Adverse event – An event that indicates or produces an actual or potential negative consequence to State of Kansas IT systems. This includes attempted or actual system crashes, network packet floods, unauthorized use or disclosure, defacement of a webpage, and execution of malicious code. [State of Kansas rates LOW and MEDIUM Intrusion Detection reports as undesirable events. High Intrusion Detection reports are to be considered CS incidents.] Documented and verified adverse events are incidents.
Adware – Any software application that displays advertising banners while a program is running. Adware includes additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on the computer screen. It usually includes code that tracks a user’s personal information and passes it on to third parties without the user’s authorization or knowledge.
Botnet – A network of compromised machines that can be remotely controlled by an attacker. Due to their immense size (tens of thousands of systems that can be linked together), they pose a severe threat to the Government’s IT infrastructure.
Breach – Any illegal penetration or unauthorized access to a computer system that causes damage or has the potential to cause damage.
Chain of Custody – Protection of evidence by each responsible party to ensure against loss, breakage, alteration, or unauthorized handling. Protection also includes properly securing, identifying, and dating evidence.
Compromise – The unauthorized disclosure, modification, substitution, or use of sensitive information, or a successful action to invade a system by evading its security. For example, a computer has been compromised when a Trojan horse has been installed on it.
Compromise of Integrity – Any unauthorized modification of information or data.
Cyber/Computer Security Incident – A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices. It is also any adverse event whereby some aspect of a computer system is compromised, such as loss of data confidentiality, disruption of data integrity, or disruption of availability (also known as a denial of service).
Damage – The unauthorized deliberate or accidental physical or logical modification, destruction, or removal of information or data from an IT system.
Denial of Service (DoS) – An inability to use system resources because they have been made unavailable; for example, when an attacker has disabled a system, a network worm has saturated network bandwidth, an IP address has been flooded with external messages, or the system manager and all other users become locked out of a system.
Event – Any observable or measurable occurrence in a system or network. Events may include, but are not limited to, a user connecting to a file share, a server receiving a request for a Web page, a user sending electronic mail, and a firewall blocking a connection attempt.
Finding – An event or occurrence that may cause a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.
Firewall – A system that controls network traffic between two networks to minimize unauthorized traffic or access. Firewalls can protect networks and systems from exploitation of inherent vulnerabilities. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet.
Incident Closure or Closeout – The last phase of the incident handling lifecycle.
Incident (Cyber Security) – A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices. It is also any adverse event whereby some aspect of a computer system is compromised, such as loss of data confidentiality, disruption of data integrity, or disruption or denial of service. Incidents are classified as LOW, MEDIUM, or HIGH depending on their severity.
Incident Declaration – The phase of the incident handling lifecycle during which a State of Kansas incident number is assigned and the responsible State of Kansas organization begins its incident handling process. An incident is declared by a State of Kansas agency, staff, office, or the Enterprise Security Office incident response team (IRT); the latter is recognized as being responsible for incident handling.
Incident Handling – The comprehensive management process of receiving indications and warnings from Intrusion Detection Systems (IDS), the United States Computer Emergency Response Team (US-CERT), law enforcement, or Internet Service Providers (ISP) that an incident has occurred. It includes identifying the actual incident type, verifying which agency is responsible for the victim or perpetrator, and alerting that agency. It also requires reporting, responding to, mitigating, and closing a State of Kansas CS incident.
Incident Notification – This phase of the incident handling lifecycle involves the formal transmission of declared incident information to the documented incident handling or management personnel in the State of Kansas organization that is experiencing a CS incident.
Incident Oversight – The process of ongoing review and follow-up of incident status by the State of Kansas Enterprise IT Security Office, staff, or assignees to maintain accurate incident records on the number of incidents declared open, closed or cancelled. Statewide incident oversight is required for record keeping and review of closeout reports.
Incident Preparation – This phase of the incident handling lifecycle involves preparing reports and providing continuous status on the incident.
Incident Prevention – This phase of the incident handling lifecycle involves the review of alerts, warnings, and suspected events from various sources. In addition, it involves continuous system monitoring and review of risk assessments for systems with high CS incident rates.
Incident Reporting – This phase involves a formal acknowledgement by the incident handler that a CS incident has occurred and that all personnel responsible for responding to, acting upon, or resolving the incident have been notified.
Incident Response – The process of acting upon known identified incidents. The process includes analysis of how the incident occurred, actions to contain the incident, eradicate the cause of the incident, repair the damage, and recover from the incident. This phase includes collection and preparation of a lessons learned report and assistance in the development of an incident report.
Incident Tracking – The process and requirement for the State of Kansas and its agencies to maintain comprehensive records of all incidents from the time of declaration through closure. The state and its agencies are required to track incidents and report the status of those incidents periodically to the Enterprise Security Officer and the Kansas IT Security Council.
Intrusion – An unauthorized, inappropriate or illegal activity by insiders or outsiders that can be considered a penetration of a system.
Intruder – A person who is the perpetrator of a computer security incident. Intruders are often referred to as “hackers” or “crackers.” Hackers are highly technical experts who penetrate computer systems; the term “crackers” refers to experts with the ability to “crack” computer systems and security barriers. Most of the time “cracker” is used to refer to the more notorious intruders and computer criminals. An intruder is a vandal who may be operating from within the KANWIN network or attacking from the outside.
Level of Consequence – The impact an incident has on an organization. Impact includes loss of data; the cost to a Kansas state agency or mission area; negative consequences to the organization (e.g. damage to reputation); and the magnitude of damage that must be corrected.
Malicious Code – Also known as “malware” (malicious software); computer code or a program designed to deny, destroy, modify, or impede a system’s configuration, programs, data files, or routines. Malicious code comes in several forms, including viruses and worms.
Misuse – Unauthorized use of an account, computer, or network by an intruder or malicious user (or insider).
Need-to-Know – The necessity for access to, knowledge of, or possession of classified or other sensitive information in order to carry out officially sanctioned duties. Responsibility for determining whether a person’s duties require possession or access to this information rests upon the individual having current possession (or ownership) of the information involved, and not upon the prospective recipient.
Pharming – An exploit of the Domain Name System (DNS) that redirects, or attempts to redirect, a legitimate host name to a different IP address. The “pharmer” sets up a website that looks similar to the legitimate site and harvests personal information from unsuspecting users. Also known as “DNS cache poisoning.”
Phishing – An exploit that imitates legitimate companies’ emails to entice people to reveal sensitive or private information, or creates a replica of an existing web page to fool a user into submitting personal, financial or password data.
Rootkit – A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means.
Spyware – Any technology that aids in gathering information about a person or organization without their knowledge. Sometimes this software is called a “spybot” or “tracking software.” Spyware is placed on someone’s computer to secretly gather information about the user, agency, or company and relay it to advertisers, foreign governments, and other interested parties. Spyware can be installed as part of a virus or worm, or as a result of installing another program. Spyware is often installed without the user’s consent as a drive-by download, by clicking an option in a deceptive pop-up or webpage, or through adware or an email attachment.
Threat – A circumstance, condition, or event with the potential to cause harm to personnel and/or network resources in the form of destruction, disclosure, or modification of data, DoS, and/or fraud, waste, and abuse. The most common security threats are to network systems. Network security threats include impersonation, eavesdropping, DoS, and packet replay or modification.
Trojan Horse – A non-self-replicating program that seems to have a useful purpose, but in reality has a different malicious purpose.
Virus – A small piece of malicious code that attaches itself to another program. It does not run on its own, but executes when the host program is run.
Worm – A type of malicious code that acts as an independent program, and can usually replicate itself without human interaction from one system to another.