Thursday, December 9, 2021

Type of Security Events and Incidents

In security incident management, many events arise every day. Security incidents are events that may indicate that an organization's systems or data have been compromised. More generally, a security event is any occurrence that has significance for system hardware or software, while an incident is an event that disrupts normal operations.

Looking at malware specifically: more than 90% of malware is delivered by email, and 98% of mobile device malware targets Android systems. Studies show that macOS malware has also increased by 165%. For more details, see the statistics at https://purplesec.us/resources/cyber-security-statistics/

Here I am sharing some of the types of incidents and events that occur and that can be recorded through a SIEM or any suitable logging device, which stores the event logs for later forensic analysis.

Based on impact, these events (or attacks, as we may also call them) can be further classified as High, Medium or Low.

The types of infrastructure-related incidents are listed below.

  • Buffer Overflow attacks
  • Port & vulnerability Scan attack
  • Password cracking
  • Worm/virus outbreak
  • File access failures
  • Unauthorized server/service restarts
  • Unauthorized changes to firewall rules
  • SQL injection
  • Cross site scripting

Application security events include:

  • Attempted violation of defined role
  • Attempted access violations
  • Critical user additions, deletions
  • Creation, deletion & modification of critical application roles/groups.
  • Changes to account & password policies in the application
  • Changes to permissions or authorizations for critical application roles/groups.
  • Changes to critical application parameters.
  • Sensitive Data Exposure

Some database-related incidents and monitoring activities:

  • Granular monitoring of queries, objects and stored procedures with real-time alerts
  • Monitor Access to Sensitive Data
  • Insecure system architecture
  • Exploiting unpatched services
  • Default, Blank, and Weak Username/passwords
  • Database access including logins, client IP, server IP and source program information.
  • Poor Encryption and Data Breaches
  • Denial-of-service Attacks
  • Track execution of stored procedures, including who executed a procedure, what procedure name and when, which tables were accessed as a result.
  • Track and audit administrative commands such as GRANT.

Some network behavior anomaly events:

  • Network Traffic Pattern Analysis and Bandwidth Analysis.
  • Host behaviors and traffic analysis to identify threats.
  • Analysis of traffic patterns & identify nonessential ports and services for normal business operations.
  • Anomaly event as belonging to a class of security events (DDoS, Scans, etc.)

Other attacks that exist and can be recorded include:

  • Trojan Horse Attack.
  • Malware/Spyware
  • Suspicious registry entries
  • Unverified email attachments
  • Frequent Login Attempt
  • Loss or theft of equipment or component
  • Brute force Attack
  • Port Scanning
  • Insider Breach
  • Unauthorized Privilege Escalation
  • Destructive Attack
  • Advanced persistent threat/ Multistage Attack
  • False Positive removal
  • email Phishing
  • Abnormal browsing behavior
  • Client side information leakage
  • Cookie Injection
  • Traffic sent to and from unknown location
  • Excessive bandwidth consumption or memory consumption
  • Unapproved configuration changes

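As an added example (not part of the original post), the script below applies the kind of recording and classification described above to a few constructed log lines: it counts failed logins per source address, distinct ports probed per source address, and firewall rule changes, then labels each finding with one of the event types listed above and an assumed High or Medium severity. The log format, thresholds and severity mapping are assumptions for illustration, not a standard from the post.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from any real system), in a
# simple "<timestamp> <source> <message>" format.
SAMPLE_LOGS = (
    [f"2021-12-09T10:00:0{i} sshd Failed password for root from 203.0.113.5 port 5100{i}"
     for i in range(5)]
    + ["2021-12-09T10:00:09 sshd Failed password for alice from 198.51.100.7 port 40000"]
    + [f"2021-12-09T10:01:{i:02d} fw DROP src=192.0.2.9 dst=10.0.0.5 dport={20 + i}"
       for i in range(12)]
    + ["2021-12-09T10:02:00 fw RULE-CHANGE user=bob action=add rule=allow-any"]
)

FAILED_LOGIN = re.compile(r"Failed password for \S+ from (?P<src>[\d.]+)")
FW_DROP = re.compile(r"fw DROP src=(?P<src>[\d.]+) dst=\S+ dport=(?P<port>\d+)")
FW_CHANGE = re.compile(r"fw RULE-CHANGE user=(?P<user>\S+)")


def classify_events(lines, login_threshold=5, scan_threshold=10):
    """Return a list of {type, severity, source, count} dicts for the events
    detected in the given log lines. The severity labels are an assumption
    made for this example; the post only says events are rated High, Medium
    or Low by impact."""
    failed = defaultdict(int)   # failed logins per source IP
    ports = defaultdict(set)    # distinct dropped destination ports per source IP
    events = []
    for line in lines:
        if m := FAILED_LOGIN.search(line):
            failed[m["src"]] += 1
        elif m := FW_DROP.search(line):
            ports[m["src"]].add(m["port"])
        elif m := FW_CHANGE.search(line):
            # Every rule change is recorded; whether it was approved must be
            # reconciled against change records outside this script.
            events.append({"type": "Unauthorized changes to firewall rules",
                           "severity": "High", "source": m["user"], "count": 1})
    for src, n in failed.items():
        if n >= login_threshold:   # a single failure (alice) stays below threshold
            events.append({"type": "Brute force Attack", "severity": "High",
                           "source": src, "count": n})
    for src, p in ports.items():
        if len(p) >= scan_threshold:
            events.append({"type": "Port Scanning", "severity": "Medium",
                           "source": src, "count": len(p)})
    return events


if __name__ == "__main__":
    for ev in classify_events(SAMPLE_LOGS):
        print(f"[{ev['severity']}] {ev['type']} from {ev['source']} (count={ev['count']})")
```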

Although organizations should be able to handle any incident, they should focus their preparation on the incidents they are most likely to face. Every organization should develop its own cyber response framework to defend itself.

-DR

