MISCELLANEOUS CYBERSECURITY NEWS:
A third of employees admit finding work arounds to security policies
- Employers are having a hard time keeping up with their distributed
workforce - and keeping the devices they use secure - as one new
study shows.
https://www.scmagazine.com/news/device-security/a-third-of-employees-admit-finding-work-arounds-to-security-policies
Healthcare sector saw largest increase in IoT malware attacks in
2021 - The healthcare sector saw the largest increase in targeted IoT
malware attacks in 2021, according to the latest annual SonicWall
Cyber Threat Report.
https://www.scmagazine.com/analysis/iot/healthcare-sector-saw-largest-increase-in-iot-malware-attacks-in-2021-report-confirms
More than 100 tech companies, cyber organizations rally around 5
baseline security standards for IoT devices - More than 100 tech and
cybersecurity entities are calling for governments and industry to
move towards universal standards for baseline security when it comes
to Internet of Things devices.
https://www.scmagazine.com/analysis/iot/more-than-100-tech-companies-cyber-organizations-rally-around-5-baseline-security-standards-for-iot-devices
Businessman admits to working as spyware broker in US and Mexico - A
businessman has pleaded guilty to charges laid against him for
selling and using surveillance tools and malware in Mexico and the
United States.
https://www.zdnet.com/article/businessman-admits-to-working-as-spyware-broker-in-us-and-mexico/
Former OCR Director on access rights, HIPAA enforcement: ‘It’s not
about gotcha’ - Under Director Roger Severino, the Department of
Health and Human Services Office for Civil Rights issued a record
number of enforcement actions for potential and sometimes egregious
violations of the Health Insurance Portability and Accountability
Act, particularly around a patient’s right to access their health
information.
https://www.scmagazine.com/feature/compliance/former-ocr-director-on-access-rights-hipaa-enforcement-its-not-about-gotcha
Banking customers are overwhelmed by fraud, but trust their
financial institutions - An overabundance of confidence among
customers can pose significant risk for the financial firms that
seek to mitigate fraud.
https://www.scmagazine.com/analysis/identity-and-access/banking-customers-are-overwhelmed-by-fraud-but-trust-their-financial-institutions
NIST wants public input on updates to Cybersecurity Framework,
supply chain security - The National Institute for Standards and
Technology (NIST) is asking for help from the public to update one
of its flagship cybersecurity guidelines and inform a new initiative
on supply chain security.
https://www.scmagazine.com/analysis/policy/nist-wants-public-input-on-updates-to-cybersecurity-framework-supply-chain-security
CISA publishes guide with free cybersecurity tools, resources for
incident response - The resources can provide a foundation for
dealing with the aftermath of cyberattacks.
https://www.zdnet.com/article/cisa-publishes-guide-with-free-cybersecurity-tools-resources-for-incident-response/
https://www.cisa.gov/free-cybersecurity-services-and-tools
Nearly 80% of organizations saw an email-based ransomware attack in
2021 - Proofpoint on Tuesday released research that said 78% of
organizations saw an email-based ransomware attack in 2021, while
77% faced business email compromise (BEC) attacks.
https://www.scmagazine.com/news/phishing/nearly-80-of-organizations-saw-an-email-based-ransomware-attack-in-2021
More lawsuits filed against QRS, Sea Mar, TTEC after separate data
theft incidents - Two healthcare business associates and one covered
entity are facing multiple class-action lawsuits, centered around
the theft of patient data and alleged security failings. QRS, TTEC,
and Sea Mar Community Health Centers were hit with separate lawsuits
in the last week.
https://www.scmagazine.com/analysis/breach/more-lawsuits-filed-against-qrs-sea-mar-ttec-after-separate-data-theft-incidents
As costs tied to ransomware attacks pile, financial firms lack
confidence in backup strategy - Financial institutions lack
confidence in their security controls, especially since they are
spending $170,000 per incident on staffing issues alone related to
ransomware attacks, with employees spending an average of 190 hours
to handle “containment and remediation activities.”
https://www.scmagazine.com/analysis/ransomware/as-ransoms-on-malware-attacks-grow-financial-firms-lack-confidence
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Red Cross: State hackers breached our network using Zoho bug - The
International Committee of the Red Cross (ICRC) said today that the
hack disclosed last month against its servers was a targeted attack
likely coordinated by a state-backed hacking group.
https://www.bleepingcomputer.com/news/security/red-cross-state-hackers-breached-our-network-using-zoho-bug/
US Agencies Say Russian Hackers Compromised Defense Contractors -
Kremlin-backed cyber actors lurked in the networks for months,
obtaining sensitive documents related to weapons and infrastructure
development.
https://www.wired.com/story/us-says-russian-hackers-compromised-defense-contractors/
Ukraine crisis: Russian cyberattacks could affect organisations
around the world, so take action now - Mandiant warns that the
history of Russian cyber aggression could lead to attacks that
spread far beyond Ukraine - but if organisations have a robust
cybersecurity strategy in place, there's no need to panic.
https://www.zdnet.com/article/ukraine-crisis-russian-cyberattacks-could-affect-organisations-around-the-world-so-take-action-now/
Third-party vendor Morley reports data theft impacting 521K
individuals - Morley recently reported a security incident from
August 2021 that led to the theft of data tied to 521,046 clients
and former and current employees. The third-party vendor provides a
range of services in the U.S., including those for the healthcare
sector. The incident is the second-largest healthcare data breach
reported in 2022, so far.
https://www.scmagazine.com/analysis/breach/third-party-vendor-morley-reports-data-theft-impacting-521k-individuals
Ukraine organizations hit by new wiper malware - After Russia
announced it would send troops into Ukraine under the guise of a
peacekeeping mission, new wiper malware has started targeting
Ukrainian enterprises Wednesday. The wiper malware follows DDoS and
SMS spam attacks on Ukraine earlier in the day. The sample has also
been seen in Lithuania and Latvia.
https://www.scmagazine.com/analysis/apt/ukraine-organizations-hit-by-new-wiper-malware
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Sound Audit Trail Practices for E-Banking Systems
1. Sufficient logs should be maintained for all e-banking
transactions to help establish a clear audit trail and assist in
dispute resolution.
2. E-banking systems should be designed and installed to capture
and maintain forensic evidence in a manner that maintains control
over the evidence, and prevents tampering and the collection of
false evidence.
3. In instances where processing systems and related audit trails
are the responsibility of a third-party service provider:
a) The bank should ensure that it has access to relevant audit
trails maintained by the service provider.
b) Audit trails maintained by the service provider meet the
bank's standards.
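Practices 1 and 2 above call for logs that are complete and that cannot be quietly altered. An added example (not from the Basel paper or this newsletter) of one way to build that property into an e-banking audit trail: each entry carries an HMAC over its own content and the previous entry's tag, so an in-place edit, a deletion or a reordering invalidates every tag that follows. The key, the address ranges and the transactions are constructed for the example.

```python
import hashlib
import hmac
import json

# Hypothetical key for the example only. In practice the verification key is
# held by the log-collection or audit function, not by the system writing entries.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS_TAG = "0" * 64

# Constructed e-banking transactions (sample data, not real customers).
SAMPLE_TRANSACTIONS = [
    {"ts": "2022-02-23T09:15:02Z", "user": "cust-1042", "action": "login", "src": "203.0.113.7"},
    {"ts": "2022-02-23T09:16:40Z", "user": "cust-1042", "action": "transfer",
     "to": "acct-5588", "amount": "250.00"},
    {"ts": "2022-02-23T09:17:05Z", "user": "cust-1042", "action": "logout"},
]


def _canonical(record):
    # Stable serialisation so the same record always produces the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def _tag(prev_tag, body, key):
    return hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append_entry(chain, record, key=AUDIT_KEY):
    """Append a record to the audit chain.

    Each tag covers the entry's content and the previous entry's tag, so
    editing, deleting or reordering an earlier entry breaks every tag after it.
    """
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    body = _canonical(record)
    chain.append({"seq": len(chain), "prev": prev_tag, "body": body,
                  "tag": _tag(prev_tag, body, key)})
    return chain


def verify_chain(chain, key=AUDIT_KEY, anchored_tag=None):
    """Return (ok, first_bad_seq); first_bad_seq is None when the chain is intact.

    anchored_tag is the last tag as recorded out of band (for example, exported
    daily to the bank by a third-party provider); without it, removing entries
    from the tail of the chain cannot be detected.
    """
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        expected = _tag(prev_tag, entry["body"], key)
        if (entry["seq"] != i or entry["prev"] != prev_tag
                or not hmac.compare_digest(expected, entry["tag"])):
            return False, i
        prev_tag = entry["tag"]
    if anchored_tag is not None and prev_tag != anchored_tag:
        return False, len(chain)
    return True, None


def build_sample_chain():
    chain = []
    for record in SAMPLE_TRANSACTIONS:
        append_entry(chain, record)
    return chain


def tamper_amount(chain):
    """Simulate an in-place edit of a stored transaction amount."""
    record = json.loads(chain[1]["body"])
    record["amount"] = "25000.00"
    chain[1]["body"] = _canonical(record)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("edited:", verify_chain(tamper_amount(build_sample_chain())))
    print("entry removed:", verify_chain(chain[:1] + chain[2:]))
    print("tail truncated, no anchor:", verify_chain(chain[:-1]))
    print("tail truncated, with anchor:",
          verify_chain(chain[:-1], anchored_tag=chain[-1]["tag"]))
```

The anchor parameter is the part that matters for practice 3: a chain verifies cleanly after its newest entries are dropped, so the bank needs the provider's latest tag delivered to it on a fixed schedule and kept where the provider cannot change it.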
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Policy (Part 3 of 3)
Financial institutions can reduce their vulnerability to these
attacks somewhat through network configuration and design, sound
implementation of their firewall architecture that includes multiple
filter points, active firewall monitoring and management, and
integrated intrusion detection. In most cases, additional access
controls within the operating system or application will provide an
additional means of defense.
Given the importance of firewalls as a means of access control,
good practices include:
! Hardening the firewall by removing all unnecessary services and
appropriately patching, enhancing, and maintaining all software on
the firewall unit;
! Restricting network mapping capabilities through the firewall,
primarily by blocking inbound ICMP traffic;
! Using a ruleset that disallows all traffic that is not
specifically allowed;
! Using NAT and split DNS (domain name service) to hide internal
system names and addresses from external networks (split DNS uses
two domain name servers, one to communicate outside the network, and
the other to offer services inside the network);
! Using proxy connections for outbound HTTP connections;
! Filtering malicious code;
! Backing up firewalls to internal media, and not backing up the
firewall to servers on protected networks;
! Logging activity, with daily administrator review;
! Using intrusion detection devices to monitor actions on the
firewall and to monitor communications allowed through the firewall;
! Administering the firewall using encrypted communications and
strong authentication, only accessing the firewall from secure
devices, and monitoring all administrative access;
! Limiting administrative access to few individuals; and
! Making changes only through well-administered change control
procedures.
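Several of the practices above (a ruleset that denies whatever is not explicitly allowed, blocking inbound ICMP, proxying outbound HTTP, restricting administrative access to secure devices, logging for daily review) are easiest to see together in a small first-match packet filter. The following is an added example, not from the FFIEC booklet or this newsletter; the ruleset, interface names and addresses (documentation ranges) are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str            # "ext" = arrived on the Internet-facing interface,
                          # "int" = arrived from a protected (internal/DMZ) interface
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    iface: str
    proto: str            # protocol name or "any"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dports: frozenset = field(default_factory=frozenset)   # empty = any port

    def matches(self, pkt):
        return (self.iface == pkt.iface
                and self.proto in ("any", pkt.proto)
                and (self.src == "any" or ip_address(pkt.src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(pkt.dst) in ip_network(self.dst))
                and (not self.dports or pkt.dport in self.dports))


# Constructed ruleset using documentation address ranges (assumptions, not a
# real institution's policy): 192.0.2.0/24 is the DMZ, 192.0.2.10 the web proxy,
# 192.0.2.1 the firewall's own address, 10.0.5.0/24 the management subnet.
RULESET = [
    Rule("drop-inbound-icmp", "deny", "ext", "icmp", "any", "any"),
    Rule("public-web-to-dmz", "allow", "ext", "tcp", "any", "192.0.2.0/24", frozenset({443})),
    Rule("proxy-outbound-web", "allow", "int", "tcp", "192.0.2.10/32", "any", frozenset({80, 443})),
    Rule("fw-admin-from-mgmt", "allow", "int", "tcp", "10.0.5.0/24", "192.0.2.1/32", frozenset({22})),
    # No final "allow any": everything unmatched falls through to the default deny below.
]


def evaluate(rules, pkt, log):
    """First matching rule wins; anything unmatched is denied. Denials are logged."""
    for rule in rules:
        if rule.matches(pkt):
            verdict = (rule.action, rule.name)
            break
    else:
        verdict = ("deny", "default-deny")
    if verdict[0] == "deny":
        log.append({"rule": verdict[1], "iface": pkt.iface, "proto": pkt.proto,
                    "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport})
    return verdict


def denials_by_source(log):
    """Denied packets per source address, the kind of summary a daily review starts from."""
    counts = {}
    for entry in log:
        counts[entry["src"]] = counts.get(entry["src"], 0) + 1
    return counts


if __name__ == "__main__":
    log = []
    for pkt in [
        Packet("ext", "icmp", "198.51.100.9", "192.0.2.10"),
        Packet("ext", "tcp", "198.51.100.9", "192.0.2.10", 443),
        Packet("int", "tcp", "10.0.3.4", "198.51.100.20", 80),   # workstation not using the proxy
        Packet("ext", "tcp", "198.51.100.9", "192.0.2.1", 22),    # admin port reached from outside
    ]:
        print(pkt, "->", evaluate(RULESET, pkt, log))
    print(denials_by_source(log))
```

The design point is the absent rule: because nothing at the end of RULESET allows "any", a workstation that tries to reach the web directly, or a connection to the firewall's own administrative port from outside, is dropped and appears in the denial summary without anyone having written a rule for it.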
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.1 Benefits and Objectives
18.1.2 Reconstruction of Events
Audit trails can also be used to reconstruct events after a problem
has occurred. Damage can be more easily assessed by reviewing audit
trails of system activity to pinpoint how, when, and why normal
operations ceased. Audit trail analysis can often distinguish
between operator-induced errors (during which the system may have
performed exactly as instructed) and system-created errors (e.g.,
arising from a poorly tested piece of replacement code). If, for
example, a system fails or the integrity of a file (either program
or data) is questioned, an analysis of the audit trail can
reconstruct the series of steps taken by the system, the users, and
the application. Knowledge of the conditions that existed at the
time of, for example, a system crash, can be useful in avoiding
future outages. Additionally, if a technical problem occurs (e.g.,
the corruption of a data file) audit trails can aid in the recovery
process (e.g., by using the record of changes made to reconstruct
the file).
18.1.3 Intrusion Detection
Intrusion detection refers to the process of identifying
attempts to penetrate a system and gain unauthorized access.
If audit trails have been designed and implemented to record
appropriate information, they can assist in intrusion detection.
Although normally thought of as a real-time effort, intrusions can
be detected in real time, by examining audit records as they are
created (or through the use of other kinds of warning
flags/notices), or after the fact (e.g., by examining audit records
in a batch process).
Real-time intrusion detection is primarily aimed at outsiders
attempting to gain unauthorized access to the system. It may also be
used to detect changes in the system's performance indicative of,
for example, a virus or worm attack. There may be difficulties in
implementing real-time auditing, including unacceptable system
performance.
After-the-fact identification may indicate that unauthorized access
was attempted (or was successful). Attention can then be given to
damage assessment or reviewing controls that were attacked.
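Sections 18.1.2 and 18.1.3 describe two uses of the same records: after-the-fact detection by examining audit records in batch, and reconstruction of the sequence of events for damage assessment. An added example (not from the NIST Handbook or this newsletter) that does both over a handful of constructed audit records; the line format, event names, addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (sample data, not from a real system). The line
# format is an assumption for the example:
# "<timestamp> <EVENT> user=<name> src=<ip> [extra]".
SAMPLE_AUDIT_LOG = """\
2022-02-23T08:00:11Z LOGIN_OK user=alice src=10.0.3.4
2022-02-23T08:02:45Z LOGIN_FAIL user=admin src=198.51.100.23
2022-02-23T08:02:51Z LOGIN_FAIL user=admin src=198.51.100.23
2022-02-23T08:02:58Z LOGIN_FAIL user=admin src=198.51.100.23
2022-02-23T08:03:05Z LOGIN_FAIL user=admin src=198.51.100.23
2022-02-23T08:03:14Z LOGIN_FAIL user=admin src=198.51.100.23
2022-02-23T08:03:20Z LOGIN_OK user=admin src=198.51.100.23
2022-02-23T08:04:02Z FILE_WRITE user=admin src=198.51.100.23 path=/opt/app/config.ini
2022-02-23T08:10:00Z LOGIN_FAIL user=bob src=10.0.3.9
2022-02-23T08:30:00Z LOGIN_FAIL user=bob src=10.0.3.9
2022-02-23T08:31:00Z LOGIN_OK user=bob src=10.0.3.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)(?: (.*))?$")


def parse_audit_log(text):
    """Parse records into dicts. Lines that do not fit the format are returned
    separately rather than dropped, since a malformed record is itself a finding."""
    events, rejected = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        events.append({"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                       "event": m.group(2), "user": m.group(3),
                       "src": m.group(4), "extra": m.group(5) or ""})
    events.sort(key=lambda e: e["ts"])
    return events, rejected


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Batch (after-the-fact) detection: `threshold` or more failed logins from
    one source inside `window`, and whether a successful login followed, which
    is the case where unauthorized access may have succeeded (18.1.3)."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] in ("LOGIN_FAIL", "LOGIN_OK"):
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event"] == "LOGIN_FAIL"]
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if last["ts"] - first["ts"] <= window:
                success = next((e for e in evs
                                if e["event"] == "LOGIN_OK" and e["ts"] > last["ts"]), None)
                alerts.append({"src": src, "failures": len(fails),
                               "first_failure": first["ts"],
                               "succeeded_at": success["ts"] if success else None})
                break   # one alert per source is enough for the review queue
    return alerts


def reconstruct(events, src, since=None):
    """Ordered sequence of everything a source did, for damage assessment (18.1.2)."""
    return [(e["ts"].isoformat(), e["event"], e["user"], e["extra"])
            for e in events if e["src"] == src and (since is None or e["ts"] >= since)]


if __name__ == "__main__":
    events, rejected = parse_audit_log(SAMPLE_AUDIT_LOG)
    for alert in detect_failed_login_bursts(events):
        print("ALERT", alert)
        for step in reconstruct(events, alert["src"], since=alert["first_failure"]):
            print("   ", *step)
```

In the sample data the two slow failures from bob's workstation stay below the threshold, while the burst against the admin account is flagged together with the login that followed it, and the reconstruction then shows what that session touched afterwards, which is the damage-assessment question the section ends on.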