Home page logo
/

basics logo Security Basics mailing list archives

What defines an "incident"? - Part 1
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 16 Feb 2006 14:04:50 +1100


Hello All,
Bob has added a good point to the discussion with the requirements to
define an '"event", versus an "occurrence", versus an "incident", versus
a "situation"'.

{Bob stated} Until an "attack attempt" has been: (1) proven as an
"attack", (2) was successful, and (3) have an idea as to who is
responsible for the attack attempt -- the current state leading from the
course of circumstances would remain as an "event" -- nothing more.

However, point 1 is correct. An attack is not just a set of random
occurrences. There needs to be intent. An accidental occurrence or
uninformed mistake (for example) may seem to be an attack, but are just
events and incidents.

Even if not successful, an attempted attack may still be classified as
an incident. The Long Island Nuclear Power plant suffered a near melt
down a number of years ago. The controls sufficed to stop the escalation
of this event into a catastrophe, but it is still seen as an incident
(though not an attack).

Citibank's security was compromised a number of years ago and they lost
a large sum of money. There is now some idea of some of the people
involved, but even before this, it was still both an attack and an
incident. Though you do not know who is responsible, there may be an
attack.

A more general example. If you are mugged in a dark alley but do not see
your assailants, you have still been attacked. If you run away and they
do not succeed, it is still an attempt.

In addition in respect to computer attacks, the attempt itself is a
crime. In a country by country (non-exclusive) breakdown;
Australia (Cth)
        Criminal Code Act 1995 (Cth) amened by the Criminal Code
Amendment (Theft, Fraud, Bribery and Related Offences) Act 2000 and the
Cybercrime Act 2001 (Cth)
        Possession or control of data with intent to commit a computer
offence (s. 478.3)
                        3 years max.

NSW (Australia)
        Crimes Act 1900, ss. 308-308I (added by Crimes Amendment
(Computer Offences) Act 2001)
        Possession or control of data with intent to commit serious
computer offence (s. 308F)
                        3 years max.
        Producing, supplying or obtaining data with intent to commit
serious computer offence (s.308G)
                        2 years max.

United Kingdom
        Unauthorised access with intent to commit or facilitate
commission of further offences (s.2)
                        5 years max. /and/or fine

United States (Federal) - too many states to list here
        United States Code 18 USC S1029 etc. (Added by Computer Fraud
and Abuse Act 1986)
        Recording of dialling, routing, addressing and signalling
information (S 3121 etc)
                        1 year max. and/or fine
        Fraud and related activity in connection with computers (s 1030)
                        10 years max. 1st offence (up to 20 subsequent)

Canada
        Criminal Code (RS 1985, c. C-46) Part XI: Wilful and Forbidden
Acts in respect of Certain Property
        Mischief in relation to data (s. 430(1.1))
                        Up to life (in cases of actual danger to life)
or 2 years

Regards,
Craig

        Dr Craig S Wright DTh MNSA MMIT CISA CISM CISSP ISSMP ISSAP
G7799 GCFA AFAIM
Manager - Computer Assurance Services
BDO Chartered Accountants & Advisers
Level 19, 2 Market Street,
Sydney, NSW 2001
Telephone: +61 2 9286 5555
Fax: +61 2 9993 9705
Direct: +61 2 9286 5497
<Mailto:CWright () bdosyd com au>




Until an "attack attempt" has been: (1) proven as an "attack", (2) was
successful, and (3) have an idea as to who is responsible for the attack
attempt -- the current state leading from the course of circumstances
would remain as an "event" -- nothing more.



Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • What defines an "incident"? - Part 1 Craig Wright (Feb 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault