Here are some real-world examples of what some organizations consider to be a security incident (most of these are taken from universities’ publicly posted security incident plans – these are great bedtime reading, if you are into that sort of thing):
- “An IT Security Incident (“Incident”) is any activity that harms or represents a serious threat to the whole or part of […] computer, telephone and network-based resources such that there is an absence of service, inhibition of functioning systems, including unauthorized changes to hardware, firmware, software or data, unauthorized exposure, change or deletion of PHI, or a crime or natural disaster that destroys access to or control of these resources.” (source)
- “A security incident can have the following definitions: Violation of an explicit or implied security policy, Attempts to gain unauthorized access, Unwanted denial of resources, Unauthorized use of electronic resources, Modification without the owner’s knowledge, instruction, or consent, Theft or displaced University IT property” (source)
- “An information systems security incident is any event, suspected event, or discovery of a vulnerability that could pose a threat to the confidentiality, integrity, or availability of supporting systems, applications, or information.” (source)
- “An incident is the act of violating an explicit or implied security policy.” (source)
- “An information security situation that potentially poses a significant risk or could cause significant impact to University systems, assets or personnel would be classified as an incident” (source)
- “The term ‘incident’ refers to an adverse event in an information system and/or network or the threat of the occurrence of such an event.” (source)
BTW, I really like a clear definition reportedly used by the Verizon team in VERIS: “violation of one or more of the Parkerian hexad attributes.” On the other hand, “for many enterprises, the perception is that ‘[we] know an incident when [we] see it’” (source: “Acting on Security Monitoring: Incident Response and Forensics”).
What do we learn here? RELATIVITY RULES!
What else do we learn? Based on one definition, you may have an incident every day! Based on another one, you have an incident once a year!
P.S. A bonus question: if 2-3% of your systems (that’d be 200-600 systems out of a pool of 10,000 machines) are always compromised and running malware (viruses, RATs, PUPs, etc), is that really an incident today? Can your daily norm ALSO be an incident at the same time? Or maybe it is an incident with an action plan of “nothing”…
Posts related to the same research project:
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response