In August, the National Institute for Standards and Technology released an update to their Computer Security Incident Handling Guide (SP 800-61).  This third revision of the guide offers guidance on issues that have arisen since the last release in March 2008 with an emphasis on addressing new technologies and attack vectors, changing the prioritization criteria for incident handling, and facilitating information sharing.  In this tip, we examine these major changes and discuss how you might integrate them into your security and compliance programs.

From Categories to Attack Vectors

 One of the major shifts in the newly revised guide is a move away from trying to classify security incidents into black-and-white categories.  Previous editions of the manual set forth five specific categories for incidents: denial of service, malicious code, unauthorized access, inappropriate usage, and the catch-all “multiple component”.  In practice, it was quite difficult to assign real-world incidents to these categories, as almost every incident wound up in the “multiple component” bucket.

Read more: Building a Compliant Incident Handling Program