What are some common indications that a security incident is occurring?
There are certain indications or “symptoms” of an incident that deserve attention, especially if they occur in combination with one another. These indications or “symptoms” are:

• Unexplained system crashes preceded by anomalous system activity
• Bookmark or web site historical references that the user did not place on the system
• Inappropriate content on the system
• Login information not how the user left it
• High activity on an account that has had virtually no activity for months
• Many new files created without explanation, often with novel or strange file names
• Changes in file lengths or dates (e.g., a user should be suspicious if he/she observes that the .EXE files have grown)
• Data modification or deletion (e.g., files disappear or are corrupted)
• Denial of service
• Unexplained, poor system performance (e.g., unusually slow system response time)
• Indications of a virus (e.g., “I LOVE YOU” or “GOTCHA” message is displayed, or there are frequent unexplained system “beeps
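Several of the file-related indications above (unexplained new files, changed file lengths or dates, grown .EXE files, disappearing files) can be checked by comparing two file-system snapshots. The following is an added example, not part of the original page; the function names, finding labels, and the `new_file_burst` threshold are assumptions chosen for illustration.

```python
import os
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, int]]  # relative path -> (size in bytes, mtime in ns)

def take_snapshot(root: str) -> Snapshot:
    """Record size and modification time for every file entry under root."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # file vanished or became unreadable between walk and stat
            snap[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns)
    return snap

def compare_snapshots(before: Snapshot, after: Snapshot,
                      new_file_burst: int = 3) -> List[str]:
    """Return findings that map to the file-related indications in the list."""
    findings = []
    created = sorted(set(after) - set(before))
    for path in sorted(set(before) - set(after)):
        findings.append(f"DELETED {path}")  # files disappear
    for path in sorted(set(before) & set(after)):
        (old_size, old_mtime), (new_size, new_mtime) = before[path], after[path]
        if new_size > old_size and path.lower().endswith(".exe"):
            findings.append(f"EXE_GREW {path} {old_size}->{new_size}")
        elif new_size != old_size:
            findings.append(f"SIZE_CHANGED {path} {old_size}->{new_size}")
        elif new_mtime != old_mtime:
            findings.append(f"DATE_CHANGED {path}")
    if len(created) >= new_file_burst:  # assumed threshold for "many new files"
        findings.append(f"NEW_FILE_BURST {len(created)} files: {', '.join(created)}")
    return findings

# Constructed sample snapshots (illustrative values, not real data).
BEFORE = {"app/tool.exe": (40960, 1000), "docs/plan.txt": (120, 1000),
          "docs/old.txt": (10, 1000)}
AFTER = {"app/tool.exe": (45056, 2000), "docs/plan.txt": (120, 3000),
         "x1.tmp": (1, 4000), "x2.tmp": (1, 4000), "zz9q.dat": (1, 4000)}

if __name__ == "__main__":
    for line in compare_snapshots(BEFORE, AFTER):
        print(line)
```

Size and date comparison only flags candidates for review; a finding is more significant when it coincides with other indications from the list.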