Electronic communication between people, and between people and machines, has increased sharply and now affects every industry. Information systems are critical assets in any organization, and vulnerabilities in those systems can be exploited by attackers or malicious users to cause an incident that threatens security. As a result, computer security incidents threatening the confidentiality, availability, and integrity of information have become more frequent. Such incidents can be caused deliberately with malicious intent or unintentionally.
An incident can be defined as any unexpected action, event, or occurrence that has an immediate or potential effect. A security incident compromises the security and stability of information systems. There are several definitions of a security incident.
In general, a security incident is an event that violates the security of information systems, breaching the confidentiality, integrity, or availability of critical information. The problems an incident causes depend on its type, its extent, the people affected by it, and its consequences.
An incident can be caused deliberately by an authorized or unauthorized person, or by hardware, software, or a process.
Categories of Incidents
Security incidents are divided into five categories:
- Denial-of-Service Incidents
A denial-of-service incident prevents legitimate users from using a system, network, or application by maliciously exhausting its resources. Resources such as the central processing unit, memory, bandwidth, and disk space can be exhausted by a denial-of-service attack.
- Malicious Code Incidents
Malicious code is code that is added to or changed in any part of a software system to divert the system's normal operation, causing a security breach or other undesired activity. A malicious code incident occurs when an attacker inserts a malicious program into the system with the intent to damage or destroy the system's data.
- Unauthorized Access Incidents
An unauthorized access incident is an attempt by an attacker to gain access to resources that he or she is not supposed to have. Currently, PC platforms have weak user authentication procedures that can easily be exploited: anyone with physical access to the system can boot it and compromise the integrity and confidentiality of its information.
- Inappropriate Usage Incidents
An inappropriate usage incident is one that violates an organization's acceptable computing use policies. These incidents pose a relatively lower security risk to the organization's information assets than the other categories, but handling them is much the same as handling other security-related incidents.
- Multiple Component Incidents
A multiple component incident is a single occurrence that includes two or more incidents; it is recorded once, even though several of the categories above apply to it together.
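To make the five categories concrete, the following added example (not code from the original article) classifies constructed telemetry events into the categories above and rolls the events of one occurrence up into a single incident category, labelling it multiple component when two or more categories apply. The event layout, the utilisation limits, and the "three consecutive samples" rule for treating a resource as exhausted are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Category labels follow the five categories described in the article.
DOS = "denial-of-service"
MALICIOUS_CODE = "malicious-code"
UNAUTHORIZED_ACCESS = "unauthorized-access"
INAPPROPRIATE_USAGE = "inappropriate-usage"
MULTIPLE_COMPONENT = "multiple-component"

# Constructed thresholds (assumption, not from the article): a resource is
# treated as exhausted when utilisation stays at or above its limit for three
# consecutive monitoring samples, so a single transient spike is not an incident.
RESOURCE_LIMITS: Dict[str, float] = {"cpu": 0.95, "memory": 0.95, "bandwidth": 0.90, "disk": 0.98}
SUSTAINED_SAMPLES = 3


@dataclass
class Event:
    """One telemetry record. The field layout is a constructed assumption."""
    source: str                 # host or sensor that reported the event
    kind: str                   # "resource", "antivirus", "auth" or "policy"
    detail: Dict[str, object] = field(default_factory=dict)


def classify_event(ev: Event) -> Optional[str]:
    """Map a single event onto one incident category, or None if it is benign."""
    if ev.kind == "resource":
        limit = RESOURCE_LIMITS.get(str(ev.detail.get("resource")))
        samples = ev.detail.get("samples", [])
        if (limit is not None and len(samples) >= SUSTAINED_SAMPLES
                and all(s >= limit for s in samples[-SUSTAINED_SAMPLES:])):
            return DOS
        return None
    if ev.kind == "antivirus" and ev.detail.get("verdict") == "malicious":
        return MALICIOUS_CODE
    if ev.kind == "auth":
        # Successful access to a resource the account is not entitled to.
        if ev.detail.get("result") == "success" and not ev.detail.get("entitled", True):
            return UNAUTHORIZED_ACCESS
        return None
    if ev.kind == "policy" and ev.detail.get("violation"):
        return INAPPROPRIATE_USAGE
    return None


def categorize_incident(events: List[Event]) -> Optional[str]:
    """Roll the events of one occurrence up into a single incident category.

    Two or more distinct categories in the same occurrence make it a multiple
    component incident; no matching events means no incident at all.
    """
    counts = Counter(c for c in map(classify_event, events) if c is not None)
    if not counts:
        return None
    if len(counts) >= 2:
        return MULTIPLE_COMPONENT
    return next(iter(counts))


# Constructed sample data for demonstration; hostnames and the file path are invented.
SPIKE_ONLY = [Event("web01", "resource", {"resource": "cpu", "samples": [0.40, 0.99, 0.42, 0.38]})]
SUSTAINED_DOS = [Event("web01", "resource", {"resource": "bandwidth", "samples": [0.91, 0.97, 0.99, 0.98]})]
WORM_OUTBREAK = [
    Event("ws17", "antivirus", {"verdict": "malicious", "file": "C:\\Temp\\dropper.exe"}),
    Event("fs02", "auth", {"user": "svc_backup", "result": "success", "entitled": False}),
    Event("fs02", "resource", {"resource": "disk", "samples": [0.99, 0.99, 1.0]}),
]

if __name__ == "__main__":
    for name, batch in [("spike", SPIKE_ONLY), ("dos", SUSTAINED_DOS), ("worm", WORM_OUTBREAK)]:
        print(f"{name}: {categorize_incident(batch)}")
```

The sustained-sample rule is the part worth copying into a real monitoring rule: a single utilisation spike is normal operation, whereas resources pinned at their limit across several samples match the resource-exhaustion description of a denial-of-service incident. The worm batch shows why the multiple component category exists: one outbreak produces a malicious code detection, an unauthorized access, and disk exhaustion, and the responder should track them as one incident rather than three.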
Security Incident Handling
Security incidents are inevitable in any organization that uses computer systems or computer networks. To handle a security incident, one needs to know how to respond to it immediately; this is achieved by establishing an incident response capability in the organization.
According to NIST's guideline on handling security incidents, "to handle a computer security incident, a formal incident response capability must be created and operated in every organization".
The goals of incident response are to:
- Prevent a disjointed response to incidents
- Confirm whether or not an incident has occurred
- Promote the collection of accurate data for analysis
- Enable proper retrieval and handling of digital evidence
- Protect the privacy rights of users as provided by law
- Minimize loss to business operations
- Take criminal or civil action against attackers
- Provide detailed and correct reports
- Provide early detection of incidents
- Minimize outside exposure of important data
- Protect the reputation of the organization
- Educate senior staff
- Promote quick detection and prevention of similar incidents in the future
Computer Security Incident Response Team (CSIRT)
A very important element in handling security incidents is the computer security incident response team (CSIRT). Many articles, reports, and guides advise setting up a CSIRT in every organization so that computer security incidents are handled effectively. A CSIRT is a well-formed team that provides the support and services needed to prevent, handle, and respond to computer security incidents effectively.
Authored By - Alisha Khattar
TCS Cyber Security Practice