MISCELLANEOUS CYBERSECURITY NEWS:
Microsoft will not offer extended support for Exchange Server 2013,
sets April 11 end date - Microsoft confirmed on Thursday that it
will not offer extended support for Exchange Server 2013 after April
11.
https://www.scmagazine.com/news/application-security/microsoft-will-not-offer-extended-support-for-exchange-server-2013-sets-april-11-end-date
DNA Diagnostics to pay $400K after breach affected 2.1 million
patients - DNA Diagnostics Center has agreed to pay the states of
Pennsylvania and Ohio $400,000 and improve its security practices to
resolve claims it failed to use reasonable security measures to
protect patient data, following a 2021 breach that impacted 2.1
million people.
https://www.scmagazine.com/news/data-security/dna-diagnostics-to-pay-400k-after-breach-affected-2-1-million-patients
Open-source package with millions of downloads vulnerable to account
takeover - Researchers found a popular npm software package with
nearly 4 million weekly downloads that is vulnerable to account
takeover attacks and could affect over 1,000 organizations.
https://www.scmagazine.com/analysis/devops/open-source-package-with-millions-of-downloads-vulnerable-to-account-takeover
Computer Crime: Britain Plans to Overhaul 32-Year-Old Law - The
British government is proposing to give itself more law enforcement
powers against hackers in a public consultation critics say is
marred by a lack of concrete proposals to shield security
researchers acting in good faith.
https://www.govinfosecurity.com/computer-crime-britain-plans-to-overhaul-32-year-old-law-a-21229
HHS: Healthcare continues to struggle with HIPAA compliance, IT
security - Healthcare entities are continuing to struggle with
meeting compliance requirements of the Health Insurance Portability
and Accountability Act, particularly with securing network servers
from hacking and IT risks, according to the Office for Civil Rights
annual congressional report.
https://www.scmagazine.com/news/compliance/hhs-healthcare-continues-to-struggle-with-hipaa-compliance-it-security
What is SASE? - Secure access service edge, or SASE for short, is a
modern model of secure networking that discards the older perimeter-
and data-center-based models and applies cloud- and software-based
principles to move the security "center" closer to the edge user, no
matter where that user may be.
https://www.scmagazine.com/resource/cloud-security/what-is-sase
How to optimize for best performance - Now that you’ve configured
and deployed MDR, it won’t take long to see the pay-off. With a pool
of dedicated threat hunters and infosec warriors vigilantly
attending to your network, your organization can expect to see
dramatic improvement when it comes to discovering and eliminating
potential threats.
https://www.scmagazine.com/resource/ransomware/mdr-how-to-optimize-for-best-performance
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Atlassian confirms employee data stolen, leaked via third-party
Envoy account - Australian software company Atlassian confirmed that
employee data has been leaked on the web through an account they use
on a third-party application.
https://www.scmagazine.com/news/breach/atlassian-confirms-breach-of-third-party-app-resulted-in-leak-of-employee-data
Hyundai and Kia issue software upgrades to thwart killer TikTok car
theft hack - Korean car-makers Hyundai and Kia will issue software
updates to some of their models after a method of stealing them
circulated on TikTok, leading to many thefts and even some deaths.
https://www.theregister.com/2023/02/15/hyundai_kia_software_upgrades/
Health info for 1 million patients stolen using critical GoAnywhere
vulnerability - One of the biggest hospital chains in the US said
hackers obtained protected health information for 1 million patients
after exploiting a vulnerability in an enterprise software product
called GoAnywhere.
https://arstechnica.com/information-technology/2023/02/goanywhere-vulnerability-exploit-used-to-steal-health-info-of-1-million-patients/
CommonSpirit Health cyberattack, month-long network outage cost
$150M - The ransomware attack and subsequent month-long network
outage at CommonSpirit Health in October cost the major health
system at least $150 million to date, according to its unaudited
quarterly financial report.
https://www.scmagazine.com/news/ransomware/commonspirit-health-cyberattack-network-outage-cost-150m
GoDaddy: Hackers stole source code, installed malware in multi-year
breach - Web hosting giant GoDaddy says it suffered a breach where
unknown attackers have stolen source code and installed malware on
its servers after breaching its cPanel shared hosting environment in
a multi-year attack.
https://www.bleepingcomputer.com/news/security/godaddy-hackers-stole-source-code-installed-malware-in-multi-year-breach/
https://www.scmagazine.com/news/breach/godaddy-blasted-breach
Intruder alert: FBI tackles 'isolated' IT security breach - The FBI
claims it has dealt with a cybersecurity "incident" that reportedly
involved computer systems being used to investigate.
