O0zY%2Bk1RWJVdnhY%3D&reserved=0>
>
>
>
> I created Major Categories and then aligned Sub-Types as well as adding an
> attack vector reference.  I didn’t like the alpha sort in the picklists, so
> I used the numbering system which was a bonus since that allowed me to
> better match the related sub-type to the major category and add/remove more
> in the future if necessary.
>
>
>
> An example of a reported Laptop Theft would be:  60 Information Content
> Security – 61 Unauthorized access to information – Attack Vector: Theft or
> Loss of Asset
>
>
>
> Not perfect, since this could also be an Intrusion, Availability or
> Information Gathering incident, but we can clarify this with
> Category/Sub-Type descriptions.  I’m not sure how well this will translate
> up to Executives outside IT just yet….pretty fresh approach for us.
> Executive report data tends to be reformatted anyway into selected pie
> charts, graphs, etc…  I don’t think we will be generating direct reports
> from these tracking categories.
>
>
>
> David Treble
>
> University of Manitoba
>
>
>
>
>
> [image: A close up of text on a white background Description automatically
> generated]
>
> --
>
> *+++++++++++++++++++++++++++++++++*
>
>
> *David Treble, CISM | IT Security Coordinator Information Security &
> Compliance*
>
> *E3-640 EITC | University of Manitoba*
>
> *David.Treble () umanitoba ca <David.Treble () umanitoba ca> | 204.474.8340*
>
> *Information Security starts with You!*
>
> *+++++++++++++++++++++++++++++++++*
>
>
>
> *From: *The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Jim A. Bole" <
> jbole () STEVENSON EDU>
> *Reply-To: *The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU>
> *Date: *Thursday, February 20, 2020 at 2:00 PM
> *To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject: *[SECURITY] Security incident categories
>
>
>
> ISO good list of security incident categories. I am looking for something
> that works for formal IR Plans and can establish helpful metrics,
> especially for leadership outside of infosec/IT.
>
>
>
> I like the federal guidelines (
> https://www.us-cert.gov/government-users/reporting-requirements
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.us-cert.gov%2Fgovernment-users%2Freporting-requirements&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C2102d3490a4045e0f36308d7b6439732%7C93599c7168554022bac5141d808346d1%7C0%7C1%7C637178273756759193&sdata=fU3Okf4RtYIOiMPUreo7ovNwkdnR6zjvt6x5q3ktf6s%3D&reserved=0>)
> but I don’t think they cover some categories I think are important:
>
> -          Phishing attacks, especially BEC incidents with no technology
> compromise, just social engineering. Think gift card scams.
>
> -          Data breaches, especially those requiring formal notification
> (HIPAA, PCI, etc.). I think those types of incidents require their own
> category for tracking.
>
> -          Loss/theft of equipment. I’ve typically had to track these,
> especially when internal drives weren’t encrypted. Not sure if this one is
> still relevant.
>
>
>
> I’d be interested if anyone has anything better. I modified the fed
> categories a bit and came up with:
>
>
>
> Category 0 - Test/Exercise
>
> Used for any approved test or exercise, such as internal or external
> network penetration tests.
>
>
>
> Category 1 - Data Theft
>
> Any attempted or successful destruction, manipulation, or disclosure of
> sensitive, confidential or proprietary information. Includes any incident
> requiring breach notification or resulting in financial loss (Business
> Email Compromise - BEC). Does not include most typical phishing
> attacks/attempts (Category 5).
>
>
>
> Category 2 - Denial of Service
>
> An attack that *successfully* prevents or impairs the normal authorized
> functionality of networks, systems or applications by exhausting resources.
> This activity includes being the victim or participating in the DoS.
>
>
>
> Category 3 - Compromised technology asset
>
> Any incident the results in the compromise of a technology asset: host,
> network device, account, service etc. Includes  malware-infected hosts and
> account compromise due to successfully credential harvesting phishing
> attack.
>
>
>
> Category 4 - Improper Usage
>
> Any violation of acceptable computing use policies.
>
>
>
> Category 5 - Phishing
>
> An attempt to collect sensitive information via electronic communication,
> including email, social media accounts, SMS/text, phone call, etc. Does not
> include account takeovers after successful credential harvesting (Category
> 3) or
>
>
>
> Category 6 - Investigation
>
> Unconfirmed incidents that are potentially malicious or anomalous activity
> deemed by the reporting entity to warrant further review. This also
> includes any activities that do not have measureable impact - scans, probes
> or unsuccessful attempts at access.
>
>
>
> Category 7 - Loss or Theft of Equipment
>
> The loss or theft of a computing device or media storing sensitive
> information.
>
>
>
> Jim Bole
>
> Director of Information Security
>
> *Stevenson University*
>
> 1525 Greenspring Valley Road
>
> Stevenson, MD, 21153-0641
>
> jbole () stevenson edu | O: 443-334-2696
>
>
>
>
>
>
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjbole%40STEVENSON.EDU%7C2102d3490a4045e0f36308d7b6439732%7C93599c7168554022bac5141d808346d1%7C0%7C1%7C637178273756769186&sdata=HxUBlOMZUI581uEATZlJNoycb1OrDWAcxQ53jBkv4N0%3D&reserved=0>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community


-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community