Incident categories. Version (final version) Procedure (PRO 303)

Transcription

1 Version (final version) Procedure (PRO 303) Classification: PUBLIC / Department: GOVCERT.LU

2 Table Contents Table Contents Introduction Overview Purpose Scope Reference Definitions and abbreviations Information security incident definition Category allocation... 7 Department GOVCERT.LU 2/7 Creation date (final version) : 04 Feb 2013

3 1 Introduction 1.1 Overview Once an incident report has been received, it should be treated efficiently and rapidly in order to help the constituent solve the problem. The categorisation incidents helps GOVCERT.LU to plan actions to resolve the incident and help the constituent respect the reporting timeframe. The categorisation incidents also supports the definition standard incident response procedures for each type incident. 1.2 Purpose The aim this procedure is to define: the incident categories used by GOVCERT.LU, how a category is allocated to an incident, and the reporting timeframe for constituents for each type incident. 1.3 Scope This procedure concerns the GOVCERT.LU ticketing tool, its members and its constituents Reference [1] PRS 401 Incident management process [2] SP ( [3] CSIRT Case Classification - Example for Enterprise CSIRT ( [4] US CERT ( Definitions and abbreviations Abbreviation NIST CAT AV Definition National Institute Standards and Technology Incident category Antivirus Table 1: Definitions and abbreviations Department GOVCERT.LU 3/7 Creation date (final version) : 04 Feb 2013

4 2 Information security incident definition An information security incident (or incident) is a single or a series unwanted or unexpected information security events 1&2 that have a significant probability compromising business operations and threatening information security 3. 3 For each category incident, a reporting timeframe applies for the concerned constituent. The reporting timeframe is the timeframe within which the constituent should report the incident. Once this timeframe has exceeded, GOVCERT.LU cannot guarantee that the incident will be resolved efficiently. The reporting timeframe is defined according to the sensitivity the targeted system(s) as follows: Critical system: a critical system is a system, application, data, or other resources that is essential to the survival an organization. When a critical system fails or is interrupted, core operations are significantly impacted. Non critical system: system, application, data, or other resources which do not have strong impact on the good operation the constituency if compromised. 1 An event is an occurrence or change in a particular set circumstances: (NOTE 1) An event can be one or more occurrences, and can have several causes. (NOTE 2) An event can consist something that does not happen. (NOTE 3) An event can sometimes be referred to as an incident or an accident. 2 An information security event is an identified occurrence a system, service or network state indicating a possible breach information security policy or failure safeguards, or a previously unknown situation that may be relevant to security. 3 where information security means preservation confidentiality, integrity and availability information. Department GOVCERT.LU 4/7 Creation date (final version) : 04 Feb 2013

5 Warning: When update this table; please update also the table 2 in the incident reporting guidelines for constituent procedure (PRO 301) Category Name Description CAT 1 Compromised information Successful destruction, corruption, or disclosure sensitive corporate information or Intellectual Property. CAT 2 Compromised Asset Compromised host (root account, Trojan, rootkit), network device, application, user account. This includes malware-infected hosts where an attacker is actively controlling the host. CAT 3 Unauthorized Access In this category an individual (internal or external) gains logical or physical access without permission to a national or local network, system, application, data, or other resource. CAT 4 Malicious Code Malicious stware (e.g. virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Organizations are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) stware. CAT 5 (Distributed) Denial Service An attack that successfully prevents or impairs the normal authorized functionality networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. CAT 6 Theft or Loss Theft or loss sensitive equipment (Laptop, hard disk, media etc.) belonging to the organization. CAT 7 Phishing Use fraudulent computer network technology to entice organization's users to divulge important information, such as obtaining users' bank account details and credentials by deceptive s or fraudulent web site Critical system if widespread across organization, otherwise one (1) day. Within two (2) hours if the successful attack is still ongoing and the organization is unable to successfully mitigate activity. Within one (1) day Reporting Timeframe Non critical system if widespread across organization, otherwise one (1) day. if the successful attack is still ongoing and the organization is unable to successfully mitigate activity. Within one (1) week Within one (1) day CAT 8 Unlawful activity Fraud / Human Safety / Child Porn. Computer-related incidents a criminal nature, likely to involve law enforcement, Global Investigations, or Loss Prevention. Within six (6) hours Within one (1) day CAT 9 Scans/Probes/Attempted This category includes any Within two (2) Department GOVCERT.LU 5/7 Creation date (final version) : 04 Feb 2013

6 Category Name Description Access activity that seeks to access or identify an organization computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial service. CAT 10 Policy Violations Deliberate violation Infosec policy, such as: inappropriate use corporate asset such as computer, network, or application; unauthorized escalation privileges or deliberate attempt to subvert access controls. Table 2: Critical system Within six (6) hours Reporting Timeframe Non critical system weeks Within one (1) week The categories and attacks are based on a mix categories proposed by NIST, FIRST and US-CERT. Department GOVCERT.LU 6/7 Creation date (final version) : 04 Feb 2013

7 3.1 Category allocation Table 2 describes all the categories incidents. A category is allocated by constituent and GOVCERT.LU to an incident according to the following flow chart: Category allocation flow Comments GOVCERT.LU Constituent - The reading order table 2 is from the top down. Table 2 provides the inputs for N (CAT 1, CAT 2, CAT 3, CAT 4 CAT 9 and CAT 10). New incident N= 1 (CAT 1) - Incidents are categorized on a firstmatch basis by the constituent. Matching Category/Inc ident? Y N N= N+1 (CAT 2) Category allocation Ticket opening Sending the incident report - CAT modification and/or CATs adding CATs? Y CAT Mod/Add N End Figure 1: Category allocation flow The constituent choses the category that fits best such as described in figure 1. During the identification phase 4 GOVCERT.LU can (if judged necessary) (1) change this category (false encoding by the constituent) and/or (2) add others categories. 4 See PRS 401 Department GOVCERT.LU 7/7 Creation date (final version) : 04 Feb 2013