Incident Confirmation – A combination of the following activities can represent a security incident and thus require action. Although observing any one of these symptoms on its own is generally inconclusive, observing several of them together is grounds for further scrutiny:
- Unsuccessful logon attempts;
- Unexplained system crashes;
- Unexplained poor system performance;
- Port scanning (use of exploit and vulnerability scanners, remote requests for information about systems and/or users, or social engineering attempts);
- Unusual usage times (statistically, more security incidents occur during non-working hours than at any other time); and
- An indicated last time of usage of an account that does not correspond to the actual last time of usage for that account.
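The "several symptoms together" rule above can be turned into a simple triage check. The following is an added example, not part of the original procedure: it runs over constructed logon events and a constructed account-inventory table, counts three of the listed symptoms per account (repeated unsuccessful logons, successful logon outside working hours, recorded last use that disagrees with the observed last logon), and only reports accounts showing two or more. The working-hours window and the failure threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon events (account, ISO timestamp, outcome); not real data.
EVENTS = [
    ("alice", "2024-03-04T09:15:00", "success"),
    ("bob",   "2024-03-04T02:10:00", "failure"),
    ("bob",   "2024-03-04T02:11:00", "failure"),
    ("bob",   "2024-03-04T02:12:00", "failure"),
    ("bob",   "2024-03-04T02:13:00", "success"),
    ("carol", "2024-03-04T14:00:00", "failure"),
]

# Constructed "last time of usage" as recorded by an account inventory. A
# mismatch against the last successful logon actually seen is itself a symptom.
RECORDED_LAST_USE = {
    "alice": "2024-03-04T09:15:00",
    "bob":   "2024-02-20T17:45:00",
    "carol": "2024-03-01T10:00:00",
}

WORK_HOURS = range(8, 18)   # assumed working hours, 08:00-17:59
FAILURE_THRESHOLD = 3       # assumed: this many failures counts as a symptom

def indicators(events=EVENTS, recorded=RECORDED_LAST_USE):
    """Return {account: [symptom, ...]} for every symptom observed."""
    failures = defaultdict(int)
    off_hours = set()
    last_success = {}
    for account, ts, outcome in events:
        when = datetime.fromisoformat(ts)
        if outcome == "failure":
            failures[account] += 1
        else:
            last_success[account] = ts          # events are in time order
            if when.hour not in WORK_HOURS:
                off_hours.add(account)
    found = defaultdict(list)
    for account, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            found[account].append(f"{n} unsuccessful logon attempts")
    for account in off_hours:
        found[account].append("successful logon outside working hours")
    for account, ts in last_success.items():
        if recorded.get(account) != ts:
            found[account].append("recorded last use differs from observed last logon")
    return dict(found)

def needs_scrutiny(events=EVENTS, recorded=RECORDED_LAST_USE):
    """A single symptom is inconclusive; two or more together warrant follow-up."""
    return {a: s for a, s in indicators(events, recorded).items() if len(s) >= 2}
```

With the constructed data, only `bob` is reported (three failed attempts, an off-hours logon, and a last-use mismatch), while `carol`, with a single failed attempt, is not.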