Classification Example: Lost device
One of the most common incidents reported by organizations of all types and sizes is the loss of mobile devices, such as laptops or mobile phones. This can be due either to employee error or to theft of the asset by an external party. In many cases it will be difficult to know whether a device was lost or stolen, but we suggest classifying it as a loss (internal.error) rather than theft (external.physical) unless there is good reason to suspect the latter. This is not a blind or unwarranted assumption: if one is unsure what happened to the device, the "loss or misplacement" variety is appropriate, and historical data shows devices are lost far more often than stolen.
We will focus this example on a lost device scenario, specifically a lost laptop. This incident is one of the least complex to VERISize because there will (typically) be only one actor, one action, and one asset. We assume here that the device is password-protected and has full disk encryption.
It is a very common error to see lost laptops modeled as a confidentiality loss, but not a corresponding availability loss. Remember, the organization has lost the use of an asset. Availability should be listed in the affected attributes.
# Incident description
- Actor
  - Internal
    - Motive: NA
    - Variety: End-user
- Action
  - Error
    - Variety: Loss
    - Vector: Carelessness
- Asset
  - Variety: Laptop
  - Ownership: Victim
- Attribute
  - Confidentiality
    - Data disclosure: No
    - Notes: Laptop was password protected and encrypted
  - Availability
    - Variety: Loss
The classification of this everyday incident is pretty straightforward. The actor in this example is assumed to be a typical *End-user*, but could be any other variety of insider or partner as well. The action is simply *Loss* under the Error category, and the asset variety is *Laptop*, which could easily be modified to record lost phones, documents, etc. Since the VERIS Confidentiality/Possession attribute also encompasses loss of possession or control, it is included for all lost assets. The more obvious Availability/Utility attribute is also recorded unless the device and all data since the last backup can be fully recovered.
In this case, the device is password protected and encrypted, so unless there is positive evidence of data disclosure we can record 'No' for data_disclosure under Confidentiality. If it were not password protected and/or encrypted, that value would change to 'Potentially' to reflect that the data is now at risk of disclosure, and the variety and amount of the data involved would also need to be recorded. If we received evidence that data was disclosed to unauthorized parties (e.g., it is posted on the web or used for fraud), we would record 'Yes' for data_disclosure. Note that the sample JSON record below encodes that second, unencrypted variant (state 'Stored unencrypted', data_disclosure 'Potentially', 16 personal records), which is why its Confidentiality section differs from the encrypted case in the list above.
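The rules above (always record both Confidentiality and Availability for a lost asset; 'No', 'Potentially' or 'Yes' for data_disclosure depending on encryption and evidence; list data variety and amount whenever disclosure is possible) are easy to get wrong when records are built by hand. The following is an added example written for this page, not VERIS project tooling: it builds a VERIS 1.2-style record for a lost device from those rules and lints a record for the mistakes the text calls out. The function names and lint messages are this example's own; the "Stored encrypted" state value is assumed to be the encrypted counterpart of the "Stored unencrypted" value used in the page's record.

```python
"""Added example for this page (not VERIS project code): build a VERIS 1.2-style
record for a lost device and check it for the classification mistakes the text
describes. Function names and lint rules are this example's own."""
import json


def lost_device_record(encrypted, disclosed=False, data=None,
                       asset="U - Laptop", actor_variety="End-user"):
    """Return a minimal VERIS-shaped dict for a lost (not stolen) device.

    Rules taken from the page:
      - the action is Error/Loss via Carelessness by an internal actor;
      - both Confidentiality (loss of possession) and Availability/Loss are
        always recorded for a lost asset;
      - data_disclosure is 'No' for an encrypted device with no evidence of
        disclosure, 'Potentially' for an unencrypted one, and 'Yes' once
        disclosure is evidenced; in the latter two cases the variety and
        amount of data at risk must be listed.
    `data` is a list of (variety, amount) pairs, e.g. [("Personal", 16)].
    """
    if disclosed:
        disclosure = "Yes"
    elif encrypted:
        disclosure = "No"
    else:
        disclosure = "Potentially"
    # "Stored unencrypted" is the state value used in the page's record;
    # "Stored encrypted" is assumed here to be its VERIS counterpart.
    confidentiality = {
        "data_disclosure": disclosure,
        "state": ["Stored encrypted" if encrypted else "Stored unencrypted"],
    }
    if disclosure != "No":
        if not data:
            raise ValueError("record the variety and amount of data at risk")
        confidentiality["data"] = [{"variety": v, "amount": a} for v, a in data]
        confidentiality["data_total"] = sum(a for _, a in data)
    return {
        "action": {"error": {"variety": ["Loss"], "vector": ["Carelessness"]}},
        "actor": {"internal": {"motive": ["NA"], "variety": [actor_variety]}},
        "asset": {"assets": [{"variety": asset}]},
        "attribute": {
            "availability": {"variety": ["Loss"]},
            "confidentiality": confidentiality,
        },
    }


def lint_lost_device(record):
    """Return a list of findings for the errors the page warns about."""
    findings = []
    action = record.get("action", {})
    attribute = record.get("attribute", {})
    is_loss = "Loss" in action.get("error", {}).get("variety", [])
    if is_loss and "availability" not in attribute:
        findings.append("lost asset recorded without Availability/Loss")
    if is_loss and "confidentiality" not in attribute:
        findings.append("lost asset recorded without Confidentiality (possession)")
    conf = attribute.get("confidentiality", {})
    disclosure = conf.get("data_disclosure")
    if disclosure == "No" and "Stored unencrypted" in conf.get("state", []):
        findings.append("data_disclosure 'No' on an unencrypted device; use 'Potentially'")
    if disclosure in ("Potentially", "Yes") and not conf.get("data"):
        findings.append("data at risk must list variety and amount")
    return findings


if __name__ == "__main__":
    # Constructed input matching the unencrypted variant in the page's JSON.
    rec = lost_device_record(encrypted=False, data=[("Personal", 16)])
    print(json.dumps(rec, indent=2, sort_keys=True))
    print(lint_lost_device(rec))
```

Running the module prints the unencrypted variant as JSON (action, actor, asset and attribute sections matching the page's record) followed by an empty findings list; dropping the availability attribute from a record, or recording 'No' against a 'Stored unencrypted' state, produces a finding.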
```json
{
  "action": {
    "error": {
      "variety": [
        "Loss"
      ],
      "vector": [
        "Carelessness"
      ]
    }
  },
  "actor": {
    "internal": {
      "motive": [
        "NA"
      ],
      "variety": [
        "End-user"
      ]
    }
  },
  "asset": {
    "assets": [
      {
        "variety": "U - Laptop"
      }
    ]
  },
  "attribute": {
    "availability": {
      "variety": [
        "Loss"
      ]
    },
    "confidentiality": {
      "data": [
        {
          "amount": 16,
          "variety": "Personal"
        }
      ],
      "data_disclosure": "Potentially",
      "data_total": 16,
      "notes": "",
      "state": [
        "Stored unencrypted"
      ]
    }
  },
  "discovery_method": "Other",
  "impact": {
    "overall_rating": "Unknown"
  },
  "incident_id": "demo001",
  "reference": "http://www.youtube.com/watch?v=_T35QhLx_KI",
  "schema_version": "1.2",
  "security_incident": "Confirmed",
  "summary": "Unencrypted laptop lost or misplaced by a hapless employee.",
  "timeline": {
    "incident": {
      "year": 2013
    }
  },
  "victim": [
    {
      "country": "US",
      "employee_count": "1 to 10",
      "industry": 621111,
      "notes": "",
      "state": "NY",
      "victim_id": "Vandelay Industries"
    }
  ]
}
```