MISCELLANEOUS CYBERSECURITY NEWS:
Will the movement to ban ransom payments gain steam in 2024? -
Policies and regulations around ransomware payments are widely
expected to change in 2024, but how and to what effect remains in
flux.
https://www.cybersecuritydive.com/news/ransom-payment-ban-outlook/705316/
Who pays, and why: A researcher examines the ransomware victim’s
mindset - What makes one ransomware victim more likely to pay up
than another? That’s what one Dutch researcher set out to find,
analyzing national police and incident response data on hundreds of
cases over the last four years.
https://therecord.media/ransomware-victim-mindset-dutch-study-tom-meurs
Number of breach victims dropped 16% in 2023, but now the bad news…
- The good news is that the number of individuals impacted by a
data breach in 2023 dropped 16% compared to the previous year. The
awful news is that the number of data compromises is up 78%, the
largest year-over-year percentage increase ever recorded.
https://www.scmagazine.com/news/breach-victims-dropped-16-in-2023-but-now-the-bad-news
AI developers must now report test results to the government - The
Biden EO on AI used Defense Production Act authorities to compel AI
developers to report AI safety test results to the Department of
Commerce. Such companies must now share this information on the most
powerful AI systems - and must report on large computing clusters
capable of training these systems.
https://www.scmagazine.com/news/4-takeaways-from-biden-administrations-update-to-ai-security-goals
GAO - Agencies Need to Enhance Oversight of Ransomware Practices and
Assess Federal Support - Ransomware - software that makes data and
systems unusable unless a ransom is paid - can severely impact
government operations and critical infrastructure.
https://www.gao.gov/products/gao-24-106221
Artificial Intelligence: GAO's Work to Leverage Technology and
Ensure Responsible Use - Artificial intelligence generally refers to
computer systems that can solve problems and perform tasks that have
traditionally required human intelligence.
https://www.gao.gov/products/gao-24-107237
Microsoft fell victim to OAuth attack it issued warning about -
Microsoft disclosed it was also victimized by cyberespionage
criminals who abused OAuth applications to access protected
corporate accounts.
https://www.scmagazine.com/news/microsoft-fell-victim-to-oauth-attack-it-issued-warning-about
Canadian Man Sentenced to Prison for Ransomware Attacks - A Canadian
involved in numerous ransomware and other types of cyberattacks
against businesses, government entities, and individuals in Canada
was sentenced last week to two years in prison.
https://www.securityweek.com/canadian-man-sentenced-to-prison-for-ransomware-attacks/
In 2024, the cybersecurity industry awaits more regulation - and
enforcement - Private sector companies and critical infrastructure
providers will face unprecedented demands for product security,
intelligence sharing and transparency on data security.
https://www.cybersecuritydive.com/news/cyber-enforcement-regulation/706141/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Over 340,000 Jason’s Deli customers potentially impacted in
credential-stuffing attack - Hackers have an unending appetite to
steal and then slice and dice personally identifiable information (PII).
https://www.scmagazine.com/news/over-340000-jasons-deli-customers-potentially-impacted-in-credential-stuffing-attack
LoanDepot ransomware attack exposes data on almost 17M customers -
The number of individuals impacted makes it the most widespread
compromise of customer data in the spree of attacks targeting the
real estate sector.
https://www.cybersecuritydive.com/news/loandepot-ransomware-exposes-17M-people/705169/
HPE joins the 'our executive email was hacked by Russia' club - HPE
has become the latest tech giant to admit it has been compromised by
Russian operatives.
https://www.theregister.com/2024/01/25/hpe_russia_email_attack/
UK water giant admits attackers broke into system as gang holds it
to ransom - Southern Water confirmed this morning that criminals
broke into its IT systems, making off with a "limited amount of
data."
https://www.theregister.com/2024/01/23/southern_water_confirms_cyberattack/
Nearly 800 GoAnywhere instances are unpatched, exposed to critical
CVE - Although patching lags, the number of hosts with publicly
exposed and vulnerable admin interfaces is limited.
https://www.cybersecuritydive.com/news/goanywhere-unpatched-critical-CVE/705759/
How a mistakenly published password exposed Mercedes-Benz source
code - Mercedes-Benz accidentally exposed a trove of internal data
after leaving a private key online that gave “unrestricted access”
to the company’s source code, according to the security research
firm that discovered it.
https://techcrunch.com/2024/01/26/mercedez-benz-token-exposed-source-code-github/
Local governments in Colorado, Pennsylvania and Missouri dealing
with ransomware - Multiple local governments are dealing with
cyberattacks, including ransomware incidents, this week, causing
outages and problems for county hospitals, libraries and other local
services.
https://therecord.media/local-governments-across-us-dealing-with-ransomware
23andMe: Raw genetic data stolen in months-long cyberattack -
23andMe said raw genomic data and health reports were among the data
stolen in a breach lasting between late April and late September
2023.
https://www.scmagazine.com/news/23andme-raw-genetic-data-stolen-in-months-long-cyberattack
Schneider Electric hit by ransomware attack against its
sustainability business division - Cactus ransomware reportedly
claimed credit for the mid-January attack, and the company unit
hopes to restore operations in the next couple of days.
https://www.cybersecuritydive.com/news/schneider-electric-ransomware-sustainability/706006/
Keenan warns 1.5 million people of data breach after summer
cyberattack - Keenan & Associates is sending notices of a data
breach to 1.5 million customers, warning that hackers accessed their
personal information in a recent cyberattack.
https://www.bleepingcomputer.com/news/security/keenan-warns-15-million-people-of-data-breach-after-summer-cyberattack/
Johnson Controls reports $27M hit from ransomware attack - The
industrial controls conglomerate said a threat actor stole data and
deployed ransomware on its internal IT infrastructure.
https://www.cybersecuritydive.com/news/johnson-controls-ransomware-costs/706149/
New Jersey School District Shut Down by Cyberattack - Sunday night,
Freehold Township district officials notified its staff and parents
that school would not be in session Monday due to technical
difficulties caused by a cyber incident.
https://www.darkreading.com/vulnerabilities-threats/freehold-township-district-closes-due-to-cyber-incident
Kansas City public transportation authority hit by ransomware - The
Kansas City Area Transportation Authority (KCATA) announced it was
targeted by a ransomware attack on Tuesday, January 23.
https://www.bleepingcomputer.com/news/security/kansas-city-public-transportation-authority-hit-by-ransomware/
Timex breach leaks employee Social Security numbers - Timex Group
experienced a data breach that leaked the names and Social Security
numbers of more than 3,000 people, the watchmaking company disclosed
Monday.
https://www.scmagazine.com/news/timex-breach-leaks-employee-social-security-numbers
WEB SITE COMPLIANCE -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Routing (Part 2 of 2)
Routers and switches are sometimes difficult to locate. Users may
install their own devices and create their own unauthorized subnets.
Any unrecognized or unauthorized network devices pose security
risks. Financial institutions should periodically audit network
equipment to ensure that only authorized and maintained equipment
resides on their network.
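The periodic audit described above can be automated by comparing what a discovery sweep sees on the wire with the institution's authorized equipment inventory. The following is an added example, not code from the FFIEC booklet; the MAC addresses, host names, IP addresses and dates are constructed, and the device "role" is assumed to come from LLDP/CDP advertisements or DHCP fingerprinting collected by the sweep.

```python
"""Periodic audit of discovered network devices against an authorized
inventory. Sample data is constructed for this example; all MAC
addresses, host names and dates are hypothetical."""
from datetime import date

# Authorized network equipment, keyed by MAC address (constructed sample).
AUTHORIZED = {
    "00:1A:2B:3C:4D:01": {"name": "core-rtr-1", "owner": "netops",
                          "last_patched": date(2024, 1, 10)},
    "00:1a:2b:3c:4d:02": {"name": "dist-sw-1", "owner": "netops",
                          "last_patched": date(2023, 6, 2)},
    "00:1a:2b:3c:4d:03": {"name": "dns-1", "owner": "infra",
                          "last_patched": date(2024, 1, 5)},
}

# What a discovery sweep reported (constructed sample). The role is
# assumed to come from LLDP/CDP or DHCP fingerprinting.
OBSERVED = [
    {"mac": "00:1a:2b:3c:4d:01", "ip": "10.0.0.1", "role": "router"},
    {"mac": "00:1a:2b:3c:4d:02", "ip": "10.0.0.2", "role": "switch"},
    {"mac": "f4:5c:89:aa:bb:cc", "ip": "10.0.7.1", "role": "router"},
    {"mac": "f4:5c:89:aa:bb:dd", "ip": "10.0.7.2", "role": "host"},
]

# Roles that count as network infrastructure for the audit.
INFRA_ROLES = {"router", "switch", "dns"}

# Date the audit is run (constructed).
AUDIT_DATE = date(2024, 2, 1)


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so inventory and scan match."""
    return mac.strip().lower().replace("-", ":")


def audit_network_devices(observed, inventory, today, max_patch_age_days=90):
    """Compare a discovery sweep with the authorized inventory.

    Returns three lists:
      unauthorized - infrastructure-role devices not in the inventory
                     (the unrecognized devices the booklet warns about)
      missing      - authorized devices the sweep did not see
      stale        - authorized devices not patched within max_patch_age_days
    """
    inv = {normalize_mac(m): rec for m, rec in inventory.items()}
    seen = set()
    findings = {"unauthorized": [], "missing": [], "stale": []}

    for dev in observed:
        mac = normalize_mac(dev["mac"])
        if mac in inv:
            seen.add(mac)
        elif dev.get("role") in INFRA_ROLES:
            # A router/switch/DNS host nobody authorized: a possible
            # user-installed device or rogue subnet.
            findings["unauthorized"].append(
                {"mac": mac, "ip": dev["ip"], "role": dev["role"]})

    for mac, rec in inv.items():
        if mac not in seen:
            findings["missing"].append(rec["name"])
        age_days = (today - rec["last_patched"]).days
        if age_days > max_patch_age_days:
            # Authorized but not maintained: still a security risk.
            findings["stale"].append(
                {"name": rec["name"], "days_since_patch": age_days})

    return findings


if __name__ == "__main__":
    result = audit_network_devices(OBSERVED, AUTHORIZED, AUDIT_DATE)
    for category, items in result.items():
        print(category, items)
```

Ordinary end hosts that are not in the inventory are deliberately ignored here; the audit is scoped to devices advertising an infrastructure role, which is where an unauthorized subnet or an unmaintained router would show up. Stale patch dates are reported alongside unknown devices because the booklet requires equipment to be both authorized and maintained.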
DNS hosts, routers and switches are computers with their own
operating system. If successfully attacked, they can allow traffic
to be monitored or redirected. Financial institutions must restrict,
log, and monitor administrative access to these devices. Remote
administration typically warrants an encrypted session, strong
authentication, and a secure client. The devices should also be
appropriately patched and hardened.
Packets are sent and received by devices using a network
interface card (NIC) for each network to which they connect.
Internal computers typically have one NIC for the corporate network
or a subnet. Firewalls, proxy servers, and gateway servers are
typically dual-homed, with two NICs that allow them to communicate
securely both internally and externally while limiting access to the
internal network.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
The goal of logical and administrative access control is to
restrict access to system resources. Access should be provided only
to authorized individuals whose identity is established, and their
activities should be limited to the minimum required for business
purposes. Authorized individuals (users) may be employees, TSP
employees, vendors, contractors, customers, or visitors.
An effective control mechanism includes numerous controls to
safeguard and limit access to key information system assets. This
section addresses logical and administrative controls, including
access rights administration and authentication through network,
operating system, application, and remote access. A subsequent
section addresses physical security controls.
ACCESS RIGHTS ADMINISTRATION (1 of 5)
Action Summary - Financial institutions should have an effective
process to administer access rights. The process should include the
following controls:
1) Assign users and system resources only the access required to
perform their required functions,
2) Update access rights based on personnel or system changes,
3) Periodically review users' access rights at an appropriate
frequency based on the risk to the application or system, and
4) Design appropriate acceptable-use policies and require users
to sign them.
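The four controls above can be checked together in a periodic access-rights review that joins directory entitlements with the HR feed. The following is an added example, not code from the FFIEC booklet; the job functions, systems, user records, risk tiers and dates are all constructed, and the review intervals per risk tier are assumed values an institution would set in its own policy.

```python
"""Access rights review covering least-privilege grants, personnel
changes, risk-based review frequency and acceptable-use sign-off.
All names, systems, roles and dates are constructed for this example."""
from datetime import date

# Entitlements each job function needs, as "system:privilege" (constructed).
REQUIRED_ACCESS = {
    "teller": {"core-banking:read", "core-banking:post-txn"},
    "loan-officer": {"core-banking:read", "loan-origination:write"},
    "netops": {"router:admin", "switch:admin"},
}

# Risk tier per system and how often its access list must be reviewed
# (assumed policy values).
SYSTEM_RISK = {"core-banking": "high", "loan-origination": "medium",
               "router": "high", "switch": "high", "wiki": "low"}
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}

# Date each system's access list was last reviewed (constructed).
LAST_REVIEW = {"core-banking": date(2023, 9, 1),
               "loan-origination": date(2023, 7, 1),
               "router": date(2023, 12, 15),
               "switch": date(2023, 12, 15),
               "wiki": date(2023, 1, 1)}

# User records joined from the directory and the HR feed (constructed).
# Bob moved from netops to loan officer but kept his router access;
# Carol has left but her account was never cleaned up.
USERS = [
    {"id": "alice", "job": "teller", "status": "active",
     "grants": {"core-banking:read", "core-banking:post-txn"},
     "aup_signed": date(2023, 3, 1)},
    {"id": "bob", "job": "loan-officer", "status": "active",
     "grants": {"core-banking:read", "loan-origination:write",
                "router:admin"},
     "aup_signed": None},
    {"id": "carol", "job": "netops", "status": "terminated",
     "grants": {"router:admin", "switch:admin"},
     "aup_signed": date(2022, 5, 5)},
]

# Date the review is run (constructed).
REVIEW_DATE = date(2024, 2, 1)


def review_access(users, required, last_review, system_risk, today):
    """Return findings for each of the four access-administration controls."""
    findings = {"excess_grants": [], "terminated_with_access": [],
                "overdue_reviews": [], "aup_unsigned": []}

    for u in users:
        if u["status"] == "terminated":
            # Control 2: leavers must keep nothing, whatever their old job.
            if u["grants"]:
                findings["terminated_with_access"].append(u["id"])
            continue
        # Control 1: anything beyond the current job's required set is
        # excess (this also catches transfers that kept old rights).
        for grant in sorted(u["grants"] - required.get(u["job"], set())):
            findings["excess_grants"].append((u["id"], grant))
        # Control 4: active users must have signed the acceptable-use policy.
        if u["aup_signed"] is None:
            findings["aup_unsigned"].append(u["id"])

    # Control 3: the review interval depends on the system's risk tier.
    for system, reviewed_on in sorted(last_review.items()):
        interval = REVIEW_INTERVAL_DAYS[system_risk[system]]
        if (today - reviewed_on).days > interval:
            findings["overdue_reviews"].append(system)

    return findings


if __name__ == "__main__":
    for category, items in review_access(
            USERS, REQUIRED_ACCESS, LAST_REVIEW, SYSTEM_RISK,
            REVIEW_DATE).items():
        print(category, items)
```

Excess grants are computed against the user's current job function rather than against a cumulative history, which is what turns a transfer into a visible finding instead of silently carrying rights forward. Terminated users are reported separately because any remaining grant is a cleanup failure regardless of what the job once required.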
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.4 Security Activities in the Computer System Life Cycle
This section reviews the security activities that arise in each
stage of the computer system life cycle.
8.4.1 Initiation
The conceptual and early design process of a system involves the
discovery of a need for a new system or enhancements to an existing
system; early ideas as to system characteristics and proposed
functionality; brainstorming sessions on architectural, performance,
or functional system aspects; and environmental, financial,
political, or other constraints. At the same time, the basic security aspects
of a system should be developed along with the early system design.
This can be done through a sensitivity assessment.
8.4.1.1 Conducting a Sensitivity Assessment
A sensitivity assessment looks at
the sensitivity of both the information to be processed and the
system itself. The assessment should consider legal implications,
organization policy (including federal and agency policy if a
federal system), and the functional needs of the system. Sensitivity
is normally expressed in terms of integrity, availability, and
confidentiality. Such factors as the importance of the system to the
organization's mission and the consequences of unauthorized
modification, unauthorized disclosure, or unavailability of the
system or data need to be examined when assessing sensitivity. To
address these types of issues, the people who use or own the system
or information should participate in the assessment.
A sensitivity assessment should answer the following questions:
1) What information is handled by the system?
2) What kind of potential damage could occur through error,
unauthorized disclosure or modification, or unavailability of data
or the system?
3) What laws or regulations affect security (e.g., the Privacy Act
or the Fair Trade Practices Act)?
4) To what threats is the system or information particularly
vulnerable?
5) Are there significant environmental considerations (e.g.,
hazardous location of system)?
6) What are the security-relevant characteristics of the user
community (e.g., level of technical sophistication and training or
security clearances)?
7) What internal security standards, regulations, or guidelines
apply to this system?
The sensitivity assessment starts an
analysis of security that continues throughout the life cycle. The
assessment helps determine if the project needs special security
oversight, if further analysis is needed before committing to begin
system development (to ensure feasibility at a reasonable cost), or
in rare instances, whether the security requirements are so
strenuous and costly that system development or acquisition will not
be pursued. The sensitivity assessment can be included with the
system initiation documentation, either as a separate document or as
a section of another planning document. The development of security
features, procedures, and assurances, described in the next section,
builds on the sensitivity assessment.
A sensitivity assessment can also be performed during the planning
stages of system upgrades (for either upgrades being procured or
developed in house). In this case, the assessment focuses on
the affected areas. If the upgrade significantly affects the
original assessment, steps can be taken to analyze the impact on the
rest of the system. For example, are new controls needed? Will some
controls become unnecessary?
The definition of sensitive is often misconstrued. Sensitive is
synonymous with important or valuable.
Some data is sensitive because it must be kept confidential. Much
more data, however, is sensitive because its integrity or
availability must be assured. The Computer Security Act and OMB
Circular A-130 clearly state that information is sensitive if its
unauthorized disclosure, modification (i.e., loss of integrity), or
unavailability would harm the agency. In general, the more important
a system is to the mission of the agency, the more sensitive it is.