MISCELLANEOUS CYBERSECURITY NEWS:
Ohio court: Non-physical software damage in ransomware attack not
covered under insurance - The Supreme Court of Ohio ruled that a
business's losses from a ransomware attack were not covered by its
insurance policy because the attack caused no direct physical harm:
the encrypted software is intangible, and the policy covered only
direct physical loss or damage to tangible property.
https://www.scmagazine.com/analysis/ransomware/ohio-court-non-physical-software-damage-in-ransomware-attack-not-covered-under-insurance
https://www.bankinfosecurity.com/ohio-supreme-court-says-ransomware-physical-damage-a-20808
2023 workforce predictions: Lack of talent will haunt firms as
leadership comes under scrutiny - It’s hard out there for a
cybersecurity recruiter - at least that’s what many of the
predictions submitted this year by IT professionals are saying.
https://www.scmagazine.com/feature/careers/2023-workforce-predictions-lack-of-talent-will-haunt-firms-as-leadership-comes-under-scrutiny
2023 tech predictions: AI and machine learning will come into their
own for security - The upcoming year seems to be the time security
and technology professionals think artificial intelligence and
machine learning will have mass application for security and
detection.
https://www.scmagazine.com/feature/emerging-technology/2023-tech-predictions-ai-and-machine-learning-wicome-into-their-own-for-security
Why organizations tend to fall short on secure data management -
Security teams have had challenges on where to start with data
management for several years.
https://www.scmagazine.com/perspective/data-security/why-organizations-tend-to-fall-short-on-secure-data-management
Scripps Health, Avalon Healthcare reach settlements after data
breaches - States have ramped up enforcement efforts against
entities affected by ransomware and other data privacy breaches,
particularly those in healthcare, over the last year.
https://www.scmagazine.com/analysis/ransomware/scripps-health-avalon-healthcare-reach-settlements-after-data-breaches
Healthcare disruptions rise due to ransomware attacks, though
reporting gaps limit insights - Ransomware attacks on healthcare
delivery organizations doubled between 2016 and 2021, from 43
reported attacks to 91.
https://www.scmagazine.com/analysis/ransomware/healthcare-disruptions-rise-due-to-ransomware-attacks-though-reporting-gaps-limit-insights
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Security pros question why breached Louisiana hospital system took
two months to notify patients - A breach at the Lake Charles
Memorial Health System in Louisiana has some security researchers
wondering why it took almost two months to notify affected patients.
https://www.scmagazine.com/news/breach/security-pros-question-why-breached-louisiana-hospital-system-took-two-months-to-notify-patients
Yes, It’s Time to Ditch LastPass - The password manager’s most
recent data breach is so concerning that users need to take immediate
steps to protect themselves. You've heard it again and again: you
need to use a password manager to generate strong, unique passwords
and keep track of them for you.
https://www.wired.com/story/lastpass-breach-vaults-password-managers/
Thousands of Citrix servers vulnerable to patched critical flaws -
Thousands of Citrix ADC and Gateway deployments remain vulnerable to
two critical-severity security issues that the vendor fixed in
recent months.
https://www.bleepingcomputer.com/news/security/thousands-of-citrix-servers-vulnerable-to-patched-critical-flaws/
Children's Hospital Expects Weekslong Ransomware Recovery - Nearly a
week after a ransomware attack forced a network shutdown at
Toronto's Hospital for Sick Children, patients are still
experiencing delays in treatment and diagnostic procedures.
https://www.govinfosecurity.com/childrens-hospital-expects-weekslong-ransomware-recovery-a-20817
UK's Guardian newspaper breaks news of ransomware attack on itself -
UK broadsheet media outlet The Guardian has become the victim of a
ransomware attack which seems to have taken out a large chunk of
office-based systems.
https://www.theregister.com/2022/12/21/the_guardian_hit_by_ransomware/
Data Breach at Louisiana Healthcare Provider Impacts 270,000
Patients - Southwest Louisiana healthcare provider Lake Charles
Memorial Health System (LCMHS) is informing roughly 270,000 patients
that their personal and medical information was compromised in a
data breach.
https://www.securityweek.com/data-breach-louisiana-healthcare-provider-impacts-270000-patients
Crooks copy source code from Okta’s GitHub repository - Intruders
copied source code belonging to Okta after breaching the identity
management company's GitHub repositories.
https://www.theregister.com/2022/12/23/okta_code_copy_hack/
Ransomware gang apologizes, gives SickKids hospital free decryptor -
The LockBit ransomware gang has released a free decryptor for the
Hospital for Sick Children (SickKids), saying one of its members
violated rules by attacking the healthcare organization.
https://www.bleepingcomputer.com/news/security/ransomware-gang-apologizes-gives-sickkids-hospital-free-decryptor/
Canadian mining firm shuts down mill after ransomware attack - The
Canadian Copper Mountain Mining Corporation (CMMC) in British
Columbia has announced that it was the target of a ransomware attack
that impacted its operations.
https://www.bleepingcomputer.com/news/security/canadian-mining-firm-shuts-down-mill-after-ransomware-attack/
Cyberattack Threatens Release of Port of Lisbon Data - The Port of
Lisbon, one of Europe’s busiest ports, is under cyberattack, with
reporting indicating that the criminals are threatening to release
confidential port financial information unless their ransom demands
are met.
