Join Mike Chapple for an in-depth discussion in this video Identifying and classifying security incidents, part of CySA+ Cert Prep: 3 Cyber Incident Response.
- [Narrator] Before we can talk about cybersecurity incident response, we need to have a common understanding of what constitutes a security incident. Let's talk about some common vocabulary used by cybersecurity incident handlers. We'll talk about events, adverse events, and incidents. A security event is any occurrence in a system, network, or application that may have security implications. There's no requirement that a security event be malicious or dangerous.
If a user attempts to login to a system, that's a security event, even if the login was successful and authentic. If a firewall accepts or denies a connection request, that's a security event. If a user accesses a webpage or a file on a server, you guess it, that's a security event. Every organization experiences thousands or even millions of security events each day. Adverse security events are a subset of security events that have some negative consequence.
A user logging into a system with his or her assigned account would be a security event but it wouldn't be an adverse event. However, a user logging into a system with someone else's account would be an adverse event. There are many other types of adverse events. Activities that cause a network segment failure, disclosure of sensitive information, the loss of critical data, or infection by malware would all constitute adverse security events. Security incidents are adverse security events that have either caused or threatened to cause a violation of the organization's security policies.
If an attacker steals sensitive information and provides it to a competitor, that's clearly a security incident. Some adverse events may not rise to the level of a security incident, however. For example, if someone launches a botnet attack against your web server, that might not rise to the level of a security incident unless it actually affects the availability of your website. You can think of these as a set of nested definitions. Every security incident is an adverse security event and every adverse security event is a security event.
However, we can have security events that are not adverse events and adverse events there are not incidents. It's important to know and understand these terms as you develop and implement your organization's cybersecurity incident response plan. As we cover the process of incident response, we're generally discussing only those adverse events that do rise to the level of a security incident. I need to make one more important point before we move on.
Just because an adverse event doesn't rise to the level of a security incident doesn't mean that you don't need to do anything about it. Cybersecurity teams respond to adverse events all the time and make changes to controls that better defend the organization. The distinction is that unless there's a real or threatened violation of a security policy, we don't need to go to the trouble of activating the organization's incident response plan. We just handle these adverse events as part of our day to day activity.
Now that we have this terminology under our belts, we can move on and discuss incident handling in more detail.
Want more CySA+ test prep tips? Visit certmike.com to join Mike's free study group.
- Identifying and classifying security incidents
- Determining incident severity
- Building an incident response program
- Notification, mitigation, recording, and reporting
- Incident symptoms
- Conducting forensic investigations
- Password, network, software, and device forensics