MISCELLANEOUS CYBERSECURITY NEWS:
NSA sounds alarm on AI’s cybersecurity risks - Attack vectors unique
to AI may attract malicious actors on the hunt for sensitive data or
intellectual property, the NSA warned.
https://www.cybersecuritydive.com/news/nsa-generative-ai-artificial-intelligence-cybersecurity-risk/713661/
Phishing remains top route to initial access - Tricking individuals
to reveal sensitive information turns human behavior and trust into
a weapon. Threat actors used phishing links or attacks in 71% of all
security incidents in 2023.
https://www.cybersecuritydive.com/news/phishing-initial-access-cyber-attack/711371/
Akira takes in $42 million in ransom payments, now targets Linux
servers - The Akira ransomware group netted itself $42 million in
payments in the last year from over 250 organizations, according to
a joint advisory released April 18 by four leading cybersecurity
agencies across Europe and the United States.
https://www.scmagazine.com/news/akira-takes-in-42-million-in-ransom-payments-now-targets-linux-servers
Change Healthcare’s ransomware attack costs edge toward $1B so far -
UnitedHealth, parent company of ransomware-besieged Change
Healthcare, says the total costs of tending to the February
cyberattack for the first calendar quarter of 2024 currently stands
at $872 million.
https://www.theregister.com/2024/04/16/change_healthcares_ransomware_attack_has/
Cyber insurance gaps stick firms with millions in uncovered losses -
A CYE analysis of 101 breaches across various sectors revealed
insurance gaps resulting in an average of $27.3 million in uncovered
losses per incident.
https://www.cybersecuritydive.com/news/cyber-insurance-gaps-cyberattack/713786/
Will the Change Healthcare case finally make providers do a business
impact analysis? - Just over a month since the cyberattack on Change
Healthcare disrupted business operations, prescription access, and
billing for providers across the country, United Health Group last
week confirmed what industry leaders have suspected: patient data
was compromised during the incident.
https://www.scmagazine.com/perspective/will-the-change-healthcare-case-finally-make-providers-do-a-business-impact-analysis
What’s going on with the National Vulnerability Database? - CVE
overload and a lengthy backlog have meant the federal government’s
repository of vulnerability data can’t keep up with today’s threat
landscape.
https://www.cybersecuritydive.com/news/nist-national-vulnerability-database/712826/
UnitedHealth admits it paid a ransom in Change Healthcare attack -
The insurer also confirmed Monday that more than 20 screenshots of
potentially stolen patient data were posted on the dark web for
about a week.
https://www.cybersecuritydive.com/news/unitedhealth-paid-ransom-change-cyberattack/714008/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Russia’s Sandworm APT linked to attack on Texas water plant -
Researchers have linked a cyberattack on a Texas water facility to
Sandworm, a top Russian military-aligned threat group responsible
for a decade of “disruptive and destructive” campaigns targeting
Ukraine.
https://www.scmagazine.com/news/russias-sandworm-apt-linked-to-attack-on-texas-water-plant
Frontier Communications hit by cyberattack, IT systems impacted -
The telecom provider said a cybercrime group intruded into its IT
infrastructure and gained access to PII. The operational disruption
following its containment “could be considered material.”
https://www.cybersecuritydive.com/news/frontier-communications-cyberattack/713732/
https://www.bleepingcomputer.com/news/security/frontier-communications-shuts-down-systems-after-cyberattack
185K people's sensitive data in the pits after ransomware raid on
Cherry Health - Ransomware strikes at yet another US healthcare
organization led to the theft of sensitive data belonging to just
shy of 185,000 people.
https://www.theregister.com/2024/04/18/ransomware_cherry_health/
840-bed hospital in France postpones procedures after cyberattack -
The Hospital Simone Veil in Cannes (CHC-SV) has announced that it
was targeted by a cyberattack on Tuesday morning, severely impacting
its operations and forcing staff to go back to pen and paper.
https://www.bleepingcomputer.com/news/security/chc-sv-hospital-in-france-postpones-procedures-after-cyberattack/
United Nations Agency Investigating Ransomware Attack Involving Data
Theft - In a statement, the organization said the attack targeted
local IT infrastructure in UN City, the Copenhagen-based complex
that houses nearly a dozen UN agencies.
https://www.securityweek.com/united-nations-agency-investigating-ransomware-attack-involving-data-theft/
5.3M World-Check records may be leaked; how to check your records -
World-Check, a “know your customer” (KYC) database with millions of
records on “high risk” individuals and organizations, may soon have
its database leaked by hackers who claim to