SV: [i-taxonomy] FYI: [Fwd: Draft NIST documents]


Subject: SV: [i-taxonomy] FYI: [Fwd: Draft NIST documents]
[email protected]
Date: Mon Mar 12 2001 - 11:17:52 CET



Security:Restricted

Hi,

Yes, they are using the term attack as they have already decided (and
configured their IDS to react) what kinds of security incidents are
considered to be (classified as) an attack against their
networks/systems. All this according to their policies and
experiences. This differs between organisations as they may have a
different view on security incidents and what might be considered as an
attack.
This reasoning is strongly connected with the organisation's security
policy and tolerance level (do we see a probe as an abuse or is it a
security incident that is the first step to an attack) and the severity
grade of the security incident.

The term (IT) attack is narrower than the term (IT) security incident
as it is (according to me) considered to be an (IT) security incident
with a high severity grade that has to be handled very promptly as it
otherwise may cause the organisation great loss, both in availability
and economically (compare with a skirmish at the Swedish/Danish border
where some Danish soldiers kill some Swedish soldiers. This is
considered to be a security incident with very high severity, but it is
not considered as an attack (which can lead to war). This security
incident would certainly lead to some juridical issues. If this happens
between South and North Korea it may be considered to be a security
incident with the highest severity and also considered as an attack.
The outcome could be completely different). One can say that an attack
is a qualification of a security incident.

Opinions are welcome!

--jimmy-

<--------------------------------------------------------------------->
Telia AB
TeliaCERT
Jimmy Arvidsson Phone: +46 (0)8-713 1889
SE-123 86 Farsta Cell.: +46 (0)70-513 1889
SWEDEN Fax: +46 (0)706 175 101
Fingerprint: 3B69 E9AE 2BA7 18BE D28A 6D03 637F 9A64 E65F 3A18
<-------------------------------------------------------------------->

-----Original Message-----
From: [email protected] [SMTP:[email protected]]
Sent: 12 March 2001 10:15
To: [email protected]; [email protected]
Cc: [email protected]
Subject: [i-taxonomy] FYI: [Fwd: Draft NIST documents]

This is a forwarded message from the IDWG mailing list.

Recent NIST drafts may be interesting both for TF-CSIRT and ITDWG
http://csrc.nist.gov/publications/drafts.html

The draft guidance document on Intrusion Detection systems
http://csrc.nist.gov/publications/drafts/idsdraft.pdf
is more related to our IODEF work.

I could agree with the author of the original message that we should
recommend them to include a reference to the on-going work on IDEF and IODEF
standardisation.

However, I would like to ask Jimmy and others to look at the terminology
used, particularly, in section 7.2.6. IDSs and Excessive Attack
Reporting.

They don't use "Incident" as a reporting issue, but talk only about Attack
reporting, naming, etc.

Unfortunately, time for comments is very short - March 14, 2001.
<<File: [i-taxonomy] FYI_ [Fwd_ Draft NIST documents].TXT>>
<<Message: Draft NIST document>>



This archive was generated by hypermail 2a24 : Mon Mar 12 2001 - 11:17:54 CET