MISCELLANEOUS CYBERSECURITY NEWS:
Healthcare Leaders Call for Cybersecurity Standards - Healthcare
industry representatives called on Congress to ensure minimum
cybersecurity standards for their industry, saying that a wholly
voluntary approach is failing clinics and hospitals.
https://www.govinfosecurity.com/healthcare-leaders-call-for-cybersecurity-standards-a-21458
Cancer patient sues hospital after ransomware gang leaks her medical
photos - A cancer patient whose medical photos and records were
posted online after they were stolen by a ransomware gang has sued
her healthcare provider for allowing the "preventable" and
"seriously damaging" leak.
https://www.theregister.com/2023/03/15/cancer_lvhn_sues_hospital/
SEC proposes slew of new cyber rules to secure financial entities -
The Securities and Exchange Commission announced multiple new
proposed regulations this week that would require broker-dealers to
notify customers within 30 days of a data breach, immediately inform
the government, and expand the type of customer information
protected by data privacy regulations.
https://www.scmagazine.com/analysis/breach/sec-proposes-slew-of-new-cyber-rules-for-secure-financial-entities
Publicly traded companies aren’t moving to add cyber experts to
their boards - The Securities and Exchange Commission is in the
process of finalizing new rules that would push publicly traded
companies to detail the cyber expertise on their boards, signaling
such experience will be an important metric tracked by regulators.
https://www.scmagazine.com/analysis/compliance/publicly-traded-companies-arent-moving-to-add-cyber-experts-to-their-boards
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Latitude cyberattack leads to data theft at two service providers -
Latitude Financial Services (Latitude) has disclosed a data breach
after suffering a cyberattack, causing the company to shut down
internal and customer-facing systems.
https://www.bleepingcomputer.com/news/security/latitude-cyberattack-leads-to-data-theft-at-two-service-providers/
Data Breach at Independent Living Systems Impacts 4 Million
Individuals - Florida-based health services company Independent
Living Systems (ILS) has started sending out notification letters to
more than 4 million individuals to inform them of a data breach
impacting their personal and medical information.
https://www.securityweek.com/data-breach-at-independent-living-systems-impacts-4-million-individuals/
Rubrik confirms data theft in GoAnywhere zero-day attack -
Cybersecurity company Rubrik has confirmed that its data was stolen
using a zero-day vulnerability in the Fortra GoAnywhere secure file
transfer platform.
https://www.bleepingcomputer.com/news/security/rubrik-confirms-data-theft-in-goanywhere-zero-day-attack/
UC San Diego Health latest provider to report pixel-tracking
incident - University of California San Diego Health notified an
undisclosed number of patients that their data was inadvertently
shared with third parties due to its vendor placing analytics tools
on its patient-facing websites without UCSD Health’s authorization.
https://www.scmagazine.com/news/breach/uc-san-diego-health-pixel-tracking-incident
Ferrari confirms extortion attempt, but car maker refuses to pay
ransom - Italian sports car maker Ferrari confirmed Monday that it
was hit with a ransomware extortion attempt by an unknown threat
actor in which customer names, addresses, email addresses, and
telephone numbers were exposed.
https://www.scmagazine.com/news/ransomware/ferrari-confirms-extortion-attempt-refuses-to-pay-ransom
WEB SITE COMPLIANCE - This week begins our series on the Federal
Financial Institutions Examination Council Guidance on Electronic
Financial Services and Consumer Compliance.
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear
and readily understandable, in writing, and in a form the consumer
may keep. An interim rule issued on March 20, 1998 allows
depository institutions to satisfy the requirement to deliver any of
these disclosures, and other information required by the act and
regulations, by electronic communication, as long as the consumer
agrees to that method of delivery.
Financial institutions must ensure that consumers who sign up
for a new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services, including electronic financial services.
FFIEC IT SECURITY - We continue our coverage of the FDIC's
"Guidance on Managing Risks Associated With Wireless Networks and
Wireless Customer Access."
Using "Wired Equivalent Privacy" (WEP) by itself to provide
wireless network security may lead a financial institution to a
false sense of security. Information traveling over the network
appears secure because it is encrypted. That appearance, however,
can be defeated in a relatively short time: WEP reuses a short
24-bit initialization vector and keys its RC4 cipher in a way that
leaks key material, so an attacker who passively captures enough
frames can read traffic and recover the shared key.
Through such attacks, unauthorized personnel could gain access to
the financial institution's data and systems. For example, an
attacker with a laptop computer and a wireless network card could
eavesdrop on the bank's network, obtain private customer
information, obtain access to bank systems and initiate unauthorized
transactions against customer accounts.
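To make the WEP weakness above concrete, the following is an added example (not part of the FDIC guidance) in Python. It models WEP framing: each frame is RC4-encrypted under (24-bit IV || shared key) with the IV sent in the clear, so two frames captured with the same IV share one keystream, and the known content of one frame (an ARP request, say) reveals the other without the key. The shared key, IV and frame contents are constructed for illustration; the CRC-32 integrity value that real WEP appends is omitted because it does not affect the keystream-reuse property.

```python
"""WEP keystream-reuse demonstration (added example; not from the guidance).

WEP sends a 3-byte IV in cleartext and encrypts the frame body with
RC4(IV || shared_key). Identical IV => identical keystream, so
C_a XOR C_b == P_a XOR P_b, and a known P_a yields P_b.
The 2^24 IV space wraps within hours on a busy access point, and many
cards reset the IV to 0 on power-up, so collisions occur routinely.
"""


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Model of a WEP frame: cleartext IV || (RC4(IV||key) XOR body)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4(iv + shared_key, len(plaintext))
    return iv + xor(keystream, plaintext)


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes,
                          known_plain_a: bytes) -> bytes:
    """Given two captured frames with the same IV and the plaintext of the
    first, recover the plaintext of the second without the shared key."""
    iv_a, body_a = frame_a[:3], frame_a[3:]
    iv_b, body_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        raise ValueError("frames use different IVs; keystreams differ")
    n = min(len(body_a), len(body_b), len(known_plain_a))
    keystream = xor(body_a[:n], known_plain_a[:n])   # C_a XOR P_a
    return xor(body_b[:n], keystream)                # C_b XOR keystream


def demo() -> bytes:
    """Constructed scenario: an eavesdropper captures two frames that
    happen to share an IV; one is a guessable ARP request."""
    shared_key = b"\x0b\xad\xc0\xff\xee"               # hypothetical 40-bit key
    iv = b"\x00\x00\x01"                               # reused IV
    plain_a = b"ARP who-has 10.0.0.1 tell 10.0.0.2  "  # guessable frame
    plain_b = b"acct=123456789 amt=5000 pin=4321"      # secret frame
    frame_a = wep_encrypt(shared_key, iv, plain_a)
    frame_b = wep_encrypt(shared_key, iv, plain_b)
    return recover_from_iv_reuse(frame_a, frame_b, plain_a)


if __name__ == "__main__":
    print(demo())
```

The attacker never learns or needs the shared key; the recovery uses only the two captured ciphertexts and one guessable plaintext. This is why the guidance below insists on layering a proven protocol such as IPsec over the wireless link rather than relying on WEP alone.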
Another risk in implementing wireless networks is the potential
disruption of wireless service caused by radio transmissions of
other devices. For example, the frequency range used for 802.11b
equipment is also shared by microwave ovens, cordless phones and
other radio-wave-emitting equipment that can potentially interfere
with transmissions and lower network performance. Also, as wireless
workstations are added within a relatively small area, they will
begin to compete with each other for wireless bandwidth, decreasing
the overall performance of the wireless network.
Risk Mitigation Components -- Wireless Internal Networks
A key step in mitigating security risks related to the use of
wireless technologies is to create policies, standards and
procedures that establish minimum levels of security. Financial
institutions should adopt standards that require end-to-end
encryption for wireless communications based on proven encryption
methods. Also, as wireless technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless network devices.
For wireless internal networks, financial institutions should
adopt standards that require strong encryption of the data stream
through technologies such as IPsec (the IP Security Protocol). These
methods effectively establish a virtual private network between the
wireless workstation and other components of the network. Even
if the underlying WEP encryption is broken, an attacker would still
have to defeat an industry-proven security standard.
Financial institutions should also consider the proximity of
their wireless networks to publicly available places. A wireless
network that does not extend beyond the confines of the financial
institution's office space carries with it far less risk than one
that extends into neighboring buildings. Before bringing a wireless
network online, the financial institution should perform a limited
pilot to test the effective range of the wireless network and
consider positioning devices in places where they will not broadcast
beyond the office space. The institution should also be mindful that
each workstation with a wireless card is a transmitter. Confidential
customer information may be obtained by listening in on the
workstation side of the conversation, even though the listener may
be out of range of the access device.
The financial institution should consider having regular
independent security testing performed on its wireless network
environment. Specific testing goals would include the verification
of appropriate security settings, the effectiveness of the wireless
security implementation and the identification of rogue wireless
devices that do not conform to the institution's stated standards.
The security testing should be performed by an organization that is
technically qualified to perform wireless testing and demonstrates
appropriate ethical behavior.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 3 - Roles and Responsibilities
One fundamental issue that arises in discussions of computer
security is: "Whose responsibility is it?" Of course, on a basic
level the answer is simple: computer security is the responsibility
of everyone who can affect the security of a computer system.
However, the specific duties and responsibilities of various
individuals and organizational entities vary considerably.
This chapter presents a brief overview of roles and
responsibilities of the various officials and organizational offices
typically involved with computer security. They include the
following groups:
1) senior management,
2) program/functional managers/application owners,
3) computer security management,
4) technology providers,
5) supporting organizations, and
6) users.
This chapter is intended to give the reader a basic familiarity
with the major organizational elements that play a role in computer
security. It does not describe all responsibilities of each in
detail, nor will this chapter apply uniformly to all organizations.
Organizations, like individuals, have unique characteristics, and no
single template can apply to all. Smaller organizations, in
particular, are not likely to have separate individuals performing
many of the functions described in this chapter. Even at some larger
organizations, some of the duties described in this chapter may not
be staffed with full-time personnel. What is important is that these
functions be handled in a manner appropriate for the organization.
As with the rest of the handbook, this chapter is not intended to be
used as an audit guide.
3.1 Senior Management - Senior management has ultimate
responsibility for the security of an organization's computer
systems.
Ultimately, responsibility for the success of an organization lies
with its senior managers. They establish the organization's computer
security program and its overall program goals, objectives, and
priorities in order to support the mission of the organization.
Ultimately, the head of the organization is responsible for ensuring
that adequate resources are applied to the program and that it is
successful. Senior managers are also responsible for setting a good
example for their employees by following all applicable security
practices.