What Is a Computer Incident Response Team Plan?

A computer incident is a violation or imminent threat of a violation of a security policy or security practice. It includes any adverse event or activity that affects the security of computer systems or networks. These adverse events affect the organization’s security and may result in loss of confidentiality, integrity, or availability.

TIP

An organization may define a security incident internally. This definition is more specific and may be slightly different depending on the needs of the organization.

The terms computer incident and computer security incident mean the same thing and are used interchangeably. For example, some organizations have computer security incident response teams (CSIRTs) and CSIRT plans instead of computer incident response teams (CIRTs) and CIRT plans.

FYI

Sometimes, the term CERT (formerly an acronym for computer emergency response team) is used in place of CIRT. CERT® is a registered trademark and refers to the federally funded CERT Coordination Center (CERT/CC). CERT/CC is a part of Carnegie Mellon University (CMU). CERT/CC is different from the United States CERT (US-CERT), which coordinates defense and responses to cyberattacks in the United States. If an organization uses the term CERT, it is infringing on CMU’s trademark. The terms CIRT, incident response team (IRT), and CSIRT are more commonly used.

An imminent threat of violation is an incident that is about to occur. This term commonly refers to emerging threats, such as viruses or worms that are rapidly spreading. Even if the organization isn’t infected now, it will be if action is not taken quickly.

In the context of this chapter, an event is any observable occurrence within a system or network. This includes any activity on the network, such as users accessing files or data being transmitted over the network. Not all events are incidents. Adverse events are those with a negative result; they include any type of attack on systems or networks.

Multiple types of computer incidents affect organizations, including:

  • Denial of service (DoS) attack—A DoS attack prevents a system from providing a service. A DoS attack comes from a single attacker. A distributed denial of service (DDoS) attack comes from multiple systems.
  • Malicious code—Malicious code is any type of malicious software, or malware, which includes viruses, worms, Trojan horses, and other types of software intended to infect a system. Viruses and other malware that are actively replicating and causing harm to computers are said to be “in the wild.”
  • Unauthorized access—Unauthorized access occurs any time an attacker is able to access data without authorization. Unauthorized access can be gained through different types of social engineering attacks and through technical attacks used to gain access to, or control of, systems. Unauthorized access often results in loss of confidentiality.
  • Inappropriate usage—Inappropriate usage occurs when employees or internal users violate acceptable use policies (AUPs) or other internal policies. It can be as simple as a user going to a malicious website identified as off limits in the AUP, a user copying proprietary data from a secure system to an insecure system, or a user installing peer-to-peer (P2P) software on his or her system when the AUP prohibits it.
  • Multiple component—A multiple component incident includes two or more incidents at the same time. For example, malware could infect a system and then be used to launch a DoS attack on other systems.

A computer incident response team (CIRT) is a group of people who respond to incidents. The CIRT can be designated in advance or formed as needed. For example, a large organization may have a group of security professionals designated as the CIRT. When an incident occurs, the CIRT responds. A smaller organization may not have a formal CIRT. Instead, when an incident occurs, information technology (IT) professionals respond to the incident as an informal CIRT.

The CIRT plan is a formal document that outlines an organization’s response to computer incidents. It formally defines a security incident and may also designate the CIRT team. The following sections outline the purpose and elements of a CIRT plan.
