The Obsession with Faster Cybersecurity Incident Reporting

By Tim Erlin (posted 4 years ago)

Requirements for reporting cybersecurity incidents to a regulatory or government authority are not new, but globally there has always been a great deal of inconsistency in exactly what those requirements are. More recently, there has been a growing trend across government and regulatory bodies in the United States towards shorter timeframes for reporting cybersecurity incidents. Here is a brief rundown of the recent activity.

At the end of last year, the US Congress passed the National Defense Authorization Act (NDAA). The final version of the NDAA included a cybersecurity incident notification rule that applies only to critical infrastructure entities. It leaves the final threshold for notification to be determined by the Director of the Cybersecurity Incident Review Office, but states that "in no case may the Director require reporting by a covered entity earlier than 72 hours after confirmation that a covered cybersecurity incident has occurred." This part of the legislation went through several revisions, however. The House version included a 72-hour notification requirement that applied more broadly, and also a 24-hour notification requirement for ransomware payments. In mid-March, both the House and Senate passed a separate bill, the "Cyber Incident Reporting for Critical Infrastructure Act," included in the "Consolidated Appropriations Act," that clearly specifies a 72-hour reporting requirement for critical infrastructure entities.

Also at the end of last year, the FDIC waded into the incident notification pool with a 36-hour requirement: banking organizations must notify their primary federal regulator as soon as possible, and no later than 36 hours after determining that a notification incident has occurred. The final rule was issued jointly by the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC). Affected organizations must be compliant by May 1, 2022. The National Law Review points out that "[t]his timeline is shorter than any U.S. state data breach notification law and surpasses even the tightest time frame on U.S. books."

Finally, to round out this trend, the Securities and Exchange Commission (SEC) issued in March a proposed rule that requires 48-hour notification for a subset of covered entities. This rule would specifically apply to registered investment advisers (RIAs), registered investment companies (RICs) and business development companies (BDCs). That list leaves out other publicly traded companies that the SEC regulates. As this is a proposed rule, it is open for comments for 60 days after publication in the Federal Register.

While there is certainly other cybersecurity content in these rules, the focus around notification is over-balanced towards timeliness and away from completeness. Whether the window is 72, 48, or 36 hours, no organization is going to have a full picture of a cybersecurity incident in that amount of time. Investigating an incident takes time, and it is not an easy process. An attacker may have been present in the environment for weeks or months, and unraveling their activity over that period requires skill, diligence, and patience. The first report an organization can file in that window is, at best, a statement of what has been confirmed so far, not a description of the incident.

A focus on timeliness of reporting, without a corresponding focus on completeness, feeds a news cycle that favors headlines over analysis. Reporting on the latest incident is far more interesting than reporting on the completed analysis of last year’s incident, especially if that analysis isn’t actually available.

Timely reporting of incidents does have value. It allows outside organizations, whether regulatory bodies or governments, to respond to incidents. It allows for the aggregation of data, and potentially for understanding larger patterns at play, which, in turn, allows for more rapid response to a multi-pronged incident that spans organizations or industries.

Completeness of reporting has equal, if not greater, value. By understanding the details of an incident, ideally the full timeline, both the affected organization and others can implement controls and mitigations to prevent attacks that use similar tools or patterns. Industry organizations can use the data to deliver insights. We can see the value of this type of information today in annual reports like the Verizon Data Breach Investigations Report, and in tools like the MITRE ATT&CK framework.

But the detailed data collected on incidents are often incomplete, or provided only voluntarily. Standards for what a complete incident report contains, and methodologies for producing one, are held largely within private, for-profit organizations. Raising the baseline on incident investigations benefits everyone, and there are some signs that industry and government will head in this direction.

The launch of the Cyber Safety Review Board (CSRB) as part of CISA promises to adopt a new approach to investigating nationally significant incidents, and to bring a new level of transparency to the process. The CSRB is often compared to the National Transportation Safety Board (NTSB). Over its history, the NTSB has issued more than 14,000 safety recommendations, with 73% of them adopted by the entities to which they were directed. If the CSRB follows the same path, we may see impactful cybersecurity recommendations coming directly out of this more public, more transparent process for investigations.

On a smaller scale, the SEC demonstrates an approach that addresses completeness and transparency as well. While the focus of the proposed SEC rule may be on fast reporting, it also includes an interesting requirement to provide updates within 48 hours "if any previously reported information about a significant cybersecurity incident becomes materially inaccurate or if the adviser discovers new material information related to an incident." In other words, the initial notification is treated as a first draft that must be corrected as the investigation progresses, rather than as the final word. Since the SEC is focused on informing investors of risk, it is likely that this type of information will be more publicly available because of this rule, assuming it is adopted as-is.

With the continuously changing threat environment, increasingly rigorous reporting requirements are likely to proliferate. It is important that the trend towards faster reporting be balanced with an equal emphasis on the quality and completeness of the data.

The post "The Obsession with Faster Cybersecurity Incident Reporting" appeared first on Tripwire.

Source: Tripwire, Tim Erlin
