MISCELLANEOUS CYBERSECURITY NEWS:
US Defense Department Launches ‘Hack the Pentagon’ Website - The US
Department of Defense (DoD) has launched a new website to help
organizations within the department to launch bug bounty programs
and recruit security researchers.
https://www.securityweek.com/us-defense-department-launches-hack-the-pentagon-website/
Vimeo to pay $2.25M in AI-related biometric privacy lawsuit - Vimeo
agreed to pay $2.25 million to certain users of its AI-based video
creation and editing platform called Magisto to resolve claims it
collected and stored their biometric data.
https://www.scmagazine.com/news/identity-and-access/vimeo-ai-biometric-privacy-lawsuit
All Dutch govt networks to use RPKI to prevent BGP hijacking - The
Dutch government will upgrade the security of its internet routing
by adopting the Resource Public Key Infrastructure (RPKI) standard
before the end of 2024.
https://www.bleepingcomputer.com/news/security/all-dutch-govt-networks-to-use-rpki-to-prevent-bgp-hijacking/
"Juice jacking": FBI warns against using public charging stations -
You might want to think twice about plugging your devices into
public charging stations, according to the FBI.
https://www.axios.com/2023/04/10/fbi-warning-charging-stations-juice-jacking
Ex-employee password abuse: 10% log back in to ‘disrupt’ business,
report - Nearly half of 1,000 U.S. workers surveyed admitted to
abusing credentials tied to a former employer after leaving the
company. More concerning, 10 percent did so with the intent to
disrupt company activities.
https://www.scmagazine.com/news/insider-threat/ex-employee-password-abuse
Dish Network lawsuits pile up after crippling ransomware attack -
Dish Network faces multiple class action lawsuits for allegedly
making "materially false and misleading statements" tied to a
crippling February ransomware attack.
https://www.scmagazine.com/news/ransomware/dish-network-lawsuits-pile-up-ransomware
The rise of hospitality fraud and how hotels can mitigate it -
Hotels are in a unique category when it comes to fraudulent
activity. They are not the typical targets of fraud since there’s
generally not much one can do based on an individual reservation.
https://www.scmagazine.com/perspective/cybercrime/the-rise-of-hospitality-fraud-and-how-hotels-can-mitigate-it
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Pirated Software Compromised Ukrainian Utility Company - An employee
of a Ukrainian utility company downloaded and installed an
unlicensed version of Microsoft Office from a torrent website
resulting in two remote access Trojans infecting the company's
systems for two months.
https://www.govinfosecurity.com/pirated-software-compromised-ukrainian-utility-company-a-21618
UK criminal records office confirms cyber incident behind portal
issues - The UK's Criminal Records Office (ACRO) has finally
confirmed, after weeks of delaying issuing a statement, that online
portal issues experienced since January 17 resulted from what it
described as a "cyber security incident."
https://www.bleepingcomputer.com/news/security/uk-criminal-records-office-confirms-cyber-incident-behind-portal-issues/
Illinois hospital forced into EHR downtime after cyberattack - Sarah
D. Culbertson Memorial Hospital in Illinois is the latest hospital
to be forced into electronic health record downtime procedures after
a cyberattack.
https://www.scmagazine.com/news/ransomware/illinois-hospital-forced-health-records-downtime-cyberattack
MSI confirms security breach following ransomware attack claims -
Following reports of a ransomware attack, Taiwanese PC vendor MSI
(short for Micro-Star International) confirmed today that its
network was breached in a cyberattack.
https://www.bleepingcomputer.com/news/security/msi-confirms-security-breach-following-ransomware-attack-claims/
No school in Rochester on Monday as district deals with potential
cyberattack - There will be no school on Monday for students at the
Rochester Public Schools, as district staff and teachers figure out
how to operate with limited technology after a possible cyberattack
last week.
https://www.startribune.com/no-school-in-rochester-on-monday-as-district-deals-with-potential-cyberattack/600265738/
Cyberattack on Rochester Public Schools spurs class cancellations -
A cyberattack deployed against Rochester Public Schools in Minnesota
on April 6 has spurred class cancellations, downed phone systems and
caused network disruptions. The school district is made up of
approximately three dozen schools.
https://www.scmagazine.com/news/breach/cyberattack-ochester-public-schools-class-cancellations
WEB SITE COMPLIANCE -
Advertisement Of Membership
The FDIC and NCUA consider every insured depository
institution's online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
FFIEC IT SECURITY -
This concludes our coverage of the FDIC's "Guidance on Managing
Risks Associated With Wireless Networks and Wireless Customer
Access."
