Incident definition and response

Another news story suggesting that a hacker “may have breached” information but that personal information “was not compromised.” If you want to read the full story then go here. I’m not sure it’s even a story worth reporting. This particular university has a large computer science department – so we have a large number of students, with access to huge computer facilities, and they get surprised when they find “unauthorized movies and games on the network.” Not exactly a case worthy of Sherlock Holmes.

But it does raise the issue of what comprises an incident, how we identify and categorise an incident, and what is an appropriate response. I found this definition of an incident here:

An Information Security incident is an event which appears to be a breach of the organisation’s Information Security safeguards.

Going back to America, here is the definition from the Commonwealth of Virginia website at

Incident refers to an adverse event in an information system, network, and/or workstation, or the threat of the occurrence of such an event.

Taking this further, it goes on to state

An event is any observable occurrence in a system, network, and/or workstation.

Actually, I think the guidance on this website is pretty good common-sense stuff. But back to the original point: would you call in the police in the case of a server compromise where no private data has been compromised, but you know that an attacker has been able to create accounts and upload files? Well, I have a professional approach and a personal opinion. My personal opinion is that our law enforcement have better things to do than chase after miscreants who have found an unpatched hole into a server and are using it as their own personal file store: in this case we shouldn’t have opened the hole in the first place. We can argue the ethics some other time, but let’s fix the problem rather than create another one by mounting an expensive and time-consuming investigation when we also have a business to focus on. We need to use discretion and common sense and not always blindly follow a policy.

Anyway, to finish off, here’s an interesting blog on incident response for the more technically minded: lots of links to other resources and some good narrative too.