“Why Wasn’t I Notified?”: Information Security Incident Reporting Demystified

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 7127)

Abstract

An information security incident, if successfully discovered and reported, initiates a distributed response process that activates a diverse collection of independent actors. Public officials, network service providers, information security companies, research organisations, and volunteers from all over the world can be involved, often without the participants realising whom they are working with. The cooperation is based on mostly informal bilateral arrangements and is aided by mutual trust accumulated over the course of time. Each participant wants to limit their involvement and typically only assumes responsibility for their own actions. Information suggesting that third parties would be affected may or may not be followed up. The result is an unplanned mesh of bilateral information sharing and the formation of an ad-hoc network of partial stakeholders. No single entity exercises total control over the process, which makes it inherently uncontrollable and its results difficult to anticipate. This contrasts with the information security standards, where the process is expected to be well defined and under the control of a clearly stated leadership. The study suggests that internet-connected organisations should adopt a rather agnostic approach to information security incident reporting.

Keywords

  • Information security
  • network security
  • CSIRT
  • CERT
  • incident reporting
  • IODEF
  • security breach
  • network attack
  • abuse
  • computer break-in
  • event monitoring
  • intrusion detection
  • IDS
  • takedown notice
  • RFC
  • ISO/IEC

  • DOI: 10.1007/978-3-642-27937-9_5
  • Chapter length: 16 pages



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Koivunen, E. (2012). “Why Wasn’t I Notified?”: Information Security Incident Reporting Demystified. In: Aura, T., Järvinen, K., Nyberg, K. (eds) Information Security Technology for Applications. NordSec 2010. Lecture Notes in Computer Science, vol 7127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27937-9_5

  • DOI: https://doi.org/10.1007/978-3-642-27937-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27936-2

  • Online ISBN: 978-3-642-27937-9

  • eBook Packages: Computer Science (R0)