Computer Security Statistics: How the U.S. Government and DoD keep score
When U.S. Government and Department of Defense officials talk about probes or intrusion attempts, it’s usually one big number. You’ll hear numbers like 250,000 per hour or 6 million per day. But that’s not how these organizations keep score when it comes to computer security statistics. What you really want these organizations to disclose are the statistics for each category indicated below. While these numbers don’t paint a completely accurate picture (I’ll explain why in a future post), they provide much more information about the state of security than what is currently being presented.
U.S. CERT Incident Categories
| Category | Name | Description | Reporting Timeframe |
|---|---|---|---|
| CAT 0 | Exercise/Network Defense Testing | This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses. | Not Applicable; this category is for each agency's internal use during exercises. |
| CAT 1 | Unauthorized Access* | In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource. | Within one (1) hour of discovery/detection. |
| CAT 2 | Denial of Service (DoS)* | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. | Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity. |
| CAT 3 | Malicious Code* | Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software. | Daily. Note: Within one (1) hour of discovery/detection if widespread across agency. |
| CAT 4 | Improper Usage* | A person violates acceptable computing use policies. | Weekly |
| CAT 5 | Scans/Probes/Attempted Access | This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. | Monthly. Note: If system is classified, report within one (1) hour of discovery. |
| CAT 6 | Investigation | Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. | Not Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated. |

*Defined by NIST Special Publication 800-61
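To show what per-category scorekeeping looks like in practice, here is an added example (not from the original post or from US-CERT) that tallies a constructed set of incident records against the US-CERT categories above and flags reports that missed the table's timeframes. The periodic "Daily/Weekly/Monthly" entries are approximated as 1, 7 and 30 days after discovery, which is an assumption made for the example; the CAT 3 "widespread" and CAT 5 "classified" escalations to one hour come straight from the table's notes.

```python
from collections import Counter
from datetime import datetime, timedelta

# US-CERT categories and reporting timeframes, keyed by category number.
# Periodic deadlines are approximated as a fixed interval after discovery
# (assumption for this example); None means "Not Applicable".
CERT_CATEGORIES = {
    0: ("Exercise/Network Defense Testing", None),
    1: ("Unauthorized Access", timedelta(hours=1)),
    2: ("Denial of Service", timedelta(hours=2)),
    3: ("Malicious Code", timedelta(days=1)),
    4: ("Improper Usage", timedelta(weeks=1)),
    5: ("Scans/Probes/Attempted Access", timedelta(days=30)),
    6: ("Investigation", None),
}

def deadline_for(cat, widespread=False, classified=False):
    """Return the reporting deadline for a category, applying the two
    escalation notes from the table: CAT 3 widespread across the agency
    and CAT 5 on a classified system both drop to one hour."""
    _name, base = CERT_CATEGORIES[cat]
    if (cat == 3 and widespread) or (cat == 5 and classified):
        return timedelta(hours=1)
    return base

def tally(incidents):
    """Count incidents per category and list the ids reported late.
    The per-category counts are the statistic the post argues should be
    disclosed instead of one aggregate number."""
    counts, late = Counter(), []
    for inc in incidents:
        counts[inc["cat"]] += 1
        dl = deadline_for(inc["cat"], inc.get("widespread", False),
                          inc.get("classified", False))
        if dl is not None and inc["reported"] - inc["discovered"] > dl:
            late.append(inc["id"])
    return counts, late

# Constructed sample records (not real incident data); T0 is a made-up
# reference time so the deadline arithmetic is easy to follow.
T0 = datetime(2010, 1, 1, 9, 0)
SAMPLE = [
    {"id": "A", "cat": 5, "discovered": T0, "reported": T0 + timedelta(days=3)},
    {"id": "B", "cat": 5, "discovered": T0, "reported": T0 + timedelta(hours=6), "classified": True},
    {"id": "C", "cat": 1, "discovered": T0, "reported": T0 + timedelta(minutes=45)},
    {"id": "D", "cat": 1, "discovered": T0, "reported": T0 + timedelta(hours=3)},
    {"id": "E", "cat": 3, "discovered": T0, "reported": T0 + timedelta(hours=5), "widespread": True},
    {"id": "F", "cat": 6, "discovered": T0, "reported": T0 + timedelta(days=10)},
]

if __name__ == "__main__":
    counts, late = tally(SAMPLE)
    for cat, n in sorted(counts.items()):
        print(f"CAT {cat} {CERT_CATEGORIES[cat][0]}: {n}")
    print("late reports:", late)  # ['B', 'D', 'E']
```

Six records produce a headline count of six, but the per-category breakdown shows that two are mere scans (CAT 5) while two are actual unauthorized access (CAT 1), and that three of the six missed their reporting window.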
Department of Defense Incident Categories
| Category | Name (Type) | Description |
|---|---|---|
| CAT 1 | Root Level Intrusion (Incident) | Unauthorized privileged access (administrative or root access) to a DOD system. |
| CAT 2 | User Level Intrusion (Incident) | Unauthorized non-privileged access (user-level permissions) to a DOD system. Automated tools, targeted exploits, or self-propagating malicious logic may also attain these privileges. |
| CAT 3 | Unsuccessful Activity Attempted (Event) | Attempt to gain unauthorized access to the system, which is defeated by normal defensive mechanisms. The attempt fails to gain access to the system (i.e., the attacker attempts valid or potentially valid username and password combinations) and the activity cannot be characterized as exploratory scanning. Can include reporting of quarantined malicious code. |
| CAT 4 | Denial of Service (DOS) (Incident) | Activity that impairs, impedes, or halts normal functionality of a system or network. |
| CAT 5 | Non-Compliance Activity (Event) | This category is used for activity that, due to DOD actions (either configuration or usage), makes DOD systems potentially vulnerable (e.g., missing security patches, connections across security domains, installation of vulnerable applications, etc.). In all cases, this category is not used if an actual compromise has occurred. Information that fits this category is the result of non-compliant or improper configuration changes or handling by authorized users. |
| CAT 6 | Reconnaissance (Event) | An activity (scan/probe) that seeks to identify a computer, an open port, an open service, or any combination for later exploit. This activity does not directly result in a compromise. |
| CAT 7 | Malicious Logic (Incident) | Installation of malicious software (e.g., Trojan, backdoor, virus, or worm). |
| CAT 8 | Investigating (Event) | Events that are potentially malicious or anomalous activity deemed suspicious that warrants, or is undergoing, further review. No event will be closed out as a Category 8. Category 8 will be re-categorized to the appropriate Category 1-7 or 9 prior to closure. |
| CAT 9 | Explained Anomaly (Event) | Events that are initially suspected as being malicious but after investigation are determined not to fit the criteria for any of the other categories (e.g., system malfunction or false positive). |