- Attempts (either failed or successful) to gain unauthorized access to a system or its data/information
- Unwanted disruption or denial of service
- The unauthorized use of a system for the processing or storage of data
- Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction or consent
- Unauthorized access, alteration, disclosure, loss, theft or acquisition of non-electronic confidential information
- Confidential information may be defined by agency policy or by Arizona law
Report any activities that meet these criteria for being an incident. When reporting activity that may be the work of multiple intruders, we request that you report each incident separately.
Description of the Activity:
Reporting incidents to SIPC helps to promote greater security awareness and improve the security of services provided by the Internet. Reporting the incident allows information to be collected about this activity and, where evident, other incidents to be correlated with this intrusion. One of the most important parts of the incident report is a description of the intruder’s activity. Mention any vulnerabilities which may have been exploited, modifications that were made to the system, or software that was installed. You may include references to advisories or other documents which describe the activity in more detail.
Log Extracts Showing the Activity:
Whenever possible, include log entries showing the activity with the report, particularly when the logs provide significant detail. Log entries that are not related to the intruder activity should be removed to help avoid confusion. If the intruder’s activity generated a large number of very similar entries, it is usually sufficient to extract a sample portion of the log; indicate in your message that you have done so. A quick estimate of the number of log entries is useful as well. A description of the log format is helpful, and very important for log entries that do not include descriptive text or are generated by tools that are not widely distributed. When sending log entries, ensure that you do not violate any non-disclosure policies that your agency has in place. If the logs do not show the intruder’s activity (perhaps because they were deleted by the intruder), state this clearly in the report to help minimize requests for this information.
Time Zone and the Accuracy of your Clock:
Clearly identify the time zone for your comments and logs. A time zone relative to GMT (or UTC) is preferred, since less formal time zone designations can be misinterpreted. If the times recorded in the log entries are known to be inaccurate by more than a minute or two, include a statement of this inaccuracy. If the system was synchronized with a national time server, mention this fact as well.
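As an added illustration (not part of the SIPC guidance), the Python helper below prepares a log extract the way the two preceding sections ask: it drops entries unrelated to the indicator, keeps only a sample of runs of very similar entries while recording how many were omitted, and re-stamps every time in UTC with an explicit offset note. The log format, host name, addresses and the UTC-7 offset are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample, not a real incident: syslog-style lines stamped in local
# time (assumed UTC-7; Arizona does not observe DST) with one unrelated cron
# entry mixed in. Addresses are from the TEST-NET-3 documentation range.
SAMPLE_LOG = """\
2024-03-04 02:14:07 host1 sshd[812]: Failed password for root from 203.0.113.9 port 40112
2024-03-04 02:14:09 host1 sshd[812]: Failed password for root from 203.0.113.9 port 40114
2024-03-04 02:14:11 host1 sshd[812]: Failed password for root from 203.0.113.9 port 40118
2024-03-04 02:15:00 host1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-04 02:16:30 host1 sshd[901]: Accepted password for root from 203.0.113.9 port 40201
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")


def to_utc(local_ts: str, offset_hours: int) -> str:
    """Re-stamp a local 'YYYY-MM-DD HH:MM:SS' timestamp as unambiguous UTC."""
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    aware = local.replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return aware.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def prepare_extract(log_text, indicator, offset_hours, max_per_pattern=2):
    """Build the extract a report should carry: only lines tied to the
    indicator, timestamps in UTC, near-duplicates sampled, totals kept."""
    kept, seen, totals = [], Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or indicator not in m.group(2):
            continue  # drop unrelated entries so the extract stays readable
        ts, msg = m.groups()
        # "Very similar" = identical text once numbers (PIDs, ports) are masked.
        pattern = re.sub(r"\d+", "#", msg)
        totals[pattern] += 1
        if seen[pattern] < max_per_pattern:
            seen[pattern] += 1
            kept.append(f"{to_utc(ts, offset_hours)} {msg}")
    omitted = {p: n - seen[p] for p, n in totals.items() if n > seen[p]}
    return {
        "time_zone_note": f"Timestamps converted to UTC from local time (UTC{offset_hours:+d})",
        "total_related": sum(totals.values()),  # the quick count the report asks for
        "lines": kept,
        "omitted_similar": omitted,
    }
```

The `omitted_similar` counts give the reader the "sample portion" statement and the entry estimate in one place, alongside the time zone note.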
Reporting Issues and Alternatives:
Electronic mail also provides an accurate and efficient medium for exchanging information too complex to discuss over the telephone, such as dumps or large log files. E-mail also provides a reliable log of communications that may be referred to when responding to the incident. If you are disconnected from the Internet to recover from a compromise, or if you are unable to send mail due to a denial of service attack, contact SIPC on the telephone hot line. Occasionally, a compromised system’s electronic mail will be monitored by the intruder. If you are unable to obtain Internet mail access from the system, or do not want to alert the intruder by using e-mail on the compromised system, contact SIPC on the telephone. When electronic mail is not available or provides inadequate security, and you have logs or other information that is not easily conveyed on the telephone, send the information via FAX.