1
A Common Language for Computer Security Incidents
  • John D. Howard, Thomas A. Longstaff
  • Presented by
  • Jason Milletary
  • 9 November 2000

2
The Problem
  • Security incident data compiled by many sources
  • Lack of agreement between security incident terms
    used by different sources
  • Unable to combine and compare data for useful
    analysis

3
Common Language Project
  • Cooperation between Sandia National Labs and
    CERT/CC
  • Develop a minimum set of high-level terms for
    security incidents
  • Flexible enough to allow site-specific low-level
    terms
  • Develop taxonomy for these terms
  • Classification scheme that defines the terms and
    their relationships

4
Satisfactory Taxonomy Characteristics
  • Mutually exclusive
  • Exhaustive
  • Unambiguous
  • Repeatable
  • Accepted
  • Useful

5
Review of Previous Taxonomies
  • List of terms
      • e.g., trap doors, IP spoofing, dumpster diving
  • List of categories
      • e.g., social engineering, denial-of-service
  • Results categories
      • e.g., corruption, denial
  • Empirical lists
      • e.g., external abuse of resource, masquerading
  • Matrices
      • e.g., vulnerabilities vs. potential perpetrators
  • Action-based
      • e.g., interruption, interception

6
CLP Incident Taxonomy
  • Event: an action directed at a target intended to change the state of
    that target
  • Action: a step taken by a user or process in order to achieve a result
  • Target: the entity the action is directed at
      • Logical entity: data, account
      • Physical entity: computer, network
  • The IEEE Standard Dictionary of Electrical and
    Electronics Terms, Sixth Edition, 1996.

7
CLP Incident Taxonomy
  • event = Action → Target
  • Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal,
    Modify, Delete
  • Target: Account, Process, Data, Component, Computer, Network, Internetwork
8
CLP Incident Taxonomy
  • Attack: use of a tool to exploit a vulnerability to perform an action on a
    target in order to achieve an unauthorized result
  • Tool: the means or method by which a vulnerability is exploited
  • Vulnerability: a weakness in a system that allows an unauthorized action
    (not only unauthorized access: denial of service and corruption of data
    are unauthorized results too)
  • Unauthorized result: an unauthorized consequence of the event phase of an
    attack

9
CLP Incident Taxonomy
  • attack = Tool → Vulnerability → event (Action → Target) → Unauthorized Result
  • Tool: Physical Attack, Information Exchange, User Command, Script or
    Program, Autonomous Agent, Toolkit, Data Tap, Distributed Tool
  • Vulnerability: Design, Implementation, Configuration
  • Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal,
    Modify, Delete
  • Target: Account, Process, Data, Component, Computer, Network, Internetwork
  • Unauthorized Result: Increased Access, Disclosure of Information,
    Corruption of Data, Denial of Service, Theft of Resources
10
CLP Incident Taxonomy
  • Incident: a distinct group of attacks involving specific attackers,
    attacks, objectives, sites, and timing
  • Attacker: individual(s) who use one or more attacks to reach an objective
  • Objective: the end goal of an incident

11
CLP Incident Taxonomy
  • incident = Attackers → attack (Tool → Vulnerability → event (Action →
    Target) → Unauthorized Result) → Objectives
  • Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional
    Criminals, Vandals, Voyeurs
  • Tool: Physical Attack, Information Exchange, User Command, Script or
    Program, Autonomous Agent, Toolkit, Data Tap, Distributed Tool
  • Vulnerability: Design, Implementation, Configuration
  • Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal,
    Modify, Delete
  • Target: Account, Process, Data, Component, Computer, Network, Internetwork
  • Unauthorized Result: Increased Access, Disclosure of Information,
    Corruption of Data, Denial of Service, Theft of Resources
  • Objectives: Challenge, status, thrill; Political gain; Financial gain;
    Damage
12
CLP Incident Taxonomy
  • Other terms
  • Site and site name
  • Dates
  • Incident numbers
  • Corrective action

13
Future Plans
  • Implement common language
  • Database
  • Analysis of data
  • Forensics
  • Trending
  • Insight into hacker objectives and motives
  • Sharing of data between response teams
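To show how the high-level terms of slides 7 to 12 support what slide 13 plans (a shared database, combined analysis, trending across response teams), here is an added Python example; it is not code from the presentation or from the Common Language Project. It encodes the taxonomy as enums and dataclasses, maps two sites' own low-level terms onto the common terms (the site names, local terms, incident numbers and records are all constructed for the example), rejects any record whose local term has no mapping, and tallies unauthorized results across both sites.

```python
# Added example: the CLP taxonomy (slides 7-12) as a data model, used to combine records
# from two sites that keep different low-level terms. Not code from the presentation.
from collections import Counter
from dataclasses import dataclass
from enum import Enum

# High-level terms exactly as listed on slides 7, 9 and 11.
Action = Enum("Action", "PROBE SCAN FLOOD AUTHENTICATE BYPASS SPOOF READ COPY STEAL MODIFY DELETE")
Target = Enum("Target", "ACCOUNT PROCESS DATA COMPONENT COMPUTER NETWORK INTERNETWORK")
Tool = Enum("Tool", "PHYSICAL_ATTACK INFORMATION_EXCHANGE USER_COMMAND SCRIPT_OR_PROGRAM "
            "AUTONOMOUS_AGENT TOOLKIT DATA_TAP DISTRIBUTED_TOOL")
Vulnerability = Enum("Vulnerability", "DESIGN IMPLEMENTATION CONFIGURATION")
Result = Enum("Result", "INCREASED_ACCESS DISCLOSURE_OF_INFORMATION CORRUPTION_OF_DATA "
              "DENIAL_OF_SERVICE THEFT_OF_RESOURCES")
Attacker = Enum("Attacker", "HACKERS SPIES TERRORISTS CORPORATE_RAIDERS "
                "PROFESSIONAL_CRIMINALS VANDALS VOYEURS")
Objective = Enum("Objective", "CHALLENGE POLITICAL_GAIN FINANCIAL_GAIN DAMAGE")

# An attack record carries exactly these five fields (slide 8).
ATTACK_FIELDS = {"tool": Tool, "vulnerability": Vulnerability, "action": Action,
                 "target": Target, "result": Result}

@dataclass(frozen=True)
class Attack:  # tool exploits vulnerability -> action on target -> unauthorized result
    tool: Tool
    vulnerability: Vulnerability
    action: Action
    target: Target
    result: Result

@dataclass(frozen=True)
class Incident:  # group of attacks with specific attacker, objective, site and timing
    number: str
    site: str
    date: str
    attacker: Attacker
    objective: Objective
    attacks: tuple

def classify_attack(local: dict, vocab: dict) -> Attack:
    """Map one site's low-level record onto high-level CLP terms.

    vocab[field] maps the site's own terms to members of that field's enum. A term with
    no mapping (or mapped to the wrong enum) is rejected, not guessed.
    """
    mapped = {}
    for name, enum_type in ATTACK_FIELDS.items():
        value = vocab.get(name, {}).get(local[name])
        if not isinstance(value, enum_type):
            raise ValueError(f"{name}: no mapping for local term {local[name]!r}")
        mapped[name] = value
    return Attack(**mapped)

def tally_results(incidents) -> Counter:
    """Count unauthorized results over every attack of every incident, whatever its source site."""
    return Counter(attack.result for inc in incidents for attack in inc.attacks)

# Hypothetical per-site vocabularies (constructed). Each site keeps its own low-level
# terms; only the mapping onto the shared high-level terms has to be agreed.
VOCAB_A = {
    "tool": {"nmap": Tool.SCRIPT_OR_PROGRAM, "telnet": Tool.USER_COMMAND},
    "vulnerability": {"banners": Vulnerability.IMPLEMENTATION, "default-pw": Vulnerability.CONFIGURATION},
    "action": {"portscan": Action.SCAN, "login": Action.AUTHENTICATE},
    "target": {"host": Target.COMPUTER, "uid": Target.ACCOUNT},
    "result": {"info": Result.DISCLOSURE_OF_INFORMATION, "shell": Result.INCREASED_ACCESS},
}
VOCAB_B = {
    "tool": {"flood-kit": Tool.TOOLKIT, "pinger": Tool.SCRIPT_OR_PROGRAM},
    "vulnerability": {"no-rate-limit": Vulnerability.DESIGN, "icmp-reply": Vulnerability.CONFIGURATION},
    "action": {"traffic-flood": Action.FLOOD, "sweep": Action.PROBE},
    "target": {"www": Target.COMPUTER, "lan": Target.NETWORK},
    "result": {"unavailable": Result.DENIAL_OF_SERVICE, "leak": Result.DISCLOSURE_OF_INFORMATION},
}

# Constructed sample records, one incident per site.
SITE_A_RECORDS = [
    {"tool": "nmap", "vulnerability": "banners", "action": "portscan", "target": "host", "result": "info"},
    {"tool": "telnet", "vulnerability": "default-pw", "action": "login", "target": "uid", "result": "shell"},
]
SITE_B_RECORDS = [
    {"tool": "pinger", "vulnerability": "icmp-reply", "action": "sweep", "target": "lan", "result": "leak"},
    {"tool": "flood-kit", "vulnerability": "no-rate-limit", "action": "traffic-flood", "target": "www",
     "result": "unavailable"},
]

def build_incidents():
    """Classify both sites' records into Incident objects expressed in the one shared vocabulary."""
    inc_a = Incident("2000-0001", "site-a", "2000-11-01", Attacker.HACKERS, Objective.CHALLENGE,
                     tuple(classify_attack(r, VOCAB_A) for r in SITE_A_RECORDS))
    inc_b = Incident("2000-0002", "site-b", "2000-11-03", Attacker.VANDALS, Objective.DAMAGE,
                     tuple(classify_attack(r, VOCAB_B) for r in SITE_B_RECORDS))
    return [inc_a, inc_b]

if __name__ == "__main__":
    for result, count in tally_results(build_incidents()).most_common():
        print(f"{result.name:28s} {count}")
```

The refusal in `classify_attack` is the practical form of the "exhaustive" and "unambiguous" requirements from slide 4: a site's mapping must give every local term exactly one high-level home before its records can be merged, and an unmapped term surfaces as an error in the pipeline rather than as a silently miscounted row. Adding a date or site field to the tally (both are on the Incident) is what turns the count into the trending and cross-team comparison slide 13 asks for.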