- What is a security
of incidents defined by Cert.org
- What we need to know
- What to report
- What is the procedure
of information policy
What is a security incident
- Loss of confidentiality of information
- Compromise of integrity of information
- Denial of service
- Misuse of service, systems or information
- Damage to systems
of Incidents defined by Cert.org
There are various types of incidents that according
to CERT.org, are classified the following way:
A probe is characterized by unusual attempts to gain access
to a system or to discover information about the system. One
example is an attempt to log in to an unused account. Probing
is the electronic equivalent of testing doorknobs to find
an unlocked door for easy entry. Probes are sometimes followed
by a more serious security event, but they are often the result
of curiosity or confusion.
A scan is simply a large number of probes done using an
automated tool. Scans can sometimes be the result of a misconfiguration
or other error, but they are often a prelude to a more directed
attack on systems that the intruder has found to be vulnerable.
An account compromise is the unauthorized use of a computer
account by someone other than the account owner, without involving
system-level or root-level privileges
(privileges a system administrator or network manager
has). An account compromise might expose the victim to serious
data loss, data theft, or theft of services.
The lack of root-level access means that the damage can usually
but a user-level account is often an entry point for greater
access to the system.
A root compromise is similar to an account compromise,
except that the account
that has been compromised has special privileges on the system.
The term root is derived from an account on UNIX systems that
typically has unlimited, or "superuser", privileges.
Intruders who succeed in a root compromise can do just about
anything on the victim's system, including run their own programs,
change how the system works, and hide traces of their intrusion.
A packet sniffer is
a program that captures data from information packets as they
travel over the network. That data may include user names,
passwords, and proprietary information that travels over the
network in clear text. With perhaps hundreds
or thousands of passwords captured by the sniffer, intruders
can launch widespread attacks on systems. Installing a packet
sniffer does not necessarily require privileged access. For
most multi-user systems, however, the presence of a packet
sniffer implies there has been a root compromise.
Denial of Service
The goal of denial-of-service attacks is not to gain unauthorized
access to machines
or data, but to prevent legitimate users of a service from
using it. A denial-of-service attack can come in many forms.
Attackers may "flood" a network with large volumes
of data or deliberately consume a scarce or limited resource,
such as process control blocks or pending network connections.
They may also disrupt physical components
of the network or manipulate data in transit, including encrypted
Exploitation of Trust
Computers on networks often have trust relationships with
one another. For example, before executing some commands,
the computer checks a set of files that specify which other
computers on the network are permitted to use those commands.
If attackers can forge their identity, appearing to be using
the trusted computer, they may be able to gain unauthorized
access to other computers.
Malicious code is a general term for programs that, when
executed, would cause undesired results on a system. Users
of the system usually are not aware of the program until they
discover the damage. Malicious code includes Trojan
and worms. Trojan horses
and viruses are usually hidden in legitimate programs or files
that attackers have altered to do more than what is expected.
Worms are self-replicating programs that spread with no human
intervention after they are started. Viruses are also self-replicating
programs, but usually require some action on the part of the
to spread inadvertently to other programs or systems. These
sorts of programs can lead to serious data loss, downtime,
denial of service, and other types of security incidents.
Internet Infrastructure Attacks
These rare but serious attacks involve key components
of the Internet infrastructure rather than specific systems
on the Internet. Examples are network name servers, network
access providers, and large archive sites on which many users
depend. Widespread automated attacks can also threaten the
infrastructure. Infrastructure attacks affect a large portion
of the Internet and can seriously hinder the day-to-day operation
of many sites.
What we need to know
When you fill out the Incident Report Form, it is important
that you make sure you include all the information you have
available for us to understand and respond to it properly.
The form will help you find the answers to all the questions
that will enable us to provide you with the best assistance.
What to report
FORTH Cert is at your service in information
security matters. We are interested in reports on deliberate
illegal acts to harm computer systems and networks.
We encourage you to report any activities that you feel meet
the following criteria for being an incident.
1. attempts (either failed or successful) to gain unauthorised
access to a system
2. unwanted disruption or denial of service
3. the unauthorised use of a system for the processing or
storage of data
4. changes to system hardware, firmware, or software characteristics
without the owner's knowledge, instruction, or consent
5. loss, theft, missing
6. website defacement
7. attacks or attempts of attack against the Internet infrastructure,
such as name services and the backbone.
What is the procedure
When you have something to report, you fill out the Incident
Report Form with as much information as you can. If the incident
is of high importance and critical infrastructures
are at stake, you can always contact us either by phone, fax,
or email which you can find here
When we receive the report, you will be sent an automated
your message has been sent to our team together with a ticketing
number for any further correspondence.
We then delegate to the expert that deals with specific incidents
and we send you another email giving you his/her contact details.
After that, he/she will contact you to take matters forward
and assist you with your case.
Once a case is resolved it will be put into our cases archive.
of information policy
FORTH Cert will not release any information
about the site's involvement in an incident, without the site's
explicit permission to do so. While this policy ensures that
can report your incident in privacy, it also means that we
cannot put you in contact with other sites involved in the