MISCELLANEOUS CYBERSECURITY NEWS:
CISA resource looks to help high-risk groups
thwart cyberattacks - The DHS’s Cybersecurity and Infrastructure
Security Agency released guidance on Tuesday to assist activists,
journalists, human rights workers, academics and others affiliated
with civil society groups that may face cyberthreats.
https://www.nextgov.com/cybersecurity/2024/04/cisa-resource-looks-help-high-risk-groups-thwart-cyberattacks/395409/
Are ransomware attacks declining in 2024? Depends who you ask -
There’s no question ransomware remains a top threat for businesses
and organizations around the world and across many sectors – but
with recent shakeups including the government takedown of LockBit
and apparent exit of ALPHV/BlackCat, are ransomware attacks actually
declining in 2024?
https://www.scmagazine.com/news/are-ransomware-attacks-declining-in-2024-depends-who-you-ask
Microsoft’s Security Chickens Have Come Home to Roost - There were
dark patterns everywhere. For years, we collectively groaned and
rolled our eyes as Microsoft shipped faulty and incomplete patches,
gutted its Patch Tuesday bulletins into irrelevance, fought with
hackers reporting security problems, and made baffling trade-offs
around cybersecurity transparency.
https://www.securityweek.com/microsofts-security-chickens-have-come-home-to-roost/
Health sector help desks duped by social engineering scams, HHS
warns - Healthcare and public health organizations have been warned
that hackers are attempting to breach their systems using a
sophisticated social-engineering scam targeting IT help desk staff.
https://www.scmagazine.com/news/health-sector-help-desks-duped-by-social-engineering-scams-hhs-warns
CISO role shows significant gains amid
corporate recognition of cyber risk - A report from Moody’s Ratings
shows CISOs and other senior-level cyber executives have become key
decision makers within the C-suite.
https://www.cybersecuritydive.com/news/ciso-gains-corporate-cyber-risk/712684/
Sweeping bipartisan comprehensive data privacy bill to be introduced
by congressional leaders - A comprehensive data privacy bill
unveiled Sunday would offer historic privacy protections and appears
to have momentum on both sides of the aisle.
https://therecord.media/sweeping-bipartisan-privacy-bill-to-be-introduced-congress
German state ditches Microsoft for Linux and LibreOffice - Why?
Schleswig-Holstein cites cost, security, and digital sovereignty -
though not necessarily in that order. Thanks to hardware vendors
working hand-in-glove with Microsoft, many people never realize
there are alternatives to Windows and Office.
https://www.zdnet.com/article/german-state-ditches-microsoft-for-linux-and-libreoffice/
Healthcare IT Help Desk Employees Targeted in Payment-Hijacking
Attack - Threat actors are targeting IT help desk employees at
healthcare and public health (HPH) organizations to gain access to
corporate networks and divert payments, the US Department of Health
warns.
https://www.securityweek.com/healthcare-it-help-desk-employees-targeted-in-payment-hijacking-attacks/
What’s going on with the National Vulnerability Database? - CVE
overload and a lengthy backlog has meant the federal government’s
repository of vulnerability data can’t keep up with today’s threat
landscape.
https://www.cybersecuritydive.com/news/nist-national-vulnerability-database/712826/
CYBERSECURITY ATTACKS, INTRUSIONS,
DATA THEFT & LOSS:
Ivanti promises to address its bug problem
after security failures - After spending months grappling with a
string of gateway appliance security failures, Ivanti has vowed to
reengineer its processes to harden its products against increasingly
persistent attackers.
https://www.scmagazine.com/news/ivanti-promises-to-address-its-bug-problem-after-security-failures
Omni Hotels confirms cyberattack behind ongoing IT outage - Omni
Hotels & Resorts has confirmed a cyberattack caused a nationwide IT
outage that is still affecting its locations.
https://www.bleepingcomputer.com/news/security/omni-hotels-confirms-cyberattack-behind-ongoing-it-outage/
Jackson County in state of emergency after ransomware attack -
Jackson County, Missouri, is in a state of emergency after a
ransomware attack took down some county services on Tuesday.
https://www.bleepingcomputer.com/news/security/jackson-county-in-state-of-emergency-after-ransomware-attack/
US Cancer Center Data Breach Impacting 800,000 - Cancer treatment
and research center City of Hope this week started notifying over
800,000 individuals that their personal and health information was
compromised in a data breach.
https://www.securityweek.com/us-cancer-center-data-breach-impacting-800000/
Red Hat warns of backdoor in widely used Linux utility - With a CVSS
of 10, CISA urged users and developers to downgrade to an
uncompromised version, search for any malicious activity and report
findings back to the agency.
https://www.cybersecuritydive.com/news/red-hat-warning-malicious-backdoor/711875/
Omni Hotels blames cyberattack for widespread tech outages - Omni
Hotels & Resorts said a cyberattack was responsible for disruptions
to systems that caused chaos across its 50 upmarket properties over
the busy Easter period.
https://www.scmagazine.com/news/omni-hotels-blames-cyberattack-for-widespread-tech-outages
Home Depot confirms data breach via third-party vendor - Home Depot
on April 8 confirmed to SC Media that a third-party
software-as-a-service (SaaS) vendor had made public some employee
data and that they had, in effect, been breached.
