- [Instructor] Before we can talk about cybersecurity incident response, we need to have a common understanding of what constitutes a security incident. Let's talk about some common vocabulary used by cybersecurity incident handlers. We'll talk about events, adverse events, and incidents. A security event is any occurrence in a system, network, or application that may have security implications. There's no requirement that a security event be malicious or dangerous.
If a user attempts to log in to a system, that's a security event, even if a log in was successful and authentic. If a firewall accepts or denies a connection request, that's a security event. If a user accesses a webpage or a file on a server, you guessed it, that's a security event. Every organization experiences thousands or even millions of security events each day. Adverse security events are a subset of security events that have some negative consequence.
A user logging in to a system, with his or her assigned account, would be a security event but it wouldn't be an adverse event. However, a user logging in to a system with someone else's account would be an adverse event. There are many other types of adverse events. Activities that cause a network segment failure, disclosure of sensitive information, the loss of critical data, or infection by malware would all constitute adverse security events. Security incidents are adverse security events that have either caused or threatened to cause a violation of the organization's security policies.
If an attacker steals sensitive information and provides it to a competitor, that's clearly a security incident. Some adverse events may not rise to the level of the security incident however. For example, if someone launches a botnet attack against your web server, that might not rise to the level of the security incident unless it actually affects the availability of your website. You can think of this as a set of nested definitions. Every security incident is an adverse security event and every adverse security event is a security event.
However, we can have security events that are not adverse events and adverse events that are not incidents. It's important to know and understand these terms as you develop and implement your organization's cybersecurity incident response plan. As we cover the process of incident response, we're generally discussing only those adverse events that do rise to the level of a security incident. I need to make one more important point before we move on.
Just because an adverse event doesn't rise to the level of a security incident doesn't mean that you don't need to do anything about it. Cybersecurity teams respond to adverse events all the time and make changes to controls that better defend the organization. The distinction is that unless there's a real or a threatened violation of a security policy, we don't need to go to the trouble of activating the organization's incident response plan. We just handle these adverse events as part of our day-to-day activity.
Now, that we have this terminology under our belts, we can move on and discuss incident handling in more detail.
- Creating an incident response team
- Classifying incidents
- Building an incident response program
- Identifying symptoms of incidents
- Conducting forensic investigations
- Logging and monitoring