MISCELLANEOUS CYBERSECURITY NEWS:
Crisis communications: What organizations should do before a breach
- Understanding the technical environment and relationships with
stakeholders are the two most important things organizations should
have in place during a breach incident, said the CEO of a
communications firm specializing in security, privacy and risk
organizations.
https://www.scmagazine.com/podcast/breach/crisis-communications-what-organizations-should-do-before-a-breach
HHS wants healthcare industry feedback on security practices,
penalties - The Department of Health and Human Services is seeking
industry feedback on the security practices currently being employed
by healthcare-covered entities and business associates, as detailed
in the Health Information Technology for Economic and Clinical
Health (HITECH) Act.
https://www.scmagazine.com/analysis/compliance/hhs-wants-healthcare-industry-feedback-on-security-practices-penalties
Financial fraud shot up 233% last year, account takeover on the rise
- It’s no secret that financial fraud has sharply risen during the
pandemic over the past couple of years, but a recent report paints
an even more disturbing picture.
https://www.scmagazine.com/analysis/cybercrime/financial-fraud-shot-up-233-last-year-account-takeover-on-the-rise
U.S. government and energy firms close ranks, fearing Russian
cyberattacks - In February, as Russian troops massed on Ukraine’s
border, executives with a major energy firm here worked with U.S.
energy and homeland security officials to draw up a playbook and
help prepare the electricity sector to deal with potential
cyberattacks by Russia.
https://www.washingtonpost.com/national-security/2022/04/06/russia-cyber-attack-threat-energy/
With consumer data privacy in focus, making the case for NIST in
healthcare - As states continue to enact their own privacy laws and
Congress forges ahead with discussions of a federal privacy law,
healthcare entities must prioritize coordination between privacy and
security offices and look to NIST rather than The Health Insurance
Portability and Accountability Act (HIPAA) requirements to
strengthen their cyber posture and ensure compliance.
https://www.scmagazine.com/feature/privacy/with-consumer-data-privacy-in-focus-making-the-case-for-nist-in-healthcare
Account takeover poised to surpass malware as the No. 1 security
concern - As most researchers and financial executives can attest,
virtually all types of fraud have dramatically risen over the past
two years. However, attackers taking over legitimate financial
accounts have become even more of a favorite with cybercriminals
than most fraud schemes.
https://www.scmagazine.com/analysis/cybercrime/account-takeover-poised-to-surpass-malware-as-the-no-1-security-concern
How bank customers can reduce the risk from account takeover fraud -
Account takeover has become an increasingly popular and accessible
way for fraudsters to steal money from real bank customers, and also
to commit other forms of cyber-malfeasance. However, experts have
pointed out steps that financial institutions and their customers
can take to reduce that risk.
https://www.scmagazine.com/analysis/cybercrime/how-bank-customers-can-reduce-the-risk-from-account-takeover-fraud
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
First malware targeting AWS Lambda serverless cloud environment
discovered - Researchers on Wednesday reported on the first publicly
known case of malware specifically designed to execute in an AWS
Lambda environment.
https://www.scmagazine.com/news/cloud-security/first-malware-targeting-aws-lambda-serverless-cloud-environment-discovered
California health plan facing network disruptions after alleged Hive
ransomware attack - Partnership HealthPlan of California (PHC) is
currently experiencing computer system disruptions and working to
recover its network with support from third-party forensic
specialists. Multiple reports allege the Hive ransomware group is
behind the attack.
https://www.scmagazine.com/analysis/breach/california-health-plan-facing-network-disruptions-after-alleged-hive-ransomware-attack
WatchGuard failed to explicitly disclose critical flaw exploited by
Russian hackers - Security vendor WatchGuard quietly fixed a
critical vulnerability in a line of its firewall devices and didn’t
explicitly disclose the flaw for at least seven months, following
revelations hackers from Russia’s military apparatus exploited the
flaw en masse to assemble a giant botnet.
https://arstechnica.com/information-technology/2022/04/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers/
Palo Alto Networks firewalls, VPNs vulnerable to OpenSSL bug -
American cybersecurity company Palo Alto Networks warned customers
on Wednesday that some of its firewall, VPN, and XDR products are
vulnerable to a high severity OpenSSL infinite loop bug disclosed
three weeks ago.
https://www.bleepingcomputer.com/news/security/palo-alto-networks-firewalls-vpns-vulnerable-to-openssl-bug/
Lapsus$ breach of Okta prompts HHS alert for healthcare
organizations - The Department of Health and Human Services issued an
alert to warn the sector of the ongoing, potential threat the
extortion group poses.
https://www.scmagazine.com/analysis/risk-management/lapsus-breach-of-okta-prompts-hhs-alert-for-healthcare-organizations
Patient data stolen ahead of East Tennessee Children’s Hospital
attack, outage - Several weeks after a cyberattack spurred network
disruptions at East Tennessee Children's Hospital, ETCH is notifying
an undisclosed number of patients and parents that the threat actors
stole sensitive health information during the incident.
https://www.scmagazine.com/analysis/breach/patient-data-stolen-ahead-of-east-tennessee-childrens-hospital-attack-outage
Health insurance exchange didn’t report 44 data breaches, but were
hit with no security mandates - The health insurance exchange for
Connecticut, Access Health, faced a whopping 44 data breaches over
the course of three and a half years.
https://www.scmagazine.com/analysis/breach/health-insurance-exchange-didnt-report-44-data-breaches-but-were-hit-with-no-mandate-to-improve-security
Denial-of-service disrupts Finnish government sites during Zelenskyy
speech - A denial-of-service attack knocked the websites for
Finland’s defense and foreign ministries offline Friday, the
government there said, just as Ukrainian President Volodymyr
Zelenskyy spoke to the Finnish parliament.
https://www.cyberscoop.com/finland-denial-of-service-zelenskyy/
Atlassian blames script maintenance for week-long cloud outage -
Atlassian is blaming a recent maintenance script for accidentally
disabling several of its cloud services, which have been down now
for nearly a week.
https://www.zdnet.com/article/atlassian-blames-script-maintenance-for-week-long-cloud-outage/
WEB SITE COMPLIANCE - We continue the series regarding FDIC
Supervisory Insights regarding Incident Response Programs. (5 of 12)
Notification Procedures
An institution should notify its primary Federal regulator as soon
as it becomes aware of the unauthorized access to or misuse of
sensitive customer information or customer information systems.
Notifying the regulatory agency will help it determine the potential
for broader ramifications of the incident, especially if the
incident involves a service provider, as well as assess the
effectiveness of the institution's IRP.
Institutions should develop procedures for notifying law
enforcement agencies and filing SARs in accordance with their
primary Federal regulator's requirements. Law enforcement agencies
may serve as an additional resource in handling and documenting the
incident. Institutions should also establish procedures for filing
SARs in a timely manner because regulations impose relatively quick
filing deadlines. The SAR form itself may serve as a resource in the
reporting process, as it contains specific instructions and
thresholds for when to file a report. The SAR form instructions also
clarify what constitutes a "computer intrusion" for filing purposes.
Defining procedures for notifying law enforcement agencies and
filing SARs can streamline these notification and reporting
requirements.
Institutions should also address customer notification procedures
in their IRP. When an institution becomes aware of an incident
involving unauthorized access to sensitive customer information, the
institution should conduct a reasonable investigation to determine
the likelihood that such information has been or will be misused. If
the institution determines that sensitive customer information has
been misused or that misuse of such information is reasonably
possible, it should notify the affected customer(s) as soon as
possible. Developing standardized procedures for notifying customers
will assist in making timely and thorough notification. As a
resource in developing these procedures, institutions should
reference the April 2005 interpretive guidance, which specifically
addresses when customer notification is necessary, the recommended
content of the notification, and the acceptable forms of
notification.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - DATA CENTER SECURITY
When selecting a site for the most important information systems
components, one major objective is to limit the risk of exposure
from internal and external sources. The selection process should
include a review of the surrounding area to determine if it is
relatively safe from exposure to fire, flood, explosion, or similar
environmental hazards. Outside intruders can be deterred through the
use of guards, fences, barriers, surveillance equipment, or other
similar devices. Since access to key information system hardware and
software should be limited, doors and windows must be secure.
Additionally, the location should not be identified or advertised by
signage or other indicators.
Detection devices, where applicable, should be utilized to prevent
theft and safeguard the equipment. They should provide continuous
coverage. Detection devices have two purposes - to alarm when a
response is necessary and to support subsequent forensics. The alarm
capability is only useful when a response will occur. Some intruder
detection devices available include:
! Switches that activate an alarm when an electrical circuit is
broken;
! Light and laser beams, ultraviolet beams and sound or vibration
detectors that are invisible to the intruder, and ultrasonic and
radar devices that detect movement in a room; and
! Closed-circuit television that allows visual observation and
recording of actions.
Risks from environmental threats can be addressed somewhat through
devices such as halon gas, smoke alarms, raised flooring, heat
sensors, and the like.
Physical security devices frequently need preventive maintenance
to function properly. Maintenance logs are one control the
institution can use to determine whether the devices are
appropriately maintained. Periodic testing of the devices provides
assurance that they are operating correctly.
Security guards should be properly instructed about their duties.
The employees who access secured areas should have proper
identification and authorization to enter the area. All visitors
should sign in and wear proper IDs so that they can be identified
easily. Security guards should be trained to restrict the removal of
assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing a
specific and formal authorization process for the removal of
hardware and software from premises.
The following security zones should have access restricted to a
need basis:
! Operations center
! Uninterrupted power supply
! Telecommunications equipment
! Media library
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 18 - AUDIT TRAILS
18.3.2 Review of Audit Trails
Audit trails can be used to review what occurred after an event,
for periodic reviews, and for real-time analysis. Reviewers should
know what to look for to be effective in spotting unusual activity.
They need to understand what normal activity looks like. Audit trail
review can be easier if the audit trail function can be queried by
user ID, terminal ID, application name, date and time, or some other
set of parameters to run reports of selected information.
Audit Trail Review After an Event. Following a known system
or application software problem, a known violation of existing
requirements by a user, or some unexplained system or user problem,
the appropriate system-level or application-level administrator
should review the audit trails. Review by the application/data owner
would normally involve a separate report, based upon audit trail
data, to determine if their resources are being misused.
Periodic Review of Audit Trail Data. Application owners,
data owners, system administrators, data processing function
managers, and computer security managers should determine how much
review of audit trail records is necessary, based on the importance
of identifying unauthorized activities. This determination should
have a direct correlation to the frequency of periodic reviews of
audit trail data.
Real-Time Audit Analysis. Traditionally, audit trails are
analyzed in a batch mode at regular intervals (e.g., daily). Audit
records are archived during that interval for later analysis. Audit
analysis tools can also be used in a real-time, or near real-time
fashion. Such intrusion detection tools are based on audit
reduction, attack signature, and variance techniques. Manual review
of audit records in real time is almost never feasible on large
multiuser systems due to the volume of records generated. However,
it might be possible to view all records associated with a
particular user or application, and view them in real time.
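The query-by-parameter review and the real-time signature and variance analysis described above, as an added example that is not part of the NIST Handbook or this newsletter; the record layout, the log lines, the function names and the thresholds are all constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample audit records: timestamp, user ID, terminal ID, application, event.
SAMPLE_AUDIT_TRAIL = """\
2022-04-06T08:01:10 alice tty3 payroll LOGIN_OK
2022-04-06T08:05:42 alice tty3 payroll READ_RECORD
2022-04-06T08:07:03 bob tty7 ledger LOGIN_OK
2022-04-06T23:14:55 bob tty9 payroll LOGIN_FAIL
2022-04-06T23:15:02 bob tty9 payroll LOGIN_FAIL
2022-04-06T23:15:20 bob tty9 payroll LOGIN_FAIL
2022-04-06T23:16:01 bob tty9 payroll LOGIN_OK
2022-04-06T23:16:40 bob tty9 payroll EXPORT_ALL
"""

def parse_audit_trail(text):
    """One record per line; the timestamp is parsed so time windows can be queried."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, terminal, app, event = line.split()
            records.append({"time": datetime.fromisoformat(ts), "user": user,
                            "terminal": terminal, "app": app, "event": event})
    return records

def query(records, user=None, terminal=None, app=None, start=None, end=None):
    """Audit reduction: select by user ID, terminal ID, application name
    and/or date-time window, the parameters the Handbook lists."""
    return [r for r in records
            if (user is None or r["user"] == user)
            and (terminal is None or r["terminal"] == terminal)
            and (app is None or r["app"] == app)
            and (start is None or r["time"] >= start)
            and (end is None or r["time"] <= end)]

def flag_suspicious(records, work_hours=range(7, 19), fail_limit=3):
    """Variance check (activity outside the assumed normal hours) plus a
    signature check (fail_limit consecutive LOGIN_FAILs then LOGIN_OK)."""
    findings, fails = [], defaultdict(int)  # fails: run length per (user, terminal)
    for r in records:
        key = (r["user"], r["terminal"])
        if r["time"].hour not in work_hours:
            findings.append(("off_hours", r["user"], r["time"].isoformat()))
        if r["event"] == "LOGIN_FAIL":
            fails[key] += 1
        elif r["event"] == "LOGIN_OK" and fails[key] >= fail_limit:
            findings.append(("failures_then_success", r["user"], r["terminal"]))
            fails[key] = 0
        else:
            fails[key] = 0  # any other event ends the failure run
    return findings
```

On the sample trail, the reduced view for bob on tty9 is five records, and the checks flag both the off-hours activity and the three failed logins followed by a success.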