MISCELLANEOUS CYBERSECURITY NEWS:
CISA Releases Malware Next-Gen Analysis System for Public Use - The
US government’s cybersecurity agency CISA has released its threat
hunting and internal malware analysis system for public use,
promising capabilities for the automatic analysis of potentially
malicious files or uniform resource locators (URLs).
https://www.securityweek.com/cisa-releases-malware-next-gen-analysis-system-for-public-use/
Seven ways to prepare for the new CISA CIRCIA rules - Last Wednesday
marked a significant milestone as the Cybersecurity and
Infrastructure Security Agency (CISA) unveiled its eagerly awaited
draft rules on cybersecurity incident reporting.
https://www.scmagazine.com/perspective/seven-ways-to-prepare-for-the-new-cisa-circia-rules
What security agencies, regulators, and businesses get wrong about
cybersecurity - The Cybersecurity and Infrastructure Security Agency (CISA)
and the FBI recently released an advisory about Phobos ransomware,
highlighting the attack methods threat actors use to target public
sector entities.
https://www.scmagazine.com/perspective/what-security-agencies-regulators-and-businesses-get-wrong-about-cybersecurity
UnitedHealth expects up to $1.6B hit from Change cyberattack this
year - Investors got a clearer picture of the cyberattack’s
financial fallout on the healthcare juggernaut. Some said it wasn’t
as bad as they’d feared.
https://www.cybersecuritydive.com/news/unitedhealth-group-losses-change-cyberattack/713363/
Multifactor authentication is not all it’s cracked up to be - Text
message and email-based authentication aren’t just the weakest
variants of MFA. Cybersecurity professionals say they are broken.
https://www.cybersecuritydive.com/news/multifactor-authentication-weaknesses/633399/
What if we made ransomware payments illegal? - The September 2023
ransomware attacks against Las Vegas casinos are a great opportunity
to examine the challenges enterprises face when they are attacked by
ransomware.
https://www.scmagazine.com/perspective/what-if-we-made-ransomware-payments-illegal
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
DOJ data on 340,000 individuals stolen in consulting firm hack - A
cyberattack on a consulting firm working for the U.S. Department of
Justice resulted in the theft of personal and medical data belonging
to more than 340,000 individuals.
https://www.scmagazine.com/news/doj-data-on-340000-individuals-stolen-in-consulting-firm-hack
Sisense customers told to reset credentials amid supply chain attack
fears - The Cybersecurity and Infrastructure Security Agency alerted
Sisense customers to reset credentials and secrets that were
potentially exposed in a recent breach of Sisense’s AI-based data
analytics services.
https://www.scmagazine.com/news/sisense-customers-told-to-reset-credentials-amid-supply-chain-attack-fears
Ransomware gang steals 534,000 records from Wisconsin healthcare
provider - Hackers stole health records belonging to more than half
a million individuals from a non-profit Wisconsin healthcare
provider after their attempt to encrypt the organization’s systems
failed.
https://www.scmagazine.com/news/ransomware-gang-steals-534000-records-from-wisconsin-healthcare-provider
Federal agencies caught sharing credentials with Microsoft over
email - The Russia-linked hackers behind the attack on Microsoft’s
internal systems starting in late November stole credentials for
federal agencies that could be used to compromise government
departments, cyber authorities said Thursday.
https://www.cybersecuritydive.com/news/federal-agencies-credentials-exposed/713064/
‘Large-scale cyberattack’ hits five French municipalities, impact
may last ‘months’ - Five municipalities near the river Loire on the
west coast of France have been hit by a “large-scale cyberattack” on
their shared computer servers, leaving staff without the ability to
access documents or get on with their work.
https://therecord.media/france-cyberattack-loire-municipalities
Omni Hotels & Resorts hit by cyberattack - Omni Hotels & Resorts
properties were affected by a cyberattack, which the hotel company
has been responding to since March 29, Omni shared Wednesday.
https://www.cybersecuritydive.com/news/omni-hotels-cyberattack/712452/
AT&T: Data breach affects 73 million or 51 million customers. No, we
won’t explain. - AT&T is notifying millions of current or former
customers that their account data has been compromised and published
last month on the dark web. Just how many millions, the company
isn't saying.
https://arstechnica.com/security/2024/04/att-takes-2-years-to-confirm-leaked-data-belongs-to-millions-of-customers/
US think tank Heritage Foundation hit by cyberattack - Conservative
think tank The Heritage Foundation said on Friday that it
experienced a cyberattack earlier this week.
https://techcrunch.com/2024/04/12/heritage-foundation-cyberattack/?utm_source=Sailthru&utm_medium=email&utm_campaign=Newsletter%20Weekly%20Roundup:%20Cybersecurity%20Dive:%20Daily%20Dive%2004-13-2024&utm_term=Cybersecurity%20Dive%20Weekender
Roku says more than 500,000 accounts impacted in cyberattack -
Streaming service provider Roku (ROKU.O) said on Friday it identified
a second cyberattack that impacted about 576,000 additional accounts
while investigating a breach that affected 15,000 user accounts
earlier this year.
https://www.reuters.com/technology/cybersecurity/roku-says-more-than-500000-accounts-impacted-by-cyber-attack-2024-04-12/
https://www.scmagazine.com/news/roku-activates-2fa-for-80m-users-after-breach-of-576k-accounts
Apple alerts users in 92 nations to mercenary spyware attacks -
Apple sent threat notifications to iPhone users in 92 countries on
Wednesday, warning them that they may have been targeted by
mercenary spyware attacks.
https://techcrunch.com/2024/04/10/apple-warning-mercenary-spyware-attacks/
Cisco Duo warns third-party data breach exposed SMS MFA logs - Cisco
Duo's security team warns that hackers stole some customers' VoIP
and SMS logs for multi-factor authentication (MFA) messages in a
cyberattack on their telephony provider.
https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-data-breach-exposed-sms-mfa-logs/
Roku warns 576,000 accounts hacked in new credential stuffing
attacks - The company said the attackers used login information
stolen from other online platforms to breach as many active Roku
accounts as possible in credential stuffing attacks.
https://www.bleepingcomputer.com/news/security/roku-warns-576-000-accounts-hacked-in-new-credential-stuffing-attacks/
Chinese-owned semiconductor company Nexperia hit by ransomware
attack - Nexperia, a Chinese-owned semiconductor company
headquartered in the Netherlands, has announced being hacked after a
ransomware group uploaded what it claimed were stolen confidential
documents to a darknet extortion site.
https://therecord.media/nexperia-semiconductor-company-ransomware-incident
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle 11: Banks should ensure
that adequate information is provided on their websites to allow
potential customers to make an informed conclusion about the bank's
identity and regulatory status prior to entering into e-banking
transactions.
To minimize legal and reputational risk associated with
e-banking activities conducted both domestically and cross-border,
banks should ensure that adequate information is provided on their
websites to allow customers to make informed conclusions about the
identity and regulatory status of the bank before they enter into
e-banking transactions.
Examples of such information that a bank could provide on its
own website include:
1) The name of the bank and the location of its head office
(and local offices if applicable).
2) The identity of the primary bank supervisory authority(ies)
responsible for the supervision of the bank's head office.
3) How customers can contact the bank's customer service center
regarding service problems, complaints, suspected misuse of
accounts, etc.
4) How customers can access and use applicable Ombudsman or
consumer complaint schemes.
5) How customers can obtain access to information on applicable
national compensation or deposit insurance coverage and the level of
protection that they afford (or links to websites that provide such
information).
6) Other information that may be appropriate or required by
specific jurisdictions.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 2 of 3)
The certificate authority (CA), which may be the financial
institution or its service provider, plays a key role by attesting
with a digital certificate that a particular public key and the
corresponding private key belong to a specific user or system. It
is important when issuing a digital certificate that the
registration process for initially verifying the identity of users
is adequately controlled. The CA attests to the individual user's
identity by signing the digital certificate with its own private
key, known as the root key. Each time the user establishes a
communication link with the financial institution's systems, a
digital signature is transmitted with a digital certificate. These
electronic credentials enable the institution to determine that the
digital certificate is valid, identify the individual as a user, and
confirm that transactions entered into the institution's computer
system were performed by that user.
The user's private key exists electronically and is susceptible
to being copied over a network as easily as any other electronic
file. If it is lost or compromised, the user can no longer be
assured that messages will remain private or that fraudulent or
erroneous transactions would not be performed. User AUPs and
training should emphasize the importance of safeguarding a private
key and promptly reporting its compromise.
PKI minimizes many of the vulnerabilities associated with
passwords because it does not rely on shared secrets to authenticate
customers, its electronic credentials are difficult to compromise,
and user credentials cannot be stolen from a central server. The
primary drawback of a PKI authentication system is that it is more
complicated and costly to implement than user names and passwords.
Whether the financial institution acts as its own CA or relies on a
third party, the institution should ensure its certificate issuance
and revocation policies and other controls discussed below are
followed.
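The flow just described (CA signs the user's certificate with its root key; the user presents a signature with the certificate on each transaction; the institution checks certificate validity, identifies the user, and confirms the transaction; compromised keys are revoked) is shown below in Go using only the standard library. This is an added example, not code from the FFIEC booklet or any vendor; the CA name "Example Bank Root CA", the user "alice", the transaction text and the 24-hour validity period are constructed values, and the in-memory revoked-serial list is a simplified stand-in for a real CRL or OCSP responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA holds the root private key, the self-signed root certificate, and the
// serial numbers it has revoked (constructed stand-in for a CRL/OCSP service).
type CA struct {
	Key     *ecdsa.PrivateKey
	Cert    *x509.Certificate
	revoked map[string]bool
}

// NewCA generates the root key and a self-signed root certificate.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert, revoked: map[string]bool{}}, nil
}

// Issue binds pub to subject by signing a certificate with the root key. The
// registration step that verifies who actually holds the key happens out of band.
func (ca *CA) Issue(subject string, serial int64, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke records a reported compromise; IsRevoked is what the institution asks.
func (ca *CA) Revoke(c *x509.Certificate)         { ca.revoked[c.SerialNumber.String()] = true }
func (ca *CA) IsRevoked(c *x509.Certificate) bool { return ca.revoked[c.SerialNumber.String()] }

// SignTransaction is the user's side: sign the transaction with the private key.
func SignTransaction(key *ecdsa.PrivateKey, tx []byte) ([]byte, error) {
	h := sha256.Sum256(tx)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Verifier is what the institution holds: the trusted root (public) and a
// revocation check. It never needs the CA's private key.
type Verifier struct {
	Root      *x509.Certificate
	IsRevoked func(*x509.Certificate) bool
}

// VerifyTransaction chains cert to the root, rejects expired or revoked
// certificates, checks the signature over tx, and returns the authenticated user.
func (v Verifier) VerifyTransaction(cert *x509.Certificate, tx, sig []byte, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(v.Root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	if v.IsRevoked(cert) {
		return "", errors.New("certificate revoked")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected public key type")
	}
	h := sha256.Sum256(tx)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("signature does not match transaction")
	}
	return cert.Subject.CommonName, nil
}

// Outcome summarises one run: the accepted user and three rejected failure cases.
type Outcome struct {
	AcceptedUser                                       string
	TamperedRejected, ExpiredRejected, RevokedRejected bool
}

// RunScenario walks the whole flow with constructed sample data.
func RunScenario() (Outcome, error) {
	var out Outcome
	ca, err := NewCA("Example Bank Root CA")
	if err != nil {
		return out, err
	}
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // alice's key pair
	if err != nil {
		return out, err
	}
	cert, err := ca.Issue("alice", 2, &userKey.PublicKey)
	if err != nil {
		return out, err
	}
	v := Verifier{Root: ca.Cert, IsRevoked: ca.IsRevoked}
	tx := []byte("constructed sample: transfer 100.00 from 1001 to 2002")
	sig, err := SignTransaction(userKey, tx)
	if err != nil {
		return out, err
	}
	now := time.Now()
	if out.AcceptedUser, err = v.VerifyTransaction(cert, tx, sig, now); err != nil {
		return out, err
	}
	// Altered transaction body: the signature no longer matches.
	_, err = v.VerifyTransaction(cert, []byte("constructed sample: transfer 9999.00 from 1001 to 2002"), sig, now)
	out.TamperedRejected = err != nil
	// Expired certificate: validity judged against a clock 48 hours ahead.
	_, err = v.VerifyTransaction(cert, tx, sig, now.Add(48*time.Hour))
	out.ExpiredRejected = err != nil
	// Reported key compromise: the CA revokes, the institution refuses the certificate.
	ca.Revoke(cert)
	_, err = v.VerifyTransaction(cert, tx, sig, now)
	out.RevokedRejected = err != nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

The institution side holds only the root certificate and a revocation lookup, which is the property the text relies on: no shared secret is stored centrally, so there is nothing for an attacker to steal from the server that would let them forge a user's signature. The revocation step is what makes the "promptly report compromise" guidance enforceable; a revoked certificate is refused even though its signature still verifies mathematically.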
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 9 - Assurance
9.1 Accreditation and Assurance
Accreditation is a management official's formal acceptance of the
adequacy of a system's security. The best way to view computer
security accreditation is as a form of quality control. It forces
managers and technical staff to work together to find workable,
cost-effective solutions given security needs, technical
constraints, operational constraints, and mission or business
requirements. The accreditation process obliges managers to make the
critical decision regarding the adequacy of security safeguards and,
therefore, to recognize and perform their role in securing their
systems. In order for the decisions to be sound, they need to be
based on reliable information about the implementation of both
technical and nontechnical safeguards. These include:
! Technical features (Do they operate as intended?).
! Operational practices (Is the system operated according to
stated procedures?).
! Overall security (Are there threats which the technical features
and operational practices do not address?).
! Remaining risks (Are they acceptable?).
A computer system should be accredited before the system becomes
operational with periodic reaccreditation after major system changes
or when significant time has elapsed. Even if a system was not
initially accredited, the accreditation process can be initiated at
any time. Chapter 8 further discusses accreditation.
9.1.1 Accreditation and Assurance
Assurance is an extremely important -- but not the only -- element
in accreditation. As shown in the diagram, assurance addresses
whether the technical measures and procedures operate either (1)
according to a set of security requirements and specifications or
(2) according to general quality principles. Accreditation also
addresses whether the system's security requirements are correct and
well implemented and whether the level of quality is sufficiently
high.