MISCELLANEOUS CYBERSECURITY NEWS:
FBI: Ransomware hit 649 critical infrastructure orgs in 2021 - The
Federal Bureau of Investigation (FBI) says ransomware gangs have
breached the networks of at least 649 organizations from multiple US
critical infrastructure sectors last year, according to the Internet
Crime Complaint Center (IC3) 2021 Internet Crime Report.
https://www.bleepingcomputer.com/news/security/fbi-ransomware-hit-649-critical-infrastructure-orgs-in-2021/
‘Open banking’ opens the door to application security concerns -
Open banking is proving to be more than just a flash-in-the-pan for
financial institutions hoping to be more tech-savvy and widen their
appeal to digital customers.
https://www.scmagazine.com/analysis/application-security/open-banking-opens-the-door-to-application-security-concerns
Health-ISAC calls for ‘intelligence-led’ security, as actors
continue to target healthcare - Healthcare security leaders must
adopt better communication tactics for obtaining financial
investments and building cyber resilience through an
“intelligence-led information security program,” using threat intel
to impart risks to the board, such as the new cyber threat report
from Health-ISAC.
https://www.scmagazine.com/analysis/ransomware/h-isac-calls-for-intelligence-led-security-as-actors-continue-to-target-healthcare
Sens. Hassan, Cornyn Want Planning for Fed ‘Legacy’ IT Replacement -
Sens. Maggie Hassan, D-N.H. and John Cornyn, R-Texas, introduced a
bill on March 23 that aims to reduce the Federal government’s
reliance on outdated and obsolete information technologies (IT) by
requiring agency officials to inventory their “legacy” IT systems
and come up with plans to modernize systems.
https://www.meritalk.com/articles/sens-hassan-cornyn-want-planning-for-fed-legacy-it-replacement/
FBI asks Congress for more money, people and authorities to match
cyber threats - A top FBI cyber official asked Congress for a raft
of new money and enhanced statutory powers to pursue criminal and
nation-state hackers who target American businesses and data.
https://www.scmagazine.com/analysis/cybercrime/fbi-asks-congress-for-more-money-people-and-authorities-to-match-cyber-threats
FDA, OIG HHS budget requests focus on improving medical device
security, infrastructure - The budget proposal announced by the
Biden administration on Monday would support the Department of
Health and Human Services, including the Food and Drug
Administration, with a number of cybersecurity and modernization
initiatives.
https://www.scmagazine.com/analysis/critical-infrastructure/fda-oig-hhs-budget-requests-focus-on-improving-medical-device-security-infrastructure
Senators want federal cyber pros to detail how they’re going to
modernize their agencies - The Senate Homeland Security and
Governmental Affairs committee moved legislation Wednesday that
would kickstart IT and cybersecurity modernization efforts at many
federal agencies.
https://www.scmagazine.com/analysis/asset-management/senators-want-federal-cyber-pros-to-detail-how-theyre-going-to-modernize-their-agencies
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
The Third-Party Okta Hack Leaves Customers Scrambling - The digital
extortion group Lapsus$ threw the security world into disarray on
Monday with claims that it had gained access to a “super user”
administrative account for the identity management platform Okta.
https://www.wired.com/story/okta-hack-customers-lapsus-breach/
A Mysterious Satellite Hack Has Victims Far Beyond Ukraine - More
than 22,000 miles above Earth, the KA-SAT is locked in orbit.
Traveling at 7,000 miles per hour, in sync with the planet’s
rotation, the satellite beams high-speed internet down to people
across Europe. Since 2011, it has helped homeowners, businesses, and
militaries get online.
https://www.wired.com/story/viasat-internet-hack-ukraine-russia/
Dentist’s response to negative review among four HIPAA enforcement
actions by OCR - The Department of Health and Human Services Office
for Civil Rights announced its first enforcement actions of 2022
with four separate provider officers over potential violations of
The Health Insurance Portability and Accountability Act (HIPAA)
Privacy Rule, including right of access.
https://www.scmagazine.com/analysis/breach/dental-practices-response-to-negative-review-among-four-hipaa-enforcement-actions-by-ocr
Morgan Stanley Wealth Management accounts breached in ‘vishing’
attacks - Earlier this week, Morgan Stanley Wealth Management said
cybercriminals broke into accounts using social engineering attacks,
according to reports.
https://www.scmagazine.com/analysis/social-engineering/morgan-stanley-wealth-management-accounts-breached-in-vishing-attacks
Oklahoma City Indian Clinic reports network disruptions impacting
pharmacy - “Technical issues” at the Oklahoma City Indian Clinic
have caused network disruptions that have left clinicians and
providers unable to access certain computer systems, including the
pharmacy department. The incident began one week ago, and the clinic
is still experiencing disruptions.
https://www.scmagazine.com/analysis/incident-response/oklahoma-city-indian-clinic-reports-network-disruptions-impacting-pharmacy
Triton Malware Still Targeting Energy Firms - The global energy
sector needs to stay alert for Triton malware, the Federal Bureau of
Investigation said in a recent warning.
https://www.darkreading.com/attacks-breaches/triton-malware-still-targeting-energy-firms
'Massive cyberattack' against Ukrainian ISP has been neutralized,
Ukraine says - The attack on core IT infrastructure led to the most
severe internet disruption registered in Ukraine since the invasion
by Russia, according to NetBlocks.
https://www.zdnet.com/article/massive-cyberattack-against-ukrainian-isp-has-been-neutralized-ukraine-says/
Man linked to multi-million dollar ransomware attacks gets 66 months
in prison for online fraud - "Ransomware thieves are not safe in any
dark corner of the internet," says US Secret Service.
https://www.zdnet.com/article/man-linked-to-multi-million-dollar-ransomware-attacks-gets-66-months-in-prison-for-online-fraud/
Ubiquiti seeks $425 million in damages against industry blogger
Brian Krebs - Ubiquiti on Tuesday filed a lawsuit against industry
blogger Brian Krebs for $425 million in damages for allegedly
falsely accusing the company of “covering up” a cyberattack.
https://www.scmagazine.com/news/breach/ubiquiti-seeks-425-million-in-damaged-against-industry-blogger-brian-krebs
Horizon Actuarial Services data theft impacts MLB Players Benefit
Plan members - Threat actors exploited the networks of Horizon
Actuarial Services in November, stealing the data belonging to the
consulting services vendors and two client groups: Major League
Baseball Players Benefit Plan and Local 295 IBT Employer Group
Welfare Fund.
https://www.scmagazine.com/analysis/breach/horizon-actuarial-services-data-theft-impacts-mlb-players-benefit-plan-members
WEB SITE COMPLIANCE -
We continue the series on FDIC Supervisory Insights regarding
Incident Response Programs. (3 of 12)
Elements of an Incident Response Program
Although the specific content of an IRP will differ among
financial institutions, each IRP should revolve around the minimum
procedural requirements prescribed by the Federal bank regulatory
agencies. Beyond this fundamental content, however, strong financial
institution management teams also incorporate industry best
practices to further refine and enhance their IRP. In general, the
overall comprehensiveness of an IRP should be commensurate with an
institution's administrative, technical, and organizational
complexity.
Minimum Requirements
The minimum required procedures addressed in the April 2005
interpretive guidance can be categorized into two broad areas:
"reaction" and "notification." In general, reaction procedures are
the initial actions taken once a compromise has been identified.
Notification procedures are relatively straightforward and involve
communicating the details or events of the incident to interested
parties; however, they may also involve some reporting
requirements. The minimum required procedures of an IRP, as discussed
in the April 2005 interpretive guidance, are listed below.
Develop reaction procedures for:
1) assessing security incidents that have occurred;
2) identifying the customer information and information systems
that have been accessed or misused; and
3) containing and controlling the security incident.
Establish notification procedures for:
1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious
Activity Reports [SARs], if necessary); and
3) affected customers.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION - REMOTE ACCESS
Many financial institutions use modems, remote-access servers
(RAS), and VPNs to provide remote access into their systems or to
allow remote access out of their systems. Remote access can support
mobile users through wireless, Internet, or dial-in capabilities. In
some cases, modem access is required periodically by vendors to make
emergency program fixes or to support a system.
Remote access to a financial institution's systems provides an
attacker with the opportunity to remotely attack the systems either
individually or in groups. Accordingly, management should establish
policies restricting remote access and be aware of all remote access
devices attached to their systems. These devices should be strictly
controlled. Good controls for remote access include the following
actions:
! Disallow remote access by policy and practice unless a
compelling business justification exists.
! Disable remote access at the operating system level if a
business need for such access does not exist.
! Require management approval for remote access.
! Require an operator to leave the modems unplugged or disabled by
default, to enable modems only for specific, authorized external
requests, and disable the modem immediately when the requested
purpose is completed.
! Configure modems not to answer inbound calls, if modems are for
outbound use only.
! Use automated callback features so the modems only call one
number (although this is subject to call forwarding schemes).
! Install a modem bank where the outside number to the modems uses
a different prefix than internal numbers and does not respond to
incoming calls.
! Log and monitor the date, time, user, user location, duration,
and purpose for all remote access.
! Require a two-factor authentication process for all remote
access (e.g., PIN-based token card with a one-time random password
generator).
! Implement controls consistent with the sensitivity of remote use
(e.g., remote system administration requires strict controls and
oversight including encrypting the authentication and log-in
process).
! Appropriately patch and maintain all remote access software.
! Use trusted, secure access devices.
! Use remote-access servers (RAS) to centralize modem and Internet
access, to provide a consistent authentication process, and to
subject the inbound and outbound network traffic to firewalls.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.2 Audit Trails and Logs
Audit Logs for Physical Access
Physical access control systems (e.g., a card/key entry
system or an alarm system) use software and audit trails similar to
general-purpose computers. The following are examples of
criteria that may be used in selecting which events to log:
The date and time the access was attempted or made should be logged,
as should the gate or door through which the access was attempted or
made, and the individual (or user ID) making the attempt to access
the gate or door.
Invalid attempts should be monitored and logged by noncomputer audit
trails just as they are for computer-system audit trails. Management
should be made aware if someone attempts to gain access during
unauthorized hours.
Logged information should also include attempts to add, modify, or
delete physical access privileges (e.g., granting a new employee
access to the building or granting transferred employees access to
their new office [and, of course, deleting their old access, as
applicable]).
As with system and application audit trails, auditing of noncomputer
functions can be implemented to send messages to security personnel
indicating valid or invalid attempts to gain access to controlled
spaces. So as not to desensitize a guard or monitor, not every access
should result in a message being sent to a screen. Only exceptions,
such as failed access attempts, should be highlighted to those
monitoring access.
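As an added example (not from the NIST Handbook or this newsletter), the following Python filter applies the criteria above to a constructed physical-access audit trail: every event stays in the log, but only exceptions (denied attempts, granted access outside an assumed 07:00 to 19:00 authorized window, and additions, modifications or deletions of access privileges) are surfaced to the person monitoring. The log line format, door and user identifiers, and the authorized hours are all assumptions.

```python
"""Exception-only alerting over a physical access audit trail.

The records below are constructed samples, not output of any real
access control system. Each line carries the fields the NIST Handbook
says to log: date/time, the door, the user ID, and the outcome, plus
separate records for changes to access privileges.
"""
from datetime import datetime, time

# Constructed sample audit trail (ACCESS = door event, PRIV = privilege change)
SAMPLE_EVENTS = [
    "2022-03-28T08:02:11 ACCESS door=lobby-east user=U1001 result=GRANTED",
    "2022-03-28T08:05:40 ACCESS door=server-room user=U1002 result=DENIED",
    "2022-03-28T12:30:05 ACCESS door=lobby-east user=U1003 result=GRANTED",
    "2022-03-28T23:15:59 ACCESS door=server-room user=U1001 result=GRANTED",
    "2022-03-28T09:10:00 PRIV op=grant door=server-room user=U1004 by=U0001",
    "2022-03-28T09:12:30 PRIV op=delete door=old-office user=U1003 by=U0001",
]

# Assumed authorized hours; anything outside this window is an exception
AUTHORIZED_START = time(7, 0)
AUTHORIZED_END = time(19, 0)


def parse_event(line):
    """Split one audit line into a dict of timestamp, kind and key=value fields."""
    ts_text, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_text), "kind": kind}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def exceptions(lines):
    """Return only the (reason, record) pairs worth showing on the monitor.

    Routine granted access during authorized hours is logged but not
    surfaced, so the guard's screen carries exceptions only.
    """
    alerts = []
    for line in lines:
        rec = parse_event(line)
        if rec["kind"] == "PRIV":
            alerts.append(("privilege_change", rec))
        elif rec.get("result") != "GRANTED":
            alerts.append(("failed_attempt", rec))
        elif not AUTHORIZED_START <= rec["ts"].time() <= AUTHORIZED_END:
            alerts.append(("after_hours", rec))
    return alerts
```

Running `exceptions(SAMPLE_EVENTS)` yields four alerts out of six records; the two routine daytime entries are retained in the trail but never reach the screen.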