MISCELLANEOUS CYBERSECURITY NEWS:
Software’s ‘intangible’ nature raises insurance concerns in court
ruling - A case quietly settled in the Ohio Supreme Court earlier
this month contains language that could signal further trouble amid
ongoing shifts in cyber insurance, particularly for healthcare
providers relying on alternative insurance policies to protect the
enterprise in the event of a network outage.
https://www.scmagazine.com/feature/ransomware/lack-of-physical-loss-in-ransomware-attack-raises-insurance-concerns-after-court-ruling
US, Europol seize Hive ransomware servers and leak sites: ‘We hacked
the hackers’ - U.S. and international law enforcement authorities
have taken action against the Hive ransomware group, including the
seizure of U.S.-based servers and the shutdown of at least two of
the group's dark net sites.
https://www.scmagazine.com/analysis/ransomware/notice-on-hive-ransomware-site-claims-seizure-by-fbi-europol
US data breaches in 2022 just shy of all-time high set in 2021 - A
national nonprofit organization that supports victims of identity
crime reported that the number of data compromises in the U.S. in
2022 fell just 60 events short of the all-time high set in 2021.
https://www.scmagazine.com/news/data-security/us-data-breaches-in-2022-just-shy-of-all-time-high-set-in-2021
NIST Debuts Long-Anticipated AI Risk Management Framework - With the
launch of the AI RMF 1.0, federal researchers focused on four core
functions to structure how all organizations evaluate and introduce
more trustworthy AI systems.
https://www.nextgov.com/emerging-tech/2023/01/nist-debuts-long-anticipated-ai-risk-management-framework/382251/
https://www.nist.gov/news-events/news/2023/01/nist-risk-management-framework-aims-improve-trustworthiness-artificial
Third-party risks: How to reduce them - Supply chain complexity and
third-party risks are growing. Fortunately, there are ways that
organizations can mitigate the risk. Even if you do everything by
the book, third-party risks remain a considerable threat to an
organization’s security.
https://www.scmagazine.com/resource/cloud-security/third-party-risks-how-to-reduce-them
FTC slaps GoodRx with a $1.5M fine for sharing health data with
Facebook, others - The Federal Trade Commission slapped GoodRx with
a $1.5 million civil penalty for questionable privacy practices tied
to sharing personal consumer health data with Facebook, Google and
Twilio.
https://www.scmagazine.com/analysis/breach/ftc-slaps-goodrx-with-1-5m-fine-for-sharing-health-data-with-facebook-others
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
City IT department working to recover missing Lubbock police videos
- The City of Lubbock's information technology staff is working to
recover police video files that disappeared as a result of a problem
with the city's servers that was discovered in December.
https://www.yahoo.com/entertainment/city-department-working-recover-missing-163323633.html
CISA: Federal agencies hacked using legitimate remote desktop tools
- CISA, the NSA, and MS-ISAC warned today in a joint advisory that
attackers are increasingly using legitimate remote monitoring and
management (RMM) software for malicious purposes.
https://www.bleepingcomputer.com/news/security/cisa-federal-agencies-hacked-using-legitimate-remote-desktop-tools/
https://www.securityweek.com/us-government-agencies-warn-of-malicious-use-of-remote-management-software/
Contractor error led to Baltimore schools ransomware attack - A
security contractor for Baltimore County Public Schools mistakenly
opened a suspicious phishing email attachment in an unsecure
environment, leading to the ransomware attack.
https://www.techtarget.com/searchsecurity/news/252529592/Contractor-error-led-to-Baltimore-schools-ransomware-attack
Oracle Cerner EHR system at VA, DOD and Coast Guard hit with network
issues - The degraded service affected all locations using the EHR
on Monday and Tuesday, according to a VA spokesperson.
https://fedscoop.com/oracle-cerner-ehr-system-at-va-dod-and-coast-guard-hit-with-network-issues/
Maryland hospital facing outages after ‘significant’ ransomware
attack - Atlantic General Hospital in Maryland is experiencing
network disruptions and outages after a significant ransomware
attack deployed this weekend, according to local news outlet WMDT47.
https://www.scmagazine.com/analysis/breach/maryland-hospital-facing-outages-after-significant-ransomware-attack
WEB SITE COMPLIANCE -
We finish our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 10 of 10)
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may
choose to subcontract with a service provider to create, arrange,
and manage their websites, including weblinks. The primary risks for
these financial institutions are the same as for those institutions
that arrange the links directly. However, if a financial institution
uses a set of pre-established links to a large number of entities
whose business policies or procedures may be unfamiliar, it may
increase its risk exposure. This is particularly true in situations
in which the institution claims in its published privacy policy that
it maintains certain minimum information security standards at all
times.
When a financial institution subcontracts weblinking
arrangements to a service provider, the institution should conduct
sufficient due diligence to ensure that the service provider is
appropriately managing the risk exposure from other parties.
Management should keep in mind that a vendor might establish links
to third parties that are unacceptable to the financial institution.
Finally, the written agreement should contain a regulatory
requirements clause in which the service provider acknowledges that
its linking activities must comply with all applicable consumer
protection laws and regulations.
Financial institution management should consider weblinking
agreements with its service provider to mitigate significant risks.
These agreements should be clear and enforceable with descriptions
of all obligations, liabilities, and recourse arrangements. These
may include the institution's right to exclude from its site links
the financial institution considers unacceptable. Such contracts
should include a termination clause, particularly if the contract
does not include the ability to exclude websites. Finally, a
financial institution should apply its link monitoring policies
discussed above to links arranged by service providers or other
vendors.
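The link-monitoring step above is the one piece of this guidance that can be automated: inventory the outbound links on vendor-managed pages and flag any that point to a domain the institution has not approved. The following is an added example written for this page, not code from the FFIEC statement. The approved-domain list, the institution's own domain and the sample HTML are all constructed for illustration.

```python
"""Inventory outbound links on a vendor-managed page and flag any whose
domain is neither the institution's own nor an approved third party.

Added example; the domains and the sample page are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the institution has approved weblinks only to these hosts.
OWN_DOMAIN = "www.examplebank.com"
APPROVED_DOMAINS = {"www.examplebank.com", "partner.example-insurer.com"}


class LinkCollector(HTMLParser):
    """Collects link targets from <a href>, <iframe src> and <form action>."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self.links.append(attr["href"])
        elif tag == "iframe" and attr.get("src"):
            self.links.append(attr["src"])
        elif tag == "form" and attr.get("action"):
            self.links.append(attr["action"])


def external_links(html, own_domain=OWN_DOMAIN):
    """Return (host, url) pairs for every link that leaves the institution's site.

    Relative links and same-site links are skipped. The host is normalised so
    that userinfo tricks (https://www.examplebank.com@evil.example/), ports and
    mixed case do not hide the real destination."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for url in parser.links:
        parsed = urlparse(url)
        if parsed.scheme in ("javascript", "mailto", "tel"):
            continue
        # netloc may carry user@host:port; keep only the host, lower-cased.
        host = parsed.netloc.lower().split("@")[-1].split(":")[0]
        if not host or host == own_domain:
            continue
        found.append((host, url))
    return found


def unapproved_links(html, approved=APPROVED_DOMAINS, own_domain=OWN_DOMAIN):
    """Links whose destination host is not on the approved list.

    Matching is exact on purpose: a vendor quietly adding
    promo.<approved-domain> is precisely the change monitoring should surface."""
    return [(h, u) for h, u in external_links(html, own_domain) if h not in approved]


# Constructed sample page, as a vendor might publish it on the institution's site.
SAMPLE_PAGE = """
<html><body>
<a href="/accounts/login">Log in</a>
<a href="https://www.examplebank.com/rates">Rates</a>
<a href="https://partner.example-insurer.com/quote">Get an insurance quote</a>
<a href="HTTPS://Promo.Third-Party-Offers.example/deal?ref=bank">Special offer</a>
<a href="https://www.examplebank.com@login-verify.example/">Verify account</a>
<iframe src="//tracker.example/pixel"></iframe>
<a href="mailto:help@examplebank.com">Email us</a>
</body></html>
"""

if __name__ == "__main__":
    for host, url in unapproved_links(SAMPLE_PAGE):
        print(f"UNAPPROVED LINK  host={host}  url={url}")
```

Run against a crawl of the vendor-managed pages on a schedule and treat any non-empty report as a contract matter: the institution's right to exclude unacceptable links is only enforceable if it knows the links exist. Note that the protocol-relative `//tracker.example` and the `user@host` form are caught only because the host is taken from `netloc` after stripping userinfo, which a naive string check would miss.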
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY TESTING - OUTSOURCED SYSTEMS
Management is responsible for ensuring institution and customer
data is protected, even when that data is transmitted, processed, or
stored by a service provider. Service providers should have
appropriate security testing based on the risk to their
organization, their customer institutions, and the institution's
customers. Accordingly, management and auditors evaluating technology
service providers (TSPs) should use the above testing guidance in
performing initial due diligence, constructing contracts, and exercising
ongoing oversight or audit responsibilities. Where indicated by the
institution's risk assessment, management is responsible for
monitoring the testing performed at the service provider through
review of timely audits and test results or other equivalent
evaluations.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We begin the series on the National
Institute of Standards and Technology (NIST) Handbook.
Section I. Introduction & Overview
Chapter 1
INTRODUCTION
1.1 Purpose
This handbook provides assistance in securing computer-based
resources (including hardware, software, and information) by
explaining important concepts, cost considerations, and
interrelationships of security controls. It illustrates the benefits
of security controls, the major techniques or approaches for each
control, and important related considerations.
The handbook provides a broad overview of computer security to
help readers understand their computer security needs and develop a
sound approach to the selection of appropriate security controls. It
does not describe detailed steps necessary to implement a computer
security program, provide detailed implementation procedures for
security controls, or give guidance for auditing the security of
specific systems. General references are provided at the end of this
chapter, and references of "how-to" books and articles are provided
at the end of each chapter in Parts II, III and IV.
The purpose of this handbook is not to specify requirements but,
rather, to discuss the benefits of various computer security
controls and situations in which their application may be
appropriate. Some requirements for federal systems are noted in the
text. This document provides advice and guidance; no penalties are
stipulated.
1.2 Intended Audience
The handbook was written primarily for those who have computer
security responsibilities and need assistance understanding basic
concepts and techniques. Within the federal government, this
includes those who have computer security responsibilities for
sensitive systems.
For the most part, the concepts presented in the handbook are also
applicable to the private sector. While there are differences
between federal and private-sector computing, especially in terms of
priorities and legal constraints, the underlying principles of
computer security and the available safeguards -- managerial,
operational, and technical -- are the same. The handbook is
therefore useful to anyone who needs to learn the basics of computer
security or wants a broad overview of the subject. However, it is
probably too detailed to be employed as a user awareness guide, and
is not intended to be used as an audit guide.