wverkooijen
Viewer

Is unavailability due to certificate expiration a security incident

Hi,

 

We are starting with a security team and wonder when unavailability issues are a security incident. When unavailability occurs due to errors made by employees that maintain certificates, does this count as a security incident?

 

 

1 Reply
denbesten
Community Champion

The trick is that not all incidents are security incidents.  In this case, I would tend to classify it primarily as an operational incident because it does not inherently lead to exposure or compromise.  That said, "Availability" is part of the CIA triangle, so if one wants the extra workload, one could make the case for it belonging to security.

 

In my organization, all non-trivial IT incidents are reported to a 24x7 cross-functional triage team.  That team is trained to both rate the severity and to identify which teams need to be engaged/woken, possibly including security.  Also, the triage team sends a daily IT-wide email summarizing the previous day's significant incidents, which gives us all the opportunity to follow up if mis-diagnosis is suspected or if we find possible triage-process improvements.

 

One clear (to me) security concern with cert expiration is the risk of it devaluing awareness training under the "boy who called wolf" theory.  Training generally includes that warnings should be taken seriously.  If accepting the expired cert warning becomes the official workaround, we are tacitly training our users that it is OK to ignore warnings. 

 

In the "post-hoc" review, I probably would recommend the cert issuance/renewal process be amended to include adding a reminder to the appropriate calendar(s).  Or perhaps your CA can send out "15-day reminder emails".
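As an added illustration of the reminder-based mitigation suggested in this reply (example code, not posted by anyone in the thread), the check below flags certificates inside a 15-day renewal window before they expire, so the expiry is caught as a renewal task rather than an outage. The hostnames, dates and the `NOW_SAMPLE` clock are constructed; the live-fetch helper uses only the Python standard library.

```python
from __future__ import annotations
import socket
import ssl
from datetime import datetime, timezone

REMINDER_DAYS = 15  # the "15-day reminder" window mentioned in the reply

# Constructed sample inventory (hypothetical hosts): (hostname, notAfter in the
# format ssl.getpeercert() returns, e.g. 'Jun 10 12:00:00 2025 GMT').
NOW_SAMPLE = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("web.example.test", "Jun 10 12:00:00 2025 GMT"),   # 9 days left
    ("vpn.example.test", "May 20 00:00:00 2025 GMT"),   # already expired
    ("mail.example.test", "Dec 31 23:59:59 2025 GMT"),  # fine
]

def days_until_expiry(not_after: str, now: datetime | None = None) -> int:
    """Whole days until the notAfter timestamp; negative once expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days

def classify(not_after: str, now: datetime | None = None) -> str:
    """EXPIRED (outage in progress), RENEW_SOON (inside reminder window) or OK."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= REMINDER_DAYS:
        return "RENEW_SOON"
    return "OK"

def run_inventory(inventory, now=None):
    """Return [(host, status, days_left)] for a list of (host, notAfter) pairs."""
    return [(host, classify(na, now), days_until_expiry(na, now)) for host, na in inventory]

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str | None:
    """Read notAfter from a live TLS endpoint. Returns None when the default verifying
    context rejects the chain; an already-expired cert fails here, so treat None as 'needs attention'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError:
        return None

if __name__ == "__main__":
    for host, status, days in run_inventory(SAMPLE_INVENTORY, NOW_SAMPLE):
        print(f"{host:22} {status:10} {days:+d} days")
```

Feed `run_inventory` the output of `fetch_not_after` for real hosts, and route any `EXPIRED` or `RENEW_SOON` result to whichever calendar or ticket queue the triage process uses.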