Part III. Risks Associated with Both Internal Wireless Networks
and Wireless Internet Devices
Evolution and Obsolescence
As the wireless technologies available today evolve, financial
institutions and their customers face the risk of current
investments becoming obsolete in a relatively short time. As
demonstrated by the weaknesses in WEP and earlier versions of WAP
and the changes in standards for wireless technologies, wireless
networking as a technology may change significantly before it is
considered mature. Financial institutions that invest heavily in
components that may become obsolete quickly may feel the cost of
adopting an immature technology.
Controlling the Impact of Obsolescence
Wireless internal networks are subject to the same types of
evolution that encompass the computing environment in general. Key
questions to ask a vendor before purchasing a wireless internal
network solution include:
1) What is the upgrade path to the next class of network?
2) Do the devices support firmware (Flash) upgrades for
security patches and upgrades?
3) How does the vendor distribute security information and
patches?
The financial institution should also consider the evolving
standards of the wireless community. Before entering into an
expensive implementation, the institution should research when the
next major advances in wireless are likely to be released. Bank
management can then make an informed decision on whether the
implementation should be based on currently available technology or
a future implementation based on newer technology.
The potential obsolescence of wireless customer access can be
controlled in other ways. As the financial institution designs
applications that are to be delivered through wireless devices, they
should design the application so that the business logic is not tied
to a particular wireless technology. This can be accomplished by
placing the majority of the business logic on back-end or mid-tier
servers that are independent of the wireless application server. The
wireless application server then becomes a connection point between
the customer and the transactions performed. As the institution
decides to upgrade or replace the application server, the business
logic can remain relatively undisturbed.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
3.5 Supporting Functions
The security responsibilities of managers, technology providers
and security officers are supported by functions normally assigned
to others. Some of the more important of these are described below.
Audit. Auditors are responsible for examining systems to
see whether the system is meeting stated security requirements,
including system and organization policies, and whether security
controls are appropriate. Informal audits can be performed by those
operating the system under review or, if impartiality is important,
by outside auditors.
Physical Security. The physical security office is
usually responsible for developing and enforcing appropriate
physical security controls, in consultation with computer security
management, program and functional managers, and others, as
appropriate. Physical security should address not only central
computer installations, but also backup facilities and office
environments. In the government, this office is often responsible
for the processing of personnel background checks and security
clearances.
Disaster Recovery/Contingency Planning Staff. Some
organizations have a separate disaster recovery/contingency planning
staff. In this case, they are normally responsible for contingency
planning for the organization as a whole, and normally work with
program and functional managers/application owners, the computer
security staff, and others to obtain additional contingency planning
support, as needed.
Quality Assurance. Many organizations have established a
quality assurance program to improve the products and services they
provide to their customers. The quality officer should have a
working knowledge of computer security and how it can be used to
improve the quality of the program, for example, by improving the
integrity of computer-based information, the availability of
services, and the confidentiality of customer information, as
appropriate.
Procurement. The procurement office is responsible for
ensuring that organizational procurements have been reviewed by
appropriate officials. The procurement office cannot be responsible
for ensuring that goods and services meet computer security
expectations, because it lacks the technical expertise.
Nevertheless, this office should be knowledgeable about computer
security standards and should bring them to the attention of those
requesting such technology.
Training Office. An organization has to decide whether
the primary responsibility for training users, operators, and
managers in computer security rests with the training office or the
computer security program office. In either case, the two
organizations should work together to develop an effective training
program.
Personnel. The personnel office is normally the first
point of contact in helping managers determine if a security
background investigation is necessary for a particular position. The
personnel and security offices normally work closely on issues
involving background investigations. The personnel office may also
be responsible for providing security-related exit procedures when
employees leave an organization.
Risk Management/Planning Staff. Some organizations have a
full-time staff devoted to studying all types of risks to which the
organization may be exposed. This function should include computer
security-related risks, although this office normally focuses on
"macro" issues. Specific risk analyses for specific computer systems
are normally not performed by this office.
Physical Plant. This office is responsible for ensuring
the provision of such services as electrical power and environmental
controls, necessary for the safe and secure operation of an
organization's systems. Often they are augmented by separate
medical, fire, hazardous waste, or life safety personnel.
3.6 Users
Users also have responsibilities for computer security. Two kinds
of users, and their associated responsibilities, are described
below.
Users of Information. Individuals who use information
provided by the computer can be considered the "consumers" of the
applications. Sometimes they directly interact with the system
(e.g., to generate a report on screen) -- in which case they are
also users of the system (as discussed below). Other times, they may
only read computer-prepared reports or only be briefed on such
material. Some users of information may be very far removed from the
computer system. Users of information are responsible for letting
the functional managers/application owners (or their representatives)
know what their needs are for the protection of information,
especially for its integrity and availability.
Users of Systems. Individuals who directly use computer
systems (typically via a keyboard) are responsible for following
security procedures, for reporting security problems, and for
attending required computer security and functional training.