MISCELLANEOUS CYBERSECURITY NEWS:
Court denies SolarWinds bid to throw out breach lawsuit - A Texas
judge has dismissed claims that former SolarWinds CEO Kevin Thompson
was personally liable for deceiving investors about the company’s
cybersecurity, but otherwise will allow a class-action lawsuit filed
against the company, its executives and investors in the wake of the
2020 Orion breach to proceed.
https://www.scmagazine.com/analysis/breach/solarwinds-lawsuits-can-proceed-texas-judge-rules
FBI warns of ransomware straining local governments, services - In a
private industry notification (PIN) dated Wednesday but released to
the public Thursday, the FBI warned local governments and government
services that ransomware would likely "strain" their capabilities if
not prevented.
https://www.scmagazine.com/news/ransomware/fbi-warns-of-ransomware-straining-local-governments-services
Council updates data security standards for payments industry -
Stakeholders in the payments industry on Thursday released updates
for data security standards to address emerging threats and
technologies.
https://www.scmagazine.com/news/compliance/council-updates-data-security-standards-for-payments-industry
State Department kicks off new cyber bureau - For the first time in
years, the State Department has a dedicated bureau focused on
cyberspace.
https://www.scmagazine.com/analysis/emerging-technology/state-department-kicks-off-new-cyber-bureau
New security requirements introduced for medical device
manufacturers - Sens. Tammy Baldwin, D-Wisconsin, and Bill Cassidy,
MD, R-Louisiana, introduced legislation on Apr. 1 that would tackle
medical device security and infrastructure by adding manufacturer
requirements, as well as ensuring healthcare users are provided with
software bills of materials.
https://www.scmagazine.com/analysis/device-security/new-security-requirements-introduced-for-medical-medical-device-manufacturers
Qualys leverages cloud platform to help security teams reduce alert
fatigue - Qualys on Monday announced Multi-Vector EDR 2.0, a new
capability that combines threat hunting and risk mitigation to
reduce alert fatigue and threat response times for security teams.
https://www.scmagazine.com/news/cloud-security/qualys-leverages-cloud-platform-to-help-security-teams-reduce-alert-fatigue
Crisis communications: What organizations should do before a breach
- Understanding the technical environment and relationships with
stakeholders are the two most important things organizations should
have in place during a breach incident, said the CEO of a
communications firm specializing in security, privacy and risk
organizations.
https://www.scmagazine.com/podcast/breach/crisis-communications-what-organizations-should-do-before-a-breach
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Viasat: Feb. cyber attack impacted tens of thousands of customers in
Ukraine, Europe - Satellite communications giant Viasat on Wednesday
shared new information from its investigation into the February
cyberattack that took down service for broadband customers in
Ukraine and across Europe.
https://www.zdnet.com/article/viasat-feb-cyber-attack-impacted-tens-of-thousands-of-customers-in-ukraine-europe/
Globant confirms hack after Lapsus$ leaks 70GB of stolen data - IT and
software consultancy firm Globant has confirmed that it was breached
by the Lapsus$ data extortion group, which leaked data consisting of
administrator credentials and source code.
https://www.bleepingcomputer.com/news/security/globant-confirms-hack-after-lapsus-leaks-70gb-of-stolen-data/
California health plan facing network disruptions after alleged Hive
ransomware attack - Partnership HealthPlan of California (PHC) is
currently experiencing computer system disruptions and working to
recover its network with support from third-party forensic
specialists.
https://www.scmagazine.com/analysis/breach/california-health-plan-facing-network-disruptions-after-alleged-hive-ransomware-attack
UK charges two teenagers linked to the Lapsus$ hacking group - Two
teenagers from the UK charged with helping the Lapsus$ extortion
gang have been released on bail after appearing in Highbury Corner
Magistrates' Court on Friday morning.
https://www.bleepingcomputer.com/news/security/uk-charges-two-teenagers-linked-to-the-lapsus-hacking-group/
WEB SITE COMPLIANCE -
We continue the series on FDIC Supervisory Insights regarding
Incident Response Programs. (4 of 12)
Reaction Procedures
Assessing security incidents and identifying the unauthorized
access to or misuse of customer information essentially involve
organizing and developing a documented risk assessment process for
determining the nature and scope of the security event. The goal is
to efficiently determine the scope and magnitude of the security
incident and identify whether customer information has been
compromised.
Containing and controlling the security incident involves
preventing any further access to or misuse of customer information
or customer information systems. As there are a variety of potential
threats to customer information, organizations should anticipate the
ones that are more likely to occur and develop response and
containment procedures commensurate with the likelihood of and the
potential damage from such threats. An institution's information
security risk assessment can be useful in identifying some of these
potential threats. The containment procedures developed should focus
on responding to and minimizing potential damage from the threats
identified. Not every incident can be anticipated, but institutions
should at least develop containment procedures for reasonably
foreseeable incidents.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION - PHYSICAL SECURITY
The confidentiality, integrity, and availability of information
can be impaired through physical access and damage or destruction to
physical components. Conceptually, those physical security risks are
mitigated through zone-oriented implementations. Zones are physical
areas with differing physical security requirements. The security
requirements of each zone are a function of the sensitivity of the
data contained or accessible through the zone and the information
technology components in the zone. For instance, data centers may be
in the highest security zone, and branches may be in a much lower
security zone. Different security zones can exist within the same
structure. Routers and servers in a branch, for instance, may be
protected to a greater degree than customer service terminals.
Computers and telecommunications equipment within an operations
center will sit in a higher security zone than I/O operations, with
the media used in that equipment stored in a higher zone still.
The requirements for each zone should be determined through the
risk assessment. The risk assessment should include, but is not
limited to, the following threats:
! Aircraft crashes
! Chemical effects
! Dust
! Electrical supply interference
! Electromagnetic radiation
! Explosives
! Fire
! Smoke
! Theft/Destruction
! Vibration/Earthquake
! Water
! Wireless emissions
! Any other threats applicable based on the entity's unique
geographical location, building configuration, neighboring entities,
etc.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.3 Implementation Issues
Audit trail data requires protection, since the data should be
available for use when needed and is not useful if it is not
accurate. Also, the best planned and implemented audit trail is of
limited value without timely review of the logged data. Audit trails
may be reviewed periodically, as needed (often triggered by
occurrence of a security event), automatically in real time, or in
some combination of these. System managers and administrators, with
guidance from computer security personnel, should determine how long
audit trail data will be maintained -- either on the system or in
archive files.
Following are examples of implementation issues that may have to be
addressed when using audit trails.
18.3.1 Protecting Audit Trail Data
Access to on-line audit logs should be strictly controlled.
Computer security managers and system administrators or managers
should have access for review purposes; however, security and/or
administration personnel who maintain logical access functions may
have no need for access to audit logs.
It is particularly important to ensure the integrity of
audit trail data against modification. One way to do this is to use
digital signatures. Another way is to use write-once devices. The
audit trail files need to be protected since, for example,
intruders may try to "cover their tracks" by modifying audit trail
records. Audit trail records should be protected by strong access
controls to help prevent unauthorized access. The integrity of audit
trail information may be particularly important when legal issues
arise, such as when audit trails are used as legal evidence. (This
may, for example, require daily printing and signing of the logs.)
Questions of such legal issues should be directed to the cognizant
legal counsel.
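The handbook names digital signatures and write-once devices as ways to make audit trail records tamper-evident. The following Python block is an added example, not part of the NIST material this newsletter reproduces; it substitutes an HMAC-keyed hash chain (standard library only) for the public-key signatures the handbook mentions, which is a deliberate simplification. The key, the log events and the "cover their tracks" scenario are all constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed example key. A real deployment keeps the verification key
# somewhere the logged host cannot write to (separate log server, HSM).
LOG_KEY = b"example-audit-log-key-not-for-production"
GENESIS_TAG = "0" * 64  # tag assumed for the (non-existent) record before the first


def _canonical(event):
    """Serialize an event deterministically so the MAC is reproducible."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_record(chain, event, key=LOG_KEY):
    """Append an event; each record's tag covers the previous record's tag,
    so altering or deleting one record invalidates every record after it."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    msg = (prev_tag + "|" + _canonical(event)).encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    chain.append({"event": event, "prev": prev_tag, "tag": tag})
    return chain


def verify_chain(chain, key=LOG_KEY):
    """Recompute every tag. Returns (True, None) for an intact chain, or
    (False, index) with the index of the first record that fails."""
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(chain):
        msg = (prev_tag + "|" + _canonical(rec["event"])).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if rec["prev"] != prev_tag or not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev_tag = rec["tag"]
    return True, None


def build_sample_chain():
    """Constructed sample events; not taken from any real system."""
    events = [
        {"ts": "2022-04-01T09:00:00Z", "user": "alice", "action": "login", "result": "success"},
        {"ts": "2022-04-01T09:05:12Z", "user": "alice", "action": "read", "object": "acct/1042"},
        {"ts": "2022-04-01T09:07:45Z", "user": "mallory", "action": "login", "result": "failure"},
        {"ts": "2022-04-01T09:08:01Z", "user": "mallory", "action": "login", "result": "success"},
    ]
    chain = []
    for e in events:
        append_record(chain, e)
    return chain


def demo_tamper():
    """Show that both in-place modification and deletion are detected."""
    chain = build_sample_chain()
    ok_before, _ = verify_chain(chain)

    # Scenario 1: an intruder rewrites the failed-login record to look benign.
    chain[2]["event"]["result"] = "success"
    ok_modified, bad_modified = verify_chain(chain)

    # Scenario 2: an intruder deletes the failed-login record outright.
    chain2 = build_sample_chain()
    del chain2[2]
    ok_deleted, bad_deleted = verify_chain(chain2)

    return ok_before, ok_modified, bad_modified, ok_deleted, bad_deleted


if __name__ == "__main__":
    print(demo_tamper())  # (True, False, 2, False, 2)
```

One limitation worth knowing: a chain on its own does not reveal that the newest records were removed, because a truncated chain still verifies up to its new end. That is exactly what the handbook's write-once media or periodically signed printouts supply: an external anchor for the latest tag, so the verifier can check both that the chain is intact and that it ends where it should.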
The confidentiality of audit trail information may also be
protected, for example, if the audit trail is recording information
about users that may be disclosure-sensitive such as transaction
data containing personal information (e.g., "before" and "after"
records of modification to income tax data). Strong access controls
and encryption can be particularly effective in preserving
confidentiality.