Home page logo
/

basics logo Security Basics mailing list archives

RE: What defines an "incident"? - Part 2
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 16 Feb 2006 16:22:19 +1100


<Is the correlation between a place and time required?  If so, what
constitutes the correlation factors?>

There will have to be a follow-up post on this. It could be said simply
that the source at a time signifies the attacker, but than we would also
need to look at the alternatives:
        1       Spoofed addresses
        2       Zombie and other compromised hosts
        3       delayed attacks, etc

Site as place could result in a single system or a distributed group.

Time (date) comes as:
        1       Reporting date  - the first date that the incident was
recorded
        2       starting date   - 1st known incident activity
        3       ending date             - last known incident activity

"correlation" now that is another can or worms.

More later,
Craig

-----Original Message-----
From: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Sent: 16 February 2006 2:33
To: Craig Wright; security-basics () securityfocus com
Subject: RE: What defines an "incident"? - Part 2

Henceforth, such that an "event" is either: (1) an un-acknowledged
"attack", or (2) is an "attack" that has not been proven as an "attack".

OK...makes sense regarding "incident" because it correlates to a place
and time.  Is the correlation between a place and time required?  If so,
what constitutes the correlation factors?

-rad

----- Original Message -----
From: Craig Wright [mailto:cwright () bdosyd com au]
To: Craig Wright [mailto:cwright () bdosyd com au],
security-basics () securityfocus com
Cc: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Subject: RE: What defines an "incident"? - Part 2



Hi again,

CERT/CC held a number of workshops in 1997/1998 with representatives
from the DoD, NIST, Sandia etc. One of the Results from this was a
preliminary taxonomy for computer security terms.

From this an event was to defined to involve one Action and one
target.

To "steal" a quote without fully referencing it this time (hay I have
to leave something for everyone else to look up...)

Event - An action directed at a target that is intended to result in a

change of state, or status, of the target.

A Process would thus include actions to probe, scan, authenticate,
bypass or flood a running computer process or execution thread.

Incident - A group of attacks that can be distinguished from other
attacks because of the attackers, attacks, objectives, sites, and
timing.

Etc and I can go on or read the following:
Radatz, John, ed. (1996) "The IEEE Standard Dictionary of Electrical
and Electronic Terms", 6th ed. (NY: Institute of Electrical and
electronic Engineers), p 1087.

Howard, John D (April 1997) "An Analysis of Security Incidents on the
Internet, 1989-1995, PhD dissertation", Pittsburgh, PA: Dept. of
Engineering and Public Policy, Carnegie Mellon University (see also
Http://www.cert.org)

So from this we have;
      People attack computers
      People attack for a variety of objectives (what they intend to
accomplish)


Regards
Craig



Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is
confidential.
If you are not the intended recipient, you must not use or disclose
the information. If you have received this email in error, please
inform us promptly by reply email or by telephoning +61 2 9286 5555.
Please delete the email and destroy any printed copy.


Any views expressed in this message are those of the individual
sender. You may not rely on this message as advice unless it has been
electronically signed by a Partner of BDO or it is subsequently
confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]