MISCELLANEOUS CYBERSECURITY NEWS:
Lawsuit blasts GoodRx, Meta over ‘egregious’ privacy practices - A
lawsuit claims GoodRx misled users about its data sharing practices,
which allowed Meta's Facebook and Google to “intercept” personal and
health data without user consent. Named as defendants in the suit are
Meta, Google, Criteo and GoodRx.
https://www.scmagazine.com/analysis/privacy/lawsuit-blasts-goodrx-meta-over-egregious-privacy-practices
Hackers are mass infecting servers worldwide by exploiting a patched
hole - Servers running unpatched versions of ESXi are sitting ducks
for ESXiArgs attacks. An explosion of cyberattacks is infecting
servers around the world with crippling ransomware by exploiting a
vulnerability that was patched two years ago, it was widely reported
on Monday.
https://arstechnica.com/information-technology/2023/02/hackers-are-mass-infecting-servers-worldwide-by-exploiting-a-patched-hole/
Agencies Seek Public Input on Updates to Guiding Plan for Cyber R&D
- Members of the public have the opportunity to provide their
insight on the newest version of the federal government’s guiding
document for cybersecurity research and development.
https://www.nextgov.com/cybersecurity/2023/02/agencies-seek-public-input-updates-guiding-plan-cyber-rd/382617/
Inside Walmart Global Tech: Where cybersecurity isn’t discounted -
Bookended by security personnel in front and back, we were warned in
no uncertain terms before entering Walmart’s East Data Center
facility: Any attempt to bring an electronic device into the
building would result in our immediate expulsion.
https://www.scmagazine.com/feature/network-security/inside-walmart-global-tech-where-cybersecurity-isnt-discounted
Walmart’s incessant drive for intel and innovation - Walmart
co-founder Sam Walton believed in constant innovation — and the IT
security pros working inside Walmart Global Tech’s Bentonville,
Arkansas, headquarters appear to have taken that philosophy to
heart, as indicated by the wide array of cyber initiatives the
retail giant has pursued.
https://www.scmagazine.com/feature/network-security/walmarts-incessant-drive-for-intel-and-innovation
Auto dealers are prime targets for hackers, warn researchers - Car
dealerships are prime targets for hackers eager to exploit weak
security and access a treasure trove of financial data and gain
access to third-party vendor supply chains.
https://www.scmagazine.com/news/compliance/auto-dealers-are-prime-targets-for-hackers-warn-researchers
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Financial software firm Ion Group battles LockBit ransomware attack
- Ion Group, a Dublin-based software company that helps financial
institutions automate their critical business processes, has been
hit by a ransomware attack that forced several European and U.S.
banks to revert to manual processes.
https://techcrunch.com/2023/02/02/ion-group-lockbit-derivatives-ransomware
Cyberattacks on Energy's National Labs Draw Lawmaker Scrutiny - The
attacks, allegedly conducted by Russian-based adversaries, occurred
during August and September 2022, potentially exposing sensitive
U.S. scientific research.
https://www.nextgov.com/cybersecurity/2023/02/cyberattacks-energys-national-labs-draw-lawmaker-scrutiny/382503/
Maryland Hospital Suffers Ransomware Attack - February 01, 2023 -
Atlantic General Hospital in Maryland is recovering from a
ransomware attack that was discovered early this week, local news
outlet WMDT47 first reported. The hospital experienced network
outages and told local outlets that patient interruption was
“limited.”
https://healthitsecurity.com/news/maryland-hospital-suffers-ransomware-attack
Tallahassee Memorial Health diverting patients over security issue,
downtime - All emergency medical services are being diverted from
Tallahassee Memorial Healthcare (TMH) due to an “IT security issue”
that prompted the health system to bring its systems offline.
