
A Common Language for Computer Security Incidents


Presentation Transcript


  1. A Common Language for Computer Security Incidents
     John D. Howard, Thomas A. Longstaff
     Presented by: Jason Milletary
     9 November 2000

  2. The Problem
     • Security incident data compiled by many sources
     • Lack of agreement between security incident terms used by different sources
     • Unable to combine and compare data for useful analysis

  3. Common Language Project
     • Cooperation between Sandia National Labs and CERT/CC
     • Develop a minimum set of high-level terms for security incidents
       • Flexible enough to allow site-specific low-level terms
     • Develop taxonomy for these terms
       • Classification scheme that defines the terms and their relationships

  4. Satisfactory Taxonomy Characteristics
     • Mutually exclusive
     • Exhaustive
     • Unambiguous
     • Repeatable
     • Accepted
     • Useful

  5. Review of Previous Taxonomies
     • List of terms
       • Trap doors, IP spoofing, dumpster diving
     • List of categories
       • Social engineering, denial-of-service
     • Results categories
       • Corruption, denial
     • Empirical lists
       • External abuse of resource, masquerading
     • Matrices
       • Vulnerabilities vs. potential perpetrators
     • Action-based
       • Interruption, interception

  6. CLP Incident Taxonomy
     • Events
       • An action directed at a target intended to change the state of that target*
     • Action
       • A step taken by a user or process in order to achieve a result*
     • Target
       • Logical entity
         • Data, account
       • Physical entity
         • Computer, network
     * The IEEE Standard Dictionary of Electrical and Electronics Terms, Sixth Edition, 1996.

  7. CLP Incident Taxonomy
     (diagram; label: event)

  8. CLP Incident Taxonomy
     • Attacks
       • Use of a tool to exploit a vulnerability to perform an action on a target in order to achieve an unauthorized result
     • Tool
       • Means or method by which a vulnerability is exploited
     • Vulnerability
       • System weakness through which unauthorized access can be gained
     • Unauthorized result
       • A consequence of the event phase of an attack

  9. CLP Incident Taxonomy
     (diagram; labels: attack, event)

  10. CLP Incident Taxonomy
     • Incident
       • A distinct group of attacks involving specific attackers, attacks, objectives, sites, and timing
     • Attacker
       • Individual(s) who use one or more attacks to reach an objective
     • Objective
       • End goal of an incident

  11. CLP Incident Taxonomy
     (diagram; labels: incident, attack, event)

  12. CLP Incident Taxonomy
     • Other terms
       • Site and site name
       • Dates
       • Incident numbers
       • Corrective action

  13. Future Plans
     • Implement common language
       • Database
     • Analysis of data
       • Forensics
       • Trending
       • Insight into hacker objectives and motives
     • Sharing of data between response teams
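The slides describe the taxonomy (event inside attack inside incident), the characteristics a satisfactory taxonomy needs (mutually exclusive, exhaustive, unambiguous), the requirement that site-specific low-level terms map onto the high-level ones, and the intended use of the resulting database for trending across response teams. The following is an added example, not code from the presentation or from the Sandia/CERT Common Language Project, that models those three layers as data classes, rejects records that use a term outside the closed vocabularies, and counts (action, target, unauthorized result) triples across incidents. The slides only list a handful of example values (data, account, computer, network); the remaining vocabulary values are taken from the underlying Howard/Longstaff report as I recall them and should be treated as an assumption, and the local term mapping, the sample records, the attacker and objective strings and the incident number are constructed for this example.

```python
"""Added example: a small data model for the CLP incident taxonomy
(event -> attack -> incident) with vocabulary checks and a trending
summary over constructed sample records. Not code from the original
presentation or from the Sandia/CERT Common Language Project."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# High-level term vocabularies. The slides list only a few example values;
# the rest are assumed from the Howard/Longstaff report.
ACTIONS = frozenset({"probe", "scan", "flood", "authenticate", "bypass",
                     "spoof", "read", "copy", "steal", "modify", "delete"})
TARGETS = frozenset({"account", "process", "data", "component",
                     "computer", "network", "internetwork"})
TOOLS = frozenset({"physical attack", "information exchange", "user command",
                   "script or program", "autonomous agent", "toolkit",
                   "distributed tool", "data tap"})
VULNERABILITIES = frozenset({"design", "implementation", "configuration"})
RESULTS = frozenset({"increased access", "disclosure of information",
                     "corruption of information", "denial of service",
                     "theft of resources"})

VOCABULARIES: Dict[str, frozenset] = {
    "action": ACTIONS, "target": TARGETS, "tool": TOOLS,
    "vulnerability": VULNERABILITIES, "unauthorized_result": RESULTS,
}


def vocabularies_are_mutually_exclusive() -> bool:
    """Taxonomy check: a term must not belong to more than one category
    (the 'mutually exclusive' / 'unambiguous' characteristics)."""
    seen: set = set()
    for terms in VOCABULARIES.values():
        if seen & terms:
            return False
        seen |= terms
    return True


def require(category: str, term: str) -> str:
    """'Exhaustive' check: reject a record rather than silently filing it
    under a term the taxonomy does not define."""
    if term not in VOCABULARIES[category]:
        raise ValueError(f"{term!r} is not a CLP {category} term")
    return term


@dataclass(frozen=True)
class Event:          # action directed at a target
    action: str
    target: str


@dataclass(frozen=True)
class Attack:         # tool -> vulnerability -> event -> unauthorized result
    tool: str
    vulnerability: str
    event: Event
    unauthorized_result: str


@dataclass
class Incident:       # attacker, attacks, objective plus the "other terms"
    incident_number: str
    site: str
    attacker: str
    objective: str
    attacks: List[Attack] = field(default_factory=list)
    corrective_action: str = ""


# Hypothetical site-specific low-level names mapped onto CLP (action, target).
LOCAL_TERMS: Dict[str, Tuple[str, str]] = {
    "portscan": ("scan", "network"),
    "synflood": ("flood", "computer"),
    "pw-guess": ("authenticate", "account"),
    "file-exfil": ("copy", "data"),
}


def attack_from_record(rec: dict) -> Attack:
    """Translate one site-local record into high-level CLP terms, validating
    every field against the closed vocabularies."""
    action, target = LOCAL_TERMS[rec["local_name"]]
    return Attack(
        tool=require("tool", rec["tool"]),
        vulnerability=require("vulnerability", rec["vuln"]),
        event=Event(require("action", action), require("target", target)),
        unauthorized_result=require("unauthorized_result", rec["result"]),
    )


# Constructed sample records, as a site's incident database might hold them.
SAMPLE_RECORDS = [
    {"local_name": "portscan", "tool": "script or program",
     "vuln": "configuration", "result": "disclosure of information"},
    {"local_name": "pw-guess", "tool": "script or program",
     "vuln": "configuration", "result": "increased access"},
    {"local_name": "file-exfil", "tool": "user command",
     "vuln": "configuration", "result": "disclosure of information"},
]


def build_incident(records: List[dict]) -> Incident:
    """Group validated attacks into one incident (constructed identifiers)."""
    inc = Incident(incident_number="INC-EXAMPLE-001", site="example.site",
                   attacker="professional criminals", objective="financial gain")
    inc.attacks = [attack_from_record(r) for r in records]
    return inc


def trend_summary(incidents: List[Incident]) -> Counter:
    """Count (action, target, unauthorized result) triples across incidents:
    the comparable, cross-site figures the common language is meant to enable."""
    return Counter((a.event.action, a.event.target, a.unauthorized_result)
                   for inc in incidents for a in inc.attacks)
```

Because every incident is stored only in the shared high-level terms, `trend_summary` can be run over incidents from different sites even when their local names differ, which is the "combine and compare data" problem from slide 2; a record using an undefined term fails at `require` instead of polluting the trend counts.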
