MISCELLANEOUS CYBERSECURITY NEWS:
Ten essential elements of a successful incident response tabletop
exercise - Incident response (IR) tabletop exercises are a powerful
tool in cybersecurity strategies. They help companies prepare for a
cyber incident by testing how well relevant stakeholders know and
understand documented IR plans.
https://www.scmagazine.com/perspective/incident-response/ten-essential-elements-of-a-successful-incident-response-tabletop-exercise
Officials Failed to Identify Security Risks When Authorizing Cloud
Services - An audit conducted by the Defense Department’s inspector
general found agency components “may be unaware of known
vulnerabilities and cybersecurity risks associated with operating
their systems or storing their data.”
https://www.nextgov.com/cybersecurity/2023/02/dod-ig-officials-failed-identify-security-risks-when-authorizing-cloud-services/383167/
NSA shares guidance on how to secure your home network - The U.S.
National Security Agency (NSA) has issued guidance to help remote
workers secure their home networks and defend their devices from
attacks.
https://www.bleepingcomputer.com/news/security/nsa-shares-guidance-on-how-to-secure-your-home-network/
Tech makers must take more responsibility for safety, design choices
- Companies, consumers and government must collectively shift their
expectations to make major software and hardware manufacturers - not
users - responsible for insecure products.
https://www.scmagazine.com/news/devops/easterly-tech-makers-safety-design
Centric Health fined €460,000 over 2019 ransomware attack - Centric
Healthcare has been fined €460,000 by the Data Protection
Commissioner over a ransomware attack in 2019 that saw patient data
encrypted by hackers.
https://www.irishtimes.com/business/2023/02/24/centric-health-fined-460000-over-2019-ransomware-attack/
Feds have 30 days to remove TikTok from devices as US ban debated -
Federal agencies have 30 days to remove TikTok from government
devices and systems, as well as block all internet traffic from the
Chinese-owned company, according to an Office of Management and
Budget guidance memorandum first reported by Reuters.
https://www.scmagazine.com/news/device-security/feds-remove-tiktok-us-ban-debated
New HHS cyber, enforcement arms to tackle 69% rise in HIPAA
complaints - The Department of Health and Human Services Office for
Civil Rights announced the launch of three new divisions late Monday
that aim to address the funding and staffing constraints that have
limited the agency’s investigatory efforts.
https://www.scmagazine.com/news/compliance/new-hhs-cyber-enforcement-arms-tackle-hipaa-complaints
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Sensitive DoD emails exposed by unsecured Azure server - A hole in a
US military email server operated by Microsoft left more than a
terabyte of sensitive data exposed to the internet less than a month
after Office 365 was awarded a higher level of government security
accreditation.
https://www.theregister.com/2023/02/23/azure_dod_emails_exposed/
GoodRx ordered to issue breach notices to consumers in FTC
settlement - The Department of Justice finalized the FTC settlement
levied against GoodRx and ordered the digital health company to take
corrective actions in order to rectify the privacy violations,
including sending consumer breach notices outlining the unauthorized
data sharing.
https://www.scmagazine.com/news/privacy/goodrx-breach-notices-ftc-settlement
Dish Network suffers massive outage, mum on cyberattack - Swaths of
Dish Network’s internal network have been offline since Thursday as
the company struggles to recover from a massive outage.
https://www.scmagazine.com/news/incident-response/dish-network-outage-cyberattack
Danish hospitals latest target of DDoS attacks on NATO-backed
countries - A relatively new hacking group known as Anonymous Sudan
targeted nine Region H hospitals in Denmark with DDoS attacks late
on Feb. 26, bringing down their website for several hours.
https://www.scmagazine.com/news/threats/danish-hospitals-latest-target-of-ddos-attacks-on-nato-backed-countries
Hackers sat on News Corp network for two years - Publishing giant
News Corp revealed that attackers behind a breach disclosed in
January 2022 had persistent access to part of its internal system
for over two years.
https://www.scmagazine.com/news/breach/hackers-news-corp-two-years
LastPass Says DevOps Engineer Home Computer Hacked - A LastPass
DevOps engineer's home computer was hacked and implanted with
keylogging malware as part of a sustained cyberattack that
exfiltrated corporate data from the company's cloud storage
resources.
https://www.securityweek.com/lastpass-says-devops-engineer-home-computer-hacked/
U.S. Marshals Service investigating ransomware attack, data theft -
The U.S. Marshals Service (USMS) is investigating the theft of
sensitive law enforcement information following a ransomware attack
that has impacted what it describes as "a stand-alone USMS system."
