29/06/2015

Security Indicators Quick Reference Card (v1.1.2)


For ETSI and Club R2GS, designed and edited by Axel Rennoch (Fraunhofer FOKUS) and Gérard Gaudin (G²C).
This Quick Reference Card summarizes Information Security Indicator components to support users. The document stems from the ETSI GS ISI 001 standard. Further information: https://en.wikipedia.org/wiki/Information_security_indicators.
Copyright 2013-2015. Forwarding and copying of this document is permitted for personal and educational purposes provided that authorship is retained and that the content is not modified. This work is not to be distributed for commercial advantage.

1.1. Indicators related to security incidents (Ixx)

| Class | Family | Id | Component | Parameters | F | S | D | M |
|---|---|---|---|---|---|---|---|---|
| IEX Intrusions and external attacks | FGY Website forgery | 1 | Forged domain or brand names | #ev[30d], #addresses.legitimate, Ømonth[90d] | + | 1 | 3 | 6 |
| | | 2 | Forged websites | #ev[30d], #org.websites, Ømonth[90d] | + | 2-3 | 2 | 6 |
| | SPM Spam | 1 | Not requested received bulk messages | #ev[30d], #messages[30d], Ømonth[90d] | +++ | 3 | 3 | - |
| | PHI Phishing | 1 | Targeting customers' workstations | #ev[30d], #series.unique[30d], const(exposure.media) | + | 3 | 2 | 6,7 |
| | | 2 | Targeting organisation's users | #ev[30d], #messages[30d] | + | 3 | 3 | 6,7 |
| | INT Intrusion | 1 | Attempt on externally accessible servers | #ev.day.unique[30d], #servers | +++ | 1-2 | 2 | - |
| | | 2 | Success on externally accessible servers | #ev.unique[30d], #servers, Ømonth[90d] | + | 3-4 | 1 | 5-8 |
| | | 3 | Intrusions on internal servers (NEW) | #ev.unique[30d], #servers, Ømonth[90d] | ++ | 4 | 1 | 5-8 |
| | DFC Website defacement | 1 | Obvious and visible website defacements | #ev[30d], #org.websites, Ømonth[90d] | + | 3 | 3 | 5-7 |
| | MIS Misappropriation of resources | 1 | Server resources misappropriation (by external attackers) | #ev[30d], Ømonth[90d] | sig | 2 | 1 | 5-7 |
| | DOS Denial of Service | 1 | DoS and DDoS attacks on websites | #ev[30d], #org.websites | + | 4 | 3 | 5-7 |
| | MLW Malware | 1 | Attempts to install malware on workstations | #ev[30d], #attempt.mw.unique(#types.mw) | +++ | 1 | 3 | 5-7 |
| | | 2 | Attempts to install malware on servers | #ev[30d], #attempt.mw.unique(#types.mw) | ++ | 1 | 3 | 3,5-8 |
| | | 3 | Installations on workstations | #ev[30d], Ømonth[90d] | ++ | 1-4 | 1-3 | 3,5-8 |
| | | 4 | Installations on internal servers | #ev[30d], Ømonth[90d] | + | 2-4 | 1-3 | 3,5-8 |
| | PHY Physical intrusion or action | 1 | Human intrusion into organization's perimeter | #ev[30d], Ømonth[90d] | + | 3 | 1 | 6 |
| IMF Malfunctions | BRE Accidental breakdowns or malfunctions | 1 | Workstations breakdowns or malfunctions | #ev[30d], Ømonth[90d] | ++ | ~ | 3 | 6,7 |
| | | 2 | Servers breakdowns or malfunctions | #ev[30d], Ømonth[90d] | + | ~ | 3 | 6,7 |
| | | 3 | Mainframes breakdowns or malfunctions | #ev[30d], Ømonth[90d] | + | ~ | 3 | 6,7 |
| | | 4 | Networks breakdowns or malfunctions | #ev[30d], Ømonth[90d] | ++ | ~ | 3 | 6,7 |
| | MDL Misdelivery content | 1 | Delivery of email to wrong recipient (NEW) | #users.concerned.detected[30d], #ev[30d], #users | + | 1-4 | 1 | 6 |
| | LOM Loss or theft of mobile devices | 1 | Mobile devices belonging to org. | #ev[30d], #org.devices, Ømonth[90d] | + | 3 | 3 | 6 |
| | LOG Logging malfunction | 1 | Downtime / malfunction of log production | #ev[30d], #org.systems, Ømonth[90d] | ++ | 3-4 | 3 | 5,6 |
| | | 2 | Absence of possible tracking of involved person | #ev[30d], #org.systems, Ømonth[90d] | + | 1-2 | 2 | 5,6 |
| | | 3 | Downtime / malfunction of log production for recordings with evidential value | #ev[30d], #org.systems.value, Ømonth[90d] | + | 3-4 | 3 | 5,6 |
| IDB Internal deviant behaviour | UID Identity usurpation | 1 | User impersonation | #ev[30d], Ømonth[90d] | + | 2-4 | 1 | 4-7 |
| | RGH Rights (or privileges) usurpation or abuse | 1 | Privilege escalation by exploitation of software or config vul. | #ev[30d], Ømonth[90d] | + | 4 | 2 | 4-8 |
| | | 2 | Privilege escalation by social engineering | #ev[30d], Ømonth[90d] | sig | 3 | 2 | 4-8 |
| | | 3 | Use of admin rights illicitly granted by admin | #ev[30d], Ømonth[90d] | sig | 3 | 3 | 4-8 |
| | | 4 | Use of time-limited rights after period | #ev[30d], Ømonth[90d] | sig | 3 | 2 | 4-8 |
| | | 5 | Abuse of privileges by admin | #ev[30d], #admins.mis[30d], Ømonth[90d] | sig | 3-4 | 2 | 4-8 |
| | | 6 | Abuse of privileges by operator or user | #ev[30d], #applications, Ømonth[90d] | sig | 2-3 | 3 | 4-8 |
| | | 7 | Illicit use of rights not removed (after departure or position change) | #users.mis[30d], Ømonth[90d] | sig | 3 | 2 | 4-8 |
| | MIS Misappropriation of resources | 1 | Server resources misappropriation by an internal source | #users.mis(remote)[30d], Ømonth[90d] | sig | 1 | 1 | 4-7 |
| | IAC Illicit access to Internet | 1 | Access to hacking website (from internal workstation) | #inc[30d], Ømonth[90d] | + | 4 | 1 | 5,6 |
| | LOG Deactivating of logs recording | 1 | Deactivating of logs recording by an admin | #admins.performing.detected[30d], Ømonth[90d] | sig | 2-3 | 3 | 5,6 |

