MISCELLANEOUS CYBERSECURITY NEWS:
House Homeland leaders don’t want CISA’s reach to exceed its grasp -
As the Cybersecurity and Infrastructure Security Agency’s mission
and portfolio have grown in recent years to meet the bold agendas of
Congress and the White House, leaders on the House Homeland Security
Committee want to ensure that as the young agency is given new
powers and increased funding, it is adequately staffed and resourced
to handle existing responsibilities.
https://www.scmagazine.com/analysis/critical-infrastructure/house-homeland-leaders-cisas-reach
Health apps on notice: FTC signals more privacy enforcement actions
ahead - The Federal Trade Commission’s recent enforcement actions
against GoodRx and BetterHelp sent ripples across the digital health
app industry.
https://www.scmagazine.com/analysis/application-security/health-apps-ftc-signals-privacy-enforcement
CISA, NSA Issue Guidance for IAM Administrators - The Cybersecurity
and Infrastructure Security Agency (CISA) and the National Security
Agency (NSA) this week announced new guidance for identity and
access management (IAM) administrators.
https://www.securityweek.com/cisa-nsa-issue-guidance-for-iam-administrators/
CISA Expands Cybersecurity Committee, Updates Baseline Security
Goals - The US Cybersecurity and Infrastructure Security Agency
(CISA) this week announced adding more experts to its Cybersecurity
Advisory Committee (CSAC) and updating the baseline cybersecurity
goals introduced last year.
https://www.securityweek.com/cisa-adds-experts-to-cybersecurity-committee-updates-baseline-security-goals/
North Dakota to require cybersecurity education in public schools -
North Dakota became the first state in the U.S. to require public
schools to teach cybersecurity and computer science. Republican Gov.
Doug Burgum signed the new law on March 24.
https://www.scmagazine.com/news/careers/north-dakota-require-cybersecurity-education-public-schools
FDA will refuse new medical devices for cybersecurity reasons on
Oct. 1 - The Food and Drug Administration announced March 29 that it
will begin to “refuse to accept” medical devices and related systems
over cybersecurity reasons beginning Oct. 1. All new device
submissions must include detailed cybersecurity plans beginning
March 2.
https://www.scmagazine.com/news/device-security/fda-will-refuse-new-medical-devices-for-cybersecurity-reasons-on-oct-1
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Dole now says February attack spilled employee data - Data tied to a
crippling cyberattack against Dole Food Company, which resulted in a
reported temporary shutdown of its North American production
facilities, included employees' personally identifiable information.
https://www.scmagazine.com/news/ransomware/dole-attack-employee-data
Cyberattack hits Spanish pharmaceutical company Alliance Healthcare
- A cyberattack against Alliance Healthcare, one of Spain's leading
pharmaceutical companies, is causing delays and disruption in the
drug supply chain, according to local news outlet El Pais.
https://www.scmagazine.com/news/incident-response/cyberattack-hits-spanish-pharmaceutical-company-alliance-healthcare
Dish customers struggle with service disruptions weeks after
ransomware attack - Dish Network customers continue to grapple with
service disruptions and technical issues a month after the satellite
TV giant was hit by a ransomware attack.
https://www.scmagazine.com/analysis/ransomware/dish-customers-struggle-with-service-disruptions-weeks-after-ransomware-attack
Punjab hit by internet blackout as authorities hunt for Sikh
preacher - Shutdown imposed as part of search for Amritpal Singh
Sandhu, accused of disrupting communal harmony - Economic life in
the north Indian state of Punjab has been paralysed by an internet
shutdown, affecting 30 million people, imposed as part of a huge
manhunt for a Sikh preacher fighting for a separate Sikh state.
https://www.theguardian.com/world/2023/mar/21/punjab-internet-blackout-hunt-sikh-preacher-amritpal-singh-sandhu
Law firm pays $200,000 over ‘poor data security’ that led to
Microsoft Exchange attack - A New York-based medical malpractice law
firm has agreed to pay $200,000 to the New York Attorney General
over inadequate data security practices that left it exposed to the
now-infamous Microsoft Exchange attacks in 2021.
https://www.scmagazine.com/analysis/breach/law-firm-pays-200000-over-poor-data-security-that-led-to-microsoft-exchange-attack
WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated on-line. Specifically, the OSC provides that, because the
term "electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal receipt
when a consumer initiates a transfer by a means analogous in
function to a telephone, such as a personal computer or a
facsimile machine.
Additionally, the regulations clarify that a written
authorization for preauthorized transfers from a consumer's account
includes an electronic authorization that is not signed, but
similarly authenticated by the consumer, such as through the use of
a security code. According to the OSC, an example of a consumer's
authorization that is not in the form of a signed writing but is,
instead, "similarly authenticated" is a consumer's authorization via
a home banking system. To satisfy the regulatory requirements, the
institution must have some means to identify the consumer (such as a
security code) and make a paper copy of the authorization available
(automatically or upon request). The text of the electronic
authorization must be displayed on a computer screen or other visual
display that enables the consumer to read the communication from the
institution.
Only the consumer may authorize the transfer and not, for
example, a third-party merchant on behalf of the consumer.
Pursuant to the regulations, the timing of a consumer's report of an
unauthorized transaction, or of the loss or theft of an access
device, determines the consumer's liability. A financial institution
may receive such notice through an electronic medium (for example,
through its home banking system), and that notice counts the same as
notice received through any other channel. Therefore, the
institution should ensure that controls are in place to review these
notifications promptly and to initiate an investigation as required.
FFIEC IT SECURITY - We continue our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Customer Access."
Part II. Risks Associated with Wireless Internet Devices
As wireless Internet devices become more prevalent in the
marketplace, financial institutions are adopting wireless
application technologies as a channel for reaching their customers.
Wireless Internet services are becoming available in major cities
across the United States. Through wireless banking applications, a
financial institution customer could access account information and
perform routine non-cash transactions without having to visit a
branch or ATM.
The wireless Internet devices available today present attractive
methods for offering and using financial services. Customers have
access to financial information from anywhere they can receive
wireless Internet access. Many of the wireless devices have built-in
encryption through industry-standard encryption methods. This
encryption has its limits based on the processing capabilities of
the device and the underlying network architecture.
A popular standard for offering wireless applications is through
the use of the Wireless Application Protocol (WAP). WAP is designed
to bring Internet application capabilities to some of the simplest
user interfaces. Unlike the Web browser that is available on most
personal computer workstations, the browser in a wireless device
(such as a cell phone) has a limited display that in many cases can
provide little, if any, graphical capabilities. The interface is
also limited in the amount of information that can be displayed
easily on the screen. Further, the user is limited by the keying
capabilities of the device and often must resort to many key presses
for simple words.
The limited processing capabilities of these devices restrict the
robustness of the encryption applied to network transmissions.
Effective encryption is, by nature, processing-intensive and often
requires complex calculations. The time required to complete the
encryption calculations on a device with limited processing
capabilities may result in unreasonable delays for the device's
user. Therefore, simpler encryption algorithms and smaller keys may
be used to speed the process of obtaining access, at the cost of
weaker protection for the data in transit.
WAP is an evolving protocol. The most recent specification of WAP
(WAP 2.0 - July 2001) offers the capability of encrypting network
conversations all the way from the WAP server (at the financial
institution) to the WAP client (the financial institution customer).
Unfortunately, WAP 2.0 has not yet been fully adopted by vendors
that provide the building blocks for WAP applications. Previous
versions of WAP provide encryption (WTLS) only between the WAP
client and a WAP gateway owned by the wireless provider. The WAP
gateway decrypts the traffic and must re-encrypt it before it is
sent across the Internet to the financial institution. Sensitive
information is therefore available at the wireless provider in
unencrypted form, a weakness commonly called the "WAP gap." This
limits the financial institution's ability to provide appropriate
security over customer information, since the gateway operator, and
anyone who compromises the gateway, sits inside the trust boundary.
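The two architectures just described, modelled as an added example that is not part of the FDIC guidance or of any WAP implementation: a WAP 1.x gateway that terminates the air-link session, decrypts, and re-encrypts for the Internet leg, beside a WAP 2.0-style gateway that only forwards an end-to-end session. The "cipher" is an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC), a stand-in for WTLS/TLS chosen so the example runs with the Python standard library alone; the keys, the `Gateway` class, the party roles and the sample transfer request are all constructed for this example.

```python
"""Hop-by-hop (WAP 1.x) versus end-to-end (WAP 2.0) encryption at a WAP gateway.

Illustrative model, not real WTLS/TLS: the record format is a toy
encrypt-then-MAC built from HMAC-SHA256. Keys, roles and the sample
request are constructed for this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NONCE_LEN, TAG_LEN = 12, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one session key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, a toy stand-in for one WTLS/TLS record."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, record: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError if the record was altered."""
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record failed authentication")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class Gateway:
    """The wireless provider's WAP gateway (constructed for this example).
    `observed` is whatever someone with access to the gateway could log."""
    air_key: Optional[bytes]        # key shared with the handset (WAP 1.x only)
    internet_key: Optional[bytes]   # key shared with the bank (WAP 1.x only)
    observed: List[bytes] = field(default_factory=list)

    def relay_wap1(self, record: bytes) -> bytes:
        # WAP 1.x: the air-link session terminates here, so the gateway holds
        # the plaintext before re-encrypting it for the Internet leg.
        plaintext = unseal(self.air_key, record)
        self.observed.append(plaintext)
        return seal(self.internet_key, plaintext)

    def relay_wap2(self, record: bytes) -> bytes:
        # WAP 2.0: one handset-to-bank session; the gateway has no key for it
        # and can only forward (and log) ciphertext.
        self.observed.append(record)
        return record


def wap1_transaction(request: bytes) -> Tuple[bytes, List[bytes]]:
    """Handset -> gateway (decrypt, re-encrypt) -> bank.
    Returns (what the bank received, what the gateway observed)."""
    air_key, internet_key = os.urandom(32), os.urandom(32)
    gw = Gateway(air_key, internet_key)
    internet_record = gw.relay_wap1(seal(air_key, request))
    return unseal(internet_key, internet_record), gw.observed


def wap2_transaction(request: bytes) -> Tuple[bytes, List[bytes]]:
    """Handset -> gateway (forward only) -> bank, under one end-to-end key."""
    e2e_key = os.urandom(32)
    gw = Gateway(air_key=None, internet_key=None)
    record = gw.relay_wap2(seal(e2e_key, request))
    return unseal(e2e_key, record), gw.observed


def gateway_saw_plaintext(request: bytes, observed: List[bytes]) -> bool:
    """True if the request appeared, byte for byte, in the gateway's log."""
    return request in observed


# Constructed sample: the kind of routine non-cash transaction the guidance mentions.
SAMPLE_REQUEST = b"TRANSFER from=1234567890 to=0987654321 amount=250.00 pin=4821"

if __name__ == "__main__":
    for name, fn in (("WAP 1.x gateway", wap1_transaction), ("WAP 2.0 end-to-end", wap2_transaction)):
        at_bank, seen = fn(SAMPLE_REQUEST)
        print(f"{name}: bank got request = {at_bank == SAMPLE_REQUEST}, "
              f"gateway saw plaintext = {gateway_saw_plaintext(SAMPLE_REQUEST, seen)}")
```

Both paths deliver the request intact to the bank, so from the customer's and the bank's point of view the transaction "works" either way; the difference is only visible in what the gateway logged. That is the practical reading of the guidance: encryption that terminates at a third party's gateway is confidentiality against the network, not against the gateway operator, and an institution that relies on it has made the provider's gateway part of its own trusted computing base.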
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
3.2 Computer Security Management
The Computer Security Program Manager (and support staff) directs
the organization's day-to-day management of its computer security
program. This individual is also responsible for coordinating all
security-related interactions among organizational elements involved
in the computer security program -- as well as those external to the
organization.
3.3 Program and Functional Managers/Application Owners
Program or Functional Managers/Application Owners are responsible
for a program or function (e.g., procurement or payroll) including
the supporting computer system. Their responsibilities include
providing for appropriate security, including management,
operational, and technical controls. These officials are usually
assisted by a technical staff that oversees the actual workings of
the system. This kind of support is no different from that provided
by other staff members who work on other program implementation
issues.
Also, the program or functional manager/application owner is often
aided by a Security Officer (frequently dedicated to that system,
particularly if it is large or critical to the organization) in
developing and implementing security requirements.
What is a Program/Functional Manager?
The term program/functional manager or application owner may not
be familiar or immediately apparent to all readers. The examples
provided below should help the reader better understand this
important concept. In reviewing these examples, note that computer
systems often serve more than one group or function.
Example 1. A personnel system serves an entire organization.
However, the Personnel Manager would normally be the application
owner. This applies even if the application is distributed so that
supervisors and clerks throughout the organization use and update
the system.
Example 2. A federal benefits system provides monthly benefit
checks to 500,000 citizens. The processing is done on a mainframe
data center. The Benefits Program Manager is the application owner.
Example 3. A mainframe data processing organization supports
several large applications. The mainframe director is not the
Functional Manager for any of the applications.
Example 4. A 100-person division has a diverse collection of
personal computers, work stations, and minicomputers used for
general office support, Internet connectivity, and computer-oriented
research. The division director would normally be the Functional
Manager responsible for the system.