A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of security incidents, and of indicators of possible incidents, that may require action are:
- An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.
- Users are tricked into opening a “quarterly report” sent via email that is actually malware; running the tool has infected their computers and established connections with an external host.
- An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.
- A user provides or exposes sensitive information to others through peer-to-peer file sharing services.
- A system alarm or similar indication from an intrusion detection tool;
- Suspicious entries in system or network accounting (e.g., a UNIX user obtains privileged access without using authorized methods);
- A compromised account or system covered by one or more compliance areas;
- Accounting discrepancies (e.g., someone notices an 18-minute gap in the accounting log with no correlating activity);
- New user accounts of unknown origin;
- New files of unknown origin and function;
- Unexplained changes, or attempts to change, file sizes, checksums, or date/time stamps, especially those of system binaries or configuration files;
- Unexplained addition, deletion, or modification of data;
- Denial of service activity or inability of one or more users to log in to an account (including admin/root logins to the console);
- Unauthorized operation of a program or the addition of a sniffer application to capture network traffic or usernames/passwords; and,
- Unusual usage patterns (e.g. programs are being compiled in the account of a user who does not know how to program).
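The indicator about unexplained changes to file sizes, checksums and timestamps of system binaries is normally caught by comparing a recorded baseline against the current state. The following is an added example, not part of the original list, of such a baseline comparison; the file names (`bin/ls`, `etc/sshd_config`, `bin/sniff`) and the scenario in `demo()` are constructed, and it runs entirely inside a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root, rel_paths):
    """Baseline record: size, SHA-256 and mtime of each watched file under root."""
    record = {}
    for rel in rel_paths:
        p = Path(root) / rel
        if p.is_file():
            st = p.stat()
            record[rel] = {"size": st.st_size,
                           "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                           "mtime": int(st.st_mtime)}
    return record

def compare(baseline, current):
    """Per file, list the attributes that differ; flag missing and new files."""
    findings = {}
    for rel in sorted(baseline.keys() | current.keys()):
        if rel not in current:
            findings[rel] = ["missing"]
        elif rel not in baseline:
            findings[rel] = ["new"]
        else:
            changed = [k for k in ("size", "sha256", "mtime")
                       if baseline[rel][k] != current[rel][k]]
            if changed:
                findings[rel] = changed
    return findings

def demo():
    """Constructed scenario in a temp dir: a same-size edit to a 'binary' whose
    timestamp is put back, a deleted config file, and an unexpected new file."""
    with tempfile.TemporaryDirectory() as root:
        watched = ["bin/ls", "etc/sshd_config", "bin/sniff"]
        (Path(root) / "bin").mkdir()
        (Path(root) / "etc").mkdir()
        (Path(root) / "bin/ls").write_bytes(b"ELF-original-contents")
        (Path(root) / "etc/sshd_config").write_text("PermitRootLogin no\n")
        baseline = snapshot(root, watched)
        ls = Path(root) / "bin/ls"
        ls.write_bytes(b"ELF-modified-contents")  # same length as before
        old = baseline["bin/ls"]["mtime"]
        os.utime(ls, (old, old))  # restored timestamp: only the checksum reveals the edit
        (Path(root) / "etc/sshd_config").unlink()
        (Path(root) / "bin/sniff").write_bytes(b"unexpected new program")
        return compare(baseline, snapshot(root, watched))

if __name__ == "__main__": print(demo())
```

Size and timestamp alone miss the edited file in this scenario; the checksum is the attribute that reliably flags it, which is why the baseline should always include one.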