Security Incident


A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of security incidents that may require action are:

  • An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.
  • Users are tricked into opening a “quarterly report” sent via email that is actually malware; running the file has infected their computers and established connections with an external host.
  • An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.
  • A user provides or exposes sensitive information to others through peer-to-peer file sharing services.
  • A system alarm or similar indication from an intrusion detection tool.
  • Suspicious entries in system or network accounting (e.g., a UNIX user obtains privileged access without using authorized methods).
  • A compromised account or system covered by one or more compliance areas.
  • Accounting discrepancies (e.g., someone notices an 18-minute gap in the accounting log that corresponds to no known activity).
  • New user accounts of unknown origin.
  • New files of unknown origin and function.
  • Unexplained changes, or attempts to change, file sizes, checksums, or date/time stamps, especially those of system binaries or configuration files.
  • Unexplained addition, deletion, or modification of data.
  • Denial of service activity, or the inability of one or more users to log in to an account (including admin/root logins to the console).
  • Unauthorized operation of a program, or the addition of a sniffer application to capture network traffic or usernames/passwords.
  • Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program).
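As an added illustration of the "unexplained changes to file sizes, checksums and timestamps" and "new files of unknown origin" indicators above (example code written for this entry, not taken from the glossary's source): a minimal baseline-versus-current integrity check. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Size, SHA-256 digest and mtime: the attributes the indicator names."""
    st = path.stat()
    return {
        "size": st.st_size,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "mtime": int(st.st_mtime),
    }

def build_manifest(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by POSIX relative path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report files whose attributes changed, plus files added or removed."""
    modified = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            continue  # reported under "removed" below
        changed = [k for k in ("size", "sha256", "mtime") if old[k] != new[k]]
        if changed:
            modified[rel] = changed
    return {
        "modified": modified,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    """Constructed scenario in a temp dir: trusted baseline, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary\n")
        (root / "etc.conf").write_text("debug=off\n")
        baseline = build_manifest(root)
        (root / "bin" / "ls").write_bytes(b"tampered\n")  # replaced system binary
        (root / "unknown.bin").write_bytes(b"\x00")        # new file of unknown origin
        os.utime(root / "etc.conf", (0, 0))                # timestamp altered, content intact
        return compare(baseline, build_manifest(root))
```

In practice the baseline manifest is taken from a known-good image and stored off-host, so that an attacker who modifies a binary cannot also rewrite the record it is compared against.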