MISCELLANEOUS CYBERSECURITY NEWS:
NIST Unveils New Consortium to Operate its National Vulnerability
Database - It’s now official: the US National Institute of Standards
and Technology (NIST) will hand over some aspects of the management
of the world’s most widely used software vulnerability repository to
an industry consortium.
https://www.infosecurity-magazine.com/news/nist-unveils-new-nvd-consortium/
How CISO salaries are faring as businesses ask more of security - As
CISOs become more welcomed as full members of the C-suite, they are
enjoying the compensation and perks that come with the status.
https://www.cybersecuritydive.com/news/ciso-salary-payment/711643/
US House forbids staff members from using AI chatbot Microsoft
Copilot - Microsoft's planned release April 1 of Copilot for
Security hit some speed bumps when the House of Representatives on
March 29 banned the use of the software maker’s alternative chatbot
to OpenAI’s ChatGPT by House staffers.
https://www.scmagazine.com/news/us-house-forbids-staff-members-from-using-ai-chatbot-microsoft-copilot
Standards and Technology (NIST) blamed increases in the volume of
software and “a change in interagency support” for the recent
backlog of vulnerabilities analyzed in the organization’s National
Vulnerability Database (NVD).
https://therecord.media/vulnerability-database-backlog-nist-support
How to bridge the gap between the IT and legal staffs to better
combat insider risk - IT security leaders and legal professionals
might not always have much in common in terms of their daily
responsibilities, yet they are increasingly united in one essential
aspect: defending their organization’s sensitive data and IP against
a spectrum of threats, both from external parties and increasingly,
from trusted insiders.
https://www.scmagazine.com/perspective/how-to-bridge-the-gap-between-the-it-and-legal-around-insider-risk
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
These 17,000 unpatched Microsoft Exchange servers are a ticking time
bomb - The German Federal Office for Information Security (BSI) has
issued an urgent alert about the poor state of Microsoft Exchange
Server patching in the country.
https://www.theregister.com/2024/03/28/germany_microsoft_exchange_patch/
The Day Africa Lost Internet: Undersea Cable Disruptions and the
State of Global Connectivity - Africa experienced a widespread
internet outage on March 14, 2024, due to under-ocean fiber optic
cable failures, affecting millions across countries including South
Africa, Nigeria, and Ivory Coast.
https://www.techopedia.com/news/when-africa-lost-internet-experts-talk-an-undersea-cable-snafu
What is ‘AI washing?’ Companies pay $400K to SEC for inflated claims
- The United States Securities and Exchange Commission (SEC) charged
two companies for falsely exaggerating the use of artificial
intelligence in their products, marking one of the first-ever
enforcement actions against “AI washing.”
https://www.scmagazine.com/news/what-is-ai-washing-companies-pay-400k-to-sec-for-inflated-claims
AT&T confirms theft of 73M records, 7.6M current customers affected
- AT&T confirmed the leak of 73 million records for the first time
on Saturday, while resetting the stolen passcodes of 7.6 million
current affected customers.
https://www.scmagazine.com/news/att-confirms-theft-of-73m-records-7-6m-current-customers-affected
CISA asserts no data stolen during Ivanti-linked attack on the
agency - A cyberattack targeting the Cybersecurity and
Infrastructure Security Agency in late January impacted a pair of
the agency’s systems, a CISA spokesperson said Monday.
https://www.cybersecuritydive.com/news/cisa-ivanti-linked-attack/712006/
Missouri county latest local government ransomware victim, 18th of
2024 - An April 2 ransomware attack confirmed by Jackson County
officials in Missouri demonstrates how state and local governments
are still ripe targets for cybercriminals.
https://www.scmagazine.com/news/missouri-county-government-confirms-ransomware-attack
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle 9: Banks should ensure
that clear audit trails exist for all e-banking transactions.
Delivery of financial services over the Internet can make it
more difficult for banks to apply and enforce internal controls and
maintain clear audit trails if these measures are not adapted to an
e-banking environment. Banks are not only challenged to ensure that
effective internal control can be provided in highly automated
environments, but also that the controls can be independently
audited, particularly for all critical e-banking events and
applications.
A bank's internal control environment may be weakened if it is
unable to maintain clear audit trails for its e-banking activities.
This is because much, if not all, of its records and evidence
supporting e-banking transactions are in an electronic format. In
making a determination as to where clear audit trails should be
maintained, the following types of e-banking transactions should be
considered:
1) The opening, modification or closing of a customer's
account.
2) Any transaction with financial consequences.
3) Any authorization granted to a customer to exceed a limit.
4) Any granting, modification or revocation of systems access
rights or privileges.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Token Systems (2 of 2)
Weaknesses in token systems relate to theft of the token, ease in
guessing any password generating algorithm within the token, ease of
successfully forging any authentication credential that unlocks the
token, and reverse engineering, or cloning, of the token. Each of
these weaknesses can be addressed through additional control
mechanisms. Token theft generally is protected against by policies
that require prompt reporting and cancellation of the token's
ability to allow access to the system. Additionally, the impact of
token theft is reduced when the token is used in multi-factor
authentication; for instance, the password from the token is paired
with a password known only by the user and the system. This pairing
reduces the risk posed by token loss, while increasing the strength
of the authentication mechanism. Forged credentials are protected
against by the same methods that protect credentials in non-token
systems. Protection against reverse engineering requires physical
and logical security in token design. For instance, token designers
can increase the difficulty of opening a token without causing
irreparable damage, or obtaining information from the token either
by passive scanning or active input/output.
Token systems can also incorporate public key infrastructure, and
biometrics.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.5 Interdependencies
Like many management controls, life cycle planning relies upon
other controls. Three closely linked control areas are policy,
assurance, and risk management.
Policy. The development of system-specific policy is an
integral part of determining the security requirements.
Assurance. Good life cycle management provides assurance
that security is appropriately considered in system design and
operation.
Risk Management. The maintenance of security throughout the
operational phase of a system is a process of risk management:
analyzing risk, reducing risk, and monitoring safeguards. Risk
assessment is a critical element in designing the security of
systems and in reaccreditations.
8.6 Cost Considerations
Security is a factor throughout the life cycle of a system.
Sometimes security choices are made by default, without anyone
analyzing why choices are made; sometimes security choices are made
carefully, based on analysis. The first case is likely to result in
a system with poor security that is susceptible to many types of
loss. In the second case, the cost of life cycle management should
be much smaller than the losses avoided. The major cost
considerations for life cycle management are personnel costs and
some delays as the system progresses through the life cycle for
completing analyses and reviews and obtaining management approvals.
It is possible to overmanage a system: to spend more time planning,
designing, and analyzing risk than is necessary. Planning, by
itself, does not further the mission or business of an organization.
Therefore, while security life cycle management can yield
significant benefits, the effort should be commensurate with the
system's size, complexity, and sensitivity and the risks associated
with the system. In general, the higher the value of the system, the
newer the system's architecture, technologies, and practices, and
the worse the impact if the system security fails, the more effort
should be spent on life cycle management.