https://www.bleepingcomputer.com/news/security/us-marshals-service-investigating-ransomware-attack-data-theft/
Telus source code, staff info for sale on dark web forum - Canadian
communications giant Telus is investigating whether crooks have
stolen employee data and its source code, all of which is being
offered for sale on a criminal forum.
https://www.theregister.com/2023/02/25/telus_source_code_github_repos/
Two data centers used by major tech firms hacked - Two Asia-based
data centers used by major global corporations were targeted in a
series of cyberattacks first identified in 2021 and continuing as
recently as January 2023.
https://www.scmagazine.com/news/cloud-security/datacenters-major-firms-hacked
Dish Network confirms cyberattack - Dish Network confirmed it was
hit by a massive cyberattack tied to a multiday outage that downed
internal billing systems, broke consumer apps and shut down several
consumer-facing websites.
https://www.scmagazine.com/news/ransomware/dish-network-confirms-cyberattack
Patient data stolen ahead of CentraState cyberattack, impacting 617K
- CentraState has confirmed that threat actors stole a copy of an
archived database containing patient data ahead of its reported
cyberattack and subsequent network outage in December and January.
https://www.scmagazine.com/news/ransomware/patient-data-stolen-centrastate-cyberattack-impacting-617k
WEB SITE COMPLIANCE - This week continues our series on the FDIC's
Supervisory Policy on Identity Theft. (Part 4 of 6)
Supervisory Action
As a result of guidelines issued by the FDIC, together with
other federal agencies, financial institutions are required to
develop and implement a written program to safeguard customer
information, including the proper disposal of consumer information
(Security Guidelines). The FDIC considers this programmatic
requirement to be one of the foundations of identity theft
prevention. In guidance that became effective on January 1, 2007,
the federal banking agencies made it clear that they expect
institutions to use stronger and more reliable methods to
authenticate the identity of customers using electronic banking
systems. Moreover, the FDIC has also issued guidance stating that
financial institutions are expected to notify customers of
unauthorized access to sensitive customer information under certain
circumstances. The FDIC has issued a number of other supervisory
guidance documents articulating its position and expectations
concerning identity theft. Industry compliance with these
expectations will help to prevent and mitigate the effects of
identity theft.
Risk management examiners trained in information technology (IT)
and the requirements of the Bank Secrecy Act (BSA) evaluate a number
of aspects of a bank's operations that raise identity theft issues.
IT examiners are well-qualified to evaluate whether banks are
incorporating emerging IT guidance into their Identity Theft
Programs and GLBA 501(b) Information Security Programs; responsibly
overseeing service provider arrangements; and taking action when a
security breach occurs. In addition, IT examiners will consult with
BSA examiners during the course of an examination to ensure that the
procedures institutions employ to verify the identity of new
customers are consistent with existing laws and regulations to
prevent financial fraud, including identity theft.
The FDIC has also issued revised examination procedures for the
Fair Credit Reporting Act (FCRA), through the auspices of the
Federal Financial Institutions Examination Council's (FFIEC)
Consumer Compliance Task Force. These procedures are used during
consumer compliance examinations and include steps to ensure that
institutions comply with the FCRA's fraud and active duty alert
provisions. These provisions enable consumers to place alerts on
their consumer reports that require users, such as banks, to take
additional steps to identify the consumer before new credit is
extended. The procedures also include reviews of institutions'
compliance with requirements governing the accuracy of data provided
to consumer reporting agencies. These requirements include the
blocking of data that may be the result of an identity theft.
Compliance examiners are trained in the various requirements of the
FCRA and ensure that institutions have effective programs to comply
with the identity theft provisions. Consumers are protected from
identity theft through the vigilant enforcement of all the
examination programs, including Risk Management, Compliance, IT and
BSA.
The Fair and Accurate Credit Transactions Act directed the FDIC
and other federal agencies to jointly promulgate regulations and
guidelines that focus on identity theft "red flags" and customer
address discrepancies. As proposed, the guidelines would require
financial institutions and creditors to establish a program to
identify patterns, practices, and specific forms of activity that
indicate the possible existence of identity theft. The proposed
joint regulation would require financial institutions and creditors
to establish reasonable policies to implement the guidelines,
including a provision requiring debit and credit card issuers to
assess the validity of a request for a change of address. In
addition, the agencies proposed joint regulations that provide
guidance regarding reasonable policies and procedures that a user of
consumer reports must employ when the user receives a notice of
address discrepancy. When promulgated in final form, these joint
regulations and guidelines will comprise another element of the
FDIC's program to prevent and mitigate identity theft.
FFIEC IT SECURITY - Over the next few weeks, we will cover the
FDIC's "Guidance on Managing Risks Associated With Wireless Networks
and Wireless Customer Access."