1.2. Consolidated indicators of the previous IEX, IMF, IDB security incidents

| Class | Family | Id | Component | Parameters | F | S | D | M |
|---|---|---|---|---|---|---|---|---|
| IWH Whole incident class | VNP Non-patched or poorly patched vul. exploitation | 1 | Exploitation of sw vul. w/o available patch | #ev[30d], #inc.categorized.detected, Ømonth[60d] | key | 3 | 3 | 3-6 |
| | | 2 | Exploitation of non-patched sw vul. | #ev[30d], #inc.categorized.detected, Ømonth[60d] | key | 3 | 3 | 3-6 |
| | | 3 | Exploitation of poorly-patched sw vul. | #ev[30d], #inc.categorized.detected, Ømonth[60d] | key | 3 | 3 | 3-6 |
| | VCN Conf. vul. exploitation | 1 | Exploitation of config flaw | #ev[30d], #inc.categorized.detected, Ømonth[60d] | key | 3 | 2 | 2,4-6 |
| | UKN Unknown incidents | 1 | Not categorized sec incidents | #ev[30d], #inc.categorized.detected, Ømonth[90d] | key | 3-4 | 2 | 4-6 |
| | UNA Incidents on not addressed assets | 1 | Sec. inc. on non-inventoried / not-managed assets | #ev[30d], #inc.categorized.detected, Ømonth[90d] | key | 3-4 | 3 | 1,5,6 |

Conventions: F (frequency rate: +/++/+++; sig = significant; key = key to know; ? = undefined), S (severity level: 1 [low] to 4 [highest]; ~ [depends on sensitivity]), D (detection rate: 1 [very difficult] to 3 [easy]), M (maturity KPSI).
Notation: “#” number (quantitative amount); “[30d]” time interval (e.g. 30 days); “Ø” average; “Σ” sum over all incidents; “Ømonth” average value of this indicator in the last month; “org.xx” xx in the organization.
Abbreviations: AP (access point), ev (event), FW (firewall), inc (incident), mis (misbehaving), mw (malware), org (company or organisation), OS (operating system), sec (security), sw (software), vul (vulnerability).