https://www.scmagazine.com/news/incident-response/tallahassee-memorial-health-diverting-patients-over-security-issue-downtime
WEB SITE COMPLIANCE -
This week begins our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 1 of 6)
Supervisory Policy on Identity Theft
Identity theft is fraud committed or attempted by using the
identifying information of another person without his or her
authority. Identifying information may include such things as a
Social Security number, account number, date of birth, driver's
license number, passport number, biometric data and other unique
electronic identification numbers or codes. As more financial
transactions are done electronically and remotely, and as more
sensitive information is stored in electronic form, the
opportunities for identity theft have increased significantly. This
policy statement describes the characteristics of identity theft and
emphasizes the FDIC's well-defined expectations that institutions
under its supervision detect, prevent and mitigate the effects of
identity theft in order to protect consumers and help ensure safe
and sound operations.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
MONITORING AND UPDATING
A static security program provides a false sense of security and
will become increasingly ineffective over time. Monitoring and
updating the security program is an important part of the ongoing
cyclical security process. Financial institutions should treat
security as dynamic with active monitoring; prompt, ongoing risk
assessment; and appropriate updates to controls. Institutions should
continuously gather and analyze information regarding new threats
and vulnerabilities, actual attacks on the institution or others,
and the effectiveness of the existing security controls. They should
use that information to update the risk assessment, strategy, and
implemented controls. Monitoring and updating the security program
begins with the identification of the potential need to alter
aspects of the security program and then recycles through the
security process steps of risk assessment, strategy, implementation,
and testing.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section I. Introduction & Overview - Chapter 1
INTRODUCTION - 1.3 Organization
The first section of the handbook contains background and overview
material, briefly discusses threats, and explains the roles and
responsibilities of individuals and organizations involved in
computer security. It explains the executive principles of computer
security that are used throughout the handbook. For example, one
important principle that is repeatedly stressed is that only
security measures that are cost-effective should be implemented. A
familiarity with the principles is fundamental to understanding the
handbook's philosophical approach to the issue of security.
The next three major sections deal with security controls:
Management Controls (II), Operational Controls (III), and Technical
Controls (IV). Most
controls cross the boundaries between management, operational, and
technical. Each chapter in the three sections provides a basic
explanation of the control; approaches to implementing the control,
some cost considerations in selecting, implementing, and using the
control; and selected interdependencies that may exist with other
controls. Each chapter in this portion of the handbook also provides
references that may be useful in actual implementation.
- The Management Controls section addresses security
topics that can be characterized as managerial. They are techniques
and concerns that are normally addressed by management in the
organization's computer security program. In general, they focus on
the management of the computer security program and the management
of risk within the organization.
- The Operational Controls section addresses security
controls that are, broadly speaking,
implemented and executed by people (as opposed to systems). These
controls are put in place to improve the security of a particular
system (or group of systems). They often require technical or
specialized expertise -- and often rely upon management activities
as well as technical controls.
- The Technical Controls section focuses on security
controls that the computer system executes. These controls are
dependent upon the proper functioning of the system for their
effectiveness. The implementation of technical controls, however,
always requires significant operational considerations -- and should
be consistent with the management of security within the
organization.
Finally, an example is presented to aid the reader in correlating
some of the major topics discussed in the handbook. It describes a
hypothetical system and discusses some of the controls that have
been implemented to protect it. This section helps the reader better
understand the decisions that must be made in securing a system, and
illustrates the interrelationships among controls.
Definition of Sensitive Information
Many people think that sensitive information only requires
protection from unauthorized disclosure. However, the Computer
Security Act provides a much broader definition of the term
"sensitive" information:
"any information, the loss, misuse, or unauthorized access to or
modification of which could adversely affect the national interest
or the conduct of federal programs, or the privacy to which
individuals are entitled under section 552a of title 5, United
States Code (the Privacy Act), but which has not been specifically
authorized under criteria established by an Executive Order or an
Act of Congress to be kept secret in the interest of national
defense or foreign policy."
The above definition can be contrasted with the long-standing
confidentiality-based information classification system for national
security information (i.e., CONFIDENTIAL, SECRET, and TOP SECRET).
This system is based only upon the need to protect classified
information from unauthorized disclosure; the U.S. Government does
not have a similar system for unclassified information. No
government-wide schemes (for either classified or unclassified
information) exist that are based on the need to protect the
integrity or availability of information.