Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Counting incidents.

A colleague said this to me once, and I wasn’t too sure he was entirely joking:

“We didn’t HAVE any security incidents until YOU came along.”

Many, many people reading this would be mentally adding, as I did at the time, “... that you KNOW of.”  Which is a fair enough comment, but really, people DO think this way.  If someone doesn’t even consider a virus infection to count as a security incident, then what DOES count?

On the other end of the spectrum, you have people who apparently are counting a whole lot of things as “incidents.”  I’ve seen some statistics from organizations that claimed they were reporting incidents in the THOUSANDS.  How in the world do you get that number?  Are you counting every virus and spyware infection separately, and are you getting hundreds of machines infected per month?  Are you counting all the hits on your external IDS?  (I don’t count those, any more than I count the number of raindrops falling on my umbrella.  Sure, if I got a leak in the umbrella, I’d be wet, and if I didn’t have the umbrella at all, I’d be REALLY wet, but what’s the point in measuring how wet I’m not getting?)

I count viruses and spyware as incidents, but I don’t count each one separately if they’re all on one machine.  We usually notice it through our outbound IDS filtering, we clean it up, we scold the user, and we’re done.  It’s about as annoying as cockroaches, mainly because we can’t always get users to stop leaving food out on the counter, and we can’t plug all the teeny tiny cracks.  But as far as we can tell, we’re not getting elephants following the cockroaches in.
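The counting rules above (ignore inbound hits on the external IDS, count infections but collapse them to one incident per machine, always count misuse or circumvention) are easy to state and easy to get inconsistent in practice. The following is an added example, not code from the original post, that applies those rules to a constructed set of alerts and reports raw alert volume alongside the incident count. The alert layout, the category names, and the rule that a host re-infected after a quiet period of `window_days` is a new incident are assumptions made for the example.

```python
"""Roll raw security alerts up into countable incidents.

Added example, not from the original post. The alert tuples, the source and
category names, and the re-infection window are all constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample alerts: (timestamp, source, category, host, detail).
ALERTS = [
    ("2007-04-20T09:01", "external-ids", "inbound-scan", "fw-outside", "SYN scan"),
    ("2007-04-20T09:02", "external-ids", "inbound-scan", "fw-outside", "ssh brute force"),
    ("2007-04-20T10:15", "outbound-ids", "malware-c2", "ws-0142", "IRC bot beacon"),
    ("2007-04-20T10:17", "antivirus", "spyware", "ws-0142", "Adware.Foo"),
    ("2007-04-20T10:18", "antivirus", "spyware", "ws-0142", "Adware.Bar"),
    ("2007-04-21T14:00", "antivirus", "virus", "ws-0207", "W32.Something"),
    ("2007-04-22T08:30", "audit", "misuse", "srv-db01", "root password changed by unauthorized admin"),
    ("2007-04-22T08:31", "audit", "circumvention", "ws-0099", "proxy bypass via SSH tunnel"),
    ("2007-05-25T11:40", "antivirus", "spyware", "ws-0142", "Adware.Foo"),  # same box, a month later
]

# Category classes, as assumed for this example.
NOISE = {"inbound-scan"}                      # raindrops on the umbrella: not counted
INFECTION = {"malware-c2", "spyware", "virus"}  # counted once per host per window
MISUSE = {"misuse", "circumvention"}          # always an incident


def roll_up(alerts, window_days=30):
    """Apply the counting rules and return a summary dict.

    Infection alerts on the same host collapse into one incident; a further
    infection alert on that host more than `window_days` after the last one
    attached to the open incident starts a new incident.
    """
    last_seen = {}            # host -> timestamp of the last infection alert on it
    infection_incidents = 0
    misuse_incidents = 0
    ignored = 0
    for ts, _source, category, host, _detail in sorted(alerts):  # ISO timestamps sort correctly
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        if category in NOISE:
            ignored += 1
        elif category in INFECTION:
            prev = last_seen.get(host)
            if prev is None or t - prev > timedelta(days=window_days):
                infection_incidents += 1
            last_seen[host] = t
        elif category in MISUSE:
            misuse_incidents += 1
        else:
            # Fail loudly rather than silently miscounting an unknown category.
            raise ValueError(f"unclassified alert category: {category}")
    return {
        "raw_alerts": len(alerts),
        "ignored_external_hits": ignored,
        "infection_incidents": infection_incidents,
        "misuse_incidents": misuse_incidents,
        "total_incidents": infection_incidents + misuse_incidents,
    }


if __name__ == "__main__":
    for key, value in roll_up(ALERTS).items():
        print(f"{key}: {value}")
```

On the constructed data this turns nine raw alerts into five incidents: three infection incidents (two machines, one of them counted again after a quiet month) and two misuse incidents, with the two external IDS hits reported separately so the volume is visible without inflating the count. Widening the window to 60 days folds the May re-infection into the April incident, which is exactly the kind of definitional choice that makes one organization's "thousands" another's "handful".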

Not all incidents require what I would call an investigation, and not all investigations count as incidents.  Only rarely in my world do the two overlap.  I don’t count something as a security incident just because it occurred on the computer systems; our whole organization does its business on computers.  You might as well call everything a physical security incident because it happened in the building.  But I do get called upon to provide computer-based information in the investigation of certain HR issues.  I can’t really decide whether I’m supposed to count those as “security incidents” just because my department was called in.

Misuse of computer access or circumvention of security measures:  that counts as a security incident, fer sure.

Sending someone harassing IMs?  That gets fuzzier.  They’re just not being NICE on the computer; they’re not violating security policies (except for the “acceptable use” policies that say you have to be nice to people on the computer).

Forwarding chain email?  That’s being STUPID on the computer.  Not really a security matter, if you ask me, although I get as annoyed as the postmasters do when it ratchets up our email volume.

Changing a root password out from under another colleague because you don’t like him and don’t think he should be messing with your server?  There’s probably not a policy against that.  I’d call it a misuse of computer access, but only just barely.  Is it an incident, or just an argument?  (Or is it abuse?) 

Maybe my colleague was right.  Depending upon how you define an incident, we’re pretty damn lucky:  leaving out viruses and whatnot, I’ve only had a few occasions where real misuse of computer access or circumvention of security measures has occurred.  Then again, he doesn’t KNOW about any of the incidents because he doesn’t have a need to know and I don’t tell him.  He probably thought those law enforcement agents sitting in my office were vendor sales babes.  Whatev.

What matters in counting incidents is what my management defines them to be, and they do know what they are.  If they consider them to be a threat to our business operations, and want to put them in the security column, that’s fine with me.  Either way, I deal with them.  What numbers I might report to an outside organization won’t be a one-to-one match with someone else’s definition of security incidents or favorite metrics, but that matters less to me.  Once the security bean-counters come up with an unambiguous set of security metrics, I’ll be happy to use them in reporting, but I’m not losing sleep over it.


Posted by shrdlu on Friday, April 27, 2007

Comments

United States on 04/27  at  07:57 PM:

Nice post. smile And if your agents can be mistaken for boof babes, I’ll request them for my next incident!

