MISCELLANEOUS CYBERSECURITY NEWS:
Think of cyber insurance as a strategic business decision - The
cyber insurance market has been valued at roughly $12 billion and
could triple to more than $29 billion by 2027. Cyber insurance,
unlike automobile and some other forms of insurance, has not yet
been made mandatory, but it’s set to become indispensable to
companies involved in merger or partnership negotiations, or in
raising money from investors.
https://www.scmagazine.com/perspective/ransomware/think-of-cyber-insurance-as-a-strategic-business-decision
How to improve workload security - Securing cloud workloads can be
difficult: You're running applications and processes on a far-off
server that your organization doesn't control. Yet there are several
initiatives you can take to make your cloud workloads as safe as
possible.
https://www.scmagazine.com/resource/cloud-security/how-to-improve-workload-security
How Walmart allocates its cyber resources equitably across its vast
empire - For the CISO of any large or complex organization, being
able to equitably implement security controls across your highly
distributed enterprise - ensuring that no division is underserved or
overlooked - is no easy challenge.
https://www.scmagazine.com/feature/leadership/spreading-the-wealth-how-walmart-allocates-its-cyber-resources-equitably-across-its-vast-empire
DDoS attacks continue to cripple organizations: here’s how to stay
prepared - By now, most people have visited a website only to find
it shut down, often because the site may have experienced a
Distributed Denial of Service (DDoS) attack.
https://www.scmagazine.com/perspective/cybercrime/ddos-attacks-continue-to-cripple-organizations-heres-how-to-stay-prepared
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Morley reaches $4.3M settlement after hacking incident leads to data
theft for 694K - Morley Companies reached a $4.3 million settlement
with the 694,000 individuals affected by its August 2021 data theft,
reported to the public in February 2022.
https://www.scmagazine.com/analysis/ransomware/morley-reaches-4-3m-settlement-after-hacking-incident-leads-to-data-theft-for-694k
Godfather uses ‘web fakes’ to serve-up a ‘banking trojan that’s
impossible to refuse’ - Using imagery and verbiage from the iconic
movie starring Marlon Brando, researchers reported that the Android
banking trojan Godfather has been using “web fakes” to attack more
than 400 targets across 16 countries, including mobile banking
applications, cryptocurrency wallets, and crypto exchanges.
https://www.scmagazine.com/news/cybercrime/godfather-uses-web-fakes-to-serve-up-a-banking-trojan-thats-impossible-to-refuse
Latest breach of Okta’s GitHub repositories raises concerns about
broader supply chain attack - Security researchers on Thursday said
that while yesterday’s disclosure by Okta that its GitHub repositories
were accessed is unrelated to two other attacks this year, it does
raise concerns that all of these breaches may be part of a larger
event and could foreshadow a significant supply chain attack on
organizations reliant upon Okta for identity and access services.
https://www.scmagazine.com/news/cloud-security/latest-breach-of-oktas-github-repositories-raises-concerns-about-broader-supply-chain-attack
Researchers advise teams to change master passwords and 2FA keys
after LastPass disclosure - Password manager company LastPass gave
an update of its security incident from August, which prompted
security researchers to tell admins that they really need to take
steps to protect their environments.
https://www.scmagazine.com/analysis/cloud-security/researchers-advise-teams-to-change-master-passwords-and-2fa-keys-after-lastpass-disclosure
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on
"Weblinking: Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of
weblinks should review the types of products or services and the
overall website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY TESTING
Information security is an integrated process that reduces
information security risks to acceptable levels. The entire process,
including testing, is driven by an assessment of risks. The greater
the risk, the greater the need for the assurance and validation
provided by effective information security testing.
In general, risk increases with system accessibility and the
sensitivity of data and processes. For example, a high-risk system
is one that is remotely accessible and allows direct access to
funds, fund transfer mechanisms, or sensitive customer data.
Information-only Web sites that are not connected to any internal
institution system or transaction-capable service are lower-risk
systems. Information systems that exhibit high risks should be
subject to more frequent and rigorous testing than low-risk systems.
Because tests only measure the security posture at a point in time,
frequent testing provides increased assurance that the processes
that are in place to maintain security over time are functioning.
A wide range of tests exists. Some address only discrete
controls, such as password strength. Others address only technical
configuration, or may consist of audits against standards. Some
tests are overt studies to locate vulnerabilities. Other tests can
be designed to mimic the actions of attackers. In many situations,
management may decide to perform a range of tests to give a complete
picture of the effectiveness of the institution's security
processes. Management is responsible for selecting and designing
tests so that the test results, in total, support conclusions about
whether the security control objectives are being met.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.6.1 Mitigating Payroll Fraud Vulnerabilities
To remove the
vulnerabilities related to payroll fraud, the risk assessment team
recommended the use of stronger authentication mechanisms based on
smart tokens to generate one-time passwords that cannot be used by
an interloper for subsequent sessions. Such mechanisms would make it
very difficult for outsiders (e.g., from the Internet) who penetrate
systems on the WAN to use them to attack the mainframe. The authors
noted, however, that the mainframe serves many different agencies,
and HGA has no authority over the way the mainframe is configured
and operated. Thus, the costs and procedural difficulties of
implementing such controls would be substantial. The assessment team
also recommended improving the server's administrative procedures
and the speed with which security-related bug fixes distributed by
the vendor are installed on the server.
After input from COG
security specialists and application owners, HGA's managers accepted
most of the risk assessment team's recommendations. They decided
that since the residual risks from the falsification of time sheets
were acceptably low, no changes in procedures were necessary.
However, they judged the risks of payroll fraud due to the
interceptability of LAN server passwords to be unacceptably high,
and thus directed COG to investigate the costs and procedures
associated with using one-time passwords for Time and Attendance
Clerks and supervisor sessions on the server. Other users performing
less sensitive tasks on the LAN would continue to use password-based
authentication.
While the immaturity of
the LAN server's access controls was judged a significant source of
risk, COG was only able to identify one other PC LAN product that
would be significantly better in this respect. Unfortunately, this
product was considerably less friendly to users and application
developers, and incompatible with other applications used by HGA.
The negative impact of changing PC LAN products was judged too high
for the potential incremental gain in security benefits.
Consequently, HGA decided to accept the risks accompanying use of
the current product, but directed COG to improve its monitoring of
the server's access control configuration and its responsiveness to
vendor security reports and bug fixes.
HGA concurred that
risks of fraud due to unauthorized modification of time and
attendance data at or in transit to the mainframe should not be
accepted unless no practical solutions could be identified. After
discussions with the mainframe's owning agency, HGA concluded that
the owning agency was unlikely to adopt the advanced authentication
techniques advocated in the risk assessment. COG, however, proposed
an alternative approach that did not require a major resource
commitment on the part of the mainframe owner.
The alternative
approach would employ digital signatures based on public key
cryptographic techniques to detect unauthorized modification of time
and attendance data. The data would be digitally signed by
the supervisor using a private key prior to transmission to the
mainframe. When the payroll application program was run on the
mainframe, it would use the corresponding public key to validate the
correspondence between the time and attendance data and the
signature. Any modification of the data during transmission over the
WAN or while in temporary storage at the mainframe would result in a
mismatch between the signature and the data. If the payroll
application detected a mismatch, it would reject the data; HGA
personnel would then be notified and asked to review, sign, and send
the data again. If the data and signature matched, the payroll
application would process the time and attendance data normally.
HGA's decision to use
advanced authentication for time and attendance Clerks and
Supervisors can be combined with digital signatures by using smart
tokens. Smart tokens are programmable devices, so they can be loaded
with private keys and instructions for computing digital signatures
without burdening the user. When supervisors approve a batch of time
and attendance data, the time and attendance application on the
server would instruct the supervisor to insert their token in the
token reader/writer device attached to the supervisors' PC. The
application would then send a special "hash" (summary) of the time
and attendance data to the token via the PC. The token would
generate a digital signature using its embedded secret key, and then
transfer the signature back to the server, again via the PC. The
time and attendance application running on the server would append
the signature to the data before sending the data to the mainframe
and, ultimately, the payroll application.
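The two paragraphs above describe one flow: the server hashes the approved batch, the supervisor's token signs the hash with a private key that never leaves the token, the server appends the signature, and the payroll application on the mainframe checks the signature against a registered public key and rejects anything that does not match. The Go program below is an added illustration of that flow, not code from the NIST handbook or from HGA; it uses Ed25519 over a SHA-256 digest, and the record layout, the supervisor id "sup-17", the registry map and the Tamper helper are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// TimeSheet is one time and attendance record. The field names and all
// sample values in this file are constructed for the example.
type TimeSheet struct {
	Employee string  `json:"employee"`
	Period   string  `json:"period"`
	Hours    float64 `json:"hours"`
}

// Batch is the unit a supervisor approves and signs.
type Batch struct {
	Supervisor string      `json:"supervisor"`
	Sheets     []TimeSheet `json:"sheets"`
}

// SignedBatch is what the server forwards to the mainframe: the data plus
// the supervisor's signature over its digest.
type SignedBatch struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Token models the supervisor's smart token: it holds the private key and
// exposes only a sign-this-digest operation, so the key never reaches the PC.
type Token struct{ priv ed25519.PrivateKey }

// NewToken generates a key pair; the public half is what the payroll
// application registers for this supervisor.
func NewToken() (Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Token{}, nil, err
	}
	return Token{priv: priv}, pub, nil
}

// SignDigest receives the hash from the PC and returns the signature.
func (t Token) SignDigest(digest []byte) []byte {
	return ed25519.Sign(t.priv, digest)
}

// ServerSign is the time and attendance application on the LAN server: it
// serializes the batch, hashes it, hands the hash to the token, and appends
// the returned signature to the data. json.Marshal of a struct emits fields
// in declaration order, so signer and verifier hash identical bytes.
func ServerSign(b Batch, tok Token) (SignedBatch, error) {
	payload, err := json.Marshal(b)
	if err != nil {
		return SignedBatch{}, err
	}
	digest := sha256.Sum256(payload)
	return SignedBatch{Payload: payload, Signature: tok.SignDigest(digest[:])}, nil
}

// PayrollVerify is the check the payroll application runs on the mainframe.
// registry maps supervisor ids to registered public keys. A batch whose
// signature does not match its data, or whose supervisor has no registered
// key, is rejected instead of processed.
func PayrollVerify(sb SignedBatch, registry map[string]ed25519.PublicKey) (Batch, error) {
	var b Batch
	if err := json.Unmarshal(sb.Payload, &b); err != nil {
		return Batch{}, fmt.Errorf("rejected: malformed payload: %w", err)
	}
	pub, ok := registry[b.Supervisor]
	if !ok {
		return Batch{}, errors.New("rejected: no registered key for " + b.Supervisor)
	}
	digest := sha256.Sum256(sb.Payload)
	if !ed25519.Verify(pub, digest[:], sb.Signature) {
		return Batch{}, errors.New("rejected: signature does not match data; re-sign and resend")
	}
	return b, nil
}

// SampleBatch returns a constructed batch of two time sheets.
func SampleBatch() Batch {
	return Batch{Supervisor: "sup-17", Sheets: []TimeSheet{
		{Employee: "emp-0042", Period: "2024-W10", Hours: 40},
		{Employee: "emp-0043", Period: "2024-W10", Hours: 32},
	}}
}

// Tamper simulates modification in transit or in temporary storage: the
// hours change but the original signature stays attached.
func Tamper(sb SignedBatch, hours float64) (SignedBatch, error) {
	var b Batch
	if err := json.Unmarshal(sb.Payload, &b); err != nil {
		return SignedBatch{}, err
	}
	b.Sheets[0].Hours = hours
	payload, err := json.Marshal(b)
	if err != nil {
		return SignedBatch{}, err
	}
	return SignedBatch{Payload: payload, Signature: sb.Signature}, nil
}

func main() {
	tok, pub, err := NewToken()
	if err != nil {
		panic(err)
	}
	registry := map[string]ed25519.PublicKey{"sup-17": pub}
	sb, _ := ServerSign(SampleBatch(), tok)
	_, err = PayrollVerify(sb, registry)
	fmt.Println("clean batch:", err) // <nil>: processed normally
	forged, _ := Tamper(sb, 80)
	_, err = PayrollVerify(forged, registry)
	fmt.Println("tampered batch:", err) // signature mismatch
	rogue, _, _ := NewToken() // a WAN host without a supervisor's token
	bogus, _ := ServerSign(Batch{Supervisor: "sup-99"}, rogue)
	_, err = PayrollVerify(bogus, registry)
	fmt.Println("bogus batch:", err) // no registered key
}
```

The registry lookup is the key-management piece the handbook warns about: the mainframe must hold an authentic copy of each supervisor's public key, and revoking a lost token means removing its entry, otherwise a signature from that token still verifies.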
Although this approach
did not address the broader problems posed by the mainframe's I&A
vulnerabilities, it does provide a reliable means of detecting time
and attendance data tampering. In addition, it protects against
bogus time and attendance submissions from systems connected to the
WAN because individuals who lack a time and attendance supervisor's
smart token will be unable to generate valid signatures. (Note,
however, that the use of digital signatures does require increased
administration, particularly in the area of key management.) In
summary, digital signatures mitigate risks from a number of
different kinds of threats.
HGA's management
concluded that digitally signing time and attendance data was a
practical, cost-effective way of mitigating risks, and directed COG
to pursue its implementation. (They also noted that it would be
useful as the agency moved to use of digital signatures in other
applications.) This is an example of developing and providing a
solution in an environment over which no single entity has overall
authority.
20.6.2 Mitigating Payroll Error Vulnerabilities
After reviewing the
risk assessment, HGA's management concluded that the agency's
current safeguards against payroll errors and against accidental
corruption and loss of time and attendance data were adequate.
However, the managers also concurred with the risk assessment's
conclusions about the necessity for establishing incentives for
complying (and penalties for not complying) with these safeguards.
They thus tasked the Director of Personnel to ensure greater
compliance with paperwork-handling procedures and to provide
quarterly compliance audit reports. They noted that the digital
signature mechanism HGA plans to use for fraud protection can also
provide protection against payroll errors due to accidental
corruption.