MISCELLANEOUS CYBERSECURITY NEWS:
Prolific ShinyHunters hacker
jailed, ordered to repay $5 million - A key member of the
ShinyHunters hacking group was sentenced to three years’
imprisonment for his role in the theft and sale of hundreds of
millions of records stolen from more than 60 companies.
https://www.scmagazine.com/news/prolific-shinyhunters-hacker-jailed-ordered-to-repay-5-million
Here’s how to get proactive about complying with the SEC’s
cybersecurity rules - We’re now in 2024, and with it comes a new set
of challenges that today’s security leaders must face.
https://www.scmagazine.com/perspective/heres-how-to-get-proactive-about-complying-with-the-secs-cybersecurity-rules
Researchers Spot Critical Security Flaw in Bosch Thermostats -
Thermostats sold across the globe by German multinational
engineering company Bosch contained a flaw allowing hackers to cut
power to the heating system and override the firmware, warn
researchers from cybersecurity firm Bitdefender.
https://www.govinfosecurity.com/researchers-spot-critical-security-flaw-in-bosch-thermostats-a-24103
A guide to getting the right cyber insurance - While the
cybersecurity risk insurance market has been around for more than 20
years, the rapidly changing nature of attacks and the rise in the
ransomware epidemic has markedly changed the nature of cyber
insurance in recent years.
https://www.scmagazine.com/resource/a-guide-to-getting-the-right-cybersecurity-insurance
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Fidelity National Financial confirms data of 1.3 million customers
exposed in cyberattack - Fidelity National Financial disclosed in an
8-K filing with the Securities and Exchange Commission (SEC) on Dec.
10 that 1.3 million customers had their data exposed in a
cyberattack.
https://www.scmagazine.com/news/fidelity-national-financial-confirms-data-of-13-million-customers-exposed-in-cyberattack
FTC settles unprecedented case against geolocation data broker - The
Federal Trade Commission (FTC) on Tuesday announced its first ever
settlement with a data broker for selling location data, alleging
the company peddled consumers’ precise locations and allowed third
parties to track visits to health care providers, houses of worship
and similarly sensitive destinations.
https://therecord.media/ftc-settles-case-geolocation-data-broker-xmode-outlogic
British Library starts restoring services online after hack - It is
the first significant step in the complete restoration of services
for those using the UK's largest library.
https://www.bbc.com/news/entertainment-arts-67976183
WEB SITE COMPLIANCE - We continue our series on the FFIEC interagency Information Security Booklet.
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
Typical controls to protect against malicious code use
technology, policies and procedures, and training. Prevention and
detection of malicious code typically involves anti-virus and other
detection products at gateways, mail servers, and workstations.
Those products generally scan messages for known signatures of a
variety of malicious code, or potentially dangerous behavioral
characteristics. Differences between products exist in detection
capabilities and the range of malicious code included in their
signatures. Detection products should not be relied upon to detect
all malicious code. Additionally, anti-virus and other products that
rely on signatures generally are ineffective when the malicious code
is encrypted. For example, VPNs, IPSec, and encrypted e-mail will
all shield malicious code from detection.
Signature-based anti-virus products scan for unique components
of certain known malicious code. Since new malicious code is created
daily, the signatures need to be updated continually. Different
vendors of anti-virus products update their signatures on different
frequencies. When an update appears, installing the update on all of
an institution's computers may involve automatically pushing the
update to the computers, or requesting users to manually obtain the
update.
Heuristic anti-virus products generally execute code in a
protected area of the host to analyze and detect any hostile intent.
Heuristic products are meant to defend against previously unknown or
disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail
attachments, as well as any Active-X or Java applets. A more refined
strategy might block based on certain characteristics of known code.
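The two gateway strategies just described (a blanket block on executable attachments, and a more refined block on characteristics of known code), together with the earlier caveat that signature scanning cannot see inside encrypted content, as an added Python example. This is illustration written for this newsletter, not code from the FFIEC booklet: the blocked-extension list, the "known" signatures, the file names and the payloads are all constructed, and a byte-wise XOR stands in for encryption purely to show why a signature no longer matches once the content is transformed.

```python
"""Mail-gateway attachment screening.  Added illustration, not text from the
FFIEC booklet: the extension list, the 'known' signatures, the file names and
the payloads are all constructed for this example."""
import re
from typing import Tuple

# Coarse strategy: never deliver attachments with these extensions (constructed list)
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".js", ".jar", ".vbs"}

# Refined strategy: byte patterns of "known" malicious code (constructed, not real samples)
SIGNATURES = {
    "demo.worm.A": b"DEMO-WORM-PAYLOAD-A",
    "demo.dropper.B": b"\x90\x90DEMO-DROPPER",
}

# Leading bytes that identify executable content whatever the file is called
EXECUTABLE_MAGIC = {
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
}


def extension_of(filename: str) -> str:
    """Lower-cased final extension of filename, or '' if it has none."""
    match = re.search(r"(\.[^./\\]+)$", filename.lower())
    return match.group(1) if match else ""


def screen_attachment(filename: str, content: bytes) -> Tuple[str, str]:
    """Return ('block', reason) or ('allow', reason) for one attachment."""
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension {ext} not permitted"
    # A renamed binary still starts with its magic bytes
    for magic, description in EXECUTABLE_MAGIC.items():
        if content.startswith(magic):
            return "block", f"{description} content despite name {filename!r}"
    # The signature scan only sees plaintext bytes
    for name, pattern in SIGNATURES.items():
        if pattern in content:
            return "block", f"matched signature {name}"
    return "allow", "no policy violation found"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Stand-in for encryption: every byte is transformed, so signatures stop matching."""
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    samples = [
        ("invoice.exe", b"MZ\x90\x00 demo"),
        ("invoice.txt", b"MZ\x90\x00 demo"),                    # executable renamed to .txt
        ("notes.txt", b"hello DEMO-WORM-PAYLOAD-A bye"),        # plaintext signature hit
        ("notes.txt", xor_bytes(b"hello DEMO-WORM-PAYLOAD-A bye", 0x5A)),  # same payload, transformed
        ("report.txt", b"quarterly numbers"),
    ]
    for name, data in samples:
        print(name, screen_attachment(name, data))
```

The fourth sample is the point of the caveat: the same bytes that were blocked in plaintext pass once they have been transformed, which is why the booklet warns that VPNs, IPSec and encrypted e-mail shield malicious code from gateway detection and why scanning has to happen again where the content is decrypted (the mail server or the workstation).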
Protection of servers involves examining input from users and
only accepting that input which is expected. This activity is called
filtering. If filtering is not employed, a Web site visitor, for
instance, could employ an attack that inserts code into a response
form, causing the server to perform certain actions. Those actions
could include changing or deleting data and initiating fund
transfers.
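The filtering described above, as an added Python example that is not part of the FFIEC booklet: a server-side check that accepts a form field only when it has the shape the application expects and rejects everything else, including fields the form never defined. The form (a constructed funds-transfer form with `account`, `amount` and `memo` fields), the rules and the sample submissions are all assumptions made for this illustration.

```python
"""Server-side input filtering for a web form: each field is accepted only
if it has the shape the application expects, and anything else is rejected.
Added illustration, not text from the FFIEC booklet; the form fields, rules
and sample submissions are constructed."""
import re
from decimal import Decimal

# Expected shape of each field of a constructed funds-transfer form.
# Allow-list rules describe what is valid rather than enumerating what is bad.
RULES = {
    "account": re.compile(r"[0-9]{8,12}"),               # digits only
    "amount":  re.compile(r"[0-9]{1,7}(\.[0-9]{2})?"),   # e.g. 250 or 250.00
    "memo":    re.compile(r"[A-Za-z0-9 .,'-]{0,64}"),    # letters, digits, light punctuation
}


class ValidationError(ValueError):
    """Raised with a description of every field that failed filtering."""


def filter_form(submission: dict) -> dict:
    """Return the cleaned, typed fields, or raise ValidationError."""
    problems = []
    cleaned = {}
    for field, rule in RULES.items():
        value = submission.get(field)
        if value is None:
            problems.append(f"{field}: missing")
        elif not isinstance(value, str) or rule.fullmatch(value) is None:
            problems.append(f"{field}: not in the expected form")
        else:
            cleaned[field] = value
    # Fields the form never defined are rejected rather than silently ignored
    unexpected = sorted(set(submission) - set(RULES))
    if unexpected:
        problems.append("unexpected fields: " + ", ".join(unexpected))
    if problems:
        raise ValidationError("; ".join(problems))
    cleaned["amount"] = Decimal(cleaned["amount"])
    return cleaned


def is_accepted(submission: dict) -> bool:
    """True if the submission passes filtering, False otherwise."""
    try:
        filter_form(submission)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    good = {"account": "123456789", "amount": "250.00", "memo": "Rent, March"}
    injected = {"account": "123456789", "amount": "250.00",
                "memo": "' OR 1=1 --"}                     # outside the allowed character set
    scripted = {"account": "123456789", "amount": "250.00",
                "memo": "<script>alert(1)</script>"}
    extra = {**good, "role": "admin"}                      # field the form never offered
    for label, sub in [("good", good), ("injected", injected),
                       ("scripted", scripted), ("extra", extra)]:
        print(label, is_accepted(sub))
```

Filtering of this kind reduces what reaches the application, but it is one layer: the database call that performs the transfer should still use parameterised queries, and anything echoed back to a page should still be output-encoded, so that a gap in the allow-list does not become the code-insertion the paragraph describes.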
Protection from malicious code also involves limiting the
capabilities of the servers and Web applications to only include
functions necessary to support operations. See "Systems Development,
Acquisition, and Maintenance."
Anti-virus tools and code blocking are not comprehensive
solutions. New malicious code could have different signatures, and
bypass other controls. Protection against newly developed malicious
code typically comes in the form of policies, procedures, and user
awareness and training. For example, policies could prohibit the
installation of software by unauthorized employees, and regular
reviews for unauthorized software could take place. System users
could be trained not to open unexpected messages, not to open any
executables, and not to allow or accept file transfers in P2P
communications. Additional protection may come from disconnecting
and isolating networks from each other or from the Internet in the
face of a fast-moving malicious code attack.
An additional detection control involves network and host
intrusion detection devices. Network intrusion detection devices can
be tuned to alert when known malicious code attacks occur. Host
intrusion detection can be tuned to alert when they recognize
abnormal system behavior, the presence of unexpected files, and
changes to other files.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY STRATEGY (1 of 2)
Action Summary - Financial institutions should develop a strategy
that defines control objectives and establishes an implementation
plan. The security strategy should include
1) Cost comparisons of different strategic approaches
appropriate to the institution's environment and complexity,
2) Layered controls that establish multiple control points
between threats and organization assets, and
3) Policies that guide officers and employees in implementing
the security program.
An information security strategy is a plan to mitigate risks
while complying with legal, statutory, contractual, and internally
developed requirements. Typical steps to building a strategy include
the definition of control objectives, the identification and
assessment of approaches to meet the objectives, the selection of
controls, the establishment of benchmarks and metrics, and the
preparation of implementation and testing plans.
The selection of controls is typically grounded in a cost
comparison of different strategic approaches to risk mitigation. The
cost comparison typically contrasts the costs of various approaches
with the perceived gains a financial institution could realize in
terms of increased
confidentiality, availability, or integrity of systems and data.
Those gains could include reduced financial losses, increased
customer confidence, positive audit findings, and regulatory
compliance. Any particular approach should consider: (1) policies,
standards, and procedures; (2) technology and architecture; (3)
resource dedication; (4) training; and (5) testing.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.2 Benefits of Integrating Security in the Computer System Life Cycle
Although a computer security plan can be developed for a system at
any point in the life cycle, the recommended approach is to draw up
the plan at the beginning of the computer system life cycle.
Security, like other aspects of a computer system, is best managed
if planned for throughout the computer system life cycle. It has
been a tenet of the computer community that it costs ten times more
to add a feature in a system after it has been designed than to
include the feature in the system at the initial design phase. The
principal reason for implementing security during a system's
development is that it is more difficult to implement it later (as
is usually reflected in the higher cost of doing so). It also tends
to disrupt ongoing operations.
Security also needs to be incorporated into the later phases of the
computer system life cycle to help ensure that security keeps up
with changes in the system's environment, technology, procedures,
and personnel. It also ensures that security is considered in system
upgrades, including the purchase of new components or the design of
new modules. Adding new security controls to a system after a
security breach, mishap, or audit can lead to haphazard security
that can be more expensive and less effective than security that is
already integrated into the system. It can also significantly
degrade system performance. Of course, it is virtually impossible to
anticipate the whole array of problems that may arise during a
system's lifetime. Therefore, it is generally useful to update the
computer security plan at least at the end of each phase in the life
cycle and after each re-accreditation. For many systems, it may be
useful to update the plan more often.
Life cycle management also helps document security-relevant
decisions, in addition to helping assure management that security is
fully considered in all phases. This documentation benefits system
management officials as well as oversight and independent audit
groups. System management personnel use documentation as a
self-check reminder of why decisions were made so that the impact of
changes in the environment can be more easily assessed. Oversight
and independent audit groups use the documentation in their reviews
to verify that system management has done an adequate job and to
highlight areas where security may have been overlooked. This
includes examining whether the documentation accurately reflects how
the system is actually being operated.
Within the federal government, the Computer Security Act of 1987
and its implementing instructions provide specific requirements for
computer security plans. These plans are a form of documentation
that helps ensure that security is considered not only during system
design and development but also throughout the rest of the life
cycle. Plans can also be used to be sure that requirements of
Appendix III to OMB Circular A-130, as well as other applicable
requirements, have been addressed.
Different people can provide security input throughout the life
cycle of a system, including the accrediting official, data users,
systems users, and system technical staff.