Low : Basic network
This condition applies when there is no
discernible network incident activity and no malicious code activity with a
moderate or severe risk rating. Under these conditions, only a routine
security posture, designed to defeat normal network threats, is warranted.
Automated systems and alerting mechanisms should be used.
Medium : Increased alertness
This condition applies when knowledge or the expectation of attack activity
is present, without specific events occurring, or when malicious code reaches
a moderate risk rating. Under this condition, a careful examination of
vulnerable and exposed systems is appropriate, security applications should
be updated with new signatures and/or rules as soon as they become available,
and careful monitoring of logs is recommended. Changes to the security
infrastructure are not required.
High : Known threat
This condition applies when an isolated
threat to the computing infrastructure is currently underway or when
malicious code reaches a severe risk rating. Under this condition, increased
monitoring is necessary, security applications should be updated with new
signatures and/or rules as soon as they become available and redeployment
and reconfiguration of security systems is recommended. People should be
able to maintain this posture for a few weeks at a time, as threats come and
Extreme : Full alert
This condition applies when extreme global network incident activity is in
progress. Implementation of measures in this Threat Condition for more than
a short period probably will create hardship and affect the normal
operations of network infrastructure.
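Read together, the four conditions form a decision procedure: each observed signal (malicious-code risk rating, expectation of attack, an isolated threat in progress, extreme global activity) triggers a level, and the posture to adopt is the highest level any signal triggers. The Python below is an added example, not code from the original page or from whoever published this scale; it encodes that procedure and returns the page's recommended actions for the resulting level. The `Signals` field names and the numeric ordering of the risk ratings are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class ThreatCondition(IntEnum):
    """The four conditions of the scale, ordered so max() picks the more severe one."""
    LOW = 1      # Basic network
    MEDIUM = 2   # Increased alertness
    HIGH = 3     # Known threat
    EXTREME = 4  # Full alert


# Ordering of malicious-code risk ratings (an assumption; the page only names
# "moderate" and "severe" as thresholds).
RISK_ORDER = {"none": 0, "low": 1, "moderate": 2, "severe": 3}


@dataclass
class Signals:
    """Assessment inputs. Field names are assumptions for this example."""
    malicious_code_risk: str = "none"        # highest current malicious-code risk rating
    attack_expected: bool = False            # knowledge/expectation of attack, no specific events yet
    isolated_threat_underway: bool = False   # an isolated threat to the infrastructure is in progress
    extreme_global_activity: bool = False    # extreme global network incident activity in progress


# Recommended actions per level, taken from the scale's own descriptions.
ACTIONS = {
    ThreatCondition.LOW: [
        "maintain routine security posture",
        "rely on automated systems and alerting",
    ],
    ThreatCondition.MEDIUM: [
        "examine vulnerable and exposed systems",
        "update signatures/rules as soon as available",
        "monitor logs carefully",
    ],
    ThreatCondition.HIGH: [
        "increase monitoring",
        "update signatures/rules as soon as available",
        "redeploy and reconfigure security systems",
    ],
    ThreatCondition.EXTREME: [
        "implement full-alert measures (sustainable only for a short period)",
    ],
}


def assess(signals: Signals) -> ThreatCondition:
    """Return the highest Threat Condition triggered by any signal.

    Raises ValueError on an unknown risk rating rather than silently
    treating it as 'none', so a bad feed value cannot lower the posture.
    """
    if signals.malicious_code_risk not in RISK_ORDER:
        raise ValueError(f"unknown risk rating: {signals.malicious_code_risk!r}")
    risk = RISK_ORDER[signals.malicious_code_risk]

    # Low applies only when nothing below fires: no discernible incident
    # activity and no malicious code at moderate or severe risk.
    level = ThreatCondition.LOW
    if signals.attack_expected or risk >= RISK_ORDER["moderate"]:
        level = max(level, ThreatCondition.MEDIUM)
    if signals.isolated_threat_underway or risk >= RISK_ORDER["severe"]:
        level = max(level, ThreatCondition.HIGH)
    if signals.extreme_global_activity:
        level = ThreatCondition.EXTREME
    return level


def recommended_actions(signals: Signals) -> list[str]:
    """Convenience wrapper: actions for the assessed level."""
    return ACTIONS[assess(signals)]


if __name__ == "__main__":
    # Constructed sample: a severe malicious-code rating with no incident underway.
    sample = Signals(malicious_code_risk="severe")
    print(assess(sample).name, recommended_actions(sample))
```

The `max()` composition is the point worth noting: a moderate malicious-code rating alone yields Medium, but the same rating combined with an isolated threat underway yields High, because the scale never lets a weaker signal pull the posture below what a stronger one demands.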