Here are some real-world examples of what some organizations consider to be a security incident (most of these are taken off Universities’ publicly posted security incident plans – these are great bedtime reading, if you are into that sort of thing):
- “An IT Security Incident (“Incident”) is any activity that harms or represents a serious threat to the whole or part of […] computer, telephone and network-based resources such that there is an absence of service, inhibition of functioning systems, including unauthorized changes to hardware, firmware, software or data, unauthorized exposure, change or deletion of PHI, or a crime or natural disaster that destroys access to or control of these resources.” (source)
- “A security incident can have the following definitions: Violation of an explicit or implied security policy, Attempts to gain unauthorized access, Unwanted denial of resources, Unauthorized use of electronic resources, Modification without the owner’s knowledge, instruction, or consent, Theft or displaced University IT property” (source)
- “An information systems security incident is any event, suspected event, or discovery of a vulnerability that could pose a threat to the confidentiality, integrity, or availability of supporting systems, applications, or information.” (source)
- “An incident is the act of violating an explicit or implied security policy.” (source)
- “An information security situation that potentially poses a significant risk or could cause significant impact to University systems, assets or personnel would be classified as an incident” (source)
- “The term “incident” refers to an adverse event in an information system and/or network or the threat of the occurrence of such an event.” (source)
BTW, I really like a clear definition reportedly used by the Verizon team in VERIS: “violation of one or more of the Parkerian hexad attributes.” On the other hand, “for many enterprises, the perception is that “[we] know an incident when [we] see it” (source: “Acting on Security Monitoring: Incident Response and Forensics”).
What do we learn here? RELATIVITY RULES!
What else do we learn? Based on one definition, you may have an incident every day! Based on another one, you have an incident once a year!
P.S. A bonus question: if 2-3% of your systems (that’d be 200-600 systems out of a pool of 10,000 machines) are always compromised and running malware (viruses, RATs, PUPs, etc), is that really an incident today? Can your daily norm ALSO be an incident at the same time? Or maybe it is an incident with an action plan of “nothing”…
Posts related to the same research project: