MISCELLANEOUS CYBERSECURITY NEWS:
Should I pay a ransom? A 5-step decision-making process - It’s the
kind of note that grabs you by the shirt and doesn’t let go: “All of
your files are stolen and encrypted.”
https://www.scmagazine.com/news/ransomware/should-i-pay-a-ransom-a-5-step-decision-making-process
HHS: HIPAA can ‘substantially mitigate’ most common healthcare
cyberattacks - The bulk of cyberattacks against the healthcare
sector could be “prevented or substantially mitigated” by following
the Health Insurance Portability and Accountability Act Security
Rule, according to the Department of Health and Human Services
Office for Civil Rights.
https://www.scmagazine.com/analysis/compliance/hhs-hipaa-can-substantially-mitigate-most-common-healthcare-cyberattacks
Seven ways U.S. businesses can protect themselves from Russian
cyberattacks - Cyberattacks have become a part of modern warfare.
These attacks on government agencies and businesses have increased
because of the Russian invasion of Ukraine, with the risk of a torrent
of cyberattacks against non-primary targets becoming more widespread.
https://www.scmagazine.com/perspective/cyberespionage/seven-ways-u-s-businesses-can-protect-themselves-from-russian-cyberattacks
DOJ Settles First Case Under Civil Cyber-Fraud Initiative - In the
DOJ’s first settlement under the Civil Cyber-Fraud Initiative,
Comprehensive Health Services agreed to pay $930,000 to resolve
False Claims Act allegations.
https://healthitsecurity.com/news/doj-settles-first-case-under-civil-cyber-fraud-initiative
UK criminal defense lawyer hadn't patched when ransomware hit -
Criminal defense law firm Tuckers Solicitors is facing a fine from
the UK's data watchdog for failing to properly secure data that
included information on case proceedings which was scooped up in a
ransomware attack in 2020.
https://www.theregister.com/2022/03/15/brit_solicitor_fined_for_failing/
Microsoft reminds of Internet Explorer's looming demise in June -
Microsoft has reminded Windows customers today that they'll finally
retire the Internet Explorer 11 web browser from some Windows 10
versions in June and replace it with the new Chromium-based
Microsoft Edge.
https://www.bleepingcomputer.com/news/microsoft/microsoft-reminds-of-internet-explorers-looming-demise-in-june/
HHS: Amid Russian threat, hospitals need 4-6 week business
continuity plan - Echoing recent healthcare industry stakeholder
groups, the Department of Health and Human Services is urging
provider organizations to review and bolster defenses to guard
against possible fallout from the Russian invasion of Ukraine.
https://www.scmagazine.com/analysis/critical-infrastructure/hhs-amid-russian-threat-hospitals-need-4-6-week-business-continuity-plan
Proposal requires Veterans Affairs to hire outside contractor to
assess cybersecurity needs - A new bill would require the Department
of Veterans Affairs to hire an outside contractor to assess its
cybersecurity operations.
https://www.scmagazine.com/analysis/apt/proposal-requires-veterans-affairs-to-hire-outside-contractor-to-assess-cybersecurity-needs
‘TSA has screwed this up’: Pipeline cyber rules hitting major
hurdles - The pipeline industry says a TSA staff shortage and
inflexible requirements are undermining the Biden administration’s
ability to protect U.S. pipelines from hackers.
https://www.politico.com/news/2022/03/17/tsa-has-screwed-this-up-pipeline-cyber-rules-hitting-major-hurdles-00017893
FIDO Alliance says it has finally killed the password -
Conceptually. It's OEMs who'll do the work, and you'll just have to
trust them - There's a new proposal on eliminating passwords, but it
relies on putting a lot of security eggs into OEM security baskets.
https://www.theregister.com/2022/03/21/fido_password_killer/
OpenSSL vulnerability can ‘definitely be weaponized,’ NSA cyber
director says - A cryptographic vulnerability in the Tonelli-Shanks
modular algorithm, which is used in the popular cryptographic library
OpenSSL, can lead to denial-of-service attacks and can “definitely
be weaponized” in the current threat environment, according to an
NSA official.
https://www.scmagazine.com/analysis/application-security/openssl-vulnerability-can-definitely-be-weaponized-nsa-cyber-director-says
Italian public sector to replace Kaspersky products - Italy's public
sector must replace antivirus software by Russian-based Kaspersky,
the Reuters news service reported Friday.
https://www.scmagazine.com/news/cyberespionage/italian-public-sector-to-replace-kaspersky-products
Ransomware is, on average, very fast - In speed tests of multiple
binaries of multiple brands of ransomware, across different hardware
and operating system configurations, a new report determined
ransomware is very fast.
https://www.scmagazine.com/analysis/ransomware/ransomware-is-on-average-very-fast
All eyes are on ransomware, while business email compromise remains
king of cybercrime - Much like in 2020, the FBI's newly released
cybercrime statistics for 2021 show that business email compromise
is far and away the largest digital crime.
https://www.scmagazine.com/analysis/email-security/all-eyes-are-on-ransomware-and-yet-business-email-compromise-remains-king-of-cybercrime
Financial sector employees less likely to pose insider threat, but
concerns remain - Financial firms have long prided themselves on
vetting their employees and taking steps to prevent against cyber
threats that their own employees might pose, intentional or
otherwise.
https://www.scmagazine.com/analysis/identity-and-access/financial-sector-employees-less-likely-to-pose-insider-threat-but-concerns-remain
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Huge DDoS attack temporarily kicks Israeli government sites offline
- A massive distributed denial-of-service (DDoS) attack forced
Israeli officials Monday to temporarily take down several government
websites and to declare a state of online emergency to assess the
damage and begin investigating who was behind the incident.
https://www.theregister.com/2022/03/15/ddos-attack-israel-government-iran/
South Denver Cardiology cyberattack, data access impacts 287K
patients - South Denver Cardiology Associates recently notified
287,652 patients that their protected health information was
accessed ahead of a cyberattack deployed in January this year.
https://www.scmagazine.com/analysis/incident-response/south-denver-cardiology-cyberattack-data-access-impacts-287k-patients
Arkansas AG sues hospital for leaving patient files unsecured after
closing shop - The Arkansas Attorney General filed a lawsuit against
the Eastern Ozarks Regional Health System in Cherokee Village,
alleging it failed to protect the personal and health information of
its patients after closing its business operations.
https://www.scmagazine.com/analysis/data-security/arkansas-ag-sues-hospital-for-leaving-patient-files-unsecured-after-closing-shop
Ransomware Attack Led Bridgestone to Halt US Tire Production for a
Week - The Japan-based company said its Bridgestone Americas
subsidiary network was infiltrated on Feb. 27, leading the company
to shut down network and production in its manufacturing facilities
in North America and Middle America for around one week.
https://www.darkreading.com/attacks-breaches/ransomware-attack-shut-down-some-bridgestone-tire-operations-for-a-week
Amid recovery, Kentucky hospital details cyberattack discovered in
January - Amid its continued recovery efforts, Taylor Regional
Hospital (TRH) in Kentucky notified patients this week that the
cyberattack began with a systems hack, which led to the access of
their protected health information.
https://www.scmagazine.com/analysis/breach/amid-recovery-kentucky-hospital-details-cyberattack-discovered-in-january
Half of security pros say their public clouds were breached during
the pandemic - Research released on Tuesday by Laminar found that
50% of security pros say their public cloud environments experienced
a breach in 2020 or 2021.
https://www.scmagazine.com/news/cloud-security/half-of-security-pros-say-their-public-clouds-were-breached-during-the-pandemic
Scripps Health sued over ongoing payroll disruption claims, as
Kronos fallout continues - Scripps Health is facing a class-action
lawsuit filed by employees impacted by the Kronos outages and
subsequent payroll disruptions.
https://www.scmagazine.com/analysis/business-contunuity/scripps-health-sued-over-ongoing-payroll-disruption-claims-as-kronos-fallout-continues
Lapsus$ group claims Okta supply chain attacks - The Lapsus$
extortion group posted screenshots to its Telegram channel Monday
night they say prove they breached identity management vendor Okta.
https://www.scmagazine.com/analysis/breach/lapsu-group-claims-okta-supply-chain-attacks
https://www.scmagazine.com/news/breach/okta-lapsus-offer-dueling-narratives-on-breach-claim
WEB SITE COMPLIANCE -
We continue the series on FDIC Supervisory Insights regarding
Incident Response Programs. (2 of 12)
The Importance of an Incident Response Program
A bank's ability to respond to security incidents in a planned and
coordinated fashion is important to the success of its information
security program. While IRPs are important for many reasons, three
are highlighted in this article.
First, though incident prevention is important, focusing solely on
prevention may not be enough to insulate a bank from the effects of
a security breach. Despite the industry's efforts at identifying and
correcting security vulnerabilities, every bank is susceptible to
weaknesses such as improperly configured systems, software
vulnerabilities, and zero-day exploits. Compounding the problem is
the difficulty an organization experiences in sustaining a "fully
secured" posture. Over the long term, a large amount of resources
(time, money, personnel, and expertise) is needed to maintain
security commensurate with all potential vulnerabilities.
Inevitably, an organization faces a point of diminishing returns
whereby the extra resources applied to incident prevention bring a
lesser amount of security value. Even the best information security
program may not identify every vulnerability and prevent every
incident, so banks are best served by incorporating formal incident
response planning to complement strong prevention measures. In the
event management's efforts do not prevent all security incidents
(for whatever reason), IRPs are necessary to reduce the sustained
damage to the bank.
Second, regulatory agencies have recognized the value of IRPs and
have mandated that certain incident response requirements be
included in a bank's information security program. In March 2001,
the FDIC, the Office of the Comptroller of the Currency (OCC), the
Office of Thrift Supervision (OTS), and the Board of Governors of
the Federal Reserve System (FRB) (collectively, the Federal bank
regulatory agencies) jointly issued guidelines establishing
standards for safeguarding customer information, as required by the
Gramm-Leach-Bliley Act of 1999. These standards require banks to
adopt response programs as a security measure. In April 2005, the
Federal bank regulatory agencies issued interpretive guidance
regarding response programs. This additional guidance describes
IRPs and prescribes standard procedures that should be included in
IRPs. In addition to Federal regulation in this area, at least 32
states have passed laws requiring that individuals be notified of a
breach in the security of computerized personal information.
Therefore, the increased regulatory attention devoted to incident
response has made the development of IRPs a legal necessity.
Finally, IRPs are in the best interests of the bank. A
well-developed IRP that is integrated into an overall information
security program strengthens the institution in a variety of ways.
Perhaps most important, IRPs help the bank contain the damage
resulting from a security breach and lessen its downstream effect.
Timely and decisive action can also limit the harm to the bank's
reputation, reduce negative publicity, and help the bank identify
and remedy the underlying causes of the security incident so that
mistakes are not destined to be repeated.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS (Part 2 of 2)
Institution management should consider a number of issues
regarding application-access control. Many of these issues could
also apply to oversight of operating system access:
! Implementing a robust authentication method consistent with the
criticality and sensitivity of the application. Historically, the
majority of applications have relied solely on user IDs and
passwords, but increasingly applications are using other forms of
authentication. Multi-factor authentication, such as token and
PKI-based systems coupled with a robust enrollment process, can
reduce the potential for unauthorized access.
! Maintaining consistent processes for assigning new user access,
changing existing user access, and promptly removing access to
departing employees.
! Communicating and enforcing the responsibilities of programmers
(including TSPs and vendors), security administrators, and business
line owners for maintaining effective application-access control.
Business line managers are responsible for the security and privacy
of the information within their units. They are in the best position
to judge the legitimate access needs of their area and should be
held accountable for doing so. However, they require support in the
form of adequate security capabilities provided by the programmers
or vendor and adequate direction and support from security
administrators.
! Monitoring existing access rights to applications to help ensure
that users have the minimum access required for the current business
need. Typically, business application owners must assume
responsibility for determining the access rights assigned to their
staff within the bounds of the AUP. Regardless of the process for
assigning access, business application owners should periodically
review and approve the application access assigned to their staff.
! Setting time-of-day or terminal limitations for some
applications or for the more sensitive functions within an
application. The nature of some applications requires limiting the
location and number of workstations with access. These restrictions
can support the implementation of tighter physical access controls.
! Logging access and events.
! Easing the administrative burden of managing access rights by
utilizing software that supports group profiles. Some financial
institutions manage access rights individually and it often leads to
inappropriate access levels. By grouping employees with similar
access requirements under a common access profile (e.g., tellers,
loan operations, etc.),
business application owners and security administrators can better
assign and oversee access rights. For example, a teller performing a
two-week rotation as a proof operator does not need year-round
access to perform both jobs. With group profiles, security
administrators can quickly reassign the employee from a teller
profile to a proof operator profile. Note that group profiles are
used only to manage access rights; accountability for system use is
maintained through individuals being assigned their own unique
identifiers and authenticators.
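As an added illustration (not part of the FFIEC booklet or this newsletter), the following Python sketch shows how the points above fit together: rights live in group profiles, a user carries only a profile plus a unique identifier, the more sensitive function carries time-of-day and terminal limits, every decision is logged, and a rotation is handled by reassigning the profile. All profiles, function names, terminals and users are constructed for the example.

```python
# Added example (not from the FFIEC booklet): a minimal application-access
# check built on group profiles, time-of-day and terminal limits, and an
# access log. Profiles, functions, terminals and users are constructed.
from dataclasses import dataclass
from datetime import datetime, time

# Group profiles hold the rights; a user is assigned a profile, never rights.
PROFILES = {
    "teller": {"view_account", "post_deposit"},
    "proof_operator": {"view_account", "balance_batch"},
}

# Time-of-day and terminal limits for the more sensitive functions.
LIMITS = {
    "balance_batch": {"hours": (time(8, 0), time(18, 0)),
                      "terminals": {"PROOF-01", "PROOF-02"}},
}

@dataclass
class User:
    user_id: str   # unique identifier: accountability stays individual
    profile: str   # the single group profile currently assigned

access_log: list = []   # one entry per decision, allowed or not

def check_access(user, function, terminal, now_iso):
    """Return True if allowed; every decision is logged under the user's own ID."""
    now = datetime.fromisoformat(now_iso)
    allowed = function in PROFILES.get(user.profile, set())
    reason = "ok" if allowed else "not in profile"
    limit = LIMITS.get(function)
    if allowed and limit:
        start, end = limit["hours"]
        if not (start <= now.time() <= end):
            allowed, reason = False, "outside permitted hours"
        elif terminal not in limit["terminals"]:
            allowed, reason = False, "terminal not permitted"
    access_log.append((now_iso, user.user_id, user.profile,
                       function, terminal, allowed, reason))
    return allowed

def reassign(user, new_profile):
    """Rotation: move the employee between profiles instead of editing rights."""
    if new_profile not in PROFILES:
        raise ValueError(f"unknown profile: {new_profile}")
    user.profile = new_profile
    return user.profile
```

The log keeps the individual user ID on every line, so the profile simplifies administration without blurring who did what.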
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.2 Audit Trails and Logs
18.2.2.2 Application-Level Audit Trails
System-level audit trails may not be able to track and log events
within applications, or may not be able to provide the level of
detail needed by application or data owners, the system
administrator, or the computer security manager. In general,
application-level audit trails monitor and log user activities,
including data files opened and closed, specific actions, such as
reading, editing, and deleting records or fields, and printing
reports. Some applications may be sensitive enough from a data
availability, confidentiality, and/or integrity perspective that a
"before" and "after" picture of each modified record (or the data
element(s) changed within a record) should be captured by the audit
trail.
18.2.2.3 User Audit Trails
User audit trails can usually log:
1) all commands directly initiated by the user;
2) all identification and authentication attempts; and
3) files and resources accessed.
It is most useful if options and parameters are also recorded from
commands. It is much more useful to know that a user tried to delete
a log file (e.g., to hide unauthorized actions) than to know the
user merely issued the delete command, possibly for a personal data
file.
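As an added illustration (not from the NIST Handbook or this newsletter), the Python below records the two kinds of entry the sections above describe: an application-level record that keeps a "before" and "after" picture of each changed field, and a user-level record that keeps the command's options and parameters, which is what lets a later review tell a log-file deletion apart from an ordinary one. The records, the command names and the log-file suffixes are constructed for the example.

```python
# Added example (not from the NIST Handbook): an application-level audit
# record with a before/after picture of each changed field, and a user
# audit record that keeps command options and parameters so a review can
# tell a log-file deletion from an ordinary one. Sample data is constructed.
from copy import deepcopy

audit_trail: list = []   # stand-in for append-only audit storage

def update_record(user_id, record, changes):
    """Application-level audit: capture before and after for each changed field."""
    before = deepcopy(record)
    record.update(changes)
    audit_trail.append({
        "kind": "app",
        "user": user_id,
        "record_id": record["id"],
        "before": {k: before.get(k) for k in changes},
        "after": {k: record[k] for k in changes},
    })
    return record

def record_command(user_id, argv):
    """User audit: log the whole command line, not just the command name."""
    entry = {"kind": "user", "user": user_id,
             "command": argv[0], "args": list(argv[1:])}
    audit_trail.append(entry)
    return entry

LOG_SUFFIXES = (".log", ".audit")   # constructed: what this app treats as logs

def find_log_deletions(trail):
    """Review pass: flag delete commands whose parameters name a log file.
    Without the parameters in the trail this distinction could not be made."""
    hits = []
    for entry in trail:
        if entry.get("kind") != "user" or entry["command"] not in ("rm", "del"):
            continue
        for arg in entry["args"]:
            if arg.endswith(LOG_SUFFIXES):
                hits.append((entry["user"], arg))
    return hits
```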