Home page logo
/

basics logo Security Basics mailing list archives

RE: What defines an "incident"?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 16 Feb 2006 19:37:52 -0800

  I'd highlight the "customary or consistent with normal usage"
portion of the event definition.  While it may not yet warrant
a full CIRT/CERT/CSIRT invocation, the investigation process needs
to start at the point where it's (only?) a surprise, and not wait 
until determination of its "adverse" nature has been established.

David Gillett
 

-----Original Message-----
From: Jon Gucinski [mailto:Jgucinski () midwestbank com] 
Sent: Tuesday, February 14, 2006 12:20 PM
To: security-basics () securityfocus com
Subject: Re: What defines an "incident"?

This is purely from my current organization's 
standpoint...every place i've worked has had a slightly 
different take on it.  

An event is "any observable occurrence in a system or network 
that is viewed as customary or consistent with normal usage".  

An adverse event (I personally dislike that term) is defintes 
as "events with negative consequences such as system 
stoppages, network traffic floods, unauthorized use of system 
privileges, unauthorized access to information, unauthorized 
use of information, the introduction of malicious code, or 
any combination of these."

We'd further investigate an adverse event before labeling it 
an "incident" and convening the CIRT.  We call an incident 
"An actual or imminent threat of violation of the information 
security or acceptable use policies"

I find that having too many synonyms (i.e., scenario, 
situation, event,
incident) brings too much complexity to what is often a 
stressful situation. 

-Jon

Bob Radvanovsky <rsradvan () unixworks net> 2/11/2006 10:20 am >>>
This debate, of course, is all in good fun and purely meant 
as a "learning experience".  I'm sure that other who read 
this will (no
doubt) agree with me.

As such, what qualifies between something defined as an 
"event", versus an "occurence", versus an "incident", versus 
a "situation"?

Defined, an "event" is:

"In probability theory, an event is a set of outcomes (a 
subset of the sample space) to which a probability is 
assigned.  Typically, any subset of the sample space is an 
event (i.e. all elements of the power set of the sample space 
are events), but when defining a probability space it is 
possible to exclude certain subsets of the sample space from 
being events."

URL: http://en.wikipedia.org/wiki/Event_(probability_theory)

From what I've found the definition of "occurence" signifies 
a state or
period in time that an event occurred.  Beyond that, nothing 
else seems to describe that definition.

Defined, an "incident" is:

"Any event which is not part of the standard operation of a 
service and which causes, or may cause, an interruption to, 
or a reduction in, the quality of that service."

URL:
http://www.dream-catchers-inc.com/White%20Papers/glossary_of_t
erms-AM.htm


Subsequently, "incident" is subset to "incidental" as defined as:

"((sometimes followed by `to') minor or casual or subordinate 
in significance or nature or occurring as a chance concomitant or
consequence) "incidental expenses"; "the road will bring 
other incidental advantages"; "extra duties incidental to the 
job"; "labor problems incidental to a rapid expansion"; 
"confusion incidental to a quick change"."

URL: http://wordnet.princeton.edu/perl/webwn?s=incident 

Consequently, people have interchangably used the word 
"situation" in lieu of "incident" or "event"; thus, the 
definition of "situation" is:

"A position or condition with regard to circumstances, the 
combination of circumstances at any given time, a difficult 
or critical state of affairs; any significant combination of 
circumstances developing in the course of an event. The 
objective conditions immediately affecting an individual."

URL: http://method.vtheatre.net/dict.html 

NOTE: Mind you, this refers to actors in a play, and the 
course of events that lead to a climax within the plot; 
however, it can imply a course or series of events which may 
be applied to real-life scenarios, thus implicating an "act" 
(if you will).

In legal terms, the choice of a word can depend upon the 
severity (and its significance) of the event.  Having 
recently been chewed out by a superior officer last year 
about the incorrect use of the word "incident", law 
enforcement would prefer -- at least in public -- using 
alternative words such as "occurence" or "event" to describe 
whatever transpired.  An "incident", "situation" or 
"scenario" signifies importance towards an event that has 
transpired, and thus, if the culprit responsible for the 
event is watching television or listening to the radio, is 
being empowered by an officiant making claim to their 
"incident".  Additionally, identifying the course of 
circumstances which transpired to as an "event" or "events" 
unempowers the state of the condition following the 
circumstances leading to or from the event. 
Essentially, you've taken whomever's "wind out of their sails".

