The Forum of Incident Response and Security Teams (FIRST) has published TLP 2.0, a new version of its Traffic Light Protocol (TLP) standard, five years after the release of the initial version.
The TLP standard is used in the computer security incident response team (CSIRT) community to facilitate the greater sharing of sensitive information.
It also indicates any sharing limitations recipients have to consider when communicating potentially sensitive info with others.
“TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared,” FIRST says.
“TLP labels and their definitions are not intended to have any effect on freedom of information or ‘sunshine’ laws in any jurisdiction.”
With the updated standard, FIRST maintains the rule that the source of information should communicate the TLP label in writing or verbally, depending on the TLP designation.
Information sources are also required to ensure that recipients of TLP-labeled info understand and abide by the TLP sharing guidance.
Changes in the new TLP 2.0 standard
Compared to TLP 1.0, TLP 2.0 replaces the TLP:WHITE label with TLP:CLEAR and adds an additional TLP: AMBER+STRICT label for an extra limited disclosure level within organizations.
The new standard also clarifies the previous label description to improve human readability and make it easier to understand disclosure limitations.
FIRST also “removed synonyms and colloquialisms to improve accessibility for non-native English speakers and ease of translation, focused on consistent language and terminology, adding definitions for community, organization, and clients, and added a colors table to include RGB, CMYK, and hexadecimal color codes.”
According to FIRST, the color-coded TLP labels should be applied based on the audience that should have access to the shared sensitive information:
- TLP:RED = For the eyes and ears of individual recipients only, no further disclosure.
- TLP:AMBER = Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients.
- TLP:AMBER+STRICT restricts sharing to the organization only.
- TLP:GREEN = Limited disclosure, recipients can spread this within their community.
- TLP:CLEAR = Recipients can spread this to the world, there is no limit on disclosure.
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
When applying these TLP labels, those sharing the information should consider the foreseeable risk of its misuse, if it should be used to increase awareness in the broader community, and its impact on organization privacy, reputation, or operations.
“We are increasingly spreading more confidential and sensitive information inside our community, inside companies, inside business sectors, inside countries, and worldwide,” FIRST TLP-SIG co-chair Don Stikvoort said.
“We need systems that are easy to use, simple to understand, and straightforward enough that translation does not impact the meaning to ensure that we share sensitive information with the appropriate audience. The updated and modernized TLP version 2.0 does just that.”
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!