2. Indicators related to vulnerabilities (Vxx)


| Class | Family | Id | Component | Parameters | F | S | D | M |
|---|---|---|---|---|---|---|---|---|
| VBH Behaviour vulnerabilities | PRC Dangerous protocols used | 1 | Server accessed by an admin with unsecure protocols | #ev[30d], #admins.system[30d], Ømonth[90d] | sig | 2-3 | 1 | 4-6 |
| | | 2 | P2P client in a workstation | #users.installing[30d], Ømonth[90d] | ++ | 3 | 2 | 5,6 |
| | | 3 | VoIP client in a workstation | #users.installing[30d], Ømonth[90d] | ++ | 1 | 2 | 5,6 |
| | | 4 | Outbound connection dangerously set up | #users.installing[30d], Ømonth[90d] | ++ | 2 | 2 | 5,6 |
| | | 5 | Not compliant laptop computer used to establish a connection | #users.connecting[30d], #laptops, Ømonth[90d] | ++ | 3 | 2 | 2,5,6 |
| | | 6 | Other unsecure protocols used | #ev[30d], Ømonth[90d] | + | 2-3 | 1-2 | 5,6 |
| | IAC Internet illicit access | 1 | Outbound controls bypassed | #users.performing[30d], Ømonth[90d] | sig | 2-4 | 1 | 5,6 |
| | | 2 | Anonymisation site used | #users.performing[30d], Ømonth[90d] | sig | 3 | 3 | 5,6 |
| | FTR File illicit transfer with outside | 1 | File recklessly downloaded | #ev[30d], Ømonth[90d] | ++ | 2-3 | 2 | 5,6 |
| | | 2 | Personal public instant messaging account used (for business file exchanges) | #users.performing[30d], Ømonth[90d] | + | 3 | 2 | 5,6 |
| | | 3 | Personal public messaging account used (for business file exchanges) | #users.performing[30d], Ømonth[90d] | sig | 2 | 2 | 5,6 |
| | WTI Workstation used w/o relevant usual security | 1 | Workstations accessed in admin mode | #users.performing[30d], Ømonth[60d] | + | 2-3 | 2 | 2,4-6 |
| | | 2 | Personal storage devices used | #ev[30d], Ømonth[90d] | ++ | 3 | 1 | 2,4-6 |
| | | 3 | Personal devices used w/o compartmentalization (BYOD) | #users.performing[30d], #devices.personal, Ømonth[90d] | ++ | 2 | 1 | 2,4,6 |
| | | 4 | Not encrypted sensitive files exported | #ev[30d], Ømonth[90d] | ++ | 4 | 1 | 5,6 |
| | | 5 | Personal software used | #users.performing[30d], Ømonth[60d] | + | 2-3 | 3 | 2,5,6 |
| | | 6 | Mailbox / internet access in admin mode (NEW) | #users.concerned[30d], Ømonth[60d] | + | 4 | 3 | 2,4-6 |
| | PSW Passwords illicitly handled or managed | 1 | Weak passwords used | #ev[30d], #accounts.users, Ømonth[90d] | sig | 3 | 2 | 2,4,6 |
| | | 2 | Passwords not changed | #ev[30d], #accounts.users, Ømonth[90d] | sig | 2 | 2 | 2,4,6 |
| | | 3 | Admin passwords not changed | #ev[30d], #accounts.admins, Ømonth[90d] | sig | 3 | 2 | 2,4,6 |
| | RGH Access rights illicitly granted | 1 | Non-compliant user rights granted by admin | #admins.performing[30d], #admins, Ømonth[90d] | +++ | 3 | 2 | 2,4-6 |
| | HUW Human weakness | 1 | Exploited by phishing message exchanges | #users.performing[month], #users, Ømonth[90d] | + | 3 | 2 | 6,7 |
| | | 2 | By exchanging secrets through online media | #users.performing[month], #users, Ømonth[90d] | + | 1 | 1-2 | 6,7 |
| VSW Software vul. | WSR Webserver sw. vul. | 1 | Web applications sw vul. | #ev[30d], #applications.web, Ømonth[90d] | + | 3-4 | 3 | 3,6 |
| | OSW OS sw. vul. | 1 | OS sw vul. regarding servers | #ev[30d], #server.ext.visible, Ømonth[90d] | + | 2-3 | 3 | 3,6 |
| | WBR Webbrowser sw. vul. | 1 | Webbrowser sw. vul. | #ev[30d], #workstations, Ømonth[90d] | ++ | 2-4 | 3 | 3,6 |
| VCF Configuration vul. | DIS Dangerous or illicit services | 1 | Dangerous or illicit services on externally accessible servers | #ev[30d], #server.ext.visible, Ømonth[90d] | + | 2-3 | 2 | 1,2,5,6 |
| | LOG Log production shortcomings | 1 | Insufficient size of the space allocated for logs | #ev[30d], #org.systems, Ømonth[90d] | sig | 1 | 2 | 2,5,6 |
