MISCELLANEOUS CYBERSECURITY NEWS:
FDA to Refuse Medical Device Submissions For Cybersecurity Reasons
Beginning in October - Medical device manufacturers will now be
required to include cybersecurity details in device submissions, and
the FDA will soon be able to deny submissions over inadequate
security controls.
https://healthitsecurity.com/news/fda-to-refuse-medical-device-submissions-for-cybersecurity-reasons-beginning-in-october
CareFirst decision cites ‘actual harm’ requirement in data breach
lawsuits - Three ongoing data breach lawsuits against insurance
giant CareFirst will not be consolidated into a class action filing.
https://www.scmagazine.com/news/incident-response/carefirst-actual-harm-requirement-data-breach-lawsuits
North Dakota to require cybersecurity education in public schools -
North Dakota became the first state in the U.S. to require public
schools to teach cybersecurity and computer science. Republican Gov.
Doug Burgum signed the new law on March 24.
https://www.scmagazine.com/news/careers/north-dakota-require-cybersecurity-education-public-schools
JavaScript malware infects eFile.com tax-return service since
mid-March - Just a couple of weeks before the April 18 tax deadline,
news broke that the eFile.com service, an IRS-authorized e-file
provider, was observed serving JavaScript malware to its visitors.
https://www.scmagazine.com/news/cybercrime/javascript-malware-infects-efile-tax-return-service
Genesis Market seized in ‘Operation Cookie Monster,’ DoJ confirms -
A coordinated effort has brought down the largest criminal
marketplace for stolen credentials, Genesis Market, the Department
of Justice confirmed.
https://www.scmagazine.com/news/identity-and-access/genesis-market-seized-operation-cookie-monster-doj
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Trojanized Windows and Mac apps rain down on 3CX users in massive
supply chain attack - Hackers working on behalf of the North Korean
government have pulled off a massive supply chain attack on Windows
and macOS users of 3CX, a widely used voice and video calling
desktop client, researchers from multiple security firms said.
https://arstechnica.com/information-technology/2023/03/massive-supply-chain-attack-with-ties-to-north-korea-hits-users-of-3cx-voice-app/
Healthcare vendor reports breach from 2021, at least 9 providers
impacted - At least eight new breach notices were issued this week
tied to a phishing attack deployed against Adelanto HealthCare
Ventures in November 2021. Houston-based St. Luke’s Health first
reported the same incident in October 2022.
https://www.scmagazine.com/news/breach/healthcare-vendor-reports-breach-from-2021-at-least-9-providers-impacted
High-cost lender TMX Finance data breach affects nearly 5 million
customers - High-cost lender TMX Finance and its affiliates TitleMax,
TitleBucks, and InstaLoan have collectively disclosed a data breach
affecting nearly five million customers, according to a data breach
notification publicized by the Maine State Attorney General.
https://www.scmagazine.com/news/breach/high-cost-lender-tmx-finance-data-breach-affects-nearly-5-million-customers
Western Digital discloses network breach, My Cloud service down -
Western Digital announced today that its network has been breached
and an unauthorized party gained access to multiple company systems.
https://www.bleepingcomputer.com/news/security/western-digital-discloses-network-breach-my-cloud-service-down/
Glitch in system upgrade identified as cause of delays at Singapore
immigration - Technical glitch during a scheduled upgrade affected
all automated immigration clearance systems and led to rare delays
at Singapore's Changi Airport, which recently was again named the
world's best airport.
https://www.zdnet.com/article/glitch-in-system-upgrade-identified-as-cause-of-delays-at-singapore-immigration/
4.8 Million Impacted by Data Breach at TMX Finance - Operating
roughly 1,100 stores in 15 states, TMX offers loans under three
brands, namely TitleMax (title lending services), TitleBucks (car
title loans), and InstaLoan (fast-approval personal loan services).
https://www.securityweek.com/4-8-million-impacted-by-data-breach-at-tmx-finance/
Lumen Technologies Hit by Two Cyberattacks - Communications and IT
solutions provider Lumen Technologies this week revealed that it
fell victim to two cyberattacks, including a ransomware attack that
crippled some of its systems.
https://www.securityweek.com/lumen-technologies-hit-by-two-cyberattacks/
Uber data targeted in breach of third-party law firm - Uber data has
become the target of yet another breach, this time via a New
Jersey-based law firm the ride-sharing service has used for legal
representation.
