MISCELLANEOUS CYBERSECURITY NEWS:
US SEC Proposes 48-Hour Incident Reporting Requirement - The U.S.
Securities and Exchange Commission on Wednesday voted 3-1 to advance
new, mandatory cybersecurity rules for registered investment
advisers, companies and funds.
https://www.govinfosecurity.com/us-sec-proposes-48-hour-incident-reporting-requirement-a-18493
Senators want to require public companies to detail cyber expertise
of their boards - Maine Sens. Susan Collins and Angus King have
added their names to a letter this week calling on the Securities
and Exchange Commission to introduce new cybersecurity reporting
rules for publicly traded companies.
https://www.scmagazine.com/analysis/leadership/senators-want-to-require-public-companies-to-detail-cyber-expertise-of-their-boards
HIPAA modernization: How to maintain patient privacy in an age of
hyper-connectivity? - Last week, a proposed bipartisan bill hefted
the congressional health data privacy discussion off of the back
burner and reignited the potential for The Health Insurance
Portability and Accountability Act (HIPAA) modernization, or the
potential for a federal health data privacy law.
https://www.scmagazine.com/feature/application-security/hippa-modernization-maintaining-patient-privacy-in-age-of-hyper-connectivity
US Postal Service emergency records system will expand to support
ransomware, breach response - The U.S. Postal Service is expanding
the use of its emergency records systems to cover ransomware attacks
and other cybersecurity incidents.
https://www.scmagazine.com/analysis/data-security/us-postal-service-emergency-records-system-to-cover-ransomware-data-breaches
CaptureRX faces bankruptcy if $4.75M settlement in healthcare breach
lawsuit is not approved - NEC Networks, d/b/a CaptureRX, has reached
a settlement with the 2.42 million patients whose data was stolen
prior to a ransomware attack on the healthcare business associate in
early 2021. CaptureRX provides health IT services to a range of
provider organizations.
https://www.scmagazine.com/analysis/incident-response/capturerx-faces-bankruptcy-if-4-75m-settlement-in-healthcare-breach-lawsuit-is-not-approved
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
University Project Cataloged 1,100 Ransomware Attacks on Critical
Infrastructure - A Temple University research project that tracks
ransomware attacks on critical infrastructure has documented more
than 1,100 incidents to date.
https://www.securityweek.com/university-project-cataloged-1100-ransomware-attacks-critical-infrastructure
$1.13M settlement proposed in Inmediata Health in lawsuit over 2019
data breach - Inmediata Health Group has reached a $1.13 million
settlement in its class action lawsuit with the 1.6 million patients
affected by a 2019 cyber incident that resulted in a data breach and
subsequent mailing error.
https://www.scmagazine.com/analysis/incident-response/1-13m-settlement-proposed-in-inmediata-health-in-lawsuit-over-2019-data-breach
Security awareness training is always ongoing, experts say. The
financial industry is no exception - Arguably, financial
institutions are doing well with security awareness training,
especially when compared with other industries, owing to the
industry’s compliance demands and the extreme threat faced by these
organizations.
https://www.scmagazine.com/analysis/training/security-awareness-training-is-always-ongoing-experts-say-the-financial-industry-is-no-exception
South Shore Hospital network hack impacts data of 116K patients -
South Shore Hospital in Chicago recently notified 115,670 current
and former patients and employees that their data was affected after
a hack of the nonprofit’s network in early December.
https://www.scmagazine.com/analysis/breach/south-shore-hospital-network-hack-impacts-data-of-116k-patients
Philippine bank customers offered $200 Valentine’s Day gift via SMS
phishing scam - Researchers reported on Monday that customers of
UnionBank of the Philippines were the target of SMS phishing attacks
offering a gift of $200 (10,000 Philippine pesos) as a Valentine’s
Day treat for being a “loyal customer” of the bank.
https://www.scmagazine.com/news/mobile/philippine-bank-customers-offered-200-valentines-day-gift-via-sms-phishing-scam
49ers targeted in ransomware attack one day ahead of Super Bowl,
with all eyes on football - A ransomware gang targeted the San
Francisco 49ers the weekend of the Super Bowl, when all eyes are on
football, perhaps reinforcing the allure among cybercriminals of
high profile events.
https://www.scmagazine.com/news/ransomware/49ers-targeted-in-ransomware-attack-when-all-eyes-are-on-football
IT technician jailed for revenge cyber-attacks - An IT technician
has been jailed for revenge cyber-attacks on a school and IT firm
after both of the employers sacked him.
https://www.bbc.com/news/uk-england-leicestershire-60349121
Red Cross reveals actors exploited unpatched Zoho security flaw in
January breach - The Red Cross released new insights into the
cyberattack that led to the compromise of data tied to more than
515,000 people last month.
https://www.scmagazine.com/analysis/incident-response/red-cross-reveals-actors-exploited-unpatched-zoho-security-flaw-in-january-breach
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Sound Authorization Practices for E-Banking Applications
1. Specific authorization and access privileges should
be assigned to all individuals, agents or systems that conduct
e-banking activities.
2. All e-banking systems should be constructed to ensure that they
interact with a valid authorization database.
3. No individual, agent or system should have the authority to
change his or her own authority or access privileges in an e-banking
authorization database.
4. Any addition of an individual, agent or system or changes to
access privileges in an e-banking authorization database should be
duly authorized by an authenticated source empowered with the
adequate authority and subject to suitable and timely oversight and
audit trails.
5. Appropriate measures should be in place in order to make
e-banking authorization databases reasonably resistant to tampering.
Any such tampering should be detectable through ongoing monitoring
processes. Sufficient audit trails should exist to document any such
tampering.
6. Any e-banking authorization database that has been tampered
with should not be used until replaced with a validated database.
7. Controls should be in place to prevent changes to authorization
levels during e-banking transaction sessions and any attempts to
alter authorization should be logged and brought to the attention of
management.
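The seven principles above read as a checklist; the following small Python authorization store is an added example (not from the Basel paper) of what principles 3 through 7 look like in code: a hash-chained, HMAC-sealed audit trail, refusal of self-modification and of changes to a principal inside an active transaction session, and an integrity check that takes a tampered database out of use. The key, class and method names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed example; in production the key lives in an HSM, not beside the data.
AUDIT_KEY = b"hypothetical-key-held-outside-the-database"

class AuthorizationDB:
    def __init__(self, privileges):
        self.privileges = {p: set(v) for p, v in privileges.items()}
        self.audit = []               # hash-chained, HMAC-sealed audit trail
        self.active_sessions = set()  # principals inside a transaction session
        self.trusted = True           # cleared once tampering is detected

    def _entry_mac(self, entry, prev_mac):
        body = json.dumps(entry, sort_keys=True) + prev_mac
        return hmac.new(AUDIT_KEY, body.encode(), hashlib.sha256).hexdigest()

    def _log(self, **entry):
        prev = self.audit[-1]["mac"] if self.audit else ""
        self.audit.append({**entry, "mac": self._entry_mac(entry, prev)})

    def change_privileges(self, actor, authenticated, target, new_privs):
        if not self.trusted:  # principle 6: a tampered database is not used
            raise RuntimeError("authorization database failed integrity check")
        entry = dict(actor=actor, target=target, privs=sorted(new_privs))
        if not authenticated or "admin" not in self.privileges.get(actor, ()):
            self._log(**entry, ok=False, why="not an authenticated, empowered source")
            raise PermissionError("principle 4: change not duly authorized")
        if actor == target:
            self._log(**entry, ok=False, why="self-modification")
            raise PermissionError("principle 3: cannot change own privileges")
        if target in self.active_sessions:
            self._log(**entry, ok=False, why="target in active session")
            raise PermissionError("principle 7: no changes during a session")
        self.privileges[target] = set(new_privs)
        self._log(**entry, ok=True)
        return True

    def verify_integrity(self):
        # Principle 5: recompute the chain; an edited or reordered entry breaks
        # it (detecting a truncated tail needs the latest MAC kept elsewhere).
        prev = ""
        for rec in self.audit:
            entry = {k: v for k, v in rec.items() if k != "mac"}
            if not hmac.compare_digest(rec["mac"], self._entry_mac(entry, prev)):
                self.trusted = False
                return False
            prev = rec["mac"]
        return True
```

Every refused attempt is itself logged, so the audit trail also records who tried to escalate and when.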
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Policy (Part 2 of 3)
Firewalls are an essential control for a financial institution
with an Internet connection and provide a means of protection
against a variety of attacks. Firewalls should not be relied upon,
however, to provide full protection from attacks. Institutions
should complement firewalls with strong security policies and a
range of other controls. In fact, firewalls are potentially
vulnerable to attacks including:
- Spoofing trusted IP addresses;
- Denial of service by overloading the firewall with excessive
requests or malformed packets;
- Sniffing of data that is being transmitted outside the network;
- Hostile code embedded in legitimate HTTP, SMTP, or other traffic
that meets all firewall rules;
- Attacks on unpatched vulnerabilities in the firewall hardware or
software;
- Attacks through flaws in the firewall design providing
relatively easy access to data or services residing on firewall or
proxy servers; and
- Attacks against machines and communications used for remote
administration.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.1 Benefits and Objectives
Audit trails can provide a means to help accomplish several
security-related objectives, including individual accountability,
reconstruction of events, intrusion detection, and problem analysis.
An event is any action that happens on a computer system.
Examples include logging into a system, executing a program, and
opening a file.
18.1.1 Individual Accountability
Audit trails are a technical mechanism that helps managers maintain
individual accountability. By advising users that they are
personally accountable for their actions, which are tracked by an
audit trail that logs user activities, managers can help promote
proper user behavior. Users are less likely to attempt to circumvent
security policy if they know that their actions will be recorded in
an audit log.
For example, audit trails can be used in concert with access
controls to identify and provide information about users suspected
of improper modification of data (e.g., introducing errors into a
database). An audit trail may record "before" and "after" versions
of records. (Depending upon the size of the file and the
capabilities of the audit logging tools, this may be very
resource-intensive.) Comparisons can then be made between the actual
changes made to records and what was expected. This can help
management determine if errors were made by the user, by the system
or application software, or by some other source.
Audit trails work in concert with logical access controls, which
restrict use of system resources. Granting users access to
particular resources usually means that they need that access to
accomplish their job. Authorized access, of course, can be misused,
which is where audit trail analysis is useful. While users cannot be
prevented from using resources to which they have legitimate access
authorization, audit trail analysis is used to examine their
actions. For example, consider a personnel office in which users
have access to those personnel records for which they are
responsible.
Audit trails can reveal that an individual is printing far more
records than the average user, which could indicate the selling of
personal data. Another example may be an engineer who is using a
computer for the design of a new product. Audit trail analysis could
reveal that an outgoing modem was used extensively by the engineer
the week before quitting. This could be used to investigate whether
proprietary data files were sent to an unauthorized party.
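The two analyses this section describes, spotting the user who prints far more records than the average and comparing "before" and "after" versions of a record against the expected change, look like this in practice. This is an added example, not part of the NIST Handbook; the key=value audit line format, the sample lines and the 10 percent salary rule are constructed for the illustration.

```python
import json
import re
from collections import Counter
from statistics import mean

# Constructed audit-trail lines in a hypothetical key=value format (not real data).
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"record=(?P<record>\S+)(?: before=(?P<before>\{.*?\}) after=(?P<after>\{.*\}))?$")
AUDIT_LOG = "\n".join(
    ["2022-02-14T09:01:10 user=amy action=PRINT record=P-1001",
     "2022-02-14T09:02:30 user=amy action=PRINT record=P-1002",
     "2022-02-14T09:05:12 user=ben action=PRINT record=P-2001"]
    + [f"2022-02-14T09:{10 + i:02d}:00 user=cara action=PRINT record=P-3{i:03d}" for i in range(12)]
    + ['2022-02-14T10:15:00 user=ben action=MODIFY record=P-2001 before={"salary": 52000} after={"salary": 53000}',
       '2022-02-14T10:16:05 user=ben action=MODIFY record=P-2002 before={"salary": 48000} after={"salary": 480000}'])

def parse(log):
    """Turn raw audit lines into event dicts; before/after are decoded as JSON."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in practice count these: unparseable lines can signal tampering
        ev = m.groupdict()
        for k in ("before", "after"):
            ev[k] = json.loads(ev[k]) if ev[k] else None
        events.append(ev)
    return events

def heavy_printers(events, factor=2.0):
    """Users whose PRINT volume exceeds `factor` times the per-user average."""
    counts = Counter(e["user"] for e in events if e["action"] == "PRINT")
    if not counts:
        return []
    threshold = factor * mean(counts.values())
    return sorted(u for u, n in counts.items() if n > threshold)

def unexpected_changes(events, is_expected):
    """(user, record) pairs whose before/after change fails the rule `is_expected`."""
    return [(e["user"], e["record"]) for e in events
            if e["action"] == "MODIFY" and not is_expected(e["before"], e["after"])]

def raise_within_10_percent(before, after):
    """Hypothetical business rule: a salary edit may raise pay by at most 10 percent."""
    return before["salary"] <= after["salary"] <= before["salary"] * 1.10
```

The flagged results are leads for management to investigate, not verdicts: the heavy printer may have a legitimate reason, which is exactly the question the audit trail lets a manager ask.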