MISCELLANEOUS CYBERSECURITY NEWS:
GAO - Challenges in Protecting Privacy and Sensitive Data - Federal
systems are vulnerable to cyberattacks. Our High Risk report
identified 10 critical actions for addressing federal cybersecurity
challenges.
https://www.gao.gov/products/gao-23-106443
Four ways cyber leaders can take a page from football playbooks -
The myth of the solo hacker and cybersecurity professional has been
thoroughly debunked. So why do organizations still manage the people
side of cybersecurity as if it’s a collection of individuals?
Cybersecurity runs as a team sport and we have much to learn from
the people who do that best.
https://www.scmagazine.com/perspective/strategy/four-ways-cyber-leaders-can-take-a-page-from-football-playbooks
Among the thousands of ESXiArgs ransomware victims? FBI and CISA to
the rescue - The US Cybersecurity and Infrastructure Security Agency
(CISA) has released a recovery script to help companies whose
servers were scrambled in the recent ESXiArgs ransomware outbreak.
https://www.theregister.com/2023/02/08/esxiargs_ransomware_recovery_script/
BEC attacks surged 81% in 2022, 98% employees failed to report
threat - Business email compromise (BEC) attacks have increased by
81% in 2022 and 175% over the past two years, while 98% of employees
failed to report the threat, according to Abnormal Security.
https://www.scmagazine.com/news/email-security/bec-attacks-surged-81-in-2022-98-employees-failed-to-report-threat
Layoffs underscore the importance of rethinking access controls -
With recession fears mounting, companies have kicked off 2023 by
shedding employees in a wave of layoffs affecting major corporations
such as Amazon, Goldman Sachs, and Salesforce, as well as many other
companies.
https://www.scmagazine.com/perspective/strategy/layoffs-underscore-the-importance-of-rethinking-access-controls
Third-party risks: How to reduce them - Even if you do everything by
the book, third-party risks remain a considerable threat to an
organization’s security. However, there are strategies organizations
can employ to minimize the impact of third-party vulnerabilities and
prevent successful exploits.
https://www.scmagazine.com/resource/cloud-security/third-party-risks-how-to-reduce-them
Lack of consumer privacy protections allows data brokers to sell
mental health info - The lack of clear consumer privacy protections
in the U.S. has empowered the data broker industry, according to a
report from a former researcher at Duke University’s Technology
Policy Lab.
https://www.scmagazine.com/news/privacy/consumer-privacy-protections-data-brokers-sell-mental-health-info
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
SonicWall warns web content filtering is broken on Windows 11 22H2 -
SonicWall warned customers today of what it describes as a
"limitation" of the web content filtering (WCF) feature on Windows
11, version 22H2 systems.
https://www.bleepingcomputer.com/news/security/sonicwall-warns-web-content-filtering-is-broken-on-windows-11-22h2/
Over 12% of online stores accidentally leak data during private
backups - A common practice among online store platforms to make
backups during maintenance may leak sensitive information that
cybercriminals could then use to their advantage, according to a new
report.
https://www.scmagazine.com/news/data-security/over-12-of-online-stores-accidentally-leak-data-during-private-backups
Cloudflare blocked largest reported DDoS attack at 71M requests per
second - Cloudflare reported a record number of hyper-volumetric
DDoS attacks over the Feb. 11 weekend, detecting and mitigating more
than a dozen attacks with an average of 50 million to 70 million
requests per second.
https://www.scmagazine.com/news/application-security/cloudflare-blocked-largest-reported-ddos-attack-at-71m-requests-per-second
America’s top cyber diplomat says his Twitter account was hacked -
America’s top cybersecurity diplomat Nate Fick said his personal
Twitter account was hacked, calling it part of the “perils of the
job.”
https://www.cnn.com/2023/02/05/politics/nate-fick-twitter-hack-cybersecurity/index.html
California medical group data breach impacts 3.3 million patients -
Multiple medical groups in the Heritage Provider Network in
California have suffered a ransomware attack, exposing sensitive
patient information to cybercriminals.
https://www.bleepingcomputer.com/news/security/california-medical-group-data-breach-impacts-33-million-patients/
City of Oakland Hit by Ransomware Attack - The cyberattack, the
city’s administration says in an incident notification, started on
Wednesday night and led to network outages as a result of systems
being disconnected from the internet.
https://www.securityweek.com/city-of-oakland-hit-by-ransomware-attack/
Philadelphia Orchestra, Kimmel Center ticketing systems remain
hampered after cyber attack - Arts center leaders continue to be
tight-lipped about the exact nature of the attack. Tickets for a
limited number of events can be purchased through a temporary
ticketing portal.
https://www.inquirer.com/news/kimmel-center-philadelphia-cyber-attack-20230213.html
CommonSpirit Health cyberattack, month-long network outage cost
$150M - The ransomware attack and subsequent month-long network
outage at CommonSpirit Health in October cost the major health
system at least $150 million to date, according to its unaudited
quarterly financial report.
https://www.scmagazine.com/news/ransomware/commonspirit-health-cyberattack-network-outage-cost-150m
WEB SITE COMPLIANCE -
This week continues our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 2 of 6)
Characteristics of Identity Theft
At this time, the majority of identity theft is committed using
hard-copy identification or other documents obtained from the victim
without his or her permission. A smaller, but significant, amount of
identity theft is committed electronically via phishing, spyware,
hacking and computer viruses. Financial institutions are among the
most frequent targets of identity thieves since they store sensitive
information about their customers and hold customer funds in
accounts that can be accessed remotely and transferred
electronically.
Identity theft may harm consumers in several ways. First, an
identity thief may gain access to existing accounts maintained by
consumers and either transfer funds out of deposit accounts or incur
charges to credit card accounts. Identity thieves may also open new
accounts in the consumer's name, incur expenses, and then fail to
pay. This is likely to prompt creditors to attempt to collect
payment from the consumer for debts the consumer did not incur. In
addition, inaccurate adverse information about the consumer's
payment history may prevent the consumer from obtaining legitimate
credit when he or she needs it. An identity theft victim can spend
months or years attempting to correct errors in his or her credit
record.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
MONITORING AND UPDATING - MONITORING
Effective monitoring of threats includes both non-technical and
technical sources. Nontechnical sources include organizational
changes, business process changes, new business locations, increased
sensitivity of information, or new products and services. Technical
sources include new systems, new service providers, and increased
access. Security personnel and financial institution management must
remain alert to emerging threats and vulnerabilities. This effort
could include the following security activities:
! Senior management support for strong security policy awareness
and compliance. Management and employees must remain alert to
operational changes that could affect security and actively
communicate issues with security personnel. Business line managers
must have responsibility and accountability for maintaining the
security of their personnel, systems, facilities, and information.
! Security personnel should monitor the information technology
environment and review performance reports to identify trends, new
threats, or control deficiencies. Specific activities could include
reviewing security and activity logs, investigating operational
anomalies, and routinely reviewing system and application access
levels.
! Security personnel and system owners should monitor external
sources for new technical and nontechnical vulnerabilities and
develop appropriate mitigation solutions to address them. Examples
include many controls discussed elsewhere in this booklet including:
- Establishing an effective configuration
management process that monitors for vulnerabilities in hardware and
software and establishes a process to install and test security
patches,
- Maintaining up-to-date anti-virus definitions and
intrusion detection attack definitions, and
- Providing effective oversight of service providers and
vendors to identify and react to new security issues.
! Senior management should require periodic security
self-assessments and audits to provide an ongoing assessment of
policy compliance and ensure prompt corrective action of significant
deficiencies.
! Security personnel should have access to automated tools
appropriate for the complexity of the financial institution systems.
Automated security policy and security log analysis tools can
significantly increase the effectiveness and productivity of
security personnel.
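The bullets above name three concrete monitoring activities: reviewing security and activity logs, investigating operational anomalies, and routinely reviewing system and application access levels. The following is an added example (not code from the FFIEC booklet or this newsletter) showing what a minimal automated pass over those activities looks like. The log format, the sample log lines, the access inventory, the known-source baseline and the thresholds (3 failures in 5 minutes, 90 days of non-use) are all constructed assumptions for the illustration.

```python
"""Added illustration of the FFIEC monitoring bullets: review activity
logs for anomalies and review account access levels for dormant
privilege. Example code, not from the FFIEC booklet; the log format,
sample data and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format: ISO-8601 UTC
# timestamp followed by key=value fields).
SAMPLE_LOG = """\
2023-02-13T08:01:02Z user=alice src=10.0.0.5 result=success
2023-02-13T08:03:10Z user=bob src=10.0.0.7 result=success
2023-02-13T22:14:00Z user=alice src=203.0.113.9 result=failure
2023-02-13T22:14:05Z user=alice src=203.0.113.9 result=failure
2023-02-13T22:14:09Z user=alice src=203.0.113.9 result=failure
2023-02-13T22:14:12Z user=alice src=203.0.113.9 result=failure
2023-02-13T22:14:20Z user=alice src=203.0.113.9 result=success
2023-02-14T09:00:00Z user=carol src=10.0.0.9 result=success
"""

# Constructed baseline of source addresses each account normally uses.
KNOWN_SOURCES = {
    "alice": {"10.0.0.5"},
    "bob": {"10.0.0.7"},
    "carol": {"10.0.0.9"},
}

# Constructed access inventory: account -> (role, last successful use).
ACCESS_INVENTORY = {
    "alice": ("admin", "2023-02-13T22:14:20Z"),
    "bob": ("user", "2023-02-13T08:03:10Z"),
    "dave": ("admin", "2022-10-01T12:00:00Z"),  # dormant privileged account
}

FAILURE_THRESHOLD = 3                 # assumed: 3+ failures in window = burst
FAILURE_WINDOW = timedelta(minutes=5)  # assumed sliding window
STALE_DAYS = 90                        # assumed: unused this long -> review

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, TIME_FMT)
    return rec


def find_log_anomalies(log_text, known_sources):
    """Log review: report failure bursts per account and successful
    logins from a source address not in that account's baseline.
    Returns a list of (finding, user, src) tuples in log order."""
    findings = []
    recent_failures = defaultdict(list)
    baseline = {u: set(s) for u, s in known_sources.items()}  # do not mutate input
    for rec in map(parse_line, log_text.splitlines()):
        user, src = rec["user"], rec["src"]
        if rec["result"] == "failure":
            # Keep only failures inside the sliding window, then add this one.
            window = [t for t in recent_failures[user]
                      if rec["ts"] - t <= FAILURE_WINDOW]
            window.append(rec["ts"])
            recent_failures[user] = window
            if len(window) == FAILURE_THRESHOLD:  # flag once per burst
                findings.append(("failure_burst", user, src))
        else:
            if src not in baseline.setdefault(user, set()):
                findings.append(("new_source_login", user, src))
            baseline[user].add(src)
    return findings


def stale_access(inventory, now_iso):
    """Access-level review: accounts whose last successful use is older
    than STALE_DAYS relative to now_iso. Returns sorted account names."""
    cutoff = datetime.strptime(now_iso, TIME_FMT) - timedelta(days=STALE_DAYS)
    return sorted(
        user for user, (_role, last_used) in inventory.items()
        if datetime.strptime(last_used, TIME_FMT) < cutoff
    )


if __name__ == "__main__":
    for finding in find_log_anomalies(SAMPLE_LOG, KNOWN_SOURCES):
        print("log anomaly:", finding)
    for user in stale_access(ACCESS_INVENTORY, "2023-02-14T12:00:00Z"):
        print("stale access, review or disable:", user)
```

On the constructed data the log review flags one failure burst and one login from an unfamiliar address for the same account in the same minute, which is the kind of correlated anomaly the booklet's "investigating operational anomalies" item is about; the access review surfaces the dormant admin account that a periodic entitlement review should catch.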
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section I. Introduction & Overview
Chapter 1
INTRODUCTION - 1.4 Important Terminology
To understand the rest of the handbook, the reader must be
familiar with the following key terms and definitions as used in
this handbook. In the handbook, the terms computers and computer
systems are used to refer to the entire spectrum of information
technology, including application and support systems. Other key
terms include:
Computer Security: The protection afforded to an automated
information system in order to attain the applicable objectives of
preserving the integrity, availability and confidentiality of
information system resources (includes hardware, software, firmware,
information/data, and telecommunications).
Integrity: In lay usage, information has integrity when it
is timely, accurate, complete, and consistent. However, computers
are unable to provide or protect all of these qualities. Therefore,
in the computer security field, integrity is often discussed more
narrowly as having two facets: data integrity and system integrity.
"Data integrity is a requirement that information and programs are
changed only in a specified and authorized manner." System
integrity is a requirement that a system "performs its intended
function in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system." The definition
of integrity has been, and continues to be, the subject of much
debate among computer security experts.
Availability: A "requirement intended to assure that
systems work promptly and service is not denied to authorized
users."
Confidentiality: A requirement that private or confidential
information not be disclosed to unauthorized individuals.
1.5 Legal Foundation for Federal Computer Security Programs
The executive principles discussed in the next chapter explain the
need for computer security. In addition, within the federal
government, a number of laws and regulations mandate that agencies
protect their computers, the information they process, and related
technology resources (e.g., telecommunications). The most important
are listed below.
! The Computer Security Act of 1987 requires agencies to identify
sensitive systems, conduct computer security training, and develop
computer security plans.
! The Federal Information Resources Management Regulation (FIRMR)
is the primary regulation for the use, management, and acquisition
of computer resources in the federal government.
! OMB Circular A-130 (specifically Appendix III) requires that
federal agencies establish security programs containing specified
elements.
Note that many more specific requirements, many of which are
agency specific, also exist.
Federal managers are responsible for familiarity and compliance
with applicable legal requirements. However, laws and regulations do
not normally provide detailed instructions for protecting
computer-related assets. Instead, they specify requirements -- such
as restricting the availability of personal data to authorized
users. This handbook aids the reader in developing an effective,
overall security approach and in selecting cost-effective controls
to meet such requirements.