MISCELLANEOUS CYBERSECURITY NEWS:
NIST publishes Cybersecurity Framework 2.0: 3 key
takeaways - NIST released its Cybersecurity Framework 2.0 (CSF 2.0)
on Monday, introducing a new core structure, resource catalog and
overall scope of application to the already widely used resource.
https://www.scmagazine.com/news/nist-publishes-cybersecurity-framework-2-0-3-key-takeaways
AT&T’s botched network update caused yesterday’s major wireless
outage - AT&T said a botched update related to a network expansion
caused the wireless outage that disrupted service for many mobile
customers yesterday.
https://arstechnica.com/tech-policy/2024/02/atts-botched-network-update-caused-yesterdays-major-wireless-outage/
HHS reaches second-ever ransomware settlement - The agency’s Office
for Civil Rights reported a mental healthcare provider didn’t have
sufficient protections in place before a ransomware attack.
https://www.cybersecuritydive.com/news/hhs-ransomware-settlement/708236/
Executive Order on Port Cybersecurity Points to IT/OT Threat Posed
by Chinese Cranes - The White House announced on Wednesday that the
Biden-Harris administration is issuing an executive order to boost
the cybersecurity of US ports, highlighting the risks posed by the
use of cranes made by China.
https://www.securityweek.com/executive-order-on-port-cybersecurity-points-to-it-ot-threat-posed-by-chinese-cranes/
US Government Issues Guidance on Securing Water Systems - The US
government on Wednesday released new guidance on the actions that
water and wastewater (WWS) sector entities should take to improve
the resilience of their networks to cyberattacks.
https://www.securityweek.com/us-government-issues-guidance-on-securing-water-systems/
How the FBI and CISA look to mature the government’s top ransomware
task force - Nearly two years after its creation, a task force meant
to streamline federal efforts to combat ransomware hopes to further
cement how the government handles key aspects of such attacks and do
a better job trumpeting its contributions to the broader fight.
https://therecord.media/fbi-cisa-joint-ransomware-task-force-future
Cactus ransomware gang claims it stole 1.5TB of Schneider Electric
data - On Sunday the Cactus ransomware gang claimed it stole 1.5
terabytes of data from Schneider Electric during an attack that
occurred last month against the OT manufacturer. The ransomware
group posted 25 megabytes of the data online as proof of its attack.
https://www.scmagazine.com/news/cactus-ransomware-gang-claims-it-stole-1-5tb-of-schneider-electric-data
CFOs take backseat to CISOs on SEC cyber rules - Less than half of
finance chiefs are involved in the SEC’s cybersecurity breach
disclosure process, AuditBoard found.
https://www.cybersecuritydive.com/news/cfo-ciso-sec-cyber-rules-cybersecurity/708611/
Communication is key in managing cyberattack: Optum CEO -
UnitedHealth Group's (UNH) Change Healthcare subsidiary is expected
to have a "material update" as early as Tuesday following a major
ransomware attack that's now on its fifth straight day and stalling
care around the country.
https://finance.yahoo.com/news/communication-is-key-in-managing-cyberattack-optum-ceo-213348885.html
Okta, with a bruised reputation, rethinks security from the top down
- CSO David Bradbury detailed to Cybersecurity Dive what the
identity and access management company got wrong and the security
pledges it’s making to customers.
https://www.cybersecuritydive.com/news/okta-security-revival/708636/
Utility regulators take steps to raise sector’s cybersecurity
‘baselines’ - The voluntary cyber recommendations are intended to
serve as a resource for state public utility commissions, utilities
and distribution operators and aggregators.
https://www.cybersecuritydive.com/news/doe-naruc-publish-cybersecurity-baselines-utilities-distributed-energy-resources-der/708902/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
US health tech giant Change Healthcare hit by cyberattack - U.S.
healthcare technology giant Change Healthcare has confirmed a
cyberattack on its systems. In a brief statement Wednesday, the
company said it was “experiencing a network interruption related to
a cyber security issue.”
https://techcrunch.com/2024/02/21/change-healthcare-cyberattack/
ConnectWise ScreenConnect under active exploitation due to critical
flaws - Security researchers are urging users to immediately patch
their systems after the company warned of an authentication bypass
vulnerability that is considered trivial to exploit.
https://www.cybersecuritydive.com/news/connectwise-screenconnect-exploitation-critical-flaws/708232/
Change Healthcare hit by cyberattack - Change Healthcare was hit by
a cyberattack that could cause network disruptions at the healthcare
technology firm through at least the end of the day Thursday.
https://www.cybersecuritydive.com/news/change-healthcare-cyberattack-unitedhealth/708263/
https://www.infosecurity-magazine.com/news/change-healthcare-cyber/
MGM Resorts says regulators probing September cyberattack - MGM
Resorts International (MGM.N) disclosed that state
and federal regulators were probing a cyberattack on its systems
that took place in September and caused a $100 million hit to the
company's third-quarter results.
https://www.reuters.com/technology/cybersecurity/mgm-resorts-says-state-federal-regulators-probing-september-cyberattack-2024-02-23/
Plant production still on hold for German battery manufacturer after
cyberattack - Nearly two weeks after detecting a cyberattack on its
systems, German battery manufacturer Varta AG still has not
restarted production at its plants.
https://therecord.media/varta-battery-plant-production-on-hold-after-cyberattack
AT&T Says Cause of Outage Wasn't a Cyberattack - The cause of
Thursday's AT&T network outage has been revealed. In a statement
posted Thursday evening to the company's website and shared with
CNET, the carrier said the issue was the result of software and not
a cyberattack.
https://www.cnet.com/tech/mobile/at-t-says-cause-of-outage-wasnt-a-cyber-attack/
Critical infrastructure vendor PSI Software hit by ransomware - The
Germany-based company shut down systems after it detected the
intrusion, and it remains offline.
https://www.cybersecuritydive.com/news/psi-software-ransomware/707940/
Cyberattack on Change Healthcare was an exploit of the ConnectWise
flaw - Security experts have warned for the past couple of days that
the two flaws recently uncovered in ConnectWise’s ScreenConnect app
could become the major cybersecurity story of 2024 - and that the
healthcare and critical infrastructure sectors were especially
vulnerable.
https://www.scmagazine.com/news/exclusive-cyberattack-on-change-healthcare-was-an-exploit-of-the-connectwise-flaw
LoanDepot confirms SSNs leaked in breach claimed by ALPHV/BlackCat -
Major U.S. mortgage lender loanDepot notified nearly 17 million
customers that their data, including Social Security numbers, may
have been stolen in a cyberattack in January.
https://www.scmagazine.com/news/loandepot-confirms-ssns-leaked-in-breach-claimed-by-alphv-blackcat
Malawi Immigration Dept. Halts Passport Services Amid Cyberattack -
The Malawi government reportedly has suspended issuing passports for
the past two weeks due to what appears to be a ransomware attack on
the immigration service's computer network.
https://www.darkreading.com/cyberattacks-data-breaches/malawi-immigration-department-halts-services-amid-cyberattack
Steel giant ThyssenKrupp confirms cyberattack on automotive division
- Steel giant ThyssenKrupp confirms that hackers breached systems in
its Automotive division last week, forcing them to shut down IT
systems as part of its response and containment effort.
https://www.bleepingcomputer.com/news/security/steel-giant-thyssenkrupp-confirms-cyberattack-on-automotive-division/
RCMP investigating cyber attack as its website remains down - The
Royal Canadian Mounted Police (RCMP), Canada's national police force
has disclosed that it recently faced a cyber attack targeting its
networks.
https://www.bleepingcomputer.com/news/security/rcmp-investigating-cyber-attack-as-its-website-remains-down/
U-Haul Informs Customers of Major Data Breach - U-Haul has been
forced to notify tens of thousands of customers that their personal
data was compromised in a breach last year.
https://www.infosecurity-magazine.com/news/uhaul-informs-customers-major-data
Pharmaceutical giant Cencora reports cyberattack - Global
pharmaceutical corporation Cencora reported on Tuesday that it
recently discovered that intruders had stolen data from its
networks.
https://therecord.media/cencora-pharmaceutical-giant-reports-cyber-incident
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight -
Principle 4: Banks should take appropriate measures to authenticate the
identity and authorization of customers with whom it conducts
business over the Internet. (Part 2 of 2)
The bank must determine which authentication methods to use
based on management's assessment of the risk posed by the e-banking
system as a whole or by the various sub-components. This risk
analysis should evaluate the transactional capabilities of the
e-banking system (e.g. funds transfer, bill payment, loan
origination, account aggregation etc.), the sensitivity and value of
the stored e-banking data, and the customer's ease of using the
authentication method.
Robust customer identification and authentication processes are
particularly important in the cross-border e-banking context given
the additional difficulties that may arise from doing business
electronically with customers across national borders, including the
greater risk of identity impersonation and the greater difficulty in
conducting effective credit checks on potential customers.
As authentication methods continue to evolve, banks are
encouraged to monitor and adopt industry sound practice in this area
such as ensuring that:
1) Authentication databases that provide access to e-banking
customer accounts or sensitive systems are protected from tampering
and corruption. Any such tampering should be detectable and audit
trails should be in place to document such attempts.
2) Any addition, deletion or change of an individual, agent or
system to an authentication database is duly authorized by an
authenticated source.
3) Appropriate measures are in place to control the e-banking
system connection such that unknown third parties cannot displace
known customers.
4) Authenticated e-banking sessions remain secure throughout
the full duration of the session or in the event of a security lapse
the session should require re-authentication.
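The four sound practices listed above, worked through as an added example that is not part of the Basel Committee text or of this newsletter: a small Python authentication store in which every customer record carries an HMAC integrity tag and every change lands in a hash-chained audit trail (practice 1), additions and changes are refused unless the requester holds an authenticated administrator session (practice 2), customer sessions are unguessable tokens bound to one known customer (practice 3), and sessions expire or are dropped wholesale after a security lapse so the customer must re-authenticate (practice 4). The integrity key, the 600-second session lifetime, the PBKDF2 parameters and all names and passwords are constructed placeholders chosen for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed key for this example only; a deployment would keep it in an HSM or KMS.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"
SESSION_TTL = 600  # seconds a session stays valid before re-authentication is required

def _canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _pw_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def _new_cred(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "hash": _pw_hash(password, salt)}

def _check(password: str, rec: dict) -> bool:
    return hmac.compare_digest(_pw_hash(password, bytes.fromhex(rec["salt"])), rec["hash"])

class AuthStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.records = {}       # customer_id -> {"record": cred, "tag": HMAC hex}
        self.audit = []         # append-only list of (entry, chained hash)
        self.admins = {}        # admin_id -> cred
        self.admin_tokens = {}  # admin session token -> admin_id
        self.sessions = {}      # customer session token -> {"customer": id, "expires": ts}

    # -- practice 1: tampering is detectable and every change leaves an audit entry --
    def _tag(self, record: dict) -> str:
        return hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()

    def _log(self, actor: str, action: str, customer: str) -> None:
        prev = self.audit[-1][1] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "ts": self.clock(), "actor": actor,
                 "action": action, "customer": customer, "prev": prev}
        self.audit.append((entry, hashlib.sha256(_canonical(entry)).hexdigest()))

    def verify_integrity(self) -> list:
        """Customer ids whose stored record no longer matches its integrity tag."""
        return [cid for cid, row in self.records.items()
                if not hmac.compare_digest(self._tag(row["record"]), row["tag"])]

    def verify_audit(self) -> bool:
        """True unless an audit entry was altered, removed or reordered."""
        prev = "0" * 64
        for entry, digest in self.audit:
            if entry["prev"] != prev or hashlib.sha256(_canonical(entry)).hexdigest() != digest:
                return False
            prev = digest
        return True

    # -- practice 2: additions and changes only from an authenticated source ---------
    def add_admin(self, admin_id: str, password: str) -> None:
        self.admins[admin_id] = _new_cred(password)

    def admin_login(self, admin_id: str, password: str):
        rec = self.admins.get(admin_id)
        if rec is None or not _check(password, rec):
            return None
        token = secrets.token_urlsafe(32)
        self.admin_tokens[token] = admin_id
        return token

    def set_customer(self, admin_token: str, customer_id: str, password: str) -> None:
        actor = self.admin_tokens.get(admin_token)
        if actor is None:
            raise PermissionError("change refused: requester is not an authenticated admin")
        record = _new_cred(password)
        self.records[customer_id] = {"record": record, "tag": self._tag(record)}
        self._log(actor, "set", customer_id)

    # -- practices 3 and 4: sessions bound to a known customer and time-limited ------
    def customer_login(self, customer_id: str, password: str):
        row = self.records.get(customer_id)
        if row is None or not hmac.compare_digest(self._tag(row["record"]), row["tag"]):
            return None  # unknown customer, or a record that fails its integrity check
        if not _check(password, row["record"]):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, so an outsider cannot claim it
        self.sessions[token] = {"customer": customer_id, "expires": self.clock() + SESSION_TTL}
        return token

    def session_customer(self, token: str):
        s = self.sessions.get(token)
        if s is None or self.clock() > s["expires"]:
            self.sessions.pop(token, None)
            return None  # expired or unknown session: re-authentication required
        return s["customer"]

    def security_lapse(self, reason: str) -> None:
        """After a security lapse, drop every session so customers must re-authenticate."""
        self._log("system", "lapse:" + reason, "*")
        self.sessions.clear()
```

The store deliberately refuses a login for a customer whose record fails its integrity check rather than trusting the stored hash, and the audit chain is verified separately from the record tags so that a change to either is visible on its own.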
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (5 of 5)
The access rights process also constrains user activities through
an acceptable-use policy (AUP). Users who can access internal
systems typically are required to agree to an AUP before using a
system. An AUP details the permitted system uses and user activities
and the consequences of noncompliance. AUPs can be created for all
categories of system users, from internal programmers to customers.
An AUP is a key control for user awareness and administrative
policing of system activities. Examples of AUP elements for internal
network and stand-alone users include:
- The specific access devices that can be used to access the
network;
- Hardware and software changes the user can make to their access
device;
- The purpose and scope of network activity;
- Network services that can be used, and those that cannot be
used;
- Information that is allowable and not allowable for
transmission using each allowable service;
- Bans on attempting to break into accounts, crack passwords, or
disrupt service;
- Responsibilities for secure operation; and
- Consequences of noncompliance.
Depending on the risk associated with the access, authorized
internal users should generally receive a copy of the policy and
appropriate training, and signify their understanding and agreement
with the policy before management grants access to the system.
Customers may be provided with a Web site disclosure as their AUP.
Based on the nature of the Web site, the financial institution may
require customers to demonstrate knowledge of and agreement to abide
by the terms of the AUP. That evidence can be paper based or
electronic.
Authorized users may seek to extend their activities beyond what
is allowed in the AUP, and unauthorized users may seek to gain
access to the system and move within the system. Network security
controls provide the protection necessary to guard against those
threats.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.4.3 Implementation
A separate implementation phase is not always specified in some
life cycle planning efforts. (It is often incorporated into the end
of development and acquisition or the beginning of operation and
maintenance.) However, from a security point of view, a critical
security activity, accreditation, occurs between development and the
start of system operation. The other activities described in this
section, turning on the controls and testing, are often incorporated
at the end of the development/acquisition phase.
8.4.3.1 Install/Turn-On Controls
While obvious, this activity is often overlooked. When acquired, a
system often comes with security features disabled. These need to be
enabled and configured. For many systems this is a complex task
requiring significant skills. Custom-developed systems may also
require similar work.
8.4.3.2 Security Testing
System security testing includes both the testing of the particular
parts of the system that have been developed or acquired and the
testing of the entire system. Security management, physical
facilities, personnel, procedures, the use of commercial or in-house
services (such as networking services), and contingency planning are
examples of areas that affect the security of the entire system, but
may be specified outside of the development or acquisition cycle.
Since only items within the development or acquisition cycle will
have been tested during system acceptance testing, separate tests or
reviews may need to be performed for these additional security
elements.
Security certification is a formal testing of
the security safeguards implemented in the computer system to
determine whether they meet applicable requirements and
specifications. To provide more reliable technical information,
certification is often performed by an independent reviewer, rather
than by the people who designed the system. (This
is the type of independent testing we perform. For more information
visit http://www.internetbankingaudits.com/)