MISCELLANEOUS CYBERSECURITY NEWS:
HHS opens investigation into Change Healthcare cyberattack - The
Office for Civil Rights will focus on whether protected health
information was breached and if UnitedHealth complied with privacy
and security requirements.
https://www.cybersecuritydive.com/news/hhs-investigates-change-healthcare/710286/
Calls grow for federal funding after Change Healthcare cyberattack -
The Change Healthcare ransomware attack story has evolved to the
point where the industry and leading political leaders are calling
for the federal government to step in and help providers with an
impending cash flow crisis so insurance claims can get paid and
patients can get the drugs they need.
https://www.scmagazine.com/news/calls-grow-for-federal-funding-after-change-healthcare-cyberattack
FCC approves voluntary cyber labeling program for smart home IoT
devices - The Biden administration wants the U.S. Cyber Trust Mark
program to incentivize higher security standards in future IoT
development.
https://www.cybersecuritydive.com/news/fcc-cyber-labeling-smart-home-iot/710426/
Stronger FCC data breach reporting rules for telecom go live - The
updated rules expand the scope of breach disclosure requirements to
cover all PII and carriers have to notify customers within 30 days
of determining a breach occurred.
https://www.cybersecuritydive.com/news/fcc-data-breach-reporting-rules/710444/
Experts Say CISA's Software Attestation Form Lacks Key Parts - The
U.S. federal government's secure software development
self-attestation form for manufacturers takes bold steps towards
securing the supply chain but lacks key components that should be
incorporated into iterative versions of the document, experts told
Information Security Media Group.
https://www.govinfosecurity.com/experts-say-cisas-software-attestation-form-lacks-key-parts-a-24595
Infosec teams must be allowed to fail, argues Gartner - Zero
tolerance of failure by information security professionals is
unrealistic, and makes it harder for cyber security folk to do the
essential part of their job: recovering fast from inevitable
attacks, according to Gartner analysts Chris Mixter and Dennis Xu.
https://www.theregister.com/2024/03/18/gartner_infosec_failure_advice/
UK Government Releases Cloud SCADA Security Guidance - The UK’s
National Cyber Security Centre (NCSC) released security guidance on
Monday to help organizations that use operational technology (OT)
determine whether they should migrate their supervisory control and
data acquisition (SCADA) systems to the cloud.
https://www.securityweek.com/uk-government-releases-cloud-scada-security-guidance/
What is ‘AI washing?’ Companies pay $400K to SEC for inflated claims
- The United States Securities and Exchange Commission (SEC) charged
two companies for falsely exaggerating the use of artificial
intelligence in their products, marking one of the first-ever
enforcement actions against “AI washing.”
https://www.scmagazine.com/news/what-is-ai-washing-companies-pay-400k-to-sec-for-inflated-claims
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
CISA breached by hackers exploiting Ivanti bugs - Systems run by the
U.S. Cybersecurity and Infrastructure
Security Agency (CISA) were breached last month by hackers
exploiting bugs in Ivanti products.
https://www.scmagazine.com/news/cisa-breached-by-hackers-exploiting-ivanti-bugs
Nissan to let 100,000 Aussies and Kiwis know their data was stolen
in cyberattack - Over the next few weeks, Nissan Oceania will make
contact with around 100,000 people in Australia and New Zealand
whose data was pilfered in a December 2023 attack on its systems -
perhaps by the Akira ransomware gang.
https://www.theregister.com/2024/03/14/nissan_oceania_100k_affected
Stanford University failed to detect ransomware intruders for 4
months - Stanford University says the cybersecurity incident it
dealt with last year was indeed ransomware, which it failed to spot
for more than four months.
https://www.theregister.com/2024/03/13/stanford_university_ransomware/
French unemployment agency data breach impacts 43 million people -
France Travail, formerly known as Pôle Emploi, is warning that
hackers breached its systems and may leak or exploit personal
details of an estimated 43 million individuals.
https://www.bleepingcomputer.com/news/security/french-unemployment-agency-data-breach-impacts-43-million-people/
Cut submarine cables cause web outages across Africa; 6 countries
still affected - Thirteen countries across Africa experienced
Internet outages on Thursday due to damage to submarine fiber optic
cables. Some countries, including Ghana and Nigeria, are still
suffering from nationwide outages.
https://arstechnica.com/information-technology/2024/03/internet-outages-hit-13-countries-in-africa-due-to-undersea-cable-damage/
Malawi Passport System Back Online After Debilitating Cyberattack -
Malawi's passport issuance system is back online several weeks after
being hit with what appears to be a ransomware attack.
https://www.darkreading.com/cyberattacks-data-breaches/malawi-passport-system-back-online-after-cyberattack
NHS Dumfries and Galloway Warns of “Significant” Data Theft - An NHS
Scotland trust has warned of disrupted services and possible data
compromise after being breached by threat actors.
https://www.infosecurity-magazine.com/news/nhs-dumfries-galloway-significant/
McDonald's: Global outage was caused by "configuration change" -
McDonald's has blamed a third-party service provider's configuration
change, not a cyberattack, for the global outage that forced many of
its fast-food restaurants to close.
https://www.bleepingcomputer.com/news/technology/mcdonalds-global-outage-was-caused-by-configuration-change/
Fujitsu reveals malware installed on internal systems, risk of
customer data spill - Fujitsu has confirmed that miscreants have
compromised some of its internal computers, deployed malware, and
may have stolen some customer information.
https://www.theregister.com/2024/03/18/fujitsu_malware_data_breach/
IMF Emails Hacked - The International Monetary Fund (IMF) detected a
cybersecurity incident in which nearly a dozen email accounts were
compromised. In a statement issued last week, the United Nations
financial institution said it detected the security breach on
February 16, 2024.
https://www.securityweek.com/imf-emails-hacked/
Google Firebase may have exposed 125M records from misconfigurations
- More than 900 misconfigured Google Firebase websites could have
leaked nearly 125 million user records, according to a recent post
by a trio of security researchers who go by the online handles
"mrbuh," "xyzeva" and "logykk."
https://www.scmagazine.com/news/google-firebase-may-have-exposed-125m-records-from-misconfigurations
Open-source ransomware, RATs deployed on compromised TeamCity
servers - A JetBrains TeamCity authentication bypass vulnerability
is being leveraged to deploy open-source ransomware, remote access
tools (RATs), cryptominers and Cobalt Strike beacons.
https://www.scmagazine.com/news/open-source-ransomware-rats-deployed-on-compromised-teamcity-servers
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Banking Supervision.
Board and Management Oversight - Principle 7: Banks should ensure
that proper authorization controls and access privileges are in place
for e-banking systems, databases and applications.
In order to maintain segregation of duties, banks need to
strictly control authorization and access privileges. Failure to
provide adequate authorization control could allow individuals to
alter their authority, circumvent segregation and gain access to
e-banking systems, databases or applications to which they are not
privileged.
In e-banking systems, the authorizations and access rights can
be established in either a centralized or distributed manner within
a bank and are generally stored in databases. The protection of
those databases from tampering or corruption is therefore essential
for effective authorization control.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Shared Secret Systems (Part 2 of 2)
Weaknesses in shared secret mechanisms generally relate to the
ease with which an attacker can discover the secret. Attack methods
vary.
! A dictionary attack is one common and successful way to
discover passwords. In a dictionary attack, the attacker obtains the
system password file and compares the stored password hashes against
hashes of commonly used passwords.
Controls against dictionary attacks include securing the password
file from compromise, detection mechanisms to identify a compromise,
heuristic intrusion detection to detect differences in user
behavior, and rapid reissuance of passwords should the password file
ever be compromised. While extensive character sets and storing
passwords as one-way hashes can slow down a dictionary attack, those
defensive mechanisms primarily buy the financial institution time to
identify and react to a password file compromise.
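As an added illustration (not part of the FFIEC booklet or this newsletter), the following Python script shows why obtaining the password file is the attacker's key step and what the hashing choice buys the defender. The user names, stored hashes and word list are constructed for the example. With fast unsalted hashes the attacker hashes each candidate word once and matches it against every account at the same time; with a per-user random salt and an iterated key derivation function (PBKDF2 is used here as one such choice) every account costs a separate run through the whole word list, which is the "time" the booklet says these mechanisms buy.

```python
import hashlib
import hmac
import os

# Constructed word list: the common passwords a dictionary attack tries first.
WORDLIST = ["password", "123456", "letmein", "Spring2024!", "qwerty"]
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast, unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Stronger scheme: per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_record(password: str):
    """What a password file stores per user under the salted scheme: (salt, hash) as hex."""
    salt = os.urandom(16)
    return salt.hex(), salted_slow_hash(password, salt)


# Constructed "stolen" password files for three users, one per scheme.
UNSALTED_FILE = {
    "alice": unsalted_hash("Spring2024!"),
    "bob": unsalted_hash("correct horse battery staple"),
    "carol": unsalted_hash("letmein"),
}
SALTED_FILE = {
    "alice": make_salted_record("Spring2024!"),
    "bob": make_salted_record("correct horse battery staple"),
    "carol": make_salted_record("letmein"),
}


def dictionary_attack_unsalted(password_file, wordlist):
    """Hash every candidate once, then look every user's stored hash up in that table.
    Cost: len(wordlist) hash operations, no matter how many users the file holds."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in password_file.items() if h in table}


def dictionary_attack_salted(password_file, wordlist, iterations=ITERATIONS):
    """With per-user salts there is no shared table: every (user, word) pair needs
    its own full KDF run. Cost: up to len(users) * len(wordlist) * iterations."""
    cracked = {}
    for user, (salt_hex, stored) in password_file.items():
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            if hmac.compare_digest(salted_slow_hash(word, salt, iterations), stored):
                cracked[user] = word
                break
    return cracked


def attack_cost(n_users, n_words, iterations=ITERATIONS):
    """Underlying hash invocations the attacker must perform against each scheme."""
    return {"unsalted": n_words, "salted_pbkdf2": n_users * n_words * iterations}


if __name__ == "__main__":
    print("unsalted:", dictionary_attack_unsalted(UNSALTED_FILE, WORDLIST))
    print("salted:  ", dictionary_attack_salted(SALTED_FILE, WORDLIST))
    print("cost:    ", attack_cost(len(SALTED_FILE), len(WORDLIST)))
```

Both attacks recover the two weak passwords and miss bob's passphrase, which is not in the word list; the difference is the work each recovery costs. The salted scheme does not stop a determined attacker with a stolen file and a good word list, so the booklet's other controls (protecting the file, detecting its compromise, reissuing passwords quickly) still carry the load.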
! An additional attack method targets a specific account and
submits passwords until the correct password is discovered.
Controls against those attacks are account lockout mechanisms,
which commonly lock out access to the account after a risk-based
number of failed login attempts.
! A variation of the previous attack uses a popular password, and
tries it against a wide range of usernames.
Controls against this attack on the server are a high ratio of
possible passwords to usernames, randomly generated passwords, and
scanning the IP addresses of authentication requests and client
cookies for submission patterns.
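The two online attacks above, per-account guessing that lockout addresses and one popular password sprayed across many user names, leave different traces in authentication logs. The following Python script is an added example rather than text from the booklet: it implements both checks over a few constructed log lines (the log format, user names and addresses are invented for the example). It locks an account after a risk-based number of failures inside a time window, and it flags a source address whose failures touch many distinct accounts, which is the "submission pattern" the booklet's third control looks for.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One source hammers a single
# account; a second source tries one password against many accounts; a real user
# mistypes once and then logs in.
SAMPLE_LOG = """\
2024-03-18T09:00:01Z auth result=fail user=alice src=203.0.113.5
2024-03-18T09:00:03Z auth result=fail user=alice src=203.0.113.5
2024-03-18T09:00:05Z auth result=fail user=alice src=203.0.113.5
2024-03-18T09:00:07Z auth result=fail user=alice src=203.0.113.5
2024-03-18T09:00:09Z auth result=fail user=alice src=203.0.113.5
2024-03-18T09:00:11Z auth result=fail user=alice src=203.0.113.5
2024-03-18T09:10:00Z auth result=fail user=bob src=198.51.100.7
2024-03-18T09:10:02Z auth result=fail user=carol src=198.51.100.7
2024-03-18T09:10:04Z auth result=fail user=dave src=198.51.100.7
2024-03-18T09:10:06Z auth result=fail user=erin src=198.51.100.7
2024-03-18T09:10:08Z auth result=fail user=frank src=198.51.100.7
2024-03-18T09:10:10Z auth result=ok user=grace src=198.51.100.7
2024-03-18T09:30:00Z auth result=fail user=bob src=192.0.2.10
2024-03-18T09:30:30Z auth result=ok user=bob src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def accounts_to_lock(events, threshold=5, window=timedelta(minutes=15)):
    """Per-account brute force: `threshold` failures within `window` lock the account.
    A successful login clears the counter. Returns {user: time the lock triggered}."""
    recent_fails = defaultdict(list)
    locked = {}
    for ts, result, user, _ in sorted(events):
        if user in locked:
            continue
        if result == "ok":
            recent_fails[user].clear()
            continue
        recent = [t for t in recent_fails[user] if ts - t <= window]
        recent.append(ts)
        recent_fails[user] = recent
        if len(recent) >= threshold:
            locked[user] = ts
    return locked


def spraying_sources(events, min_users=5, window=timedelta(minutes=15)):
    """Password spraying: one source failing against `min_users` distinct accounts
    within `window`. Returns {src: sorted list of the accounts it touched}."""
    fails_by_src = defaultdict(list)
    for ts, result, user, src in sorted(events):
        if result == "fail":
            fails_by_src[src].append((ts, user))
    flagged = {}
    for src, fails in fails_by_src.items():
        for i, (ts, _) in enumerate(fails):
            users = {u for t, u in fails[: i + 1] if ts - t <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("lock:", accounts_to_lock(events))
    print("spray:", spraying_sources(events))
```

Spraying exists precisely to stay under a per-account lockout threshold (one failure per account is never enough to lock anything), so a lockout rule alone sees nothing wrong with the second source; only the per-source view across accounts catches it. The thresholds and window are the "risk-based" knobs the booklet refers to, and lockout has its own cost: an attacker who knows the user names can deliberately trip it to deny service, which is one reason to pair it with source-based detection rather than rely on it alone.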
! Password guessing attacks also exist. These attacks generally
consist of an attacker gaining knowledge about the account holder
and password policies and using that knowledge to guess the
password.
Controls include training in and enforcement of password policies
that make passwords difficult to guess. Such policies address the
secrecy, length of the password, character set, prohibition against
using well-known user identifiers, and length of time before the
password must be changed. Users with greater authorization or
privileges, such as root users or administrators, should have
longer, more complex passwords than other users.
! Some attacks depend on patience, waiting until the logged-in
workstation is unattended.
Controls include automatically logging the workstation out after
a period of inactivity (existing industry practice is no more than
20 to 30 minutes) and heuristic intrusion detection.
! Attacks can take advantage of automatic login features,
allowing the attacker to assume an authorized user's identity merely
by using a workstation.
Controls include prohibiting and disabling automatic login
features, and heuristic intrusion detection.
! Users' inadvertent or unthinking actions can compromise
passwords. For instance, when a password is too complex to readily
memorize, the user could write the password down but not secure the
paper. Frequently, written-down passwords are readily accessible
to an attacker under mouse pads or in other places close to the
user's machine. Additionally, attackers frequently are successful
in obtaining passwords by using social engineering and tricking the
user into giving up their password.
Controls include user training, heuristic intrusion detection,
and simpler passwords combined with another authentication
mechanism.
! Attacks can also become much more effective or damaging if
different network devices share the same or a similar password.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.4.4.3 Managing Change
Computer systems and the environments in which they operate change
continually. In response to various events such as user complaints,
availability of new features and services, or the discovery of new
threats and vulnerabilities, system managers and users modify the
system and incorporate new features, new procedures, and software
updates.
The environment in which the system operates also changes.
Networking and interconnections tend to increase. A new user group
may be added, possibly external groups or anonymous groups. New
threats may emerge, such as increases in network intrusions or the
spread of personal computer viruses. If the system has a
configuration control board or other structure to manage technical
system changes, a security specialist can be assigned to the board
to make determinations about whether (and if so, how) changes will
affect security.
Security should also be considered during system upgrades (and
other planned changes) and in determining the impact of unplanned
changes. When a change occurs or is planned, a determination is made
whether the change is major or minor. A major change, such as
reengineering the structure of the system, significantly affects the
system. Major changes often involve the purchase of new hardware,
software, or services or the development of new software modules.
An organization does not need to have a specific cutoff for
major-minor change decisions. A sliding scale between the two can be
implemented by using a combination of the following methods:
! Major change. A major change
requires analysis to determine security requirements. The process
described above can be used, although the analysis may focus only on
the area(s) in which the change has occurred or will occur. If the
original analysis and system changes have been documented throughout
the life cycle, the analysis will normally be much easier. Since
these changes result in significant system acquisitions, development
work, or changes in policy, the system should be reaccredited to
ensure that the residual risk is still acceptable.
! Minor change. Many of the
changes made to a system do not require the extensive analysis
performed for major changes, but do require some analysis. Each
change can involve a limited risk assessment that weighs the pros
(benefits) and cons (costs) and that can even be performed
on-the-fly at meetings. Even if the analysis is conducted
informally, decisions should still be appropriately documented. This
process recognizes that even "small" decisions should be risk-based.