MISCELLANEOUS CYBERSECURITY NEWS:
A majority of companies hacked in 2021 did not improve MFA controls
following attack - A report released Tuesday by HYPR and
Cybersecurity Insiders found that even with ongoing industry efforts
to embrace zero-trust, many organizations are still highly exposed
to credential attacks because of insufficient multi-factor
authentication (MFA) and overall lack of urgency about the
seriousness of the threat landscape.
https://www.scmagazine.com/news/identity-and-access/a-majority-of-companies-hacked-in-2021-did-not-improve-mfa-controls-following-attack
OpenSSF’s Alpha-Omega Project to target vulnerabilities from
beginning to end - The Open Source Security Foundation (OpenSSF)
announced Tuesday a new two-track initiative to find vulnerabilities
in open-source software.
https://www.scmagazine.com/analysis/application-security/openssfs-alpha-omega-project-to-target-vulnerabilities-from-beginning-to-end
Judge moves to dismiss Practicefirst breach lawsuit over lack of
‘actual harm’ - A federal judge in the Western District of New York
has recommended granting a motion to dismiss a potential
class-action lawsuit against Practicefirst, because the breach
victims who filed the case did not provide evidence of actual harm,
as required by a June Supreme Court decision.
https://www.scmagazine.com/analysis/policy/judge-moves-to-dismiss-practicefirst-breach-lawsuit-over-lack-of-actual-harm
HHS to providers: Learn from mistakes made in cyberattack that shut
down Ireland health system - The Department of Health and Human
Services urges healthcare provider organizations to review key
mistakes made by the Ireland Health Service Executive prior to,
during, and in response to its months-long network outage brought on
by systems hack in mid-2021.
https://www.scmagazine.com/analysis/incident-response/hhs-to-providers-learn-from-mistakes-made-in-cyberattack-that-shut-down-ireland-health-system
Microsoft plans to kill malware delivery via Office macros -
Microsoft announced today that it will make it difficult to enable
VBA macros downloaded from the Internet in several Microsoft Office
apps starting in early April, effectively killing a popular
distribution method for malware.
https://www.bleepingcomputer.com/news/microsoft/microsoft-plans-to-kill-malware-delivery-via-office-macros/
CISA Orders Federal Agencies to Fix Actively Exploited Windows Bug -
Feb. 18 is the deadline to patch a bug that affects all unpatched
versions of Windows 10 and requires zero user interaction to
exploit.
https://threatpost.com/cisa-orders-federal-agencies-to-fix-actively-exploited-windows-bug/178270/
Government seizes $3.6 billion in stolen cryptocurrency tied to 2016
hack - The Justice Department announced Tuesday the government
seized $3.6 billion in stolen cryptocurrency and the arrest of a
Manhattan couple for an alleged conspiracy to launder bitcoin stolen
during a 2016 hack of virtual currency exchange Bitfinex.
https://www.scmagazine.com/news/cryptocurrency/government-seizes-3-6-billion-in-stolen-cryptocurrency-tied-to-2016-hack
GAO - Critical Infrastructure Protection: Agencies Need to Assess
Adoption of Cybersecurity Guidance.
https://www.gao.gov/products/gao-22-105103
US banks warned of possible cyberattacks amid Russia-Ukraine
tensions - In the wake of widespread reports Wednesday that the
European Central Bank (ECB) raised its cybercrime threat level for
banks in Europe, U.S. financial firms may soon be feeling the heat
from increasingly sophisticated nation-state hackers.
https://www.scmagazine.com/analysis/cybercrime/us-banks-warned-of-possible-cyberattacks-amid-russia-ukraine-tensions
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Wormhole blockchain bridge taken for more than $300 million -
Wormhole, a popular bridge to move cryptocurrency from one
blockchain to another, saw 120,000 Ether - approximately $325
million - stolen by hackers in a move that could destabilize the
bridge.
https://www.scmagazine.com/analysis/cryptocurrency/wormhole-blockchain-bridge-taken-for-more-than-300-million
Cyberattacker hits German service station petrol terminal provider -
The company this afternoon confirmed to The Register that Oiltanking
GmbH's terminals – which provide Shell service stations, among
others – are "operating with limited capacity" and that Mabanaft
GmbH had "declared force majeure for the majority of its inland
supply activities in Germany."
https://www.theregister.com/2022/02/01/oiltrading/
State Department sounds alarm over Red Cross breach - The U.S. State
Department said the hack of the International Committee of the Red
Cross last month was a “dangerous development” that has harmed the
organization’s family re-unification mission.
https://www.cyberscoop.com/state-department-red-cross-cybarattack-breach-humanitarian/
UnitedHealthcare tied to RIPTA data theft incident as breach tally
rises to 22K - New information has come to light in the ongoing
investigation into the Rhode Island Public Transportation Authority
(RIPTA), after it was revealed that the data of 5,015 health plan
beneficiaries was stolen during an August hack.
https://www.scmagazine.com/analysis/breach/unitedhealthcare-tied-to-ripta-data-theft-incident-as-breach-tally-rises-to-22k
More than $4 million stolen in latest bridge cryptocurrency hack -
Yet another cryptocurrency bridge has been hacked, making it at
least the third such hack in recent weeks.
https://www.scmagazine.com/news/cryptocurrency/more-than-4-million-stolen-in-latest-bridge-cryptocurrency-hack
Ireland HSE Cyberattack is a Cautionary Tale For US Healthcare Orgs
- The Health Sector Cybersecurity Coordination Center (HC3)
encouraged US healthcare organizations to learn from the large-scale
May 2021 cyberattack against the Ireland Health Service Executive
(HSE) that immobilized the country’s health IT systems and cost
hundreds of millions of dollars in recovery efforts.
https://healthitsecurity.com/news/ireland-hse-cyberattack-is-a-cautionary-tale-for-us-healthcare-orgs
Dallas ISD cyber breach. And it’s not who you think. - A year and a
half before the breach, consultants told DISD its systems were
vulnerable, but then COVID hit and it’s unclear if fixes were made.
https://www.wfaa.com/article/news/local/investigates/wfaa-reveals-masterminds-behind-dallas-isd-cyber-breach/287-15b22b82-b226-424d-9b27-a7d5b5120ac3
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Banking Supervision.
Sound Practices for Managing Outsourced E-Banking Systems and
Services (Part 3 of 3)
4. Banks should ensure that periodic independent internal and/or
external audits are conducted of outsourced operations to at least
the same scope required if such operations were conducted in-house.
a) For outsourced relationships involving critical or
technologically complex e-banking services/applications, banks may
need to arrange for other periodic reviews to be performed by
independent third parties with sufficient technical expertise.
5. Banks should develop appropriate contingency plans for
outsourced e-banking activities.
a) Banks need to develop and periodically test their contingency
plans for all critical e-banking systems and services that have been
outsourced to third parties.
b) Contingency plans should address credible worst-case
scenarios for providing continuity of e-banking services in the
event of a disruption affecting outsourced operations.
c) Banks should have an identified team that is responsible for
managing recovery and assessing the financial impact of a disruption
in outsourced e-banking services.
6. Banks that provide e-banking services to third parties should
ensure that their operations, responsibilities, and liabilities are
sufficiently clear so that serviced institutions can adequately
carry out their own effective due diligence reviews and ongoing
oversight of the relationship.
a) Banks have a responsibility to provide serviced institutions
with information necessary to identify, control and monitor any
risks associated with the e-banking service arrangement.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Policy (Part 1 of 3)
A firewall policy states management's expectations for how the
firewall should function and is a component of the overall security
policy. It should establish rules for traffic coming into and going
out of the security domain and how the firewall will be managed and
updated. Therefore, it is a type of security policy for the
firewall, and forms the basis for the firewall rules. The firewall
selection and the firewall policy should stem from the ongoing
security risk assessment process. Accordingly, management needs to
update the firewall policy as the institution's security needs and
the risks change. At a minimum, the policy should address:
- Firewall topology and architecture,
- Type of firewall(s) being utilized,
- Physical placement of the firewall components,
- Monitoring firewall traffic,
- Permissible traffic (generally based on the premise that all
traffic not expressly allowed is denied, detailing which
applications can traverse the firewall and under what exact
circumstances such activities can take place),
- Firewall updating,
- Coordination with intrusion detection and response mechanisms,
- Responsibility for monitoring and enforcing the firewall policy,
- Protocols and applications permitted,
- Regular auditing of a firewall's configuration and testing of the
firewall's effectiveness, and
- Contingency planning.
Financial institutions should also appropriately train and manage
their staffs to ensure the firewall policy is implemented properly.
Alternatively, institutions can outsource the firewall management,
while ensuring that the outsourcer complies with the institution's
specific firewall policy.
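As an added example (not part of the FFIEC booklet, and not any vendor's rule syntax), the following Python script models the two firewall-policy points above that practitioners most often get wrong: "all traffic not expressly allowed is denied" and "regular auditing of a firewall's configuration". The policy's permitted-traffic list is written down as data, a first-match evaluator denies anything no rule covers, and an audit function flags rules that are broader than the written policy. The ruleset, addresses (documentation ranges) and permitted-service list are constructed for illustration.

```python
"""Firewall policy as data: default-deny evaluation plus a configuration audit.

Added example; it models the policy-to-ruleset mapping, not a real firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None means any destination port
    log: bool = False      # whether matches are logged (policy: monitor traffic)
    comment: str = ""


# The written policy: the only protocol/port pairs applications may use
# through the firewall (constructed for this example).
PERMITTED = {("tcp", 443), ("tcp", 25), ("udp", 53)}

# Constructed ruleset. Rule 3 (telnet) is deliberately outside the policy.
RULES = [
    Rule("allow", "any", "203.0.113.10/32", "tcp", 443, comment="public web"),
    Rule("allow", "10.0.0.0/8", "203.0.113.20/32", "tcp", 25, comment="internal relay to MTA"),
    Rule("allow", "10.0.0.0/8", "any", "udp", 53, comment="resolver"),
    Rule("allow", "10.0.5.0/24", "any", "tcp", 23, comment="legacy telnet"),
    Rule("deny", "any", "any", "any", None, log=True, comment="explicit catch-all"),
]


def _net_match(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int]) -> Tuple[str, str]:
    """First-match evaluation. A flow matching no rule is denied: the policy's
    premise is enforced even if someone deletes the explicit catch-all."""
    for r in rules:
        if (_net_match(r.src, src) and _net_match(r.dst, dst)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action, r.comment
    return "deny", "implicit default deny"


def audit(rules: List[Rule], permitted=PERMITTED) -> List[Tuple[int, str]]:
    """The 'regular auditing of the configuration' step: compare the live
    ruleset with the written policy and return (rule index, finding) pairs."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any" and r.proto == "any":
            findings.append((i, "allow any/any/any defeats default deny"))
        elif r.proto == "any" or r.dport is None:
            findings.append((i, "allow rule not pinned to a protocol and port"))
        elif (r.proto, r.dport) not in permitted:
            findings.append((i, f"{r.proto}/{r.dport} not in permitted traffic list"))
    # Policy says dropped traffic is monitored: the trailing deny must log.
    if not rules or rules[-1].action != "deny" or not rules[-1].log:
        findings.append((len(rules), "ruleset lacks a final logged deny-all"))
    return findings


if __name__ == "__main__":
    print(evaluate(RULES, "198.51.100.7", "203.0.113.10", "tcp", 443))
    print(evaluate(RULES, "198.51.100.7", "203.0.113.10", "tcp", 22))
    for idx, msg in audit(RULES):
        print(f"rule {idx}: {msg}")
```

The audit deliberately checks the ruleset against the policy document rather than the other way round: a rule that "works" but permits a protocol the policy never listed is exactly the drift that periodic review is meant to catch.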
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 18 - AUDIT TRAILS
Audit trails maintain a record of system activity both by system
and application processes and by user activity of systems and
applications. In conjunction with appropriate tools and procedures,
audit trails can assist in detecting security violations,
performance problems, and flaws in applications.
Audit trails may be used as either a support for regular system
operations or a kind of insurance policy or as both of these. As
insurance, audit trails are maintained but are not used unless
needed, such as after a system outage. As a support for operations,
audit trails are used to help system administrators ensure that the
system or resources have not been harmed by hackers, insiders, or
technical problems.
This chapter focuses on audit trails as a technical control, rather
than the process of security auditing, which is a review and
analysis of the security of a system. This chapter discusses the
benefits and objectives of audit trails, the types of audit trails,
and some common implementation issues.
The Difference Between Audit Trails and Auditing
An audit trail is a series of records of computer events,
about an operating system, an application, or user activities. A
computer system may have several audit trails, each devoted to a
particular type of activity.
Auditing is the review and analysis of management,
operational, and technical controls. The auditor can obtain valuable
information about activity on a computer system from the audit
trail. Audit trails improve the auditability of the computer system.
Auditing is discussed in the assurance chapter.
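The chapter's claim that audit trails, "in conjunction with appropriate tools and procedures", help detect security violations is concrete only once a tool reads the records. As an added example (not from the NIST Handbook), the Python below parses a constructed syslog-style audit trail into records and runs two detections over it: a burst of failed logins followed by a success from the same source (credential guessing), and a privileged command executed outside working hours. The record format, hostnames, usernames and timestamps are all constructed for the example.

```python
"""Audit trail as a detection input: parse records, then look for violations.

Added example; the log format and detections are illustrative, not a standard.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample trail in a syslog-like format (not from a real system).
SAMPLE_TRAIL = """\
2022-02-08T09:12:01Z host1 sshd: Failed password for alice from 198.51.100.9
2022-02-08T09:12:03Z host1 sshd: Failed password for alice from 198.51.100.9
2022-02-08T09:12:05Z host1 sshd: Failed password for alice from 198.51.100.9
2022-02-08T09:12:07Z host1 sshd: Failed password for alice from 198.51.100.9
2022-02-08T09:12:09Z host1 sshd: Accepted password for alice from 198.51.100.9
2022-02-08T09:30:00Z host1 sshd: Accepted publickey for bob from 10.0.0.5
2022-02-08T09:31:00Z host1 sudo: bob : COMMAND=/usr/bin/systemctl restart nginx
this line is malformed and must not stop processing
2022-02-08T22:40:00Z host1 sudo: alice : COMMAND=/usr/sbin/useradd svc-tmp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)$")
SUDO_RE = re.compile(r"^(?P<user>\S+) : COMMAND=(?P<cmd>.*)$")


def parse_trail(text: str) -> List[Dict]:
    """Turn raw lines into typed records; a malformed line is skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
               "host": m["host"], "proc": m["proc"]}
        if m["proc"] == "sshd" and (a := AUTH_RE.match(m["msg"])):
            rec.update(kind="auth", result=a["result"], user=a["user"], src=a["src"])
        elif m["proc"] == "sudo" and (s := SUDO_RE.match(m["msg"])):
            rec.update(kind="priv", user=s["user"], cmd=s["cmd"])
        else:
            rec.update(kind="other")
        records.append(rec)
    return records


def detect_guessing(records: List[Dict], threshold: int = 3, window_s: int = 300) -> List[Dict]:
    """Alert when a (user, source) pair succeeds after >= threshold failures
    inside window_s seconds. Failures are kept per pair so one noisy user
    cannot mask another."""
    failures = defaultdict(list)
    alerts = []
    for r in records:
        if r["kind"] != "auth":
            continue
        key = (r["user"], r["src"])
        if r["result"] == "Failed":
            failures[key].append(r["ts"])
            continue
        recent = [t for t in failures[key] if (r["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({"rule": "failures-then-success", "user": r["user"],
                           "src": r["src"], "failures": len(recent), "at": r["ts"]})
        failures[key].clear()
    return alerts


def detect_offhours_priv(records: List[Dict], start_hour: int = 8, end_hour: int = 18) -> List[Dict]:
    """Alert on privileged commands outside the [start_hour, end_hour) window."""
    return [{"rule": "off-hours-privileged", "user": r["user"], "cmd": r["cmd"], "at": r["ts"]}
            for r in records
            if r["kind"] == "priv" and not (start_hour <= r["ts"].hour < end_hour)]


def analyze_trail(text: str = SAMPLE_TRAIL) -> List[Dict]:
    recs = parse_trail(text)
    return detect_guessing(recs) + detect_offhours_priv(recs)


if __name__ == "__main__":
    for alert in analyze_trail():
        print(alert)
```

Both detections depend on fields the trail must actually record (timestamp, subject, source, outcome, command); if a system's audit trail omits any of them, the "insurance" value the chapter describes is lost before an incident ever happens, which is why the content of the records is a policy decision and not just a logging setting.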