IAM Related Incident Classes

Context	IAM
Title	A Classification of IAM Related Incident Classes
Contributors	David Doret 10 (1668 days ago) David Doret (Open Measure) 2 (1357 days ago)
Version	`1.0` EARLY DRAFT
Summary	To measure IAM related incidents, it is necessary to define what is an IAM related incident. This requires a classification of IAM related incident classes. This page is a placeholder where to progressively consolidate references to IAM related incident classes.
See Also
TODO	Consider moving this classification to a dedicated Incident Classes wiki space to provide plenty of room for documentation and extensions.

Approach

In order to enable the measurement of IAM related, it is necessary to establish a classification of IAM related incident classes. At this point, this page is a placeholder where references to IAM related incident classes are progressively inventories. It is by no mean complete.

Call for contributions

If you are aware of classes not yet referenced on this page or if you are aware of complementary source references, please let us know and contribute.

Classification

Class	Definition	Sources
Phishing	Class: Information Gathering Attempt to gather information on a user or a system through phishing methods. Including; Mass emailing aimed at collecting data for phishing purposes with regard to the victims (Dissemination of phishing emails: Art. 7 [H], Art. 7 [G]) Hosting web sites for phishing purposes (Hosting of phishing sites: Art. 7 [F]	ENISA and Europol EC3, 2017
Login attempt	Class: Intrusion Attempt and Intrusion Attempt to log in to services or authentication / access control mechanisms. Including: Unsuccessful login by using sequential credentials for gaining access to the system (Brute-force attempt:, Art. 2, 6 and 11 [A] - Art. 3,7 and 8 [F]) Unsuccessful acquisition of access credentials by breaking the protective cryptographic keys. (Password cracking attempt: - Art. 2, 6 and 11 [A] - Art. 3,7 and 8 [F]) Unsuccessful login by using system access credentials previously loaded into a dictionary. (Dictionary attack attempt: - Art. 2, 6 and 11 [A] - Art. 3,7 and 8 [F])	ENISA and Europol EC3, 2017
Unauthorised access to a system or component by bypassing an access control system in place.	Class: Intrusion Type: (Successful) Exploitation of vulnerability Actual intrusion by exploiting vulnerability in the system, component or network. Unauthorised access to a system or component by bypassing an access control system in place. (Control system bypass: (Art. 2 [A], Art. 3 and 7 [F])	ENISA and Europol EC3, 2017
Compromising an account	Class: Intrusion Actual intrusion in a system, component or network by compromising a user or administrator account. Unauthorised access to a system or component by using stolen access credentials. (Theft of access credentials: Art. 6 [A], Art. 3 and 7 [F])	ENISA and Europol EC3, 2017
Unauthorised access	Class: Information Security Unauthorised access to a particular set of information Unauthorised access to a system or component (Unauthorised access to a system: - Art. 2 [A] - Art. 3 and 7 [F]) Unauthorised access to a set of information (Unauthorised access to information: - Art. 2 [A] - Art. 3 and 7 [F] - Art. 5, 6 and 25 [G]) Unauthorised access to and sharing of a specific set of information (Data exfiltration: - Art. 2 [A])	ENISA and Europol EC3, 2017
Unauthorised modification/deletion	Class: Information Security Class description: Unauthorised change or elimination of a particular set of information. Unauthorised changes to a specific set of information (Modification of information: - Art. 4, 7 and 8 [A] - Art. 5 [F]) Unauthorised deleting of a specific set of information (Deleting of information: - Art. 4 [A] - Art. 5 [F])	ENISA and Europol EC3, 2017
Other IAM related incident
Non-IAM related incident