All right, we're going to be jumping right into some definitions and severity criteria, because this will actually set the framework for some of the other, more basic things that we'll be diving into. So we just want to make sure you have this foundational understanding of what we mean when we throw some of these terms out there. Starting off, some common terms that you're definitely going to need to know. You're going to need to know what an event is, and it's simply any observable occurrence in a system, network, or organization. Now, an event may or may not lead to or be an incident; that has yet to be determined. It could be a system crashing, it could be entries in event logs, a high number of irregularities from users, like users logging in to stuff that they normally don't, that type of thing, ransomware messages on systems. These are all things that could be events, but they may not turn into an incident, because a ransomware message could be a false positive or could be a lot of different things. That doesn't necessarily mean it turns into a full-on incident. Now, an incident is an adverse event that causes something to happen on the network or in the systems, or a threat that one will happen. An incident implies harm or an attempt to harm, but it may not necessarily be an actual harmful thing. It could just be malicious code. It can be probes, it could be network scans or scans of your web service from the outside, which may not necessarily be full-out disruptive or destructive, but it does cause some type of response there. Now, some common core terms that you need to memorize include confidentiality, which is basically the property that information is not disclosed to entities, people, processes, systems, or organizations that have not been authorized to see or access that information. Availability, which is the property of being able to access that information on demand. In other words, it's pretty much the counter to denial of service.
The data, the information, the systems and processes are always available. Then the third pillar here is integrity, and this is really trying to ensure that there's no unauthorized modification of any data, system, process, or organizational status without proper authorization. Everything that we talk about in information security really hinges on one of, or a combination of, these pillars. Now, some other terms you need to remember are chain of custody. This is the process that basically shows current and all past retention of a piece of evidence. Once we collect a piece of evidence, we maintain a chain of custody so that if, for example, it turns into some type of legal case where law enforcement has to get involved, we haven't already destroyed the case by not maintaining a proper chain of custody. There's also chain of evidence, which is a process that shows who obtained the evidence, where and when the evidence was obtained, who secured it, and who had control or possession of it. Now, there's also responder. This is the person that responds initially, the first on the scene, and conducts the initial response. You will also see this listed as first responder as well. Some other terms include malware. This is malicious software that's designed to damage, disable, or steal information, or take control of a device, system, or the network. Pretty much any software that is put there with malicious intent to do malicious things is considered to be malware. Again, malicious may be defined differently from organization to organization. There's also a rootkit. We're going to look at a rootkit in some of the demonstrations later in this skills path. Really, a rootkit is a set of tools that an attacker uses to gain root-level access to a host, and it really is there to conceal the attacker's activities. You really shouldn't be worried as much about what a rootkit is doing to you as you should be worried about what it's hiding from you, because that's primarily what they're used for.
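Here is what the chain of custody and chain of evidence questions above (who obtained it, where and when, who had control, and whether it is still the same item) look like when written down as a record. This is an added example for this session, not code from the course or from InfoSec Institute; the evidence bytes, people, and locations are constructed, and the ledger design (SHA-256 fingerprint taken at collection, re-hashed on every handover, mismatches recorded rather than hidden) is one reasonable way to do it, not a standard.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Fingerprint the evidence so later holders can prove it was not altered."""
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only custody record for one piece of evidence.

    Each entry answers the chain-of-evidence questions: who obtained or
    received the item, where and when, and whether it still matches the
    fingerprint taken at collection.
    """

    def __init__(self, evidence_id: str, data: bytes, collected_by: str, location: str):
        self.evidence_id = evidence_id
        self.original_hash = sha256_hex(data)
        self.entries = []
        self._append("collected", collected_by, location, self.original_hash)

    def _append(self, action: str, person: str, location: str, observed_hash: str) -> None:
        self.entries.append({
            "action": action,
            "person": person,
            "location": location,
            "time": datetime.now(timezone.utc).isoformat(),  # UTC, taken at runtime
            "sha256": observed_hash,
            "intact": observed_hash == self.original_hash,
        })

    def transfer(self, from_person: str, to_person: str, location: str, data: bytes) -> bool:
        """Record a handover. The receiver re-hashes the item; a mismatch is
        written into the ledger (never silently dropped) so a break in custody
        is visible to anyone reviewing the record later."""
        observed = sha256_hex(data)
        self._append(f"transfer {from_person} -> {to_person}", to_person, location, observed)
        return observed == self.original_hash

    def is_unbroken(self) -> bool:
        """True only if every holder saw exactly the bytes that were collected."""
        return all(entry["intact"] for entry in self.entries)

    def custodians(self) -> list:
        """Everyone who has had control of the item, in order."""
        return [entry["person"] for entry in self.entries]


def demo():
    # Constructed sample evidence: one line of an auth log from a suspect host.
    evidence = b"2024-01-01T10:00:00Z sshd[1]: Accepted password for root from 203.0.113.5\n"
    ledger = CustodyLedger("EV-001", evidence, "first responder", "server room")

    # Clean handover: the analyst receives byte-identical data.
    ledger.transfer("first responder", "forensic analyst", "lab", evidence)

    # Constructed tampered copy: the record now shows the chain is broken.
    altered = evidence.replace(b"root", b"admin")
    still_intact = ledger.transfer("forensic analyst", "legal", "evidence locker", altered)
    return ledger, still_intact


if __name__ == "__main__":
    ledger, ok = demo()
    for entry in ledger.entries:
        print(entry["action"], entry["person"], entry["location"], "intact" if entry["intact"] else "MISMATCH")
    print("chain unbroken:", ledger.is_unbroken())
```

The point of re-hashing at every transfer is that the ledger itself shows where the chain broke: the first two entries are intact and the third is not, which is the record you would need if the matter went to law enforcement.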
There's also threat actor, a malicious operator that performs attacks against an organization to make threats turn into actual incidents. That's what a threat actor is. Now, we do want to, at the end here, talk about severity ratings and criteria, and I want to be clear on this. We're giving you a candidate baseline framework to work from here. You can take this and really craft it into your own severity ratings and criteria that suit your organization and how you organize, segregate, and secure your data. So you don't have to use this model exactly. It is a baseline, foundational example that you can use to build your own severity ratings and criteria model from. But what we discuss here as Level 1, which is unauthorized access, is considered to be the most serious type and the most serious severity rating, because it means that a threat actor or a malicious source has gained unauthorized access to your network, your systems, or your data. Level 2 is denial of service. It's generally considered to be the second most devastating. We'll talk about the specifics as we go through, but I want to point out that these numbers, as far as 1, 2, could vary depending on the type of organization, what types of data they're trying to protect, and how they try to protect it. There's also level 3, malicious code; level 4, improper usage; level 5, scans, probes, and attempted access; and then level 6, which is the least impactful, usually would just be an investigation incident, like a system crashing or something like that. Level 6 incidents may not even be incidents; they straddle the fence between incident and event. It could be an event that's just barely over the fence into being an incident. That's how you look at a level 6. Let's talk specifically about level 1. It's the most serious level.
A threat actor has successfully penetrated the environment or gotten to some data or something like that. It usually warrants the most response, and it has the potential to be the most damaging to the organization. The keyword there is that it has the potential. Level 2 is denial of service. It is a very serious level: threat actors have successfully interrupted availability. Remember, we talked about the CIA Triad, and denial of service is really affecting, or trying to take out, the A on the CIA Triad. This could be as serious and as impactful as level 1 depending on the organization type. Again, if you're an organization that primarily provides data, or you provide, let's say, trading information, and that information is not available, that might be just as impactful or more impactful than an actual full unauthorized access. Again, take these as a general standard or a general reference, and know that you will change it per organization based on what you consider to be the most severe in your organization. Level 3, malicious code or malware, is probably the most common. It's commonly the payload of a phishing attack. A lot of times we've seen with phishing attacks that the payload is some piece of JavaScript, something that will try and steal credentials. Or it could be a full-up piece of code that actually jumps into memory on the machine of the person that clicked on that phishing e-mail, actually runs, and gives the threat actor control of that machine. This is what a Level 3 might look like. Level 4, improper usage. Now, this is common and generally low impact. It's usually an incident that involves mostly internal staff and administration, and what we mean by that is it's usually a case of someone internally using a resource or an asset in a way that it shouldn't be used.
Now, this could still be significant if the improper usage turns out to be, for example, breaking the law, gambling, human exploitation, that type of thing. That can turn into a level 1 quite easily. Now, level 5: these are extremely common. You really can't do anything to stop these. For example, if you're an organization of any size, your outside-facing website is probably getting scanned like a million times a minute. Just by the very nature of being connected to and facing the Internet, you're getting scanned. This is just me doing a little scan against the InfoSecInstitute.com site to show you just how common that is and what it actually looks like. This could be a leading indicator of a more serious level of incident; in other words, if you see a lot of port scans coming from a single source, it could be a leading indicator that something more serious is getting ready to happen. Then the last one, level 6, is the least serious. It may not go any further than an initial investigation. An example might be an employee reporting weird behavior that turns out to be, for example, hardware failure or something like that. "Hey, my mouse is jumping all over the screen as if someone else is controlling it." Then you go and investigate and you find out that it's because the little infrared thing on the bottom of the mouse is dirty, or the touchpad is extremely filthy and needs to be cleaned. It's an example of where you thought it was an incident, you went to investigate, it goes no further, and then you mark it off as not being serious. Hopefully that little definitions and severity criteria breakdown was helpful to you, and I hope to see you again in another skill session. As always, feel free to shoot an e-mail with questions to us and we will respond to you right away. Thank you very much.
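The two ideas in this part of the session, that level 5 scans from a single source are worth watching as a leading indicator and that the baseline level numbers are yours to re-rank per organization, can be shown together in a small classifier. This is an added example, not code from the course or from InfoSec Institute: the firewall log format, the sample lines, and the "ten distinct destination ports from one source" threshold are all constructed assumptions; the severity table is the session's baseline, with the override showing how a trading-style organization might move denial of service up to level 1.

```python
import re
from collections import defaultdict

# Baseline severity model as given in the session. Organizations re-rank it.
BASELINE_SEVERITY = {
    "unauthorized access": 1,
    "denial of service": 2,
    "malicious code": 3,
    "improper usage": 4,
    "scans, probes, attempted access": 5,
    "investigation": 6,
}

# Constructed log format (not any real firewall's): timestamp, verdict,
# source, destination, destination port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)

# Constructed sample log: one source walks ports 20-34 of the web host,
# another source simply retries port 443 three times.
SAMPLE_LOG = [
    f"2024-01-01T10:00:{i:02d}Z DROP src=198.51.100.7 dst=203.0.113.10 dpt={20 + i}"
    for i in range(15)
] + [
    f"2024-01-01T10:01:{i:02d}Z DROP src=192.0.2.9 dst=203.0.113.10 dpt=443"
    for i in range(3)
]


def parse(lines):
    """Yield (source, destination port) for every line that matches the format;
    lines in any other shape are skipped rather than guessed at."""
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            yield match.group("src"), int(match.group("dpt"))


def find_scanners(lines, threshold=10):
    """Sources that touched at least `threshold` distinct destination ports.
    Counting distinct ports (not raw hits) separates a port walk from a
    client that keeps retrying one service."""
    ports_by_src = defaultdict(set)
    for src, dpt in parse(lines):
        ports_by_src[src].add(dpt)
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= threshold}


def classify(lines, threshold=10, severity=None):
    """Tag each scanning source with the baseline category and whatever level
    the organization's severity table assigns to it."""
    severity = severity or BASELINE_SEVERITY
    category = "scans, probes, attempted access"
    return [
        {"source": src, "distinct_ports": n, "category": category, "level": severity[category]}
        for src, n in sorted(find_scanners(lines, threshold).items())
    ]


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
    # An organization whose business is serving data may rank availability
    # loss above everything else; the same classifier then reports its levels.
    trading_org = {**BASELINE_SEVERITY, "denial of service": 1, "unauthorized access": 2}
    print(trading_org["denial of service"], classify(SAMPLE_LOG, severity=trading_org))
```

Nothing here blocks anything; it only surfaces the single-source port walk the session describes so an analyst can decide whether it is the routine background noise of being on the Internet or the lead-up to something more serious.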