https://maritime-executive.com/article/cyberattack-threatens-release-of-port-of-lisbon-data
Lubbock heart hospital updates patients on July data breach - The
Lubbock Heart & Surgical Hospital has completed its review of its
July 12, 2022 data breach and will be updating patients whose data
has been affected.
https://www.lubbockonline.com/story/news/local/2022/12/31/lubbock-heart-hospital-updates-patients-on-july-data-breach/69767917007/
https://www.jdsupra.com/legalnews/lubbock-heart-surgical-hospital-reports-6782813/
NJ hospital CentraState diverting patients after cyberattack, IT
shutdown - CentraState Medical Center in New Jersey, Hospital for
Sick Children (SickKids), and Queen Elizabeth Hospital (QEH) in
Barbados are facing continued disruptions due to cybersecurity
incidents in the last few weeks.
https://www.scmagazine.com/analysis/ransomware/nj-hospital-centrastate-diverting-patients-after-cyberattack-it-shutdown
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency
statement on "Weblinking: Identifying Risks and Risk Management
Techniques." (Part 6 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
Due Diligence
A financial institution should conduct sufficient due
diligence to determine whether it wishes to be associated with the
quality of products, services, and overall content provided by
third-party sites. A financial institution should consider more
product-focused due diligence if the third parties are providing
financial products, services, or other financial website content. In
this case, customers may be more likely to assume the institution
reviewed and approved such products and services. In addition to
reviewing the linked third-party's financial statements and its
customer service performance levels, a financial institution should
consider a review of the privacy and security policies and
procedures of the third party. Also, the financial institution
should consider the character of the linked party by considering its
past compliance with laws and regulations and whether the linked
advertisements might be viewed as deceptive advertising in violation
of Section 5 of the Federal Trade Commission Act.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Testing Risks to Data Integrity, Confidentiality, and
Availability. Management is responsible for carefully controlling
information security tests to limit the risks to data integrity,
confidentiality, and system availability. Because testing may
uncover nonpublic customer information, appropriate safeguards to
protect the information must be in place. Contracts with third
parties to provide testing services should require that the third
parties implement appropriate measures to meet the objectives of
section 501(b) of the GLBA. Management also is responsible for
ensuring that employee and contract personnel who perform the tests
or have access to the test results have passed appropriate
background checks, and that contract personnel are appropriately
bonded. Because certain tests may pose more risk to system
availability than other tests, management is responsible for
considering whether to require the personnel performing those tests
to maintain logs of their testing actions. Those logs can be helpful
should the systems react in an unexpected manner.
Confidentiality of Test Plans and Data. Since knowledge of test
planning and results may facilitate a security breach, institutions
should carefully limit the distribution of their testing information.
Management is responsible for clearly identifying the individuals
responsible for protecting the data and for providing guidance for
that protection, while making the results available in a usable form
to those who are responsible for following up on the tests.
Management also should consider requiring contractors to sign
nondisclosure agreements and to return to the institution information
they obtained in their testing.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.6.3 Mitigating Vulnerabilities Related to the Continuity of
Operations
The assessment recommended that COG institute a program of periodic internal
training and awareness sessions for COG personnel having contingency
plan responsibilities. The assessment urged that COG undertake a
rehearsal during the next three months in which selected parts of
the plan would be exercised. The rehearsal should include attempting
to initiate some aspect of processing activities at one of the
designated alternative sites. HGA's management agreed that
additional contingency plan training was needed for COG personnel
and committed itself to its first plan rehearsal within three
months.
After a short investigation, HGA divisions owning applications that depend on the
WAN concluded that WAN outages, although inconvenient, would not
have a major impact on HGA. This is because the few time-sensitive
applications that required WAN-based communication with the
mainframe were originally designed to work with magnetic tape
instead of the WAN, and could still operate in that mode; hence
courier-delivered magnetic tapes could be used as an alternative
input medium in case of a WAN outage. The divisions responsible for
contingency planning for these applications agreed to incorporate
into their contingency plans both descriptions of these procedures
and other improvements.
With respect to mainframe outages, HGA determined that it could not easily make
arrangements for a suitable alternative site. HGA also obtained and
examined a copy of the mainframe facility's own contingency plan.
After detailed study, including review by an outside consultant, HGA
concluded that the plan had major deficiencies and posed significant
risks because of HGA's reliance on it for payroll and other
services. This was brought to the attention of the Director of HGA,
who, in a formal memorandum to the head of the mainframe's owning
agency, called for (1) a high-level interagency review of the plan
by all agencies that rely on the mainframe, and (2) corrective
action to remedy any deficiencies found.
HGA's management agreed to improve adherence to its virus-prevention procedures. It agreed
(from the point of view of the entire agency) that information
stored on PC hard disks is frequently lost. It estimated, however,
that the labor hours lost as a result would amount to less than a
person year--which HGA management does not consider to be
unacceptable. After reviewing options for reducing this risk, HGA
concluded that it would be cheaper to accept the associated loss
than to commit significant resources in an attempt to avoid it. COG
volunteered, however, to set up an automated program on the LAN
server that e-mails backup reminders to all PC users once each
quarter. In addition, COG agreed to provide regular backup services
for about 5 percent of HGA's PCs; these will be chosen by HGA's
management based on the information stored on their hard disks.