And, from a liability perspective, the choice of the words 
"event" or "occurence" provides little significance towards 
any acts committed as being a purposeful "attack" or act of 
violence.  If you were a stockholder to a larger company, and 
someone had maliciously attacked a server with a barrage of 
attack methods, your first role is "containment", attempting 
to "contain" the event.  This means calming down stockholders 
who may be upset about the attack.  Secondly, if the attack 
was successful, and you have determined it as such, if there 
was loss of property, financial information, or life, then 
changing to another word with greater significance will 
greater bearing esp. if/when the individual or group of 
individuals is apprehended.  If nothing has been determined, 
the attack attempt remains just that, an attempt, or "event".

Be careful in your choice of words, as they have significance 
and pose more bearing and meaning psychologically to most 
people.  If you misuse a word inappropriately, you can 
sometimes cause panic or states of confusion (or dismay) when 
there are no reasons for such conditions. 
Thus, choose your words *carefully*.

Until an "attack attempt" has been: (1) proven as an 
"attack", (2) was successful, and (3) have an idea as to who 
is responsible for the attack attempt -- the current state 
leading from the course of circumstances would remain as an 
"event" -- nothing more.

I've included the previous comments from a "virus attack" in 
reference to his definition of an "incident".  Comments 
anyone (yeah, I know...I've got to be INSANE to ask, but I am...)

-rad


----- Original Message -----
From: Craig Wright [mailto:cwright () bdosyd com au]
To: dave kleiman [mailto:dave () davekleiman com]
Cc: security-basics () securityfocus com
Subject: RE: Forensic/Cyber Crime Investigator



Definately friendly. Please do not see anything in any other manner.
 
I am firstly enjoying the debate and secondly debate is the 
heart of 
knowledge. Even if neither party comes to an agreement on terms at
least a
good debate on the subject should give each party a better
understanding of
their own perspective and a more logical manner of comprehension.
 
More on the other responses later this morning...
 
Regards
Craig

    -----Original Message----- 
    From: dave kleiman [mailto:dave () davekleiman com] 
    Sent: Fri 10/02/2006 3:44 AM 
    To: security-basics () securityfocus com 
    Cc: 
    Subject: RE: Forensic/Cyber Crime Investigator
    Craig,
    
    I hope you are taking this as a friendly discussion
    
    Answers inline..
    
         -----Original Message-----
         From: Craig Wright
       
        
         Virus attacks etc as you put are incidents. The average
         (and all but maybe a rare exception) organisation will
         treat these as incidents. They do not take them to court
         nor have the intention of doing such. To take your Virus
         example. This is an incident, it requires a response. It
         does not require a forensic analysis of the system, nor
         would this be generally done..... etc
    
     


Liability limited by a scheme approved under Professional Standards 
Legislation in respect of matters arising within those States and 
Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is
confidential.
If you are not the intended recipient, you must not use or disclose
the
information. If you have received this email in error, please inform
us
promptly by reply email or by telephoning +61 2 9286 5555. Please
delete the
email and destroy any printed copy.  

Any views expressed in this message are those of the individual
sender. You
may not rely on this message as advice unless it has been
electronically
signed by a Partner of BDO or it is subsequently confirmed by letter
or fax
signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its 
attachments due to viruses, interference, interception, corruption
or
unauthorised access.


--------------------------------------------------------------
-------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE 
The Norwich University program offers unparalleled Infosec 
management education and the case study affords you unmatched 
consulting experience.
Tailor your education to your own professional goals with 
degree customizations including Emergency Management, 
Business Continuity Planning, Computer Emergency Response 
Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------
-------------


NOTICE: This electronic mail message and any files transmitted with 
it are intended exclusively for the individual or entity to which it 
is addressed. The message, together with any attachment, may contain 
confidential and/or privileged information. Any unauthorized review, 
use, printing, saving, copying, disclosure or distribution is 
strictly prohibited. If you have received this message in error, 
please immediately advise the sender by reply email and delete all 
copies.


--------------------------------------------------------------
-------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting 
experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business 
Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------
-------------



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]