diff --git a/Documentation/Usage.md b/Documentation/Usage.md index efa7bc0..2d1403d 100644 --- a/Documentation/Usage.md +++ b/Documentation/Usage.md @@ -20,7 +20,7 @@ The taxonomy itself does not have any rule on how it needs to be used and theref Often, the clarification depends on the point of view. Some examples: * C2 server network connection: A network connection between a client computer, infected by a malware, to a Command & Control server: This IoC is both classifiable as "Malicious Code / Infected System" (for the client computer) as well as "Malicious Code / C2 Server" (for the server). -* Phishing page: A hacked website abused as phishing page is both "Information Content Security / Unauthorised modification of information" (for the website) as well as "Fraud / Phishing" (for any user). +* Phishing page: A hacked website abused as phishing page is both "Information Security / Unauthorised modification of information" (for the website) as well as "Fraud / Phishing" (for any user). A tricky issue is statistics: Does a data record, which is then multiply classified, count for all its classifications, or proportionally? This is, again, left to the user to decided. However, it should be clearly stated in the statistics description, how the numbers are composed. diff --git a/Documentation/howtogetstarted.md b/Documentation/howtogetstarted.md index 32180b1..320baac 100644 --- a/Documentation/howtogetstarted.md +++ b/Documentation/howtogetstarted.md 
@@ -9,7 +9,7 @@ Using the Reference Security Incident Taxonomy in your environment doesn't requi ## Multiple values -Security incidents often don't fall into one single classification. For example an incident can involve an attacker conducting multiple login attempts (Intrusion Attempts / Login attempts) with the purpose of gaining -unauthorized- access to information (Information Content Security / Unauthorised access to information). Another example is where an infected system (Malicious Code / Infected System) communicates with an external server to receive commands (Malicious Code / C2 Server). +Security incidents often don't fall into one single classification. For example an incident can involve an attacker conducting multiple login attempts (Intrusion Attempts / Login attempts) with the purpose of gaining -unauthorized- access to information (Information Security / Unauthorised access to information). Another example is where an infected system (Malicious Code / Infected System) communicates with an external server to receive commands (Malicious Code / C2 Server). When multiple values apply, the **primary** classification of an incident is the **intent** of the attacker, whereas the **secondary** classification can then be the means, or the transport mechanism, used to conduct the attack. For the above example, the infected system is the primary classification, where the C2 Server would be the secondary classification. diff --git a/working_copy/humanv1.md b/working_copy/humanv1.md index fc4b2f8..ddf98a2 100644 --- a/working_copy/humanv1.md +++ b/working_copy/humanv1.md 
@@ -37,10 +37,10 @@ Generated from [machine readable version](machinev1). Please **DO NOT** edit thi | Availability | Misconfiguration | Software misconfiguration resulting in service availability issues, e.g., DNS server with outdated DNSSEC Root Zone KSK. | | Availability | Sabotage | Physical sabotage, e.g., cutting wires or malicious arson. | | Availability | Outage | An outage caused, for example, by air conditioning failure or natural disaster. | -| Information Content Security | Unauthorised Access to Information | Unauthorised access to information, e.g., by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents. | -| Information Content Security | Unauthorised Modification of Information | Unauthorised modification of information, e.g., by an attacker abusing stolen login credentials for a system or application, or ransomware encrypting data. Also includes defacements. | -| Information Content Security | Data Loss | Loss of data caused by, for example, hard disk failure or physical theft. | -| Information Content Security | Leak of Confidential Information | Leaked confidential information, e.g., credentials or personal data. | +| Information Security | Unauthorised Access to Information | Unauthorised access to information, e.g., by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents. | +| Information Security | Unauthorised Modification of Information | Unauthorised modification of information, e.g., by an attacker abusing stolen login credentials for a system or application, or ransomware encrypting data. Also includes defacements. | +| Information Security | Data Loss | Loss of data caused by, for example, hard disk failure or physical theft. | +| Information Security | Leak of Confidential Information | Leaked confidential information, e.g., credentials or personal data. 
| | Fraud | Unauthorised Use of Resources | Using resources for unauthorised purposes including profit-making ventures, e.g., the use of email to participate in illegal profit chain letters or pyramid schemes. | | Fraud | Copyright | Offering or installing copies of unlicensed commercial software or other copyright protected materials (also known as Warez). | | Fraud | Masquerade | Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it. | diff --git a/working_copy/machinev1 b/working_copy/machinev1 index 9c72a38..05cb645 100644 --- a/working_copy/machinev1 +++ b/working_copy/machinev1 @@ -284,7 +284,7 @@ }, { "description": "Besides a local abuse of data and systems the information security can be endangered by a successful account or application compromise. Furthermore attacks are possible that intercept and access information during transmission (wiretapping, spoofing or hijacking). Human/configuration/software error can also be the cause.", - "expanded": "Information Content Security", + "expanded": "Information Security", "value": "information-content-security" }, {
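Review bot: Documentation/Usage.md hunk: the category rename on the phishing bullet is consistent with the machinev1 change, and the C2 bullet above it is correctly left alone since it only cites Malicious Code categories. While this region is being touched, the unchanged context line "This is, again, left to the user to decided." has a typo ("decided" should be "decide") that could be fixed in the same commit rather than left for another pass.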
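Review bot: Documentation/howtogetstarted.md hunk: the rewritten sentence mixes spellings within one line, "gaining -unauthorized- access" (US) next to "Information Security / Unauthorised access to information" (UK, matching the taxonomy value). Since the line is already modified, align on "unauthorised" and drop the surrounding hyphens, which render as literal characters in Markdown rather than emphasis. The category rename itself matches the machinev1 change.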
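Review bot: working_copy/humanv1.md hunk: the file's own header in the hunk context says it is generated from the machine-readable version and must not be edited by hand, so these four rows should be the output of regenerating from the updated machinev1, not a manual edit. If they were produced by the generator, the row descriptions should match machinev1 exactly, which the visible hunk does not let me confirm; please state in the commit message that the file was regenerated, so the two copies do not drift.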
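Review bot: working_copy/machinev1 hunk: "expanded" changes to "Information Security" while "value" stays "information-content-security", so the stable identifier and the display label now disagree. Keeping the value is the right call if downstream consumers key on it, since renaming it would silently break existing classifications, but that decision should be recorded in the commit message or a changelog entry so nobody "fixes" the mismatch later; if compatibility is not a concern, rename the value as well and bump the taxonomy version. Either way, this file is the source of truth and humanv1.md should be regenerated from it.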