(a) A system alarm or similar indication from an intrusion
detection tool
(b) Suspicious entries in system or network accounting (e.g.,
a UNIX user obtains root access without going through the normal
sequence necessary to obtain this access)
(c) Accounting discrepancies (e.g., someone notices an 18-minute
gap in the accounting log in which no entries whatsoever appear)
(d) Unsuccessful logon attempts
(e) Unexplained, new user accounts
(f) Unexplained, new files or unfamiliar file names
(g) Unexplained modifications to file lengths and/or dates,
especially in system executable files
(h) Unexplained attempts to write to system files or changes
in system files
(i) Unexplained modification or deletion of data
(j) Denial of service or inability of one or more users to
log in to an account
(k) System crashes
(l) Poor system performance
(m) Unauthorized operation of a program or sniffer device to
capture network traffic
(n) "Door knob rattling" (e.g., use of attack scanners,
remote requests for information about systems and/or users, or
social engineering attempts)
(o) Unusual time of usage (remember, more security incidents
occur during non-working hours than any other time)
(p) An indicated last time of usage of a user account that
does not correspond to the actual last time of usage for that
user
(q) Unusual usage patterns (e.g., programs are being compiled
in the account of a user who does not know how to program)
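Several of the symptoms above can be checked mechanically against system logs rather than waiting for someone to notice them. The script below is an added illustration and is not part of the original handbook: it assumes a syslog-like line format ("date time process[pid]: message"), and the sample log lines, the address 203.0.113.9, the account names and the thresholds are all constructed for the example. The symptom letters in the comments refer to the list above.

```python
"""Scan syslog-style lines for some of the incident symptoms listed above.

Added example, not part of the original handbook.  Every log line, host
address, account name and threshold here is made up for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
NEW_USER_RE = re.compile(r"new user: name=([^,]+)")

# Constructed sample: a normal afternoon (a cron heartbeat every ten minutes,
# one legitimate sudo session, one 18-minute hole in the log) followed by a
# suspicious evening (password guessing, a direct root login, a new account).
SAMPLE_LOG = """\
2024-03-11 12:00:01 cron[402]: (root) CMD (/usr/local/bin/healthcheck)
2024-03-11 12:10:01 cron[402]: (root) CMD (/usr/local/bin/healthcheck)
2024-03-11 12:15:30 sudo[1201]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
2024-03-11 12:15:30 sudo[1201]: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
2024-03-11 12:16:02 sudo[1201]: pam_unix(sudo:session): session closed for user root
2024-03-11 12:20:01 cron[402]: (root) CMD (/usr/local/bin/healthcheck)
2024-03-11 12:38:01 cron[402]: (root) CMD (/usr/local/bin/healthcheck)
2024-03-11 12:40:01 cron[402]: (root) CMD (/usr/local/bin/healthcheck)
2024-03-11 22:41:07 sshd[3310]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
2024-03-11 22:41:09 sshd[3312]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
2024-03-11 22:41:12 sshd[3315]: Failed password for root from 203.0.113.9 port 51030 ssh2
2024-03-11 22:41:15 sshd[3319]: Failed password for root from 203.0.113.9 port 51033 ssh2
2024-03-11 22:41:20 sshd[3322]: Accepted password for root from 203.0.113.9 port 51040 ssh2
2024-03-11 22:41:20 sshd[3322]: pam_unix(sshd:session): session opened for user root by (uid=0)
2024-03-11 22:42:51 useradd[3350]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
"""


def parse(text):
    """Return (timestamp, process, message) tuples in file order; lines that
    do not fit the expected shape are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["proc"], m["msg"]))
    return events


def failed_logon_sources(events, threshold=3):
    """Symptom (d): sources with at least `threshold` failed logons."""
    counts = Counter()
    for _, _, msg in events:
        m = FAILED_RE.search(msg)
        if m:
            counts[m.group(2)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def root_sessions_not_via_sudo_or_su(events):
    """Symptom (b): a root session opened by something other than sudo or su,
    i.e. root obtained without the normal privilege-escalation sequence."""
    return [(ts, proc) for ts, proc, msg in events
            if "session opened for user root" in msg and proc not in ("sudo", "su")]


def new_accounts(events):
    """Symptom (e): accounts created by useradd, to be matched against
    change records; any that are unexplained warrant a closer look."""
    names = []
    for _, proc, msg in events:
        m = NEW_USER_RE.search(msg)
        if proc == "useradd" and m:
            names.append(m.group(1))
    return names


def log_gaps(events, max_gap=timedelta(minutes=15)):
    """Symptom (c): stretches longer than `max_gap` with no entries at all.
    A quiet host has legitimate gaps (overnight, for instance), so judge
    hits against the host's normal log volume, not in isolation."""
    return [(t1, t2, t2 - t1)
            for (t1, _, _), (t2, _, _) in zip(events, events[1:])
            if t2 - t1 > max_gap]


def off_hours(events, start_hour=7, end_hour=19):
    """Symptom (o): activity outside working hours.  The cron heartbeat is
    excluded because it is expected around the clock."""
    return [e for e in events
            if e[1] != "cron" and not (start_hour <= e[0].hour < end_hour)]


def report(text):
    """Run every check over one log text and return the findings by symptom."""
    events = parse(text)
    return {
        "failed_logon_sources": failed_logon_sources(events),
        "root_without_sudo": root_sessions_not_via_sudo_or_su(events),
        "new_accounts": new_accounts(events),
        "gaps": log_gaps(events),
        "off_hours": off_hours(events),
    }


if __name__ == "__main__":
    for symptom, findings in report(SAMPLE_LOG).items():
        print(symptom, findings)
```

On the sample, the script reports four failed logons from one source, a root session opened directly by sshd rather than by sudo or su, the new svc_backup account, the 18-minute hole in the afternoon log (and the expected overnight gap, which is why the gap check needs a baseline), and seven non-cron events after 19:00. Each finding on its own is only a symptom; together they are exactly the kind of pattern the paragraph below says should trigger a closer investigation.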
Although none of these typical symptoms of a security incident is by
itself conclusive, observing one or more of them should prompt you to
investigate events more closely. Work with other personnel at your
organization who possess the appropriate technical and computer security
knowledge to determine exactly what has occurred. Collective judgment is
typically better than a single person's judgment when it comes to
identifying incidents.