An incident is an adverse event to information technology (such as a system, network, or services) that results in damage, loss (of money, access, services, or data integrity or confidentiality), or other negative impacts on the organization. Cybersecurity incidents typically involve an internal or external actor using technology to negatively impact an organization.
Port scans and other probes, emails that appear to be scams or phishing, or other common events are not incidents unless they cause negative impacts.
What are some examples of cybersecurity incidents?
Common types of incidents include when an organization experiences:
- ransomware (a type of malicious software [malware] that infects a system or device and denies the owner or administrator access until a ransom is paid)
- cyber extortion (actual or threatened malicious activity by a third party who demands payment or other action)
- viruses and other malware
- hacking (for example, to deface a webpage or obtain data without authorization)
- denial of service (DoS) attacks (paralyzing a computer system or network by flooding it with data)
- phishing (sending emails that purport to be legitimate in order to induce individuals to trigger malware or to reveal information, such as passwords or financial information)
- business email compromise (BEC) – phishing or other scams leveraging email accounts, either spoofed or compromised, of executives or high-level employees, often to make fraudulent wire transfers or to obtain data or access without authorization
- other social engineering attacks (the use of deception to manipulate individuals into divulging confidential information that may be used for improper purposes)
- data breaches (the unauthorized acquisition, access to, or disclosure of confidential, sensitive, or otherwise non-public information in the public body’s custody or control)
- identity theft or fraud that occurs through technology
- threaten the security of the Commonwealth's data or communications or
- result in exposure of data protected by federal or state laws
(ii) other incidents compromising the security of the public body's information technology systems with the potential to cause major disruption to normal activities of the public body or other public bodies.
If you have a question about whether an incident meets the above criteria, it is better to err on the side of reporting it.
When must incidents be reported?
Under Virginia Code § 2.2-5514, incidents must be reported to the Virginia Fusion Intelligence Center within 24 hours from when the incident was discovered.
Are reports of cybersecurity incidents confidential?
Yes. Reports submitted by phone or through the incident reporting form go to the Virginia Fusion Center. Fusion Center information is confidential. See Va. Code § 52-48.
Do I still need to report a resolved cybersecurity incident?
Yes. ALL cybersecurity incidents meeting the criteria of the above law (Virginia Code § 2.2-5514, effective July 1, 2022) must be reported, even if no assistance is required or if the incident has already been resolved.
What if the cybersecurity incident occurred more than 24 hours ago?
All cybersecurity incidents meeting the criteria of the Virginia Code § 2.2-5514 (effective July 1, 2022) must be reported, even if the 24-hour reporting deadline has passed.
Will someone be contacting me after I submit the report?
If you select the YES button to request assistance on the form, state cybersecurity personnel will contact you. If you select NO and do not request assistance, state cybersecurity personnel will follow up with you only if additional details are needed.
How can I tell if a cybersecurity incident is happening?
The following are clues that an information security incident may be in progress or may already have occurred. These indicators can have legitimate explanations and be part of day-to-day operations. The key to determining whether a suspected event is legitimate or is actually an incident is recognizing when things happen without explanation or in ways that are contrary to your policies and procedures.
- Unsuccessful logon attempts
- Suspicious discrepancies in accounting/system/network logs (e.g., gaps or erasures in a log in which no entries whatsoever appear, or an account obtaining root access without going through the normal sequence necessary to obtain this access)
- “Door knob rattling” (e.g., use of attack scanners, remote requests for information about systems and/or users, or social engineering attempts)
- New user accounts not created by system administrators
- New files or unfamiliar file names
- Modifications to file lengths or dates (especially in system executable files)
- Attempts to write to system files or changes in system files
- Modification or deletion of data
- Changes in file permissions
- Logins into dormant accounts (one of the best SINGLE indicators)
- A system alarm or similar indication from an intrusion detection tool
- Denial of service (DoS) or distributed denial of service (DDoS) (e.g., inability of one or more users to log in to an account; inability of customers to obtain information or services via the system)
- Abnormally slow or poor system performance
- Unauthorized operation of a program or sniffer device to capture network traffic (e.g., presence of cracking utilities)
- Unusual time of usage (remember, more computer security incidents occur during non-working hours than at any other time)
- Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program; use of commands/functions not normally associated with the user's job)
- Physical theft and intrusion (e.g., theft of a laptop computer with critical information)
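As an added example (not part of the original FAQ), the following Python script applies the log-based indicators listed above (bursts of unsuccessful logons, unexplained gaps in a log, logins into dormant accounts, unusual time of usage) to a constructed authentication log. The log format, account names, thresholds and the LAST_SEEN table are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample log (not real data): ISO timestamp, account, logon outcome.
# The failed-logon burst, the day-long gap and the 02:13 login are planted on purpose.
SAMPLE_LOG = """\
2024-03-04T08:02:11 alice OK
2024-03-04T08:05:40 bob OK
2024-03-04T09:10:02 carol FAIL
2024-03-04T09:10:05 carol FAIL
2024-03-04T09:10:09 carol FAIL
2024-03-04T09:10:12 carol FAIL
2024-03-04T09:10:15 carol FAIL
2024-03-04T09:10:19 carol OK
2024-03-05T17:55:00 alice OK
2024-03-06T02:13:44 svc_old OK
"""
# Constructed: date of each account's last successful login before this window.
LAST_SEEN = {"alice": "2024-03-01", "bob": "2024-03-03",
             "carol": "2024-02-28", "svc_old": "2023-10-15"}

def parse(log):
    """Turn 'timestamp user result' lines into (datetime, user, result) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def find_indicators(log, last_seen=LAST_SEEN, dormant_days=90, fail_threshold=5,
                    fail_window=timedelta(minutes=5), gap=timedelta(hours=24),
                    work_hours=(7, 19)):
    """Return (indicator, subject, when) tuples for the FAQ's log-based indicators."""
    events = sorted(parse(log))
    findings, fails = [], defaultdict(list)
    for i, (ts, user, result) in enumerate(events):
        if i and ts - events[i - 1][0] > gap:          # silence in the log
            findings.append(("LOG_GAP", str(events[i - 1][0]), str(ts)))
        if result == "FAIL":                             # repeated unsuccessful logons
            fails[user] = [t for t in fails[user] if ts - t <= fail_window] + [ts]
            if len(fails[user]) == fail_threshold:
                findings.append(("FAILED_LOGON_BURST", user, str(ts)))
            continue
        last = datetime.fromisoformat(last_seen.get(user, "1970-01-01"))  # unknown = never seen
        if ts - last > timedelta(days=dormant_days):      # login to a dormant account
            findings.append(("DORMANT_ACCOUNT_LOGIN", user, str(ts)))
        if ts.weekday() >= 5 or not work_hours[0] <= ts.hour < work_hours[1]:
            findings.append(("OFF_HOURS_LOGIN", user, str(ts)))  # unusual time of use
    return findings
```

Every finding is only a lead for a human to explain against policy, as the FAQ says; the thresholds are where an organization encodes what "normal" means for its own systems.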