https://www.theregister.com/2023/02/17/fbi_security_incident/
Two data centers used by major tech firms hacked - Two Asia-based
data centers used by major global corporations were targeted in a
series of cyberattacks first identified in 2021 and as recently as
January 2023.
https://www.scmagazine.com/news/cloud-security/datacenters-major-firms-hacked
NPM repository flooded with 15,000 phishing packages - The battle
against threat actors targeting the open-source ecosystem continues,
with researchers observing a sudden surge of over 15,000 phishing
packages flooding NPM, the world's largest free software registry.
https://www.scmagazine.com/analysis/devops/npm-repository-15000-phishing-packages
Patient data stolen ahead of CentraState cyberattack, impacting 617K
- CentraState has confirmed that threat actors stole a copy of an
archived database containing patient data ahead of its reported
cyberattack and subsequent network outage in December and January.
https://www.scmagazine.com/news/ransomware/patient-data-stolen-centrastate-cyberattack-impacting-617k
Clop ransomware hack of Fortra GoAnywhere MFT hits 1M CHS patients -
The Clop ransomware group's exploitation of a zero-day vulnerability
found in the Fortra GoAnywhere MFT has compromised more than 130
organizations.
https://www.scmagazine.com/news/ransomware/clop-ransomware-hack-of-fortra-goanywhere-mft-hits-1m-chs-patients
WEB SITE COMPLIANCE - This week continues our series on the FDIC's
Supervisory Policy on Identity Theft. (Part 3 of 6)
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address
identity theft. The FDIC acts directly, often in conjunction with
other Federal regulators, by promulgating standards that financial
institutions are expected to meet to protect customers' sensitive
information and accounts. The FDIC enforces these standards against
the institutions under its supervision and encourages all financial
institutions to educate their customers about steps they can take to
reduce the chances of becoming an identity theft victim. The FDIC
also sponsors and conducts a variety of consumer education efforts
to make consumers more aware of the ways they can protect themselves
from identity thieves.
FFIEC IT SECURITY - We conclude our series on the FFIEC interagency
Information Security Booklet.
MONITORING AND UPDATING - UPDATING
Financial institutions should evaluate the information gathered
to determine the extent of any required adjustments to the various
components of their security program. The institution will need to
consider the scope, impact, and urgency of any new threat. Depending
on the new threat or vulnerability, the institution will need to
reassess the risk and make changes to its security process (e.g.,
the security strategy, the controls implementation, or the security
testing requirements).
Institution management confronts routine security issues and
events on a regular basis. In many cases, the issues are relatively
isolated and may be addressed through an informal or targeted risk
assessment embedded within an existing security control process. For
example, the institution might assess the risk of a new operating
system vulnerability before testing and installing the patch. More
systemic events like mergers, acquisitions, new systems, or system
conversions, however, would warrant a more extensive security risk
assessment. Regardless of the scope, the potential impact and the
urgency of the risk exposure will dictate when and how controls are
changed.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 2 - ELEMENTS OF COMPUTER SECURITY
2.1 Computer Security Supports the Mission of the Organization.
The purpose of computer security is to protect an organization's
valuable resources, such as information, hardware, and software.
Through the selection and application of appropriate safeguards,
security helps the organization's mission by protecting its physical
and financial resources, reputation, legal position, employees, and
other tangible and intangible assets. Unfortunately, security is
sometimes viewed as thwarting the mission of the organization by
imposing poorly selected, bothersome rules and procedures on users,
managers, and systems. On the contrary, well-chosen security rules
and procedures do not exist for their own sake -- they are put in
place to protect important assets and thereby support the overall
organizational mission.
Security, therefore, is a means to an end and not an end in
itself. For example, in a private-sector business, having good
security is usually secondary to the need to make a profit.
Security, then, ought to increase the firm's ability to make a
profit. In a public-sector agency, security is usually secondary to
the agency's service provided to citizens. Security, then, ought to
help improve the service provided to the citizen.
To act on this, managers need to understand both their
organizational mission and how each information system supports that
mission. After a system's role has been defined, the security
requirements implicit in that role can be defined. Security can then
be explicitly stated in terms of the organization's mission.
The roles and functions of a system may not be constrained to a
single organization. In an interorganizational system, each
organization benefits from securing the system. For example, for
electronic commerce to be successful, each of the participants
requires security controls to protect their resources. However, good
security on the buyer's system also benefits the seller; the buyer's
system is less likely to be used for fraud or to be unavailable or
otherwise negatively affect the seller. (The reverse is also true.)