| | FWR Weak FW config. | 1 | Weak FW filtering rules | #ev[30d], #FW, Ømonth[90d] | sig | 2 | 1 | 2,6 |
| | WTI Workstation wrongly configured | 1 | Workstation with bad AV/FW (NEW) | #users.concerned[30d], Ømonth[60d], #workstations | ++ | 4 | 3 | 2,5,6 |
| | | 2 | Autorun feature enabled on workstations | #ev[30d], #workstations, Ømonth[60d] | + | 2-3 | 3 | 2,6 |
| | UAC User accounts wrongly configured | 1 | Access rights configuration not compliant with security policy | #users.detected[30d], Ømonth[60d] | + | 3 | 3 | 2,4-6 |
| | | 2 | Not compliant access rights on logs | #ev[30d], #servers, Ømonth[60d] | + | 2-3 | 2/3 | 2,4-6 |
| | | 3 | Generic and shared admin account | #ev[30d], #OS+#DB+#applications, Ømonth[60d] | sig | 2-3 | 3 | 2,4,6 |
| | | 4 | Accounts w/o owners | #ev[30d], #OS+#DB+#applications, Ømonth[60d] | + | 3 | 2/3 | 2,6 |
| | | 5 | Inactive accounts | #ev[30d], #OS+#DB+#applications, Ømonth[60d] | + | 2 | 2 | 2,4,6 |
| VTC General sec. technical vul. | BKP Back-up malfunction | 1 | Malfunction of server-hosted safeguards (NEW) | #ev[30d], #servers.safeguards, Ømonth | sig | 3 | 3 | 6,7 |
| | IDS IDS/IPS malfunction | 1 | Full unavailability of IDS/IPS | #ev[30d], #IDS/IPS, Ømonth[90d] | sig | 3 | 3 | 5,6 |
| | WFI Illicit Wi-Fi access points | 1 | Wi-Fi devices installed on the network w/o any official authorisation | #ev[30d], #APs.WiFi, Ømonth[180d] | sig | 4 | 3 | 2,6 |
| | RAP Illicit remote access | 1 | Remote access points used to gain unauthorised access | #ev[30d], #AP.authorized, Ømonth[180d] | ? | 3 | 1 | 5 |
| | NRG Illicit network connections | 1 | Devices or servers connected to org. network w/o being registered / managed | #ev[30d], #equipment.authorized, Ømonth[90d] | sig | 3 | 2/3 | 1 |
| | PHY Physical access control | 1 | Not operational physical access control means | #ev[30d], #areas.protected, Ømonth[90d] | sig | 2-3 | 2 | - |
| | DSC Discovery of attacks | 1 | Excessive time to discovery (NEW) | #ev[30d], #inc.detected[30d] | sig | 4 | 1 | 6 |
| | VNP Not patched vul. | 1 | Excessive time of windows of risk exposure | time.risk(>limit.policy.sec), Ømonth[90d] | + | 3-4 | 2 | 3 |
| | | 2 | Rate of not patched systems | #ev[30d], #systems, Ømonth[90d] | sig | 2 | 2 | 3 |
| | VNR Not reconfigured systems | 1 | Rate of not reconfigured systems | #ev[30d], #systems.reconfigured, Ømonth[90d] | sig | 2 | 3 | 2 |
| VOR General sec. org. vul. | RCT Reaction plans feedback | 1 | Reaction plans launched w/o experience | #ev[30d], #reactionplans.launched, Ømonth[90d] | sig | 2 | 3 | 6,7 |
| | | 2 | Reaction plans unsuccessfully launched | #ev[30d], #reactionplans.launched, Ømonth[90d] | sig | 4 | 3 | 6,7 |
| | PRT Security in IT projects | 1 | Launch of new IT projects w/o information classification | #ev[30d], #projects.launched, Ømonth[90d] | + | 3 | 3 | 6 |
| | | 2 | Launch of new specific IT projects w/o risk analysis | #ev[30d], #projects.launched, Ømonth[90d] | + | 3 | 3 | 6 |
| | | 3 | Launch of new IT projects of a standard type w/o identification of vul. and threats | #ev[30d], #projects.launched, Ømonth[90d] | + | 3 | 3 | 6 |

3. Indicators as regards impact measurement (IMP)


| Class | Family | Id | Component | Parameters |
|---|---|---|---|---|
| IMP | COS Costs | 1 | Average cost to tackle a critical sec. incident | Σcost.inc[30d], Øcost.inc[30d], Øcost.inc(all)[120d] |
| | TIM Average time of website downtime | 1 | Due to whole sec incidents | Σtime.inc[30d], Øtime.inc[30d], Øtime[90d] |
| | | 2 | Due to successful malicious attacks | Σtime.inc[30d], Øtime.inc[30d], Øtime[90d] |
| | | 3 | Due to malfunctions / unintentional sec. incidents | Σtime.inc[30d], Øtime.inc[30d], Øtime[90d] |
