Security Basics mailing list archives
FW: Security incident or operational incident?
From: "Laundrup, Jens" <Jens.Laundrup () METROKC GOV>
Date: Thu, 12 Oct 2006 08:12:52 -0700
From the sounds of it, someone needs a little more training!
I would say it is a security incident even though there is no malicious intent. It has impacted the security state of the network. An un-authorized action by an authorized user (in this case an admin) is a security issue regardless of intent (we are assuming it was an accident but what if the admin purposely did it? Can you prove their intent?). A security program should have a series of "buckets" wherein security incidents are categorized and each bucket has a series of actions associated with it. Depending on what security framework your management has opted to use and how structured it is determines how complex it is. Example: Category A - Seriously jeopardized security/integrity/availability Category B - Jeopardized security/integrity/availability Category C - Affected security/integrity/availability posture Category D - Did not affect security/integrity/availability Class 1 - Directed malicious intent by a person/program Class 2 - Undirected malicious intent by a person/program Class 3 - Unauthorized action by an authorized person/program Class 4 - Authorized action by an authorized person/program Then classify each incident based on this and for each crossroads, identify the action. What you had was a C3 incident. A worm in the wild that brings down your network is a A2 A script kiddie that does not like your post and brings down your network A1 As long as you can place it in the matrix, consider it a security item. Some should just be logged and forgotten (until it becomes habitual), others require some real action. Jens -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of ttate () ctscorp com Sent: Tuesday, October 10, 2006 1:06 AM To: security-basics () securityfocus com Subject: Security incident or operational incident? As we all know, the tenets of information security are confidentiality, integrity & availability. How do you separate out an operational incident from a security incident? For example, is it a security incident or operational incident when an admin accidentally deletes an OU in AD containing users or computers when working in the GPO management console? The admin is authorized to perform all and any tasks in AD. In this case by deleting the OU, the users no longer had access to the system, hence the availability tenet comes into play. But the issue was not caused by some malicious intent but by a perceived flaw in the Microsoft application. Who would think that you could delete OU's in the GPO management console? Thanks for your thoughts. Regards, Troy ------------------------------------------------------------------------ --- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Security incident or operational incident? ttate (Oct 10)
- Re: Security incident or operational incident? sami seclist (Oct 10)
- <Possible follow-ups>
- RE: Security incident or operational incident? Mark Palmer (Oct 10)
- FW: Security incident or operational incident? Laundrup, Jens (Oct 13)