
Computer Security Statistics: How the U.S. Government and DoD keep score

When U.S. Government and Department of Defense officials talk about probes or intrusion attempts, it’s usually one big number. You’ll hear numbers like 250,000 per hour or 6 million per day. But that’s not how these organizations keep score when it comes to computer security statistics. What you really want these organizations to disclose are the statistics for each category indicated below. While these numbers don’t paint a completely accurate picture (I’ll explain why in a future post), they provide much more information about the state of security than what is currently being presented.


U.S. CERT Incident Categories
Source: http://www.us-cert.gov/federal/reportingRequirements.html

| Category | Name | Description | Reporting Timeframe |
|---|---|---|---|
| CAT 0 | Exercise/Network Defense Testing | This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses. | Not applicable; this category is for each agency's internal use during exercises. |
| CAT 1 | *Unauthorized Access | In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource. | Within one (1) hour of discovery/detection. |
| CAT 2 | *Denial of Service (DoS) | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. | Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity. |
| CAT 3 | *Malicious Code | Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software. | Daily. Note: within one (1) hour of discovery/detection if widespread across the agency. |
| CAT 4 | *Improper Usage | A person violates acceptable computing use policies. | Weekly |
| CAT 5 | Scans/Probes/Attempted Access | This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. | Monthly. Note: if the system is classified, report within one (1) hour of discovery. |
| CAT 6 | Investigation | Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. | Not applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated. |

*Defined by NIST Special Publication 800-61
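As an added example (not from the original post), a small Python scoreboard that tallies constructed incident records per US-CERT category, which is the per-category breakdown the post asks for, and computes each record's reporting deadline from the timeframe column, including the one-hour escalations for widespread CAT 3 and classified CAT 5. "Monthly" has no fixed length in the table and is assumed here to be 30 days.

```python
from collections import Counter
from datetime import datetime, timedelta

# Base reporting windows from the US-CERT table. CAT 0 (exercise) and CAT 6
# (investigation) are internal-only and carry no deadline. The 30-day value
# for "Monthly" is an assumption, not something the table specifies.
BASE_WINDOW = {1: timedelta(hours=1), 2: timedelta(hours=2), 3: timedelta(days=1),
               4: timedelta(weeks=1), 5: timedelta(days=30)}
ONE_HOUR = timedelta(hours=1)


def reporting_deadline(cat, discovered, widespread=False, classified=False):
    """Deadline for reporting one incident to US-CERT, or None if the category
    is not reportable. `discovered` is the discovery/detection timestamp."""
    if cat not in BASE_WINDOW:
        return None
    window = BASE_WINDOW[cat]
    # Table notes: CAT 3 escalates to one hour when widespread across the
    # agency; CAT 5 escalates to one hour when the affected system is classified.
    if (cat == 3 and widespread) or (cat == 5 and classified):
        window = ONE_HOUR
    return discovered + window


def scoreboard(incidents):
    """Count incidents per category instead of publishing one aggregate number."""
    return Counter(inc["cat"] for inc in incidents)


def overdue(incidents, now):
    """Incidents whose reporting deadline has passed and that are not yet reported."""
    late = []
    for inc in incidents:
        deadline = reporting_deadline(inc["cat"], inc["discovered"],
                                      inc.get("widespread", False), inc.get("classified", False))
        if deadline is not None and not inc.get("reported") and now > deadline:
            late.append(inc)
    return late


# Constructed sample records (not real agency data); all discovered at T0.
T0 = datetime(2009, 6, 1, 9, 0)
SAMPLE = [
    {"id": "A", "cat": 5, "discovered": T0},                        # probe, monthly
    {"id": "B", "cat": 5, "discovered": T0, "classified": True},    # probe on classified system
    {"id": "C", "cat": 1, "discovered": T0, "reported": True},      # already reported
    {"id": "D", "cat": 3, "discovered": T0, "widespread": True},    # widespread malware
    {"id": "E", "cat": 6, "discovered": T0},                        # still under investigation
]
```

Three hours after discovery, `overdue(SAMPLE, T0 + 3 * ONE_HOUR)` returns records B and D: the classified probe and the widespread malware both fell under the one-hour note, while the ordinary probe still has weeks to go.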


Department of Defense Incident Categories
Source: http://www.doncio.navy.mil/Download.aspx?AttachID=492

| Category | Name | Type | Description |
|---|---|---|---|
| CAT 1 | Root Level Intrusion | Incident | Unauthorized privileged access (administrative or root access) to a DOD system. |
| CAT 2 | User Level Intrusion | Incident | Unauthorized non-privileged access (user-level permissions) to a DOD system. Automated tools, targeted exploits, or self-propagating malicious logic may also attain these privileges. |
| CAT 3 | Unsuccessful Activity Attempted | Event | Attempt to gain unauthorized access to the system, which is defeated by normal defensive mechanisms. The attempt fails to gain access to the system (i.e., the attacker attempts valid or potentially valid username and password combinations) and the activity cannot be characterized as exploratory scanning. Can include reporting of quarantined malicious code. |
| CAT 4 | Denial of Service (DOS) | Incident | Activity that impairs, impedes, or halts normal functionality of a system or network. |
| CAT 5 | Non-Compliance Activity | Event | This category is used for activity that, due to DOD actions (either configuration or usage), makes DOD systems potentially vulnerable (e.g., missing security patches, connections across security domains, installation of vulnerable applications, etc.). In all cases, this category is not used if an actual compromise has occurred. Information that fits this category is the result of non-compliant or improper configuration changes or handling by authorized users. |
| CAT 6 | Reconnaissance | Event | An activity (scan/probe) that seeks to identify a computer, an open port, an open service, or any combination for later exploit. This activity does not directly result in a compromise. |
| CAT 7 | Malicious Logic | Incident | Installation of malicious software (e.g., Trojan, backdoor, virus, or worm). |
| CAT 8 | Investigating | Event | Events that are potentially malicious or anomalous activity deemed suspicious and that warrant, or are undergoing, further review. No event will be closed out as a Category 8. Category 8 will be re-categorized to the appropriate Category 1-7 or 9 prior to closure. |
| CAT 9 | Explained Anomaly | Event | Events that are initially suspected as being malicious but after investigation are determined not to fit the criteria for any of the other categories (e.g., system malfunction or false positive). |