Financial institutions are actively evaluating and implementing
wireless technology as a means to reach customers and reduce the
costs of implementing new networks. In light of this fast-developing
trend, the Federal Deposit Insurance Corporation (FDIC) is providing
financial institutions with the following information about the
risks associated with wireless technology and suggestions on
managing those risks. Please share this information with your Chief
Information Officer.
Wireless Technology and the Risks of Implementation
Wireless networks are rapidly becoming a cost-effective
alternative for providing network connectivity to financial
institution information systems. Institutions that are installing
new networks are finding the installation costs of wireless networks
competitive compared with traditional network wiring. Performance
enhancements in wireless technology have also made the adoption of
wireless networks attractive to institutions. Wireless networks
operate at speeds that are sufficient to meet the needs of many
institutions and can be seamlessly integrated into existing
networks. Wireless networks can also be used to provide connectivity
between geographically close locations without having to install
dedicated lines.
Wireless Internet access to banking applications is also becoming
attractive to financial institutions. It offers customers the
ability to perform routine banking tasks while away from the bank
branch, automated teller machines or their own personal computers.
Wireless Internet access is a standard feature on many new cellular
phones and hand-held computers.
Many of the risks that financial institutions face when
implementing wireless technology are risks that exist in any
networked environment (see FIL-67-2000, "Security Monitoring of
Computer Networks," dated October 3, 2000, and the 1996 FFIEC
Information Systems Examination Handbook, Volume 1, Chapter 15).
However, wireless technology carries additional risks that financial
institutions should consider when designing, implementing and
operating a wireless network. Common risks include the potential:
1) Compromise of customer information and transactions over the
wireless network;
2) Disruption of wireless service from radio transmissions of
other wireless devices;
3) Intrusion into the institution's network through wireless
network connections; and
4) Obsolescence of current systems due to rapidly changing
standards.
These risks could ultimately compromise the bank's computer
system, potentially causing:
1) Financial loss due to the execution of unauthorized
transactions;
2) Disclosure of confidential customer information, resulting in
- among other things - identity theft (see FIL-39-2001, "Guidance on
Identity Theft and Pretext Calling," dated May 9, 2001, and
FIL-22-2001, "Guidelines Establishing Standards for Safeguarding
Customer Information," dated March 14, 2001);
3) Negative media attention, resulting in harm to the
institution's reputation; and
4) Loss of customer confidence.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 2 - ELEMENTS OF COMPUTER SECURITY
2.2 Computer Security is an Integral Element of Sound Management.
Information and computer systems are often critical assets that
support the mission of an organization. Protecting them can be as
critical as protecting other organizational resources, such as
money, physical assets, or employees.
However, including security considerations in the management of
information and computers does not completely eliminate the
possibility that these assets will be harmed. Ultimately,
organization managers have to decide what level of risk they are
willing to accept, taking into account the cost of security
controls.
As with many other resources, the management of information and
computers may transcend organizational boundaries. When an
organization's information and computer systems are linked with
external systems, management's responsibilities also extend beyond
the organization. This may require that management (1) know what
general level or type of security is employed on the external
system(s) or (2) seek assurance that the external system provides
adequate security for the using organization's needs.
2.3 Computer Security Should Be Cost-Effective.
The costs and benefits of security should be carefully examined in
both monetary and non-monetary terms to ensure that the cost of
controls does not exceed expected benefits. Security should be
appropriate and proportionate to the value of and degree of reliance
on the computer systems and to the severity, probability and extent
of potential harm. Requirements for security vary, depending upon
the particular computer system.
In general, security is a smart business practice. By investing in
security measures, an organization can reduce the frequency and
severity of computer security-related losses. For example, an
organization may estimate that it is experiencing significant losses
per year in inventory through fraudulent manipulation of its
computer system. Security measures, such as an improved access
control system, may significantly reduce the loss.
Moreover, a sound security program can thwart hackers and can
reduce the frequency of viruses. Elimination of these kinds of
threats can reduce unfavorable publicity as well as increase morale
and productivity.
Security benefits, however, do have both direct and indirect
costs. Direct costs include purchasing, installing, and
administering security measures, such as access control software or
fire-suppression systems. Additionally, security measures can
sometimes affect system performance, employee morale, or retraining
requirements. All of these have to be considered in addition to the
basic cost of the control itself. In many cases, these additional
costs may well exceed the initial cost of the control (as is often
seen, for example, in the costs of administering an access control
package). Solutions to security problems should not be chosen if
they cost more, directly or indirectly, than simply tolerating the
problem.