MISCELLANEOUS CYBERSECURITY NEWS:
OIA - The FDIC's Security Controls Over Microsoft Windows Active
Directory - The Federal Deposit Insurance Corporation (FDIC) relies
heavily on information systems containing sensitive data to carry
out its responsibilities. Includes a Summary of the FDIC’s
Corrective Actions.
https://www.fdicoig.gov/sites/default/files/reports/2023-03/AUD-23-002-Redacted.pdf
Researcher blasts Canada Revenue Agency’s questionable data policy -
A security researcher is calling foul after discovering the Canada
Revenue Agency appears to force users into accepting questionable
terms and conditions that put their data at risk when visiting the
government website.
https://www.scmagazine.com/news/privacy/researcher-blasts-canada-revenue-agencys-questionable-data-policy
Blackbaud pays $3 million for misleading disclosures in 2020
ransomware attack - Blackbaud has agreed to pay the Securities and
Exchange Commission $3 million to settle allegations that it made
misleading disclosures about its massive 2020 ransomware attack,
which impacted over 13,000 customers.
https://www.scmagazine.com/news/ransomware/blackbaud-pays-3-million-misleading-disclosures-2020-ransomware-attack
Feds fine Florida children’s health insurance site for massive 2020
hack - Jelly Bean Communications Design reached a $293,771
settlement to resolve False Claims Act allegations that it knowingly
provided deficient security controls to Florida Healthy Kids Corp.,
which caused the second largest reported healthcare data breach of
2021.
https://www.scmagazine.com/news/compliance/feds-fine-florida-childrens-health-insurance-site-2020-hack
Research indicates humans are still better than ChatGPT at phishing
- for now - Have we reached the point where it’s time to dial down
all the fear, uncertainty, and doubt around ChatGPT?
https://www.scmagazine.com/news/emerging-technology/research-indicates-humans-are-still-better-than-chatgpt-at-phishing-for-now
Lesson learned from the US Marshals Service cyber incident: we’re
all targets – and the stakes are high - The cyber incident at the
United States Marshals Service (USMS) last month made it abundantly
clear that all organizations are at risk today.
https://www.scmagazine.com/perspective/breach/lesson-learned-from-the-us-marshals-service-cyber-incident-were-all-targets-and-the-stakes-are-high
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
DC Health Link breach includes data of House members; FBI
investigating - Hundreds of congressional leaders and staff had
their data stolen by threat actors through DC Health Link, the
health insurance marketplace for Washington.
https://www.scmagazine.com/news/ransomware/dc-health-link-breach-house-members-fbi-investigating
Acer confirms server intrusion after miscreant offers 160GB cache of
stolen files - Acer has confirmed someone broke into one of its
servers after a miscreant put up for sale a 160GB database of what's
claimed to be the Taiwanese PC maker's confidential information.
https://www.theregister.com/2023/03/08/acer_confirms_server_breach/
Mental health provider Cerebral alerts 3.1M people of data breach -
Healthcare platform Cerebral is sending data breach notices to 3.18
million people who have interacted with its websites, applications,
and telehealth services.
https://www.bleepingcomputer.com/news/security/mental-health-provider-cerebral-alerts-31m-people-of-data-breach/
LA housing authority discloses data breach after ransomware attack -
The Housing Authority of the City of Los Angeles (HACLA) is warning
of a "data security event" after the LockBit ransomware gang
targeted the organization and leaked data stolen in the attack.
https://www.bleepingcomputer.com/news/security/la-housing-authority-discloses-data-breach-after-ransomware-attack/
Hospital in Brussels latest victim in spate of European healthcare
cyberattacks - A university hospital in Brussels has become the
latest institution targeted in a spate of cyberattacks against
European hospitals.
https://therecord.media/brussels-hospital-cyberattack-belgium-saint-pierre
Zoll Medical notifies 1M patients of data breach tied to LifeVest
device - Just over 1 million patients who used or were considered
for use of a Zoll product were recently notified that their data was
potentially exposed after a hack of the medical device and
technology solutions vendor’s internal network in early February.
https://www.scmagazine.com/news/privacy/zoll-medical-notifies-1m-patients-data-breach-lifevest-device
WEB SITE COMPLIANCE -
This week concludes our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 6 of 6)
President’s Identity Theft Task Force
On May 10, 2006, the President issued an executive order
establishing an Identity Theft Task Force (Task Force). The Chairman
of the FDIC is a principal member of the Task Force and the FDIC is
an active participant in its work. The Task Force has been charged
with delivering a coordinated strategic plan to further improve the
effectiveness and efficiency of the federal government's activities
in the areas of identity theft awareness, prevention, detection, and
prosecution. On September 19, 2006, the Task Force adopted interim
recommendations on measures that can be implemented immediately to
help address the problem of identity theft. Among other things,
these recommendations dealt with data breach guidance to federal
agencies, alternative methods of "authenticating" identities, and
reducing access of identity thieves to Social Security numbers. The
final strategic plan is expected to be publicly released soon.
Conclusion
Financial institutions have an affirmative and continuing
obligation to protect the privacy of customers' nonpublic personal
information. Despite generally strong controls and practices by
financial institutions, methods for stealing personal data and
committing fraud with that data are continuously evolving. The FDIC
treats the theft of personal financial information as a significant
risk area due to its potential to impact the safety and soundness of
an institution, harm consumers, and undermine confidence in the
banking system and economy. The FDIC believes that its collaborative
efforts with the industry, the public and its fellow regulators will
significantly minimize threats to data security and consumers.
FFIEC IT SECURITY -
We continue our coverage of the FDIC's "Guidance on Managing Risks
Associated With Wireless Networks and Wireless Customer Access."
PART I. Risks Associated with Wireless Internal Networks
Financial institutions are evaluating wireless networks as an
alternative to the traditional cable to the desktop network.
Currently, wireless networks can provide speeds of up to 11 Mbps
between the workstation and the wireless access device without the
need for cabling individual workstations. Wireless networks also
offer added mobility allowing users to travel through the facility
without losing their network connection. Wireless networks are also
being used to provide connectivity between geographically close
locations as an alternative to installing dedicated
telecommunication lines.
Wireless differs from traditional hard-wired networking in that
it provides connectivity to the network by broadcasting radio
signals through the airways. Wireless networks operate using a set
of FCC licensed frequencies to communicate between workstations and
wireless access points. By installing wireless access points, an
institution can expand its network to include workstations within
broadcast range of the network access point.
The most prevalent class of wireless networks currently available
is based on the IEEE 802.11b wireless standard. The standard is
supported by a variety of vendors for both network cards and
wireless network access points. The wireless transmissions can be
encrypted using "Wired Equivalent Privacy" (WEP) encryption. WEP is
intended to provide confidentiality and integrity of data and a
degree of access control over the network. By design, WEP encrypts
traffic between an access point and the client. However, this
encryption method has fundamental weaknesses that make it
vulnerable. WEP is vulnerable to the following types of decryption
attacks:
1) Decrypting information based on statistical analysis;
2) Injecting new traffic from unauthorized mobile stations based
on known plain text;
3) Decrypting traffic based on tricking the access point;
4) Dictionary-building attacks that, after analyzing about a
day's worth of traffic, allow real-time automated decryption of all
traffic (a dictionary-building attack creates a translation table
that can be used to convert encrypted information into plain text
without executing the decryption routine); and
5) Attacks based on documented weaknesses in the RC4 encryption
algorithm that allow an attacker to rapidly determine the encryption
key used to encrypt the user's session.
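The "translation table" in item 4 above exists because WEP derives each frame's RC4 key from a 24-bit IV sent in the clear plus the fixed shared key, so keystreams repeat and one known-plaintext frame reveals the keystream for every later frame with the same IV. The toy model below (added here; not code from the FDIC guidance, and not the real 802.11 frame format; key, IV and frame contents are constructed) shows why that defeats confidentiality without the key ever being recovered, and why the nonce-space arithmetic makes reuse inevitable in about a day of traffic, which is the reason the mitigation is to retire WEP for WPA2/WPA3 rather than to tune it:

```python
from __future__ import annotations

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 key scheduling + PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_frame(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP style: per-frame RC4 key = 24-bit IV || shared key; the IV is sent in the clear."""
    return iv + xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def keystream_table_row(frame: bytes, known_plaintext: bytes) -> tuple[bytes, bytes]:
    """One frame with predictable content yields that IV's keystream (ciphertext XOR
    plaintext): a row of the 'translation table' the guidance describes. No key needed."""
    return frame[:3], xor(frame[3:], known_plaintext)

def read_via_table(table: dict[bytes, bytes], frame: bytes) -> bytes | None:
    """Any later frame whose IV is already in the table is readable without running RC4."""
    ks = table.get(frame[:3])
    return None if ks is None or len(ks) < len(frame) - 3 else xor(frame[3:], ks)

def hours_until_nonce_reuse(nonce_bits: int, frames_per_second: float) -> float:
    """Time until a counter-style nonce space is exhausted and reuse is guaranteed.
    WEP's 24-bit IV at 500 frames/s lasts ~9 hours; CCMP's 48-bit PN lasts millennia."""
    return 2 ** nonce_bits / frames_per_second / 3600

def demo() -> bytes | None:
    key = b"\x0b\xad\xc0\xff\xee"             # constructed 40-bit WEP key, never revealed
    iv = b"\x00\x00\x2a"                       # constructed IV; only 2**24 values exist
    header = b"KNOWN-PROTOCOL-HEADER"          # predictable plaintext (constructed)
    table = dict([keystream_table_row(wep_frame(key, iv, header), header)])
    later = wep_frame(key, iv, b"BALANCE=42")  # a second frame that reuses the IV
    return read_via_table(table, later)        # -> b"BALANCE=42", key still unknown
```

The same reasoning applies to any stream cipher or counter-mode construction: confidentiality rests on never reusing a (key, nonce) pair, and a 24-bit nonce cannot meet that requirement on a busy network.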
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 2 - ELEMENTS OF COMPUTER SECURITY
2.7 Computer Security Should Be Periodically Reassessed.
Computers and the environments they operate in are dynamic. System
technology and users, data and information in the systems, risks
associated with the system and, therefore, security requirements are
ever-changing. Many types of changes affect system security:
technological developments (whether adopted by the system owner or
available for use by others); connecting to external networks; a
change in the value or use of information; or the emergence of a new
threat.
In addition, security is never perfect when a system is
implemented. System users and operators discover new ways to
intentionally or unintentionally bypass or subvert security. Changes
in the system or the environment can create new vulnerabilities.
Strict adherence to procedures is rare, and procedures become
outdated over time. All of these issues make it necessary to
reassess the security of computer systems.
2.8 Computer Security is Constrained by Societal Factors.
The ability of security to support the mission of the
organization(s) may be limited by various factors, such as social
issues. For example, security and workplace privacy can conflict.
Commonly, security is implemented on a computer system by
identifying users and tracking their actions. However, expectations
of privacy vary and can be violated by some security measures. (In
some cases, privacy may be mandated by law.)
Although privacy is an extremely important societal issue, it is
not the only one. The flow of information, especially between a
government and its citizens, is another situation where security may
need to be modified to support a societal goal. In addition, some
authentication measures, such as retinal scanning, may be considered
invasive in some environments and cultures.
The underlying idea is that security measures should be selected
and implemented with a recognition of the rights and legitimate
interests of others. This may involve balancing the security needs
of information owners and users with societal goals. However, rules
and expectations change with regard to the appropriate use of
security controls. These changes may either increase or decrease
security.
The relationship between security and societal norms is not
necessarily antagonistic. Security can enhance the access and flow
of data and information by providing more accurate and reliable
information and greater availability of systems. Security can also
increase the privacy afforded to an individual or help achieve other
goals set by society.