MISCELLANEOUS CYBERSECURITY NEWS:
NIST: No Silver Bullet Against Adversarial Machine Learning Attacks
- Adversarial machine learning, or AML, involves extracting
information about the characteristics and behavior of a machine
learning system, and manipulating inputs in order to obtain a
desired outcome.
https://www.securityweek.com/nist-no-silver-bullet-against-adversarial-machine-learning-attacks/
Top 5 compliance deadlines for cybersecurity pros in 2024 - The year
ahead holds a myriad of compliance certainties for cybersecurity
professionals, ranging from state-level rules around breach
notifications to others tied to privacy and to zero trust deadlines
for federal agencies.
https://www.scmagazine.com/news/5-cybersecurity-compliance-deadlines-in-2024
LastPass to enforce a 12-character requirement for master passwords
- Responding to the heightened threat landscape and a series of
security incidents that targeted its password manager products,
LastPass said it will now enforce a 12-character master password
requirement.
https://www.scmagazine.com/news/lastpass-to-enforce-a-12-character-requirement-for-master-passwords
Vulnerability management remains a moving target - Here, we focus on
vulnerability management and what happens when you don’t patch flaws
quickly – and why it’s often very hard to do so.
https://www.scmagazine.com/resource/vulnerability-management-remains-a-moving-target
GAO - OMB Should Improve Information Security Performance Metrics -
https://www.gao.gov/products/gao-24-106291
The new SEC disclosure rule: what security leaders need to do next -
A significant shift in how companies must comply with cybersecurity
reporting and disclosure requirements means security leaders will
begin 2024 reviewing the most efficient ways their organizations can
comply with December 18th’s ruling.
https://www.scmagazine.com/perspective/the-new-sec-disclosure-rule-what-security-leaders-need-to-do-next
What’s new for ransomware in 2024? - Security pros think a lot about
ransomware: how to avoid it, what data they manage that might be at
risk and what’s the next slimy tactic they will need to contend
with.
https://www.scmagazine.com/news/ransomware-continues-to-be-a-threat-but-is-headed-for-a-makeover-in-2024-security-pros-say
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Infostealer malware, weak password leaves Orange Spain RIPE for
plucking - A weak password exposed by infostealer malware is being
blamed after a massive outage at Orange Spain disrupted around half
of its network's traffic.
https://www.theregister.com/2024/01/04/orange_spain_outage_breach/
State AG Hits Hospital With $300K Fine for Web Tracker Use - State
regulators have fined a large New York academic medical center
$300,000 to settle privacy violations related to the organization's
prior use of tracking tools in its websites and patient portal.
https://www.govinfosecurity.com/state-ag-hits-hospital-300k-fine-for-web-tracker-use-a-24013
Data breach at healthcare tech firm impacts 4.5 million patients -
HealthEC LLC, a provider of health management solutions, suffered a
data breach that impacts close to 4.5 million individuals who
received care through one of the company's customers.
https://www.bleepingcomputer.com/news/security/data-breach-at-healthcare-tech-firm-impacts-45-million-patients/
Court hearings become ransomware concern after justice system breach
- The court system of Victoria, Australia, was subject to a
suspected ransomware attack in which audiovisual recordings of court
hearings may have been accessed.
https://www.theregister.com/2024/01/02/victoria_court_system_breach/
Estes Express Lines Says Personal Data Stolen in Ransomware Attack -
The incident was identified on October 1, 2023, and the
investigation into the matter determined that the attackers gained
access to the company’s network on September 26, 2023.
https://www.securityweek.com/estes-express-lines-says-personal-data-stolen-in-ransomware-attack/
Over 900k Impacted by Data Breach at Defunct Boston Ambulance
Service - The incident, Transformative says in a notification letter
to the affected individuals, a copy of which was submitted to the
Maine Attorney General’s Office, was detected on April 23, 2023,
roughly four months after the Boston-based Fallon Ambulance Service
ceased operations.
https://www.securityweek.com/over-900k-impacted-by-data-breach-at-defunct-boston-ambulance-service/
LoanDepot discloses cyberattack shut down systems in SEC filing - In
an 8-K filing with the Securities and Exchange Commission (SEC),
major mortgage lender loanDepot reported that it was the victim of a
cyberattack that forced it to shut down some of its systems Monday.
https://www.scmagazine.com/news/loandepot-discloses-cyberattack-shut-down-systems-in-sec-filing
23andMe says users’ bad password hygiene to blame for leak affecting
6.9M - 23andMe blamed the poor password practices of some of its
users for the data leak that affected nearly 7 million of its users
in October.
https://www.scmagazine.com/news/23andme-says-users-bad-password-hygiene-to-blame-for-leak-affecting-6-9m
British Library: Finances remain healthy as ransomware recovery
continues - The British Library is denying reports suggesting the
recovery costs for its 2023 ransomware attack may reach highs of
nearly $9 million as work to restore services remains ongoing.
https://www.theregister.com/2024/01/08/british_library_finances_remain_healthy/
US mortgage lender loanDepot confirms ransomware attack - Leading
U.S. mortgage lender loanDepot confirmed today that a cyber incident
disclosed over the weekend was a ransomware attack that led to data
encryption.
https://www.bleepingcomputer.com/news/security/us-mortgage-lender-loandepot-confirms-ransomware-attack/
Law Firm Orrick Reveals Extensive Data Breach, Over Half a Million
Affected - Orrick, Herrington & Sutcliffe, a law firm that
specializes in cyberattacks, last week disclosed that more than
600,000 individuals were impacted by a data breach that happened in
early 2023.
