MISCELLANEOUS CYBERSECURITY NEWS:
Security pros say third parties are increasingly the cause of
cybersecurity incidents - Respondents from a recent Third-Party Risk
Survey believe that third parties are increasingly the cause of IT
security incidents - and some say they have been the primary source
of attacks in the past two years.
https://www.scmagazine.com/research-article/third-party-risk/security-pros-say-third-parties-are-increasingly-the-cause-of-cybersecurity-incidents
Buying SASE: Questions to ask vendors before you commit - Choosing
vendors for your secure access service edge, or SASE, solution can
be difficult.
https://www.scmagazine.com/resource/cloud-security/buying-sase-questions-to-ask-vendors-before-you-commit
Four lessons learned from the latest Uber breach - Uber’s recent
data breach, which exposed sensitive employee and customer data to
the BreachForums hacking forum, was the latest in a string of
security incidents to hit the company in the last few years.
https://www.scmagazine.com/perspective/breach/four-lessons-learned-from-the-latest-uber-breach
Fewer ransomware victims are paying up. But there's a catch - Cyber
criminals are finding it harder to make money from ransomware
attacks. But that doesn't mean ransomware is less dangerous.
https://www.zdnet.com/article/fewer-ransomware-victims-are-paying-up-but-theres-a-catch/
Government watchdog: Feds fail to implement vast majority of
cybersecurity recommendations - The Government Accountability Office
says there's an urgent need for an updated national cybersecurity
strategy to hold federal agencies accountable.
https://cyberscoop.com/government-watchdog-cybersecurity-recommendations/
Third-party risks: What organizations face - The English poet John
Donne famously opined that “no man is an island entire of itself."
We could just as easily say the same for today’s businesses
operating in the globalized, information-rich economy.
https://www.scmagazine.com/resource/cloud-security/third-party-risks-what-organizations-face
Threat intelligence: Security pros share key challenges - In today’s
rapidly changing threat landscape, early actionable access to
credible threat intelligence is critical.
https://www.scmagazine.com/resource/threat-intelligence/threat-intelligence-security-pros-share-key-challenges
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Mailchimp says it was hacked - again - Email marketing and
newsletter giant Mailchimp says it was hacked and that dozens of
customers’ data was exposed. It’s the second time the company was
hacked in the past six months. Worse, this breach appears to be
almost identical to a previous incident.
https://techcrunch.com/2023/01/18/mailchimp-hacked/
T-Mobile hacked to steal data of 37 million accounts in API data
breach - T-Mobile disclosed a new data breach after a threat actor
stole the personal information of 37 million current postpaid and
prepaid customer accounts through one of its Application Programming
Interfaces (APIs).
https://www.bleepingcomputer.com/news/security/t-mobile-hacked-to-steal-data-of-37-million-accounts-in-api-data-breach/
Third-party administrator hack leads to theft of patient data for
over 251K - Austin, Texas-based Bay Bridge Administrators, a
third-party administrator of insurance products, recently began
notifying more than 251,000 patients that their data was stolen
after a network hack in September 2022.
https://www.scmagazine.com/analysis/breach/third-party-administrator-hack-leads-to-theft-of-patient-data-for-over-251k
Canada’s largest alcohol retailer infected with card skimming
malware twice since December - On January 12, Canadian alcohol
retail giant LCBO announced that an “unauthorized party embedded
malicious code” onto its website in order to steal information from
customers in the process of checking out. Over five days in January,
they wrote, customers “may have had their information compromised.”
https://therecord.media/canadas-largest-alcohol-retailer-infected-with-card-skimming-malware-twice-since-december/
Royal Mail trials ‘operational workarounds’ following suspected
ransomware attack - Royal Mail, the British postage and courier
company, said on Wednesday evening it was “trialing operational
workarounds” to get services moving again following a suspected
ransomware attack.
https://therecord.media/royal-mail-trials-operational-workarounds-following-suspected-ransomware-attack/
Breach notice confirms One Brooklyn Health cyberattack, outage in
November - One Brooklyn Health issued a breach notice, shining a
light on the reported network outages faced by the New York provider
in November and December.
https://www.scmagazine.com/analysis/breach/breach-notice-confirms-one-brooklyn-health-cyberattack-outage-in-november
FAA Says No Evidence of Cyberattack in NOTAM Outage - Human Error,
Not Hackers, Behind Hourslong System Outage That Grounded Flights -
Blame a contractor and not hackers for the hourslong nationwide
pause on flights last week that grounded thousands of planes, says
the Federal Aviation Administration.
https://www.govinfosecurity.com/faa-says-no-evidence-cyberattack-in-notam-outage-a-20988
Citing cyberattack, COVID-19 impacts, Illinois hospital suspends
operations - St. Margaret’s Health has temporarily suspended
operations at its hospital in Peru, Illinois, as its leadership
could not “find nor financially support” a new provider for its
emergency room department.
https://www.scmagazine.com/analysis/ransomware/citing-cyberattack-covid-19-impacts-illinois-hospital-suspends-operations
Logan Health agrees to $4.3M settlement after 2021 health data
breach - Logan Health Medical Center has reached a $4.3 million
settlement with the 213,543 patients and employees whose personal
and protected health information was likely accessed during a Nov.
22, 2021, cyberattack.
https://www.scmagazine.com/analysis/breach/logan-health-agrees-to-4-3m-settlement-after-2021-health-data-breach
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on
"Weblinking: Identifying Risks and Risk Management Techniques."
(Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to
customer complaints, including those regarding the appropriateness
or quality of content, services, or products provided or the privacy
and security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website content is
dynamic, and third parties may change the presentation or content of
a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
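The periodic link testing and content review described above can be automated as a baseline-and-drift check. The script below is an added example, not part of the FFIEC statement: it records a hash of each linked page as approved at review time, re-probes the links later, and reports links that are unreachable, return a non-200 status, or whose content has changed since approval. All URLs, page bodies and the `simulated_fetch` stand-in for an HTTP GET are constructed so the example runs offline.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed sample: content of each linked third-party page as approved at link review.
APPROVED_CONTENT: Dict[str, bytes] = {
    "https://partner-a.example/privacy": b"<html>Privacy policy v1</html>",
    "https://partner-b.example/products": b"<html>Product list 2023</html>",
    "https://partner-c.example/terms": b"<html>Terms of service</html>",
    "https://partner-d.example/login": b"<html>Login</html>",
}

# Constructed sample: what a later probe of the same links returns, as (HTTP status, body).
# partner-a is unchanged, partner-b changed its content, partner-c now 404s,
# and partner-d is absent (the stand-in fetcher raises for it).
CURRENT_RESPONSES: Dict[str, Tuple[int, bytes]] = {
    "https://partner-a.example/privacy": (200, b"<html>Privacy policy v1</html>"),
    "https://partner-b.example/products": (200, b"<html>Product list 2023 - new crypto offers</html>"),
    "https://partner-c.example/terms": (404, b"Not Found"),
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(approved: Dict[str, bytes]) -> Dict[str, str]:
    """Map each linked URL to the hash of the content approved at review time."""
    return {url: sha256_hex(body) for url, body in approved.items()}

def simulated_fetch(url: str) -> Tuple[int, bytes]:
    """Stand-in for an HTTP GET (hypothetical); raises ConnectionError for unreachable hosts."""
    if url not in CURRENT_RESPONSES:
        raise ConnectionError(f"could not reach {url}")
    return CURRENT_RESPONSES[url]

def check_links(baseline: Dict[str, str],
                fetch: Callable[[str], Tuple[int, bytes]]) -> List[Tuple[str, str, str]]:
    """Return (url, finding, detail) for every link that is unreachable, broken, or drifted."""
    findings: List[Tuple[str, str, str]] = []
    for url, expected in baseline.items():
        try:
            status, body = fetch(url)
        except OSError as exc:  # ConnectionError is a subclass of OSError
            findings.append((url, "unreachable", str(exc)))
            continue
        if status != 200:
            findings.append((url, "broken", f"HTTP {status}"))
            continue
        actual = sha256_hex(body)
        if actual != expected:  # content changed since it was reviewed and approved
            findings.append((url, "content-changed", actual))
    return findings

if __name__ == "__main__":
    for url, finding, detail in check_links(build_baseline(APPROVED_CONTENT), simulated_fetch):
        print(f"{finding:16} {url}  {detail}")
```

A real deployment would replace `simulated_fetch` with an HTTP client and re-approve the baseline hash only after a human has reviewed the changed page.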
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY TESTING - KEY FACTORS
Management is responsible for considering the following key
factors in developing and implementing independent diagnostic tests:
Personnel. Technical testing is frequently only as good as
the personnel performing and supervising the test. Management is
responsible for reviewing the qualifications of the testing
personnel to satisfy themselves that the capabilities of the testing
personnel are adequate to support the test objectives.
Scope. The tests and methods utilized should be sufficient
to validate the effectiveness of the security process in identifying
and appropriately controlling security risks.
Notifications. Management is responsible for considering
whom to inform within the institution about the timing and nature of
the tests. The need for protection of institution systems and the
potential for disruptive false alarms must be balanced against the
need to test personnel reactions to unexpected activities.
Controls Over Testing. Certain testing can adversely
affect data integrity, confidentiality, and availability. Management
is expected to limit those risks by appropriately crafting test
protocols. Examples of issues to address include the specific
systems to be tested, threats to be simulated, testing times, the
extent of security compromise allowed, situations in which testing
will be suspended, and the logging of test activity. Management is
responsible for exercising oversight commensurate with the risk
posed by the testing.
Frequency. The frequency of testing should be determined
by the institution's risk assessment. High-risk systems should be
subject to an independent diagnostic test at least once a
year. Additionally, firewall policies and other policies addressing
access control between the financial institution's network and other
networks should be audited and verified at least quarterly. Factors
that may increase the frequency of testing include the extent of
changes to network configuration, significant changes in potential
attacker profiles and techniques, and the results of other testing.
(FYI - This is exactly the type of independent diagnostic testing
that we perform. Please refer to
http://www.internetbankingaudits.com/ for information.)
Proxy Testing. Independent diagnostic testing of a proxy
system is generally not effective in validating the effectiveness of
a security process. Proxy testing, by its nature, does not test the
operational system's policies and procedures, or its integration
with other systems. It also does not test the reaction of personnel
to unusual events. Proxy testing may be the best choice, however,
when management is unable to test the operational system without
creating excessive risk.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
This is the last Chapter on the National Institute of Standards and
Technology (NIST) Handbook. Next week we start Chapter 1.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.7 Summary
This chapter has illustrated how many of the concepts described in
previous chapters
might be applied in a federal agency. An integrated example
concerning a Hypothetical Government Agency (HGA) has been discussed
and used as the basis for examining a number of these concepts.
HGA's distributed system architecture and its uses were described.
The time and attendance application was considered in some detail.
For context, some national and agency-level policies were
referenced. Detailed
operational policies and procedures for computer systems were
discussed and related to these high-level policies. HGA assets and
threats were identified, and a detailed survey of selected
safeguards, vulnerabilities, and risk mitigation actions were
presented. The safeguards included a wide variety of procedural and
automated techniques, and were used to illustrate issues of
assurance, compliance, security program oversight, and inter-agency
coordination.
As illustrated, effective computer security requires clear direction
from upper
management. Upper management must assign security responsibilities
to organizational elements and individuals and must formulate or
elaborate the security policies that become the foundation for the
organization's security program. These policies must be based on an
understanding of the organization's mission priorities and the
assets and business operations necessary to fulfill them. They must
also be based on a pragmatic assessment of the threats against these
assets and operations. A critical element is assessment of threat
likelihoods. These are most accurate when derived from historical
data, but must also anticipate trends stimulated by emerging
technologies.
A good security program relies on an integrated, cost-effective
collection of physical,
procedural, and automated controls. Cost-effectiveness requires
targeting these controls at the threats that pose the highest risks
while accepting other residual risks. The difficulty of applying
controls properly and in a consistent manner over time has been the
downfall of many security programs. This chapter has provided
numerous examples in which major security vulnerabilities arose from
a lack of assurance or compliance. Hence, periodic compliance
audits, examinations of the effectiveness of controls, and
reassessments of threats are essential to the success of any
organization's security program.