India CERT to Require 6-Hour Incident Reporting; Microsoft Fixes Privilege Escalation Flaw in Azure PostgreSQL DB; US Banks Now Have 36 Hour Incident Response Reporting Deadline

There are a lot of flaws in this one. Simple example: “targeted” scanning/probing of networks is included in the incidents that need to be reported, which means a flood of incident reports of low value. Reporting in six hours is obviously a tough requirement, but the CERT-In reporting form has a lot of free-form text and FAX is OK for submission! So, reams of data flowing in but analysis can’t keep up – no increase in security. Large libraries of unread books do not make us smarter.

John Pescatore

This regulation appears to be overly ambitious, and the author lacks the basic competence required to draft such a regulation. The broad definition of reportable incidents and the short reporting deadline will lead to a flood of meaningless reports. Requiring long log retention times without specifying what to log will incentivize organizations to enable less verbose logs. You will end up with more but less meaningful logs.

Johannes Ullrich

The timeline is short, 60 days. Twenty incident types are listed with a six-hour reporting window along with requirements to use their specified NTP service. While having a consistent time source is critical for correlation and aggregation, and you should make sure you're using a reliable NTP source, simply requiring use of a known authoritative service would be preferable to limiting the country to a single choice. The big tasks will be getting clarification of all the reporting requirements as well as establishing the communication channels and relationships needed. The reporting window is unusually small, GDPR uses 72 hours and the US is asking for 24 hours. Irrespective of the window size, make sure you know what needs reporting and how.

Lee Neely

It seems like a very grand plan, with very few specific details set to be rolled out within the next 60 days. I don’t think this is realistic and to say it’s ambitious is an understatement. Specifically, just attempting to retain 180 days’ worth of logs will be difficult with all the supply chain shortages. Considering that a single firewall in a decent-sized enterprise will create several gigabytes of daily logs, I can’t imagine how many potential terabytes of records will be required to be retained from here on out in one of the most densely populated countries in the world. The other issue is what would constitute both an incident and detection. If companies decide to report to comply, CERT-In could potentially be seeing a large percentage of reported detections of false-positive or low priority events. How would the CERT-In triage a large influx of reports? Instead of systematically bringing up the regulations, CERT-In wants to collect as much data as possible and sort it out later. We know that this doesn’t typically end well. Maybe it would be ideal to buy storage now, ahead of the rush?

Moses Frost

Privilege escalation flaws are very difficult to prevent and dangerous for on-premises systems. But for cloud providers, a simple privilege escalation flaw is deadly as it destroys the illusion of cross-tenant isolation of data.

Johannes Ullrich

Microsoft patched the databases on February 25th, so you're covered. They recommend setting up private network access to flexible servers to minimize further exposure. Fundamentally make sure that you're not needlessly exposing access to services, leverage security services and options to also monitor access to ensure protections are what you think they are. Read the Wiz research blog (https://www.wiz.io/blog/wiz-research-discovers-extrareplica-cross-account-database-vulnerability-in-azure-postgresql/) for more details on the ExtraReplica flaw.

Lee Neely

While, on the surface, this seems to be tragic, I guess the real question is how prevalent the PostgreSQL Flexible Server deployment is going to be. Having a system with a disclosed vulnerability in your cloud service provider is a double-edged sword. While there was a privileged escalation flaw in PostgreSQL because this is a cloud provider, each PostgreSQL instance can be patched and remediated without the user necessarily worrying about it. With on-premises software, we often see that it is the case that servers go unpatched. The question is a tricky one to weigh in on. Cloud-hosted and shared infrastructure vs. on-premises and private. Which one is safer, less risky, or more secure? Is it better or worse than it is cloud-hosted? Only time will tell.

Moses Frost

The FDIC currently requires incident reporting with 72 hours of detection, so this is a significant move forward. But the FDIC, along with the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency, took input from industry and narrowed the definition of what constitutes a “notification incident” to those that actually caused some harm – probing/scanning would not qualify. 36 hour response will be tough for many but the financial sector certainly needs the toughest requirements.

John Pescatore

Essentially if you're a federally insured or regulated financial institution, this applies. Make sure that you review your agency specific guidance for reporting and note the examples of incidents that were released to clarify the initially overly vague 'Computer-Security Incident' in the initial legislation. Expect your examiners to verify that you have both the notification and definition of what you need to report. As other organizations, CISA, DHS, etc. are looking for incident reporting, it'd be a good idea to make sure you know what that would mean if you're required to comply, to include what information you would rather not share and establishing the relationship required for reporting or assistance.

Lee Neely

This has been a right, known as the “right to erasure” or more commonly referred to as the “right to be forgotten,” to those based in the EU and covered by the EU General Data Protection Regulation (GDPR). A key point to note is that while the personal data is removed from the search results, the data is still available on the sites hosting that data. Under GDPR, individuals also need to exercise their right to erasure with the sites hosting their personal data.

Brian Honan

With more privacy legislation including the "right to be forgotten" knowing how to exercise that right is important and varies by service. Be sure you understand the process and limitations available. Google outlines the process and limits of what they will do on their Remove select PII or doxing content from Google Search help page: https://support.google.com/websearch/answer/9673730: Remove select personally identifiable info (PII) or doxxing content from Google Search

Lee Neely

Not a terrible big deal. Disable Netatalk (it is no longer needed) and apply patches as they become available. This affects many Linux based network storage systems. Synology and QNAP are just the two out of them responsible enough to release an advisory.

Johannes Ullrich

Patch your NAS, make sure it's not exposed to the Internet. Remove unneeded apps and user accounts, watch for unexpected additions. Ideally don’t allow SMB or AFP through your boundary, require a VPN for the access. If you must allow the direct connection, only allow it from trusted devices.

Lee Neely

Interesting attack group leverages typically unmonitored systems for their ingress and egress point. Smart move. Most companies do not realize how vulnerable and easy it is to leverage these systems for C2. There are three things to look for in the article. The command channel for the attacker group, how they leverage EWS On-Premises, and then they mention the Mandiant M365 Hardening Guides. My advice for those considering keeping on-premises servers. Don't.

Moses Frost

Having standards should help suppliers design for an appropriate level of security. Making them voluntary may be a double-edged sword if the goal is to raise the bar consistently across the board. The trick will be adding security to existing satellites, often not sized or otherwise equipped to add that workload. One hopes that industry input can be gathered during a RFC comment for the new standards to make them both relevant and achievable.

Lee Neely