https://www.scmagazine.com/news/home-depot-confirms-data-breach-via-third-party-vendor
Prudential Financial: February incident exposed data of nearly 37K
customers - Prudential Financial disclosed that 36,545 individuals
had personal information stolen in an early February breach that was
claimed by ALPHV/BlackCat, the group also responsible for the Change
Healthcare ransomware attack.
https://www.scmagazine.com/news/prudential-financial-february-incident-exposed-data-of-nearly-37k-customers
Acuity confirms hackers stole non-sensitive govt data from GitHub
repos - Acuity, a federal contractor that works with U.S. government
agencies, has confirmed that hackers breached its GitHub
repositories and stole documents containing old and non-sensitive
data.
https://www.bleepingcomputer.com/news/security/acuity-confirms-hackers-stole-non-sensitive-govt-data-from-github-repos/
World's second-largest eyeglass lens-maker blinded by infosec
incident - If ever there was an incident that brings the need for
good infosec into sharp focus, this is the one: Japan's Hoya – a
maker of eyeglass and contact lenses, plus kit used in
semiconductor manufacturing, flat panel displays, and hard disk
drives – has halted some production and sales activity after
experiencing an attack on its IT systems.
https://www.theregister.com/2024/04/05/hoya_infosec_incident/
Home Depot confirms third-party data breach exposed employee info -
Home Depot has confirmed that it suffered a data breach after one of
its SaaS vendors mistakenly exposed a small sample of limited
employee data, which could potentially be used in targeted phishing
attacks.
https://www.bleepingcomputer.com/news/security/home-depot-confirms-third-party-data-breach-exposed-employee-info/
DOJ data on 341,000 people leaked in cyberattack on consulting firm
- Medicare and other information belonging to 341,000 people was
leaked after a consulting firm working with the Department of
Justice was hacked.
https://therecord.media/doj-data-leaked-in-attack-on-consulting-firm
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle 10: Banks should take
appropriate measures to preserve the confidentiality of key e-banking
information. Measures taken to preserve confidentiality should be
commensurate with the sensitivity of the information being
transmitted and/or stored in databases.
Confidentiality is the assurance that key information remains
private to the bank and is not viewed or used by those unauthorized
to do so. Misuse or unauthorized disclosure of data exposes a bank
to both reputation and legal risk. The advent of e-banking presents
additional security challenges for banks because it increases the
exposure that information transmitted over the public network or
stored in databases may be accessible by unauthorized or
inappropriate parties or used in ways the customer providing the
information did not intend. Additionally, increased use of service
providers may expose key bank data to other parties.
To meet these challenges concerning the preservation of
confidentiality of key e-banking information, banks need to ensure
that:
1) All confidential bank data and records are only
accessible by duly authorized and authenticated individuals, agents
or systems.
2) All confidential bank data are maintained in a secure
manner and protected from unauthorized viewing or modification
during transmission over public, private or internal networks.
3) The bank's standards and controls for data use and
protection must be met when third parties have access to the data
through outsourcing relationships.
4) All access to restricted data is logged and appropriate
efforts are made to ensure that access logs are resistant to
tampering.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
user's identity.
The private key is stored on the user's computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National
Institute of Standards and Technology (NIST) Handbook.
Chapter 9 - Assurance
Computer security assurance is the degree of confidence one has
that the security measures, both technical and operational, work as
intended to protect the system and the information it processes.
Assurance is not, however, an absolute guarantee that the measures
work as intended. Like the closely related areas of reliability and
quality, assurance can be difficult to analyze; however, it is
something people expect and obtain (though often without realizing
it). For example, people may routinely get product
recommendations from colleagues but may not consider such
recommendations as providing assurance.
Assurance is a degree of confidence, not a true measure of how
secure the system actually is. This distinction is necessary because
it is extremely difficult -- and in many cases virtually impossible
-- to know exactly how secure a system is.
Assurance is a challenging subject because it is difficult to
describe and even more difficult to quantify. Because of this, many
people refer to assurance as a "warm fuzzy feeling" that controls
work as intended. However, it is possible to apply a more rigorous
approach by knowing two things: (1) who needs to be assured and (2)
what types of assurance can be obtained. The person who needs to be
assured is the management official who is ultimately responsible for
the security of the system. Within the federal government, this
person is the authorizing or accrediting official.
There are many methods and tools for obtaining assurance. For
discussion purposes, this chapter categorizes assurance in terms of
a general system life cycle. The chapter first discusses planning
for assurance and then presents the two categories of assurance
methods and tools: (1) design and implementation assurance and (2)
operational assurance. Operational assurance is further categorized
into audits and monitoring.
The division between design and implementation assurance and
operational assurance can be fuzzy. While such issues as
configuration management or audits are discussed under operational
assurance, they may also be vital during a system's development. The
discussion tends to focus more on technical issues during design and
implementation assurance and to be a mixture of management,
operational, and technical issues under operational assurance. The
reader should keep in mind that the division is somewhat artificial
and that there is substantial overlap.
Security assurance is the degree of confidence one has that the
security controls operate correctly and protect the system as
intended.