Taxonomy of Computer Security Incidents
Yashodhan Fadnavis

How does it help?
• A taxonomy gives common names to events
• Security can be designed against a 'class' of attacks rather than individual ones

Satisfying Taxonomy
• Mutually Exclusive
• Exhaustive
• Unambiguous
• Repeatable
• Accepted
• Useful

Listing Terms
• E.g. Password sniffing, Brute force attacks, Eavesdropping, Harassment, Covert Channels, Viruses, Logic Bombs, Software loopholes, WEP loopholes, Source address spoofing, Software piracy, Degradation of services, Session hijacking
• A list that fails the six satisfying properties is a bad taxonomy.
• Lists can be never ending.

Listing Categories: Cheswick and Bellovin List
• Stealing passwords: Password sniffing, Brute force, Eavesdropping
• Social Engineering: Harassment
• Bugs and backdoors: Covert channels, Viruses, Logic Bombs
• Authentication Failures: Software loopholes
• Protocol Failures: WEP Loopholes, Source Address spoofing
• Info Leakage: Software Piracy
• DoS: Degradation of Service, Session Hijacking

Other taxonomies
• Result categories
• Empirical categories
• Matrices

Incident Taxonomy
• Event: An action directed at a target which is intended to result in a change of the state of the target.
• Action: A step taken by a user or a process to achieve a result.
• Target: A computer or a network logical entity.

Action + Target = Event
• Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read
• Target: Account, Process, Data, Network, Computer

Attack = Tool + Vulnerability + Event + Unauthorized result
• Tool: Physical Attack, Information Exchange, User Command, Script or program, Autonomous Agent, Toolkit
• Vulnerability: Design, Implementation, Configuration
• Event: Action (Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read) + Target (Account, Process, Data, Component, Computer)
• Unauthorized result: Increased Access, Disclosure of Information, Corruption of Information, DoS, Theft of resources

Incident
• Incident: A group of attacks that can be distinguished from other attacks because of the uniqueness of the attackers, objectives, sites and timing.
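As an added illustration (not part of the slides), the Action + Target = Event and Tool + Vulnerability + Event + Unauthorized result = Attack structure above can be written down as closed enumerations. A record is then either classified into exactly one named value per axis or rejected, which is what the "unambiguous", "exhaustive" and "repeatable" properties demand of a taxonomy. The record field names and the sample records are assumptions made for this example.

```python
"""Added example: the slide deck's event/attack taxonomy as enumerations.
Field names in the records and the sample records themselves are constructed
for illustration; only the category names come from the slides."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    PROBE = "probe"
    SCAN = "scan"
    FLOOD = "flood"
    AUTHENTICATE = "authenticate"
    BYPASS = "bypass"
    SPOOF = "spoof"
    READ = "read"


class Target(Enum):
    ACCOUNT = "account"
    PROCESS = "process"
    DATA = "data"
    COMPONENT = "component"
    COMPUTER = "computer"
    NETWORK = "network"


class Tool(Enum):
    PHYSICAL_ATTACK = "physical attack"
    INFORMATION_EXCHANGE = "information exchange"
    USER_COMMAND = "user command"
    SCRIPT_OR_PROGRAM = "script or program"
    AUTONOMOUS_AGENT = "autonomous agent"
    TOOLKIT = "toolkit"


class Vulnerability(Enum):
    DESIGN = "design"
    IMPLEMENTATION = "implementation"
    CONFIGURATION = "configuration"


class UnauthorizedResult(Enum):
    INCREASED_ACCESS = "increased access"
    DISCLOSURE_OF_INFORMATION = "disclosure of information"
    CORRUPTION_OF_INFORMATION = "corruption of information"
    DENIAL_OF_SERVICE = "denial of service"
    THEFT_OF_RESOURCES = "theft of resources"


@dataclass(frozen=True)
class Event:
    """Action + Target = Event (frozen, so events can be counted as keys)."""
    action: Action
    target: Target


@dataclass(frozen=True)
class Attack:
    """Tool + Vulnerability + Event + Unauthorized result = Attack."""
    tool: Tool
    vulnerability: Vulnerability
    event: Event
    result: UnauthorizedResult


def lookup(enum_cls, raw: str):
    """Map a free-text field onto exactly one taxonomy value. Anything outside
    the enumeration is rejected rather than guessed: that is what keeps the
    classification unambiguous and repeatable between analysts."""
    key = " ".join(raw.strip().lower().split())
    for member in enum_cls:
        if member.value == key:
            return member
    raise ValueError(f"{raw!r} is not a {enum_cls.__name__} in the taxonomy")


def attack_from_record(record: dict) -> Attack:
    """Classify one analyst-written record (hypothetical field names)."""
    return Attack(
        tool=lookup(Tool, record["tool"]),
        vulnerability=lookup(Vulnerability, record["vulnerability"]),
        event=Event(lookup(Action, record["action"]), lookup(Target, record["target"])),
        result=lookup(UnauthorizedResult, record["result"]),
    )


def event_classes(attacks) -> Counter:
    """Count attacks per (action, target) event class. Grouping by class is the
    'security against a class of attacks' use of the taxonomy."""
    return Counter(a.event for a in attacks)


# Constructed sample records, not real incident data.
SAMPLE_RECORDS = [
    {"tool": "script or program", "vulnerability": "configuration",
     "action": "authenticate", "target": "account", "result": "increased access"},
    {"tool": "toolkit", "vulnerability": "design",
     "action": "flood", "target": "network", "result": "denial of service"},
    {"tool": "script or program", "vulnerability": "configuration",
     "action": "Authenticate", "target": "Account", "result": "increased access"},
]

if __name__ == "__main__":
    attacks = [attack_from_record(r) for r in SAMPLE_RECORDS]
    for event, n in event_classes(attacks).items():
        print(f"{event.action.value} -> {event.target.value}: {n}")
```

A listed term such as "brute force" has no place on any axis and is rejected by `lookup`; in this model it is expressed as the event (authenticate, account) plus its tool and result, which is the point of replacing an open-ended list of terms with fixed categories.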
Incident = Attackers + Attack + Objectives

Incident Taxonomy: Attackers and Objectives
• Attackers: Hackers, Spies, Terrorists, Corporate Attackers, Professional Criminals, Vandals, Voyeurs
• Objectives: Challenge, Status, Thrill (Hackers); Political Gain (Spies); Financial Gain; Damage

Federal Incident Reporting Guidelines
• Agency name
• Point of contact information including name, telephone, and email address
• Incident Category Type (e.g., CAT 1, CAT 2, etc.)
• Incident Timestamp
• Source IP, Destination IP, port, and protocol
• Operating System, including version, patches, etc.
• System Function (e.g., DNS/web server, workstation, etc.)
• Antivirus software installed, including version, and latest updates
• Location of the system(s) involved in the incident (e.g. Clemson)
• Method used to identify the incident (e.g., IDS, audit log analysis, system administrator)
• Impact to agency
• Resolution

Federal Agency Incident Categories
Category | Name | Reporting Timeframe
CAT 0 | Exercise/Network Defense Testing | Not Applicable; this category is for each agency's internal use during exercises.
CAT 1 | *Unauthorized Access | Within one (1) hour of discovery/detection.
CAT 2 | *Denial of Service (DoS) | Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity.
CAT 3 | *Malicious Code | Daily. Note: Within one (1) hour of discovery/detection if widespread across agency.
CAT 4 | *Improper Usage | Weekly
CAT 5 | Scans/Probes/Attempted Access | Monthly. Note: If system is classified, report within one (1) hour of discovery.
CAT 6 | Investigation | Not Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.

Questions?
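The reporting guidelines and the category table above are the kind of rules an incident tracker enforces mechanically. The following added example (not from the slides or any agency's tooling) checks a report for the listed required fields and derives the reporting deadline from the CAT 0 to CAT 6 table, including the conditional notes for CAT 2, CAT 3 and CAT 5. The field names, the sample report, and the reading of "Daily", "Weekly" and "Monthly" as 24 hours, 7 days and 30 days after detection are assumptions made here.

```python
"""Added example: required-field check and reporting deadline for the federal
incident categories on the slide. Field names, the sample report and the
Daily/Weekly/Monthly = 1/7/30 days reading are assumptions, not the slide's."""
from datetime import datetime, timedelta
from typing import Optional

# One entry per bullet of the "Federal Incident Reporting Guidelines" slide.
REQUIRED_FIELDS = (
    "agency_name", "point_of_contact", "category", "timestamp",
    "source_ip", "destination_ip", "port", "protocol",
    "operating_system", "system_function", "antivirus",
    "location", "detection_method", "impact", "resolution",
)

ONE_HOUR = timedelta(hours=1)


def reporting_deadline(category: int, detected_at: datetime, *,
                       ongoing_unmitigated: bool = False,
                       widespread: bool = False,
                       classified: bool = False) -> Optional[datetime]:
    """Latest reporting time per the category table, or None where the table
    gives no timeframe: CAT 0 and CAT 6 are 'Not Applicable', and the CAT 2
    row states a deadline only while the attack is ongoing and unmitigated."""
    if category in (0, 6):
        return None
    if category == 1:
        return detected_at + ONE_HOUR
    if category == 2:
        return detected_at + 2 * ONE_HOUR if ongoing_unmitigated else None
    if category == 3:
        # Daily, but within one hour if widespread across the agency.
        return detected_at + (ONE_HOUR if widespread else timedelta(days=1))
    if category == 4:
        return detected_at + timedelta(days=7)
    if category == 5:
        # Monthly, but within one hour if the system is classified.
        return detected_at + (ONE_HOUR if classified else timedelta(days=30))
    raise ValueError(f"unknown incident category CAT {category}")


def validate_report(report: dict) -> list:
    """Return the problems found; an empty list means every field is present
    and the category is one of CAT 0 to CAT 6."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS
                if f not in report or report[f] in (None, "")]
    cat = report.get("category")
    if cat is not None and cat not in range(7):
        problems.append(f"category must be CAT 0-6, got {cat!r}")
    return problems


def is_overdue(report: dict, now: datetime, **flags) -> bool:
    """True when the report's deadline has passed; flags are the CAT 2/3/5
    conditions accepted by reporting_deadline."""
    deadline = reporting_deadline(report["category"], report["timestamp"], **flags)
    return deadline is not None and now > deadline


# Constructed sample report using RFC 5737 documentation addresses.
SAMPLE_DETECTED_AT = datetime(2024, 1, 1, 9, 0)
SAMPLE_REPORT = {
    "agency_name": "Example Agency",
    "point_of_contact": "J. Doe, +1-555-0100, jdoe@agency.example",
    "category": 1,
    "timestamp": SAMPLE_DETECTED_AT,
    "source_ip": "203.0.113.5", "destination_ip": "192.0.2.10",
    "port": 22, "protocol": "tcp",
    "operating_system": "Linux 5.15, fully patched",
    "system_function": "SSH bastion",
    "antivirus": "ClamAV 1.0, signatures 2024-01-01",
    "location": "Clemson",
    "detection_method": "IDS",
    "impact": "single host, no data loss confirmed",
    "resolution": "host isolated, credentials rotated",
}

if __name__ == "__main__":
    print("problems:", validate_report(SAMPLE_REPORT))
    print("deadline:", reporting_deadline(SAMPLE_REPORT["category"], SAMPLE_DETECTED_AT))
    print("overdue at +2h:", is_overdue(SAMPLE_REPORT, SAMPLE_DETECTED_AT + 2 * ONE_HOUR))
```

The check treats `0` as a valid port but an empty string as a missing field, so a report is not rejected for a legitimately zero value; the category test is explicit rather than relying on truthiness for the same reason (CAT 0 is a real category).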