https://www.securityweek.com/law-firm-orrick-reveals-extensive-data-breach-over-half-a-million-affected/
Online museum collections down after cyberattack on service provider
- Museum software solutions provider Gallery Systems has disclosed
that its ongoing IT outages were caused by a ransomware attack last
week.
https://www.bleepingcomputer.com/news/security/online-museum-collections-down-after-cyberattack-on-service-provider/
ProxyShell-targeting Babuk Tortilla ransomware decrypted after
hacker’s arrest - The decryption key for
the Babuk ransomware variant that targeted the ProxyShell
vulnerabilities in Microsoft Exchange is publicly available
following its creator’s arrest.
https://www.scmagazine.com/news/proxyshell-targeting-babuk-tortilla-ransomware-decrypted-after-hackers-arrest
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this
Report fall into three broad, and often overlapping, categories of
issues. However, these principles are not weighted by order of
preference or importance. If only because such weighting might
change over time, it is preferable to remain neutral and avoid such
prioritization.
A. Board and Management Oversight (Principles 1 to 3):
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process
for outsourcing relationships and other third-party dependencies.
B. Security Controls (Principles 4 to 10):
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking
transactions.
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems,
databases and applications.
8. Data integrity of e-banking transactions, records, and
information.
9. Establishment of clear audit trails for e-banking
transactions.
10. Confidentiality of key bank information.
C. Legal and Reputational Risk Management (Principles 11 to 14):
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to
ensure availability of e-banking systems and services.
14. Incident response planning.
Each of the above principles will be covered over the next few
weeks, as they relate to e-banking and the underlying risk
management principles that banks should consider to address these
issues.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (2 of 2)
4) Accountable Activities - The responsibility for performing
risk assessments should reside primarily with members of management
in the best position to determine the scope of the assessment, and
the effectiveness of risk reduction techniques. For a mid-sized or
large institution, that organization will likely be the business
unit. The information security officer(s) are responsible for
overseeing the performance of each risk assessment and the
integration of the risk assessments into a cohesive whole. Senior
management is accountable for abiding by the board of directors'
guidance for risk acceptance and mitigation decisions.
5) Documentation - Documentation of the risk assessment process
and procedures assists in ensuring consistency and completeness, as
well as accountability. Documentation of the analysis and results
provides a useful starting point for subsequent assessments,
potentially reducing the effort required in those assessments.
Documentation of risks accepted and risk mitigation decisions is
fundamental to achieving accountability for risk decisions.
6) Enhanced Knowledge - Risk assessment increases management's
knowledge of the institution's mechanisms for storing, processing,
and communicating information, as well as the importance of those
mechanisms to the achievement of the institution's objectives.
Increased knowledge allows management to respond more rapidly to
changes in the environment. Those changes can range from new
technologies and threats to regulatory requirements.
7) Regular Updates - Risk assessments should be updated as new
information affecting information security risks is identified
(e.g., a new threat, vulnerability, adverse test result, hardware
change, software change or configuration change). At least once a
year, senior management should review the entire risk assessment to
ensure relevant information is appropriately considered.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
Like other aspects of information processing systems, security is most
effective and efficient if planned and managed throughout a computer
system's life cycle, from initial planning, through design,
implementation, and operation, to disposal. Many security-relevant
events and analyses occur during a system's life. This chapter
explains the relationship among them and how they fit together. It
also discusses the important role of security planning in helping to
ensure that security issues are addressed comprehensively.
This chapter examines:
1) system security plans,
2) the components of the computer system life cycle,
3) the benefits of integrating security into the computer system
life cycle, and
4) techniques for addressing security in the life cycle.
8.1 Computer Security Act Issues for Federal Systems
Planning is used to help ensure that security is addressed in a
comprehensive manner throughout a system's life cycle. For federal
systems, the Computer Security Act of 1987 set forth a statutory
requirement for the preparation of computer security plans for all
sensitive systems. The intent and spirit of the Act is to improve
computer security in the federal government, not to create
paperwork. In keeping with this intent, the Office of Management and
Budget (OMB) and NIST have guided agencies toward a planning process
that emphasizes good planning and management of computer security
within an agency and for each computer system. As emphasized in this
chapter, computer security management should be a part of computer
systems management. The benefit of having a distinct computer
security plan is to ensure that computer security is not overlooked.
The Act required the submission of plans to NIST and the National
Security Agency (NSA) for review and comment, a process which has
been completed. Current guidance on implementing the Act requires
agencies to obtain independent review of computer security plans.
This review may be internal or external, as deemed appropriate by
the agency.
A "typical" plan briefly describes the important security
considerations for the system and provides references to more
detailed documents, such as system security plans, contingency
plans, training programs, accreditation statements, incident
handling plans, or audit results. This enables the plan to be used
as a management tool without requiring repetition of existing
documents. For smaller systems, the plan may include all security
documentation. As with other security documents, if a plan addresses
specific vulnerabilities or other information that could compromise
the system, it should be kept private. It also has to be kept
up-to-date.
"The purpose of the system security plan is to provide a basic
overview of the security and privacy requirements of the subject
system and the agency's plan for meeting those requirements. The
system security plan may also be viewed as documentation of the
structured process of planning adequate, cost-effective security
protection for a system." - OMB Bulletin 90-08