https://www.scmagazine.com/news/data-security/uber-data-targeted-breach-third-party-law-firm
Dish customers struggle with service disruptions weeks after
ransomware attack - Dish Network customers continue to grapple with
service disruptions and technical issues a month after the satellite
TV giant was hit by a ransomware attack.
https://www.scmagazine.com/analysis/ransomware/dish-customers-struggle-with-service-disruptions-weeks-after-ransomware-attack
Dole now says February attack spilled employee data - Data tied to a
crippling cyberattack against Dole Food Company, which resulted in a
reported temporary shutdown of its North American production
facilities, included employee personally identifiable information.
In a Wednesday Securities and Exchange Commission (SEC) filing, the
food giant disclosed that the ransomware attack involved
unauthorized access to employee information.
https://www.scmagazine.com/news/ransomware/dole-attack-employee-data
WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation B)
The regulation clarifies the rules concerning the taking of
credit applications by specifying that application information
entered directly into and retained by a computerized system
qualifies as a written application under this section. If an
institution makes credit application forms available through its
on-line system, it must ensure that the forms satisfy the
requirements.
The regulation also clarifies the regulatory requirements that
apply when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
mail.
FFIEC IT SECURITY -
We continue our coverage of the
FDIC's "Guidance on Managing Risks Associated With Wireless Networks
and Wireless Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution
should institute policies and standards requiring that information
and transactions be encrypted throughout the link between the
customer and the institution. Financial institutions should
carefully consider the impact of implementing technologies requiring
that a third party have control over unencrypted customer
information and transactions.
As wireless application technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless application services. They should also consider
informing customers when wireless Internet devices that require the
use of communications protocols deemed insecure will no longer be
supported by the institution.
The financial institution should consider having regular
independent security testing performed on its wireless customer
access application. Specific testing goals would include the
verification of appropriate security settings, the effectiveness of
the wireless application security implementation and conformity to
the institution's stated standards. The security testing should be
performed by an organization that is technically qualified to
perform wireless testing and demonstrates appropriate ethical
behavior.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
3.4 Technology Providers
System Management/System Administrators. These personnel are the
managers and technicians who design and operate computer systems.
They are responsible for implementing technical security on computer
systems and for being familiar with security technology that relates
to their system. They also need to ensure the continuity of their
services to meet the needs of functional managers as well as
analyzing technical vulnerabilities in their systems (and their
security implications). They are often a part of a larger
Information Resources Management (IRM) organization.
Communications / Telecommunications Staff. This office is normally
responsible for providing communications services, including voice,
data, video, and fax service. Their responsibilities for
communication systems are similar to those that systems management
officials have for their systems. The staff may not be separate from
other technology service providers or the IRM office.
System Security Manager/Officers. Often assisting system
management officials in this effort is a system security
manager/officer responsible for day-to-day security implementation /
administration duties. Although not normally part of the computer
security program management office, this officer is responsible for
coordinating the security efforts of a particular system(s). This
person works closely with system management personnel, the computer
security program manager, and the program or functional manager's
security officer. In fact, depending upon the organization, this may
be the same individual as the program or functional manager's
security officer. This person may or may not be a part of the
organization's overall security office.
Help Desk. Whether or not a Help Desk is tasked with incident
handling, it needs to be able to recognize security incidents and
refer the caller to the appropriate person or organization for a
response.
Who Should Be the Accrediting Official? (Note that
accreditation is a formality unique to the government.)
The Accrediting Officials are agency officials who have authority
to accept an application's security safeguards and approve a system
for operation. The Accrediting Officials must also be authorized to
allocate resources to achieve acceptable security and to remedy
security deficiencies. Without this authority, they cannot
realistically take responsibility for the accreditation decision. In
general, Accreditors are senior officials, who may be the Program or
Function Manager/Application Owner. For some very sensitive
applications, the Senior Executive Officer is appropriate as an
Accrediting Official. In general, the more sensitive the
application, the higher the Accrediting Officials are in the
organization.
Where privacy is a concern, federal managers can be held
personally liable for security inadequacies. The issuing of the
accreditation statement fixes security responsibility, thus making
explicit a responsibility that might otherwise be implicit.
Accreditors should consult the agency general counsel to determine
their personal security liabilities.