MISCELLANEOUS CYBERSECURITY NEWS:
Follow CISA’s four best practices for staying safe against potential
Russian cyberattacks - The Cybersecurity and Infrastructure Security
Agency (CISA), the FBI and the Department of Energy (DOE) released a
joint advisory in late March (Alert AA22-083A) that details
intrusion campaigns conducted by state-sponsored Russian cyber
actors against U.S. energy sector organizations.
https://www.scmagazine.com/perspective/critical-infrastructure/follow-cisas-four-best-practices-for-staying-safe-against-potential-russian-cyberattacks
Insurance companies increasingly fall prey to cyberattacks - For
many years, cybercriminals have focused their attacks on banks,
credit unions and investment firms.
https://www.scmagazine.com/analysis/cybercrime/insurance-companies-increasingly-fall-prey-to-cyberattacks
Multiple lawsuits against SuperCare allege FTC, HIPAA violations in
2021 breach - Some of the 318,379 patients whose health data was
accessed during a July 2021 hack of SuperCare filed two separate
lawsuits, claiming inadequate security led to the exposure in
possible violation of Federal Trade Commission and The Health
Insurance Portability and Accountability Act regulations.
https://www.scmagazine.com/analysis/breach/multiple-lawsuits-against-supercare-allege-ftc-hipaa-violations-in-2021-breach
FDA on medical device security: ‘We’re not waiting for harm’ to act
- Following a ransomware attack simulation within the clinical
environment at CyberMed, the Food and Drug Administration’s Office
of Strategic Partnerships & Technology Director Suzanne Schwartz
reaffirmed the FDA’s proactive posture to swiftly move the needle on
much needed pre- and post-market medical device security.
https://www.scmagazine.com/analysis/device-security/fda-on-medical-device-security-were-not-waiting-for-harm-to-act
5 ways to automate multi-cloud security - A survey by Valtix earlier
this year found that 51% of respondents have resisted moving to
multi-cloud platforms because of the added security complexities
these environments create.
https://www.scmagazine.com/analysis/cloud-security/5-ways-to-automate-multi-cloud-security
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT &
LOSS:
Email warnings to healthcare employees after a PHI breach
drastically reduces repeat offenses - Research consistently shows
healthcare is one of the worst sectors at stopping data breaches
caused by insiders. New data published in JAMA Network Open reveals
sending email warnings to employees after unauthorized access
prevented a repeat occurrence in 95% of cases.
https://www.scmagazine.com/analysis/compliance/email-warnings-to-healthcare-employees-after-a-phi-breach-drastically-reduces-repeat-offenses
Clueless hackers spent months inside a network and nobody noticed.
But then a ransomware gang turned up - A series of poor
cybersecurity decisions meant the victim didn't notice intruders on
their network - until more sophisticated attackers arrived.
https://www.zdnet.com/article/clueless-hackers-spent-months-inside-a-network-and-nobody-noticed-then-a-ransomware-gang-took-over/
Hospital hallway robots get patches for potentially serious bugs -
Rolling robots used at hospitals for a variety of tasks — including
transporting medication — have been patched for five vulnerabilities
that could have allowed attackers to potentially disrupt patient
care or capture sensitive information, researchers said Tuesday.
https://www.cyberscoop.com/aethon-tug-robot-vulnerabilities-cynerio/
DHS investigators say they foiled cyberattack on undersea internet
cable in Hawaii - Federal agents in Honolulu last week “disrupted”
an apparent cyberattack on an unnamed telecommunication company’s
servers associated with an underwater cable responsible for
internet, cable service and cell connections in Hawaii and the
region, the agency said in a statement Tuesday.
https://www.cyberscoop.com/undersea-cable-operator-hacked-hawaii/
A single email account hack spurs breach notice for 503K Christie
Clinic patients - The hack of a single employee email account at
Christie Clinic led to the potential access of protected health
information tied to 502,869 patients.
https://www.scmagazine.com/analysis/breach/a-single-email-account-hack-spurs-breach-notice-for-503k-christie-clinic-patients
GitHub Warns of Private Repositories Downloaded Using Stolen OAuth
Tokens - GitHub has sounded the alarm on a cyberattack that resulted
in the private repositories of dozens of organizations being
downloaded by an unauthorized party abusing stolen OAuth user
tokens.
https://www.securityweek.com/github-warns-private-repositories-downloaded-using-stolen-oauth-tokens
Healthcare vendor accused of ‘concealed’ ransomware, lengthy service
outages - A newly filed lawsuit details a host of care and business
impacts, lost data, disruptions of service, and reputational damage
due to a “concealed” ransomware attack and subsequent outages.
https://www.scmagazine.com/analysis/incident-response/healthcare-vendor-accused-of-concealed-ransomware-lengthy-service-outages
WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (6 of 12)
Best Practices - Going Beyond the Minimum
Each bank has the opportunity to go beyond the minimum
requirements and incorporate industry best practices into its IRP.
As each bank tailors its IRP to match its administrative, technical,
and organizational complexity, it may find some of the following
best practices relevant to its operating environment. The practices
addressed below are not all-inclusive, nor are they regulatory
requirements. Rather, they are representative of some of the more
effective practices and procedures some institutions have
implemented. For organizational purposes, the best practices have
been categorized into the various stages of incident response:
preparation, detection, containment, recovery, and follow-up.
Preparation
Preparing for a potential security compromise of customer
information is a proactive risk management practice. The overall
effectiveness and efficiency of an organization's response is
related to how well it has organized and prepared for potential
incidents. Two of the more effective practices noted in many IRPs
are addressed below.
Establish an incident response team.
A key practice in preparing for a potential incident is
establishing a team that is specifically responsible for responding
to security incidents. Organizing a team that includes individuals
from various departments or functions of the bank (such as
operations, networking, lending, human resources, accounting,
marketing, and audit) may better position the bank to respond to a
given incident. Once the team is established, members can be
assigned roles and responsibilities to ensure incident handling and
reporting is comprehensive and efficient. A common responsibility
that banks have assigned to the incident response team is developing
a notification or call list, which includes contact information for
employees, vendors, service providers, law enforcement, bank
regulators, insurance companies, and other appropriate contacts. A
comprehensive notification list can serve as a valuable resource
when responding to an incident.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.3.3 Tools for Audit Trail Analysis
Many types of tools have been developed to help to reduce the amount
of information contained in audit records, as well as to distill
useful information from the raw data. Especially on larger systems,
audit trail software can create very large files, which can be
extremely difficult to analyze manually. The use of automated tools
is likely to be the difference between unused audit trail data and a
robust program. Some of the types of tools include:
Audit reduction tools are preprocessors designed to reduce
the volume of audit records to facilitate manual review. Before a
security review, these tools can remove many audit records known to
have little security significance. (This alone may cut in half the
number of records in the audit trail.) These tools generally remove
records generated by specified classes of events, such as those
generated by nightly backups.
Trends/variance-detection tools look for anomalies in user or
system behavior. It is possible to construct more sophisticated
processors that monitor usage trends and detect major variations.
For example, if a user typically logs in at 9 a.m., but appears at
4:30 a.m. one morning, this may indicate a security problem that may
need to be investigated.
Attack signature-detection tools look for an attack
signature, which is a specific sequence of events indicative of an
unauthorized access attempt. A simple example would be repeated
failed log-in attempts.
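As an added illustration that is not part of the NIST Handbook, the three tool types above (audit reduction, trend/variance detection, attack-signature detection) applied to a small constructed audit trail; the record format, event names and thresholds are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (assumed format: timestamp, user, event type).
RECORDS = [
    ("2022-04-18 02:00:00", "backup", "BACKUP_JOB"),
    ("2022-04-18 02:05:00", "backup", "BACKUP_JOB"),
    ("2022-04-18 09:02:00", "alice", "LOGIN_OK"),
    ("2022-04-19 09:01:00", "alice", "LOGIN_OK"),
    ("2022-04-20 09:05:00", "alice", "LOGIN_OK"),
    ("2022-04-21 04:30:00", "alice", "LOGIN_OK"),   # unusual hour for alice
    ("2022-04-21 04:31:00", "bob", "LOGIN_FAIL"),
    ("2022-04-21 04:31:10", "bob", "LOGIN_FAIL"),
    ("2022-04-21 04:31:20", "bob", "LOGIN_FAIL"),
    ("2022-04-21 04:31:30", "bob", "LOGIN_FAIL"),
    ("2022-04-21 04:32:00", "bob", "LOGIN_FAIL"),
]

def parse(records):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, ev) for ts, u, ev in records]

def reduce_records(records, drop=("BACKUP_JOB",)):
    """Audit reduction: drop event classes known to have little security significance."""
    return [r for r in records if r[2] not in drop]

def login_hour_variances(records, max_hours_off=3):
    """Trend/variance detection: flag successful logins far from the user's modal hour."""
    by_user = defaultdict(list)
    for ts, user, ev in parse(records):
        if ev == "LOGIN_OK":
            by_user[user].append(ts)
    flagged = []
    for user, times in by_user.items():
        typical = Counter(t.hour for t in times).most_common(1)[0][0]
        for t in times:
            d = abs(t.hour - typical)
            if min(d, 24 - d) > max_hours_off:   # circular distance across midnight
                flagged.append((t.strftime("%Y-%m-%d %H:%M:%S"), user))
    return flagged

def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Attack-signature detection: threshold or more failed logins by one user in a window."""
    fails = defaultdict(list)
    for ts, user, ev in parse(records):
        if ev == "LOGIN_FAIL":
            fails[user].append(ts)
    hits = []
    for user, times in fails.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            hits.append(user)
    return hits
```

The modal-hour baseline is deliberately crude; a production variance detector would build per-user baselines over a longer history and account for weekends and shift changes.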