MISCELLANEOUS CYBERSECURITY NEWS:
Judge issues restraining order keeping DOE from tracking bitcoin
miners - Earlier this month, the US Department of Energy (DOE)
announced its intention to gather basic information about the energy
consumed by bitcoin mining.
https://arstechnica.com/tech-policy/2024/02/department-of-energys-plan-to-track-bitcoin-mining-put-on-hold-by-judge/
A government watchdog hacked a US federal agency to stress-test its
cloud security - A U.S. government watchdog stole more than 1GB of
seemingly sensitive personal data from the cloud systems of the U.S.
Department of the Interior.
https://techcrunch.com/2024/02/29/department-interior-watchdog-hack-cloud-data/
FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks
- Today, the FBI, CISA, and the Department of Health and Human
Services (HHS) warned U.S. healthcare organizations of targeted
ALPHV/Blackcat ransomware attacks.
https://www.bleepingcomputer.com/news/security/fbi-cisa-warn-us-hospitals-of-targeted-blackcat-ransomware-attacks/
Energy to fund 16 infrastructure cybersecurity projects - The
Department of Energy announced a $45 million investment into 16
projects dedicated to shoring up cybersecurity across the electric
grid and other energy infrastructure, the agency announced Monday
afternoon.
https://www.nextgov.com/cybersecurity/2024/02/energy-fund-16-infrastructure-cybersecurity-projects/394491/
AlphV’s hit on Change Healthcare strikes a sour note for defenders -
The ransomware group didn’t just regroup quickly after a law
enforcement takedown. It carried out the worst attack on U.S.
infrastructure to date, according to experts.
https://www.cybersecuritydive.com/news/alphv-hits-change-healthcare/709190/
CrowdStrike dodges pricing war with Palo Alto Networks - CEO George
Kurtz called out CrowdStrike’s largest competitor, dismissing Palo
Alto Networks’ strategy of free incentives. “Free is never free,” he
said.
https://www.cybersecuritydive.com/news/crowdstrike-dodges-price-war/709492/
Calls grow for federal funding after Change Healthcare cyberattack -
The Change Healthcare ransomware attack story has evolved to the
point where the industry and leading political leaders are calling
for the federal government to step in and help providers with an
impending cash flow crisis so insurance claims can get paid and
patients can get the drugs they need.
https://www.scmagazine.com/news/calls-grow-for-federal-funding-after-change-healthcare-cyberattack
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Ivanti attacks linked to espionage group targeting defense
contractors - The China-linked threat group responsible for a
concerted attack on Ivanti network devices has developed
“significant knowledge” of the appliances, researchers believe.
https://www.scmagazine.com/news/ivanti-attacks-linked-to-espionage-group-targeting-defense-contractors
‘CryptoChameleon’ campaign targets employees of cryptocurrencies,
FCC - A phishing campaign dubbed "CryptoChameleon" that started
targeting cryptocurrency customers has evolved to focusing on
employees at Binance, Coinbase and the Federal Communications
Commission (FCC).
https://www.scmagazine.com/news/cryptochameleon-campaign-targets-employees-of-cryptocurrencies-fcc
Hackers Steal Personal Information From Pharma Giant Cencora - The
data breach was identified on February 21, Cencora said in a filing
with the Securities and Exchange Commission (SEC). It’s unclear
exactly what type of data has been exfiltrated and who it belongs
to, whether it’s employees or customers.
https://www.securityweek.com/hackers-steal-personal-information-from-pharma-giant-cencora/
German applied sciences university announces being hit by criminal
cyberattack - Hochschule Kempten, a university of applied sciences
in the city of Kempten in Germany, has announced being targeted by a
criminal cyberattack that forced the institution to take down its IT
infrastructure.
https://therecord.media/hochschule-kempten-cyberattack-german-university
Law firm reports data breach affecting more than 325,000 people -
Houser LLP, a U.S. law firm that specializes in serving high-profile
financial institutions, said a system breach discovered in May 2023
exposed the personal data - possibly including sensitive information
such as credit card numbers - of more than 325,000 people.
https://therecord.media/houser-law-firm-reports-data-breach
Georgia’s Largest County Is Still Repairing Damage From January
Cyberattack - Georgia’s largest county is still repairing damage
inflicted on its government a month ago by hackers who shut down
office phone lines, left clerks unable to issue vehicle
registrations or marriage licenses and threatened to publicly
release sensitive data they claimed to have stolen unless officials
paid ransom.
https://www.securityweek.com/georgias-largest-county-is-still-repairing-damage-from-january-cyberattack/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle 5: Banks should use
transaction authentication methods that promote non-repudiation and
establish accountability for e-banking transactions.
Non-repudiation involves creating proof of the origin or delivery of
electronic information to protect the sender against false denial by the
recipient that the data has been received, or to protect the
recipient against false denial by the sender that the data has been
sent. Risk of transaction repudiation is already an issue with
conventional transactions such as credit cards or securities
transactions. However, e-banking heightens this risk because of the
difficulties of positively authenticating the identities and
authority of parties initiating transactions, the potential for
altering or hijacking electronic transactions, and the potential for
e-banking users to claim that transactions were fraudulently
altered.
To address these heightened concerns, banks need to make
reasonable efforts, commensurate with the materiality and type of
the e-banking transaction, to ensure that:
1) E-banking systems are designed to reduce the likelihood that
authorized users will initiate unintended transactions and that
customers fully understand the risks associated with any
transactions they initiate.
2) All parties to the transaction are positively authenticated
and control is maintained over the authenticated channel.
3) Financial transaction data are protected from alteration and
any alteration is detectable.
Banking organizations have begun to employ various techniques
that help establish non-repudiation and ensure confidentiality and
integrity of e-banking transactions, such as digital certificates
using public key infrastructure (PKI). A bank may issue a digital
certificate to a customer or counterparty to allow for their unique
identification/authentication and reduce the risk of transaction
repudiation. Although in some countries customers' rights to
disclaim transactions are provided in specific legal provisions,
legislation has been passed in certain national jurisdictions making
digital signatures legally enforceable. Wider global legal
acceptance of such techniques is likely as technology continues to
evolve.
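As an added illustration of the PKI-based non-repudiation the principle describes (example code, not from the Basel Committee paper or this newsletter): the customer signs a canonical encoding of a payment order with the private key behind a bank-issued certificate, the bank verifies it with the public key alone, and any later alteration of the order makes verification fail. The Transaction fields, account identifiers and nonce are constructed for illustration, and Ed25519 stands in for whatever signature algorithm the bank's PKI actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction is a constructed, minimal e-banking payment order. The struct fixes
// field order, so json.Marshal yields identical bytes on both sides.
type Transaction struct {
	From     string `json:"from"`
	To       string `json:"to"`
	Amount   int64  `json:"amount_cents"`
	Currency string `json:"currency"`
	Nonce    string `json:"nonce"` // unique per order, so a captured order cannot be replayed
}

// canonical returns the exact bytes that are signed and later verified.
func canonical(tx Transaction) []byte {
	b, err := json.Marshal(tx)
	if err != nil {
		panic(err) // cannot fail for a struct of plain strings and integers
	}
	return b
}

// SignTransaction runs on the customer's side with the certified private key.
func SignTransaction(priv ed25519.PrivateKey, tx Transaction) []byte {
	return ed25519.Sign(priv, canonical(tx))
}

// VerifyTransaction runs at the bank, or later before an auditor, with only the
// public key. No shared secret is involved, so the bank could not have forged the
// signature (non-repudiation), and any change after signing fails to verify.
func VerifyTransaction(pub ed25519.PublicKey, tx Transaction, sig []byte) bool {
	return ed25519.Verify(pub, canonical(tx), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tx := Transaction{From: "ACC-1001", To: "ACC-2002", Amount: 125000, Currency: "EUR", Nonce: "ord-7f3a"}
	sig := SignTransaction(priv, tx)
	fmt.Println("original order verifies:", VerifyTransaction(pub, tx, sig))
	tampered := tx
	tampered.Amount = 1250000 // an extra zero added after signing
	fmt.Println("altered order verifies:", VerifyTransaction(pub, tampered, sig))
}
```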
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
Action Summary - Financial institutions should use effective
authentication methods appropriate to the level of risk. Steps
include:
1) Selecting authentication mechanisms based on the risk
associated with the particular application or services;
2) Considering whether multi-factor authentication is
appropriate for each application, taking into account that
multifactor authentication is increasingly necessary for many forms
of electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators
(e.g., passwords, PINs, digital certificates, and biometric
templates).
Authentication is the verification of identity by a system based on
the presentation of unique credentials to that system. The unique
credentials are in the form of something the user knows, something
the user has, or something the user is. Those forms exist as shared
secrets, tokens, or biometrics. More than one form can be used in
any authentication process. Authentication that relies on more than
one form is called multi-factor authentication and is generally
stronger than any single authentication method. Authentication
contributes to the confidentiality of data and the accountability of
actions performed on the system by verifying the unique identity of
the system user.
Authentication is not identification as that term is used in the
USA PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide
assurance that the initial identification of a system user is
proper. Authentication only provides assurance that the user of the
system is the same user that was initially identified. Procedures
for the initial identification of a system user are beyond the scope
of this booklet.
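To make the "something the user has" factor concrete, here is an added example (not from the FFIEC booklet or this newsletter) of the server-side check of a time-based one-time-password token per RFC 6238, built on HMAC-SHA1 from the Go standard library; it would sit beside the password check as the second factor. The seed is the test-vector seed published in RFC 6238, so the value printed by main can be checked against Appendix B of that RFC; the 30-second step and the one-step clock-skew window are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp computes the RFC 4226 value for one counter: HMAC-SHA1, dynamic truncation,
// then reduction to the requested number of decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP derives the RFC 6238 code for a Unix time using a 30-second step.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/30), digits)
}

// VerifyTOTP is the bank-side check of the token factor. It tolerates one step of
// clock skew either way and compares in constant time so timing leaks nothing.
func VerifyTOTP(secret []byte, submitted string, unixTime int64, digits int) bool {
	ok := 0
	for skew := int64(-1); skew <= 1; skew++ {
		expected := TOTP(secret, unixTime+skew*30, digits)
		ok |= subtle.ConstantTimeCompare([]byte(expected), []byte(submitted))
	}
	return ok == 1
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B seed, not a real token secret
	fmt.Println("code at t=59:", TOTP(secret, 59, 8))
	fmt.Println("accepted:", VerifyTOTP(secret, "94287082", 59, 8))
	fmt.Println("accepted five steps later:", VerifyTOTP(secret, "94287082", 209, 8))
}
```

In production the seed is stored encrypted at rest, as item 3 of the action summary requires, and a code that has been accepted once is recorded so it cannot be submitted a second time within its window.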
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.4.3.3 Accreditation
System security accreditation is the formal authorization by the
accrediting (management) official for system operation and an
explicit acceptance of risk. It is usually supported by a review of
the system, including its management, operational, and technical
controls. This review may include a detailed technical evaluation
(such as a Federal Information Processing Standard 102
certification, particularly for complex, critical, or high-risk
systems), security evaluation, risk assessment, audit, or other such
review. If the life cycle process is being used to manage a project
(such as a system upgrade), it is important to recognize that the
accreditation is for the entire system, not just for the new
addition.
The best way to view computer security accreditation is as a form
of quality control. It forces managers and technical staff to work
together to find the best fit for security, given technical
constraints, operational constraints, and mission requirements. The
accreditation process obliges managers to make critical decisions
regarding the adequacy of security safeguards. A decision based on
reliable information about the effectiveness of technical and
non-technical safeguards and the residual risk is more likely to be
a sound decision.
After deciding on the acceptability of security safeguards and
residual risks, the accrediting official should issue a formal
accreditation statement. While most flaws in system security are not
severe enough to remove an operational system from service or to
prevent a new system from becoming operational, the flaws may
require some restrictions on operation (e.g., limitations on dial-in
access or electronic connections to other organizations). In some
cases, an interim accreditation may be granted, allowing the system
to operate with a review required at the end of the interim period,
presumably after security upgrades have been made.
Sample Accreditation Statement
In accordance with (Organization Directive), I hereby issue an
accreditation for (name of system). This accreditation is my formal
declaration that a satisfactory level of operational security is
present and that the system can operate under reasonable risk. This
accreditation is valid for three years. The system will be
re-evaluated annually to determine if changes have occurred
affecting its security.