MISCELLANEOUS CYBERSECURITY NEWS:
How a CISO collaboration of healthcare’s ‘haves’ plans to address
third-party vendor challenges - The last year has seen a broader
audience understand the disparities between the ‘haves’ and
‘have-nots’ in healthcare, in part spurred by the growing chasm
between the two groups.
https://www.scmagazine.com/feature/third-party-risk/how-a-ciso-collaboration-of-healthcares-haves-plans-to-address-third-party-vendor-challenges
A third of companies don’t offer cybersecurity training to remote
workers - A Thursday report said that 33% of companies are not
offering any cybersecurity awareness training to users who work remotely.
https://www.scmagazine.com/news/security-awareness/a-third-of-companies-dont-offer-cybersecurity-training-to-remote-workers
There’s no such thing as ‘100% security’ - CIOs and CISOs will
inevitably have to accurately answer the holy grail question from
the C-suite: Are we 100% secure?
https://www.scmagazine.com/perspective/strategy/theres-no-such-thing-as-100-security
Cisco Warns of Critical Vulnerability in EoL Small Business Routers
- Cisco this week announced that no patches will be released for a
critical-severity vulnerability impacting small business RV016,
RV042, RV042G, and RV082 routers, which have reached end of life (EoL).
https://www.securityweek.com/cisco-warns-critical-vulnerability-eol-small-business-routers
Hackers to Get a Crack at Systems Running the Pentagon in New Bug
Bounty - The Defense Department is planning the third iteration of
its Hack the Pentagon program with a focus on identifying
vulnerabilities in the operational technologies that keep the iconic
building and grounds running.
https://www.nextgov.com/cybersecurity/2023/01/hackers-get-crack-systems-running-pentagon-new-bug-bounty/381806/
Ransomware attacks persist in healthcare as impacts on patient
safety rise - Patient safety has become the driving force behind
ongoing healthcare cybersecurity risk framing and as a risk metric
for evaluating connected vendors.
https://www.scmagazine.com/analysis/ransomware/ransomware-attacks-persist-in-healthcare-as-impacts-on-patient-safety-rise
GAO - Cybersecurity High-Risk Series: Challenges in Establishing a
Comprehensive Cybersecurity Strategy and Performing Effective
Oversight.
https://www.gao.gov/products/gao-23-106415
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
CircleCI working with AWS to identify, rotate tokens possibly
impacted by breach - AWS tokens may have been impacted by a Jan. 4
security breach, according to an update provided by the development
platform Thursday.
https://www.scmagazine.com/analysis/cloud-security/circleci-working-with-aws-to-identify-rotate-tokens-impacted-by-the-breach
Fortinet: Govt networks targeted with now-patched SSL-VPN zero-day -
Fortinet says unknown attackers exploited a FortiOS SSL-VPN zero-day
vulnerability patched last month in attacks against government
organizations and government-related targets.
https://www.bleepingcomputer.com/news/security/fortinet-govt-networks-targeted-with-now-patched-ssl-vpn-zero-day/
Royal Mail, cops probe 'cyber incident' that's knackered
international mail - Royal Mail confirmed a "cyber incident" has
disrupted its ability to send letters and packages abroad, and also
caused some delays on post coming into the UK.
https://www.theregister.com/2023/01/11/royal_mail_uk_cyber_incident/
Cyberattack Cancels Classes for Des Moines Public Schools - The
largest public school system in Iowa is slated to resume classes on
Thursday, Jan. 12, following the detection of abnormal network
activity that prompted the district to pull its systems offline.
https://www.darkreading.com/attacks-breaches/cyberattack-cancels-classes-for-des-moines-public-schools
CircleCI Hacked via Malware on Employee Laptop - Software
development service CircleCI has revealed that a recently disclosed
data breach was the result of information stealer malware being
deployed on an engineer’s laptop.
https://www.securityweek.com/circleci-hacked-malware-employee-laptop
NortonLifeLock warns that hackers breached Password Manager accounts
- Gen Digital, formerly Symantec Corporation and NortonLifeLock, is
sending data breach notifications to customers, informing them that
hackers have successfully breached Norton Password Manager accounts
in credential-stuffing attacks.
https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/
Ransomware Attack Affects 1,000 Vessels Worldwide - A ransomware
attack shut down servers hosting software used to manage the crewing
and maintenance schedules of about 1,000 vessels across the globe.
https://www.govinfosecurity.com/ransomware-attack-affects-1000-vessels-worldwide-a-20939
Third-party administrator hack leads to theft of patient data for
over 251K - Austin, Texas-based Bay Bridge Administrators, a
third-party administrator of insurance products, recently began
notifying more than 251,000 patients that their data was stolen
after a network hack in September 2022.
https://www.scmagazine.com/analysis/breach/third-party-administrator-hack-leads-to-theft-of-patient-data-for-over-251k
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on
"Weblinking: Identifying Risks and Risk Management Techniques."
(Part 8 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous
webpage disclosures to explain their limited role and responsibility
with respect to products and services offered through linked
third-party websites. The level of detail of the disclosure and its
prominence should be appropriate to the harm that may ensue from
customer confusion inherent in a particular link. The institution
might post a disclosure stating it does not provide, and is not
responsible for, the product, service, or overall website content
available at a third-party site. It might also advise the customer
that its privacy policies do not apply to linked websites and that a
viewer should consult the privacy disclosures on that site for
further information. The conspicuous display of the disclosure,
including its placement on the appropriate webpage, by effective use
of size, color, and graphic treatment, will help ensure that the
information is noticeable to customers. For example, if a financial
institution places an otherwise conspicuous disclosure at the bottom
of its webpage (requiring a customer to scroll down to read it),
prominent visual cues that emphasize the information's importance
should point the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use "pop-ups," or
intermediate webpages called "speedbumps," to notify customers they
are leaving the institution's website. For the reasons described
below, financial institutions should use speedbumps rather than
pop-ups if they choose to use this type of technology to deliver
their online disclaimers.
A "pop-up" is a screen generated by mobile code, for example
Java or ActiveX, when the customer clicks on a particular
hyperlink. Mobile code is used to send small programs to the user's
browser. Frequently, those programs cause unsolicited messages to
appear automatically on a user's screen. At times, the programs may
be malicious, enabling harmful viruses or allowing unauthorized
access to a user's personal information. Consequently, customers may
reconfigure their browsers or install software to block disclosures
delivered via mobile codes.
In contrast, an intermediate webpage, or "speedbump," alerts the
customer to the transition to the third-party website. Like a
pop-up, a speedbump is activated when the customer clicks on a
particular weblink. However, use of a speedbump avoids the problems
of pop-up technology, because the speedbump is not generated
externally using mobile code, but is created within the
institution's operating system, and cannot be disabled by the
customer.
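The statement's point is that a speedbump is rendered by the institution's own server as an ordinary intermediate page, so it works even when the customer blocks pop-ups or scripts. The following is an added example of such a handler, not code from the FFIEC statement or this newsletter. It assumes a constructed registry of approved partner links (PARTNER_LINKS, with example.net/example.org placeholders) and a hypothetical institution name; destinations are looked up by id rather than taken from the request, so the interstitial cannot be abused as an open redirect that lends the institution's domain to an arbitrary site.

```python
"""Server-side "speedbump" interstitial for outbound weblinks.

Added example, not part of the FFIEC statement or the newsletter.
Assumptions (constructed for illustration): the institution registers
its linked third-party sites in PARTNER_LINKS; the handler receives the
clicked link's id and renders the disclosure page itself, so no mobile
code runs in the customer's browser and the notice cannot be blocked
client-side.
"""
from html import escape
from urllib.parse import urlsplit

# Constructed registry of approved third-party links (hypothetical values).
PARTNER_LINKS = {
    "insurance-partner": "https://insurance.example.net/quotes",
    "tax-tools": "https://taxtools.example.org/",
}

# Disclosure wording follows the elements the statement lists: limited
# role, no responsibility for the third-party content, privacy policy
# does not apply.
DISCLOSURE = (
    "You are leaving Example Bank's website. Example Bank does not "
    "provide, and is not responsible for, the products, services, or "
    "content of the linked third-party site. Example Bank's privacy "
    "policy does not apply there; consult that site's privacy disclosures."
)


def resolve_link(link_id: str) -> str:
    """Map a link id to its registered destination.

    Looking the destination up by id, rather than accepting a URL from
    the request, keeps the interstitial from becoming an open redirect.
    The registered value is also checked to be an https URL with a host.
    """
    try:
        target = PARTNER_LINKS[link_id]
    except KeyError:
        raise ValueError(f"unknown link id: {link_id!r}") from None
    parts = urlsplit(target)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"registered link is not an https URL: {target!r}")
    return target


def render_speedbump(link_id: str) -> str:
    """Return the HTML for the intermediate page shown before the redirect.

    Plain HTML with the disclosure placed above the continue link, so it
    is visible without scrolling and does not depend on pop-ups or on
    client-side code the customer could disable.
    """
    target = resolve_link(link_id)
    host = escape(urlsplit(target).netloc)
    return (
        "<!doctype html>\n"
        "<html><head><title>Leaving Example Bank</title></head>\n"
        "<body>\n"
        "<h1>You are leaving Example Bank</h1>\n"
        f"<p>{escape(DISCLOSURE)}</p>\n"
        f"<p>Destination: <strong>{host}</strong></p>\n"
        f'<p><a href="{escape(target, quote=True)}" rel="noopener noreferrer">'
        "Continue to the third-party site</a> | "
        '<a href="/">Return to Example Bank</a></p>\n'
        "</body></html>\n"
    )


if __name__ == "__main__":
    print(render_speedbump("insurance-partner"))
```

Wiring `render_speedbump` behind a route such as `/leaving?link=insurance-partner` gives every registered outbound link the same disclosure page; an unregistered id or a non-https registration raises rather than redirecting.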
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY TESTING - INDEPENDENT DIAGNOSTIC TESTS
(FYI - This is the type of independent diagnostic testing that we
perform. Please refer to http://www.internetbankingaudits.com/ for
information.)
Penetration tests, audits, and assessments can use the
same set of tools in their methodologies. The nature of the
tests, however, is decidedly different. Additionally, the
definitions of penetration test and assessment, in particular, are
not universally held and have changed over time.
Penetration Tests. A penetration test subjects a system to
the real-world attacks selected and conducted by the testing
personnel. The benefit of a penetration test is to identify the
extent to which a system can be compromised before the attack is
identified and assess the response mechanism's effectiveness.
Penetration tests generally are not a comprehensive test of the
system's security and should be combined with other independent
diagnostic tests to validate the effectiveness of the security
process.
Audits. Auditing compares current practices against a set
of standards. Industry groups or institution management may create
those standards. Institution management is responsible for
demonstrating that the standards they adopt are appropriate for
their institution.
Assessments. An assessment is a study to locate security
vulnerabilities and identify corrective actions. An assessment
differs from an audit by not having a set of standards to test
against. It differs from a penetration test by providing the tester
with full access to the systems being tested. Assessments may be
focused on the security process or the information system. They may
also focus on different aspects of the information system, such as
one or more hosts or networks.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.6.5 Mitigating Network-Related Threats
The assessment recommended that HGA:
- require stronger I&A for dial-in access or, alternatively, that a
  restricted version of the mail utility be provided for dial-in,
  which would prevent a user from including files in outgoing mail
  messages;
- replace its current modem pool with encrypting modems, and provide
  each dial-in user with such a modem; and
- work with the mainframe agency to install a similar encryption
  capability for server-to-mainframe communications over the WAN.
As with previous risk
assessment recommendations, HGA's management tasked COG to analyze
the costs, benefits, and impacts of addressing the vulnerabilities
identified in the risk assessment. HGA eventually adopted some of
the risk assessment's recommendations, while declining others. In
addition, HGA decided that its policy on handling time and
attendance information needed to be clarified, strengthened, and
elaborated, with the belief that implementing such a policy would
help reduce risks of Internet and dial-in eavesdropping. Thus, HGA
developed and issued a revised policy, stating that users are
individually responsible for ensuring that they do not transmit
disclosure-sensitive information outside of HGA's facilities via
e-mail.