- November 23, 2020: Added references for DNS incidents.
- August 10, 2020: Updated the description of DNS Incidents (General Security Incident type) and added examples.
The Security Incidents risk vector involves a broad range of events related to the undesirable access of a company’s data or resources, including personal health information, personally identifiable information, trade secrets, and intellectual property. They’re grouped into the Breach Security Incidents and General Security Incidents categories.
Multiparty incidents, which are individual Security Incidents that impact multiple companies, can impact a company either directly as the original target or indirectly as a third party of the primarily targeted company.
We also track a range of security events that contribute to any loss of information. These are assessed against three properties known collectively as the “CIA Triad”:
- Confidentiality: Indicates if access to sensitive data is restricted to the appropriate parties. Any unauthorized access due to a malicious attack or an internal error is considered a breach.
- Integrity: Indicates if data remains in its original form and is unaltered over its life cycle.
- Availability: Indicates if data is reliably accessible at all times.
Breach Security Incidents
Breach Security Incidents involve serious events that usually result in a successful cyberattack and/or data compromise by unauthorized individuals. Breach Security Incidents are ratings-impacting.

| Incident Type | Description |
|---|---|
| Crimeware | An instance of malware installed for the purpose of acquiring unauthorized data or assets. |
| Espionage | An incident of unauthorized network or system access exhibiting the motive of state-sponsored or industrial espionage, where trade secrets or IP are frequently targeted. |
| Intrusion | Unauthorized access which does not involve exfiltration of records or other resources. |
| Phishing | An attack in which fraudulent email is used to mimic the access of an authorized employee or legitimate contact. |
| Ransomware | An attack designed to block access to a computer system until a sum of money is paid. |
| Social Engineering | An attack which uses deception to trick individuals into divulging unauthorized information or access. |
| Web Apps | An incident in which a web application was the attack vector, including code-level vulnerabilities in the application and thwarted authentication mechanisms. |

General Security Incidents
General Security Incidents involve other kinds of security events that may still affect security ratings, such as employee error or misconduct. General Security Incidents are considered more severe than Other Disclosures. Some categories of General Security Incidents are ratings-impacting, while others are informational only and do not impact the rating.

| Incident Type | Description |
|---|---|
| Account Takeover (Employee) | An attacker gains unauthorized access into a service through the use of an employee’s account credentials. |
| Account Takeover (User) | An attacker gains unauthorized access into a service through the use of a user’s account credentials. |
| DNS Incident | An organization lost control or never had control of one of the associated assets, as defined by the DNS record. |
| Human Error | An incident involving unintentional actions that directly compromise a sensitive asset. |
| Internal Incident | An incident discovered by the company in question and remediated with no apparent compromise. |
| Lost/Stolen Asset | An incident where an information asset went missing, whether through misplacement or malice. |
| Lost/Stolen Asset (Encrypted) | An incident where an encrypted asset went missing, whether through misplacement or malice, with no evidence of encryption compromise. |
| Other Incident | A security incident that does not fall into one of the other categories. |
| Point of Sale (PoS) | Remote attacks against the environments where retail transactions are conducted, specifically where purchases are made. |
| Privilege Abuse | An unapproved or malicious use of organizational resources beyond what is authorized. |
| Unknown | A security incident where certain classification details pertaining to the event are unknown. |
| Unsecured Database | A database is left unsecured due to error and the data is accessible by third parties. |