MISCELLANEOUS CYBERSECURITY NEWS:
The high cost of mishandling data breaches, security reporting for
financial services - When it comes to the financial damage that
breaches can wreak on financial institutions, it is not just the
outright theft of account funds, the cost of remediating lost customer
data, or even rebuilding damaged networks after an attack that
hurts - there are also the regulatory penalties and fines for failing
to properly shore up systems or to give timely notice to affected
customers.
https://www.scmagazine.com/analysis/breach/the-high-cost-of-mishandling-data-breaches-security-reporting-for-financial-services
Phishing scam uses Zoom invite to steal Microsoft Outlook
credentials - Researchers on Thursday disclosed a phishing scam
targeting a major North American online brokerage company in which
the victim starts off in a legitimate Zoom session only to end up
having their Microsoft credentials stolen after landing on a fake
Microsoft Outlook log-in screen.
https://www.scmagazine.com/news/phishing/phishing-scam-uses-zoom-invite-to-steal-microsoft-outlook-credentials
Water sector added to Biden administration's initiative on ICS
security - The Biden administration announced Thursday it is
extending a voluntary cybersecurity initiative for essential control
systems in the electricity sector and pipelines to facilities that
supply water across the U.S.
https://www.cyberscoop.com/industrial-control-system-ics-biden-initiative-vewater/
DeFi thefts beget DeFi for money laundering - The amount of
cryptocurrency transferred from illicit wallets to decentralized
finance (DeFi) services spiked 1,964% between 2020 and 2021, with
2021 becoming the first year since 2018 where cryptocurrency
exchanges were not the destination for more than half of
transactions from cybercriminals.
https://www.scmagazine.com/analysis/cryptocurrency/defi-thefts-beget-defi-for-money-laundering
DHS establishes review board for cyber incidents affecting the
federal government - The Department of Homeland Security has
formally established a review board that would be charged with
investigating the cause of and fallout from major hacks that touch
the federal civilian government.
https://www.scmagazine.com/analysis/cyberespionage/dhs-establishes-review-board-for-cyber-incidents-affecting-the-federal-government
The Great Resignation has increased security risks, 71% of IT
leaders say - A survey released Tuesday found that 71% of IT
decision makers in the United States and United Kingdom said the
Great Resignation has increased security risks at their companies.
https://www.scmagazine.com/news/insider-threat/the-great-resignation-has-increased-security-risks-71-of-it-leaders-say
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Kentucky hospital reports network outage, care delays amid
cyberattack - A cyberattack struck Taylor Regional Hospital (TRH)
earlier this week, which has led to electronic health record
downtime procedures and network outages, according to a notice
posted on the Kentucky hospital’s website.
https://www.scmagazine.com/analysis/cybercrime/kentucky-hospital-reports-network-outage-care-delays-amid-cyberattack
Taiwanese Apple and Tesla contractor hit by Conti ransomware - Delta
Electronics, a Taiwanese electronics company and a provider for
Apple, Tesla, HP, and Dell, disclosed that it was the victim of a
cyberattack discovered on Friday morning.
https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/
68K affected by data theft, ‘sophisticated’ network hack of health
nonprofit Advocates - Approximately 68,000 individuals who’ve
received services from Advocates are being notified that their
personal and protected health information was stolen during a
four-day hack in September 2021.
https://www.scmagazine.com/analysis/breach/68k-affected-by-data-theft-sophisticated-network-hack-of-nonprofit-advocates
Breaches exposed 45.67M patient records in 2021, largest annual
total since 2015 - Hacking and IT incidents were the leading
culprits of healthcare data breaches in 2021, increasing by 10% from
the previous year, according to a new Critical Insight report. In
total, there were 500 incidents tied to hacking last year, compared
with 455 in 2020.
https://www.scmagazine.com/analysis/breach/breaches-exposed-45-67m-patient-records-in-2021-largest-annual-total-since-2015
Finance organizations targeted by ransomware may be ‘left chasing
shadows’ - Threats against the financial industry have amplified in
recent months, with adversaries evolving their tactics in ways that
could expose gaps in risk management efforts.
https://www.scmagazine.com/analysis/apt/finance-organizations-targeted-by-ransomware-may-be-left-chasing-shadows
Smart-chain financial site Qubit hacked for $80 million -
Decentralized finance (DeFi) is defying security hopes as Qubit
Finance, a major decentralized digital finance platform, was taken
for $80 million in cryptocurrency by cyber-thieves on Thursday.
https://www.scmagazine.com/analysis/cryptocurrency/smart-chain-financial-site-qubit-hacked-for-80-million
42 Gears’ SureMDM platform was potentially open to supply chain
attack - Researchers on Friday disclosed a number of vulnerabilities
on the SureMDM device management platform marketed by India-based
company 42 Gears that, when combined, could allow attackers to
launch a supply chain attack on the platform.
https://www.scmagazine.com/news/cloud-security/vulnerabilities-in-42-gears-suremdm-platform-was-potentially-open-to-supply-chain-attack
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Sound Practices for Managing Outsourced E-Banking Systems and
Services (Part 2 of 3)
3. Banks should adopt appropriate procedures for ensuring
the adequacy of contracts governing e-banking. Contracts governing
outsourced e-banking activities should address, for example, the
following:
a) The contractual liabilities of the respective parties as well
as responsibilities for making decisions, including any
sub-contracting of material services are clearly defined.
b) Responsibilities for providing information to and receiving
information from the service provider are clearly defined.
Information from the service provider should be timely and
comprehensive enough to allow the bank to adequately assess service
levels and risks. Materiality thresholds and procedures to be used
to notify the bank of service disruptions, security breaches and
other events that pose a material risk to the bank should be spelled
out.
c) Provisions that specifically address insurance coverage, the
ownership of the data stored on the service provider's servers or
databases, and the right of the bank to recover its data upon
expiration or termination of the contract should be clearly defined.
d) Performance expectations, under both normal and contingency
circumstances, are defined.
e) Adequate means and guarantees, for instance through audit
clauses, are defined to ensure that the service provider complies
with the bank's policies.
f) Provisions are in place for timely and orderly intervention
and rectification in the event of substandard performance by the
service provider.
g) For cross-border outsourcing arrangements, which country's laws
and regulations, including those relating to privacy and other
customer protections, are applicable is determined.
h) The right of the bank to conduct independent reviews and/or
audits of security, internal controls and business continuity and
contingency plans is explicitly defined.
FFIEC IT SECURITY -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight -
Principle 5: Banks should use transaction authentication methods
that promote non-repudiation and establish accountability for
e-banking transactions.
Non-repudiation involves creating proof of the origin or
delivery of electronic information to protect the sender against
false denial by the recipient that the data has been received, or to
protect the recipient against false denial by the sender that the
data has been sent. Risk of transaction repudiation is already an
issue with conventional transactions such as credit cards or
securities transactions. However, e-banking heightens this risk
because of the difficulties of positively authenticating the
identities and authority of parties initiating transactions, the
potential for altering or hijacking electronic transactions, and the
potential for e-banking users to claim that transactions were
fraudulently altered.
To address these heightened concerns, banks need to make
reasonable efforts, commensurate with the materiality and type of
the e-banking transaction, to ensure that:
1) E-banking systems are designed to reduce the likelihood that
authorized users will initiate unintended transactions and that
customers fully understand the risks associated with any
transactions they initiate.
2) All parties to the transaction are positively authenticated
and control is maintained over the authenticated channel.
3) Financial transaction data are protected from alteration and
any alteration is detectable.
Banking organizations have begun to employ various techniques that
help establish non-repudiation and ensure confidentiality and
integrity of e-banking transactions, such as digital certificates
using public key infrastructure (PKI). A bank may issue a digital
certificate to a customer or counterparty to allow for their unique
identification/authentication and reduce the risk of transaction
repudiation. Although in some countries customers' rights to
disclaim transactions are provided for in specific legal provisions,
legislation has been passed in certain national jurisdictions making
digital signatures legally enforceable. Wider global legal
acceptance of such techniques is likely as technology continues to
evolve.
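The three requirements above (positive authentication of the parties, protection against alteration, and detectable alteration) are exactly what a digital signature over the transaction gives the bank. The following Go program is an added example written for this newsletter, not code from the Basel Committee or from any bank's system: the customer signs a payment order with a private key that only the customer holds (the key the bank has bound to that customer through the certificate it issued), and the bank verifies the signature with the matching public key. The transaction fields, account identifiers and nonce are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Transaction is a constructed sample payment order. The field set is an
// assumption for this example, not a format defined by the Basel paper.
type Transaction struct {
	From     string `json:"from"`
	To       string `json:"to"`
	Amount   int64  `json:"amount_cents"`
	Currency string `json:"currency"`
	Nonce    string `json:"nonce"` // unique per order, so a captured signature cannot be replayed
}

// digest encodes the order deterministically (field order is fixed by the
// struct) and hashes it, so the signature covers every field of the order.
func digest(tx Transaction) ([]byte, error) {
	b, err := json.Marshal(tx)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(b)
	return h[:], nil
}

// Sign is what the customer's device does with the private key only the
// customer holds: it produces an ECDSA signature over the order's digest.
func Sign(priv *ecdsa.PrivateKey, tx Transaction) ([]byte, error) {
	h, err := digest(tx)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, h)
}

// Verify is what the bank does with the public key it bound to the customer
// when it issued the certificate. It fails if any field of the order was
// altered after signing or if the signature was made with a different key.
func Verify(pub *ecdsa.PublicKey, tx Transaction, sig []byte) bool {
	h, err := digest(tx)
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(pub, h, sig)
}

// Outcome records the three checks a bank cares about for the sample order.
type Outcome struct {
	OriginalAccepted bool // untouched order, customer's key: must verify
	AlteredRejected  bool // amount changed after signing: must fail
	ImpostorRejected bool // same order signed with someone else's key: must fail
}

// Demo runs the three checks with freshly generated keys and returns the result.
func Demo() (Outcome, error) {
	customer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// Constructed sample order: 250.00 USD from one account to another.
	order := Transaction{From: "ACC-1001", To: "ACC-2002", Amount: 25000,
		Currency: "USD", Nonce: "2022-02-04T10:15:00Z#7"}
	sig, err := Sign(customer, order)
	if err != nil {
		return Outcome{}, err
	}

	altered := order
	altered.Amount = 2500000 // an attacker bumps the amount after the customer signed

	forged, err := Sign(impostor, order) // someone without the customer's key signs the same order
	if err != nil {
		return Outcome{}, err
	}

	return Outcome{
		OriginalAccepted: Verify(&customer.PublicKey, order, sig),
		AlteredRejected:  !Verify(&customer.PublicKey, altered, sig),
		ImpostorRejected: !Verify(&customer.PublicKey, order, forged),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Two caveats a practitioner would want. First, the non-repudiation claim rests entirely on the private key never leaving the customer's control: if the bank could also produce the signature (as with a shared secret such as an HMAC key), a signature would prove nothing about who originated the order. Second, the bank must store the exact signed bytes and the signature together with the certificate that bound the public key to the customer at that time; a signature it can no longer verify against the original order is no evidence in a dispute.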
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.7 Cost Considerations
Incorporating logical access controls into a computer system
involves the purchase or use of access control mechanisms, their
implementation, and changes in user behavior.
Direct Costs. Among the direct costs associated with the use
of logical access controls are the purchase and
support of hardware, operating systems, and applications that
provide the controls, and any add-on security packages. The most
significant personnel cost in relation to logical access control is
usually for administration (e.g., initially determining, assigning,
and keeping access rights up to date). Label-based access control is
available in a limited number of commercial products, but at greater
cost and with less variety of selection. Role-based systems are
becoming more available, but there are significant costs involved in
customizing these systems for a particular organization. Training
users to understand and use an access control system is another
necessary cost.
Indirect Costs. The primary indirect cost associated with
introducing logical access controls into a computer system is the
effect on user productivity. There may be additional overhead
involved in having individual users properly determine (when under
their control) the protection attributes of information. Another
indirect cost that may arise results from users not being able to
immediately access information necessary to accomplish their jobs
because the permissions were incorrectly assigned (or have changed).
This situation is familiar to most organizations that put strong
emphasis on logical access controls.