MISCELLANEOUS CYBERSECURITY NEWS:
FCC gets tough: Telcos must now tell you when your personal info is
stolen - The FCC's updated reporting requirements mean telcos in
America will have just seven days to officially disclose that a
criminal has broken into their systems.
https://www.theregister.com/2024/02/12/fcc_gets_tough_on_telcos/
Ransomware payments breached $1 billion in 2023, a first -
Ransomware attacks netted payments exceeding $1 billion globally for
the first time in 2023, according to data published Wednesday. 137
mining facilities in the US account for 2.3 percent of electricity
demand.
https://www.scmagazine.com/news/ransomware-payments-breached-1-billion-in-2023-a-first
Large cryptocurrency miners in US now have to report energy use to
government - The Biden administration is now requiring some
cryptocurrency producers to report their energy use following rising
concerns that the growing industry could pose a threat to the
nation’s electricity grids and exacerbate climate change.
https://arstechnica.com/tech-policy/2024/02/large-cryptocurrency-miners-in-us-now-have-to-report-energy-use-to-government/
Critical Bugs in Canon Small Office Printers Allow Code Execution,
DDoS - Canon has patched seven critical buffer-overflow bugs
affecting its small office multifunction printers and laser
printers.
https://www.darkreading.com/endpoint-security/critical-bugs-canon-small-office-printers-code-execution-ddos
Suspected Warzone RAT hackers arrested - Two men accused of
operating the Warzone remote access trojan (RAT) were arrested, and
servers across six countries hosting the popular malware seized, in
an FBI-led operation.
https://www.scmagazine.com/news/suspected-warzone-rat-hackers-arrested
How the Colonial Pipeline attack instilled urgency in cybersecurity
- The federal government and private sector are still coming to
terms with how to protect operational technology in an increasingly
volatile threat environment.
https://www.cybersecuritydive.com/news/post-colonial-pipeline-attack/623859/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Cyberattacks on Clorox, Johnson
Controls cost companies $76M combined - Cybersecurity incidents in
2023 cost Clorox and Johnson Controls nearly $76 million combined,
according to reports filed with the Securities and Exchange
Commission (SEC). The incidents underscore the painful reality that
such attacks cost real money.
https://www.scmagazine.com/news/cyberattacks-on-clorox-johnson-controls-cost-companies-76m-combined
Hack of PJ&A tops 2023 US healthcare data breaches as tally jumps by
4M - An attack on medical transcription firm Perry Johnson &
Associates (PJ&A) belatedly picked up the unwanted distinction of
being 2023’s largest U.S. health sector data breach.
https://www.scmagazine.com/news/hack-of-pja-tops-2023-us-healthcare-data-breaches-as-tally-jumps-by-4m
Chinese hackers infect Dutch military network with malware - A
Chinese cyber-espionage group breached the Dutch Ministry of Defence
last year and deployed malware on compromised devices, according to
the Military Intelligence and Security Service (MIVD) of the
Netherlands.
https://www.bleepingcomputer.com/news/security/chinese-hackers-infect-dutch-military-network-with-malware/
Planet Home Lending notifies customers of LockBit ransomware
incident - News that Planet Home Lending experienced a cyberattack
by the LockBit ransomware group leveraging the Citrix Bleed flaw has
come out in dribs and drabs.
https://www.scmagazine.com/news/planet-home-lending-notifies-customers-of-lockbit-ransomware-incident
Ransomware attack forces 100 Romanian hospitals to go offline - 100
hospitals across Romania have taken their systems offline after a
ransomware attack hit their healthcare management system.
https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-100-romanian-hospitals-to-go-offline/
Cyberattack shuts down Colorado public defender’s office - A
cyberattack on the Office of the Colorado State Public Defender
forced the agency to shut down its computer network, locking public
defenders across the state out of critical work systems and
prompting attorneys to seek delays in their court cases.
https://www.denverpost.com/2024/02/12/colorado-public-defenders-office-cyberattack-ransomware-malware/
33M French Citizens Impacted in Country's Largest-Ever Breach - The
French data protection agency, the CNIL, has opened an investigation
into a pair of data breaches at payment processors that together
affect nearly half of the country's population.
https://www.darkreading.com/cloud-security/33m-french-citizens-countrys-largest-ever-breach
Bank of America warns customers of data breach after vendor hack -
Bank of America is warning customers of a data breach exposing their
personal information after Infosys McCamish Systems (IMS), one of
its service providers, was hacked last year.
https://www.bleepingcomputer.com/news/security/bank-of-america-warns-customers-of-data-breach-after-vendor-hack/
AlphV claims hit on Canada’s Trans-Northern Pipelines - The pipeline
operator confirmed its internal systems, including communications,
were impacted by a November cyberattack. However, the pipelines and
fuel delivery were never disrupted.
https://www.cybersecuritydive.com/news/trans-northern-pipeline-ransomware/707522/
US military notifies 20,000 of data breach after cloud email leak -
The U.S. Department of Defense is notifying tens of thousands of
individuals that their personal information was exposed in an email
data spill last year.
https://techcrunch.com/2024/02/14/department-defense-data-breach-microsoft-cloud-email/
Prudential Financial reports Feb. 4 cyberattack in SEC filing - The
unending attacks on large financial companies continue as Prudential
Financial reported Feb. 13 that an unspecified threat actor accessed
company administrative and user data, as well as a small percentage
of user accounts associated with employees and contractors.
https://www.scmagazine.com/news/prudential-financial-reports-feb-4-cyberattack-in-sec-filing
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight -
Principle 3: The Board of Directors and senior management should
establish a comprehensive and ongoing due diligence and oversight
process for managing the bank's outsourcing relationships and other
third-party dependencies supporting e-banking.
Increased reliance upon partners and third party service
providers to perform critical e-banking functions lessens bank
management's direct control. Accordingly, a comprehensive process
for managing the risks associated with outsourcing and other
third-party dependencies is necessary. This process should encompass
the third-party activities of partners and service providers,
including the sub-contracting of outsourced activities that may have
a material impact on the bank.
Historically, outsourcing was often limited to a single service
provider for a given functionality. However, in recent years, banks'
outsourcing relationships have increased in scale and complexity as
a direct result of advances in information technology and the
emergence of e-banking. Adding to the complexity is the fact that
outsourced e-banking services can be sub-contracted to additional
service providers and/or conducted in a foreign country. Further, as
e-banking applications and services have become more technologically
advanced and have grown in strategic importance, certain e-banking
functional areas are dependent upon a small number of specialized
third-party vendors and service providers. These developments may
lead to increased risk concentrations that warrant attention both
from an individual bank as well as a systemic industry standpoint.
Together, these factors underscore the need for a comprehensive
and ongoing evaluation of outsourcing relationships and other
external dependencies, including the associated implications for the
bank's risk profile and risk management oversight abilities. Board
and senior management oversight of outsourcing relationships and
third-party dependencies should specifically focus on ensuring that:
1) The bank fully understands the risks associated with entering
into an outsourcing or partnership arrangement for its e-banking
systems or applications.
2) An appropriate due diligence review of the competency and
financial viability of any third-party service provider or partner
is conducted prior to entering into any contract for e-banking
services.
3) The contractual accountability of all parties to the
outsourcing or partnership relationship is clearly defined. For
instance, responsibilities for providing information to and
receiving information from the service provider should be clearly
defined.
4) All outsourced e-banking systems and operations are subject
to risk management, security and privacy policies that meet the
bank's own standards.
5) Periodic independent internal and/or external audits
are conducted of outsourced operations to at least the same scope
required if such operations were conducted in-house.
This is the last of three principles regarding Board and
Management Oversight. Next week we will begin the series on
the principles of security controls, which include Authentication,
Non-repudiation, Data and transaction integrity, Segregation of
duties, Authorization controls, Maintenance of audit trails, and
Confidentiality of key bank information.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (3 of 5)
The enrollment process establishes the user's identity and
anticipated business needs to information and systems. New
employees, IT outsourcing relationships, and contractors may also be
identified, and the business need for access determined during the
hiring or contracting process.
During enrollment and thereafter, an authorization process
determines user access rights. In certain circumstances the
assignment of access rights may be performed only after the manager
responsible for each accessed resource approves the assignment and
documents the approval. In other circumstances, the assignment of
rights may be established by the employee's role or group
membership, and managed by pre-established authorizations for that
group. Customers, on the other hand, may be granted access based on
their relationship with the institution.
Authorization for privileged access should be tightly controlled.
Privileged access refers to the ability to override system or
application controls. Good practices for controlling privileged
access include
- Identifying each privilege associated with each system component,
- Implementing a process to allocate privileges and allocating those
privileges either on a need-to-use or an event-by-event basis,
- Documenting the granting and administrative limits on privileges,
- Finding alternate ways of achieving the business objectives,
- Assigning privileges to a unique user ID apart from the one used
for normal business use,
- Logging and auditing the use of privileged access,
- Reviewing privileged access rights at appropriate intervals and
regularly reviewing privilege access allocations, and
- Prohibiting shared privileged access by multiple users.
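As an added illustration (not part of the FFIEC booklet), the following script checks a constructed set of privileged-session records against three of the practices above: privileged work done under a normal business ID, one privileged account shared by several people, and access reviews that are overdue. The record layout, the account names and the 90-day review interval are assumptions.

```python
"""Audit constructed privileged-access records against the FFIEC practices:
separate admin IDs, no shared privileged accounts, periodic access review.
Added example; record format, names and review interval are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of privileged-session records:
# (timestamp, privileged account used, person who used it, source host, action)
RECORDS = [
    ("2024-02-12T09:01:00", "adm-jsmith", "jsmith", "ws-101", "sudo su -"),
    ("2024-02-12T09:05:00", "adm-jsmith", "jsmith", "ws-101", "passwd bob"),
    ("2024-02-12T10:30:00", "root",       "jsmith", "ws-101", "ssh root@db1"),
    ("2024-02-12T10:31:00", "root",       "kwong",  "ws-207", "ssh root@db1"),
    ("2024-02-12T11:00:00", "kwong",      "kwong",  "ws-207", "useradd svc-tmp"),
]
# Constructed review register: privileged account -> date of last access review.
LAST_REVIEW = {"adm-jsmith": "2024-01-15", "root": "2023-06-01"}
# IDs used for normal business work; privileged use should be on a separate ID.
NORMAL_IDS = {"jsmith", "kwong"}


def audit(records=RECORDS, last_review=LAST_REVIEW, normal_ids=NORMAL_IDS,
          as_of="2024-02-14", review_days=90):
    """Return findings keyed by the practice violated, each a sorted list."""
    findings = defaultdict(set)
    users_per_account = defaultdict(set)
    for _ts, account, person, _host, action in records:
        users_per_account[account].add(person)
        # Privileged action carried out under an ID also used for normal work.
        if account in normal_ids:
            findings["privileged_use_on_normal_id"].add((account, action))
    # A privileged account exercised by more than one person is shared access.
    for account, people in users_per_account.items():
        if len(people) > 1:
            findings["shared_privileged_account"].add(account)
    # Every account seen in privileged use needs a review inside the interval;
    # an account with no review record at all is flagged as well.
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=review_days)
    for account in users_per_account:
        reviewed = last_review.get(account)
        if reviewed is None or datetime.fromisoformat(reviewed) < cutoff:
            findings["review_overdue"].add(account)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for practice, items in audit().items():
        print(f"{practice}: {items}")
```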
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.4.2.2 Incorporating Security Requirements Into Specifications
Determining security features, assurances, and operational
practices can yield significant security information and often
voluminous requirements. This information needs to be validated,
updated, and organized into the detailed security protection
requirements and specifications used by systems designers or
purchasers. Specifications can take on quite different forms,
depending on the methodology used to develop the system, or whether
the system, or parts of the system, are being purchased off the
shelf.
As specifications are developed, it may be necessary to update
initial risk assessments. A safeguard recommended by the risk
assessment could be incompatible with other requirements or a
control may be difficult to implement. For example, a security
requirement that prohibits dial-in access could prevent employees
from checking their e-mail while away from the office.
Besides the technical and operational controls of a system,
assurance also should be addressed. The degree to which assurance
(that the security features and practices can and do work correctly
and effectively) is needed should be determined early. Once the
desired level of assurance is determined, it is necessary to figure
out how the system will be tested or reviewed to determine whether
the specifications have been satisfied (to obtain the desired
assurance). This applies to both system developments and
acquisitions. For example, if rigorous assurance is needed, the
ability to test the system or to provide another form of initial and
ongoing assurance needs to be designed into the system or otherwise
provided for.
Developing testing specifications early can be critical to being
able to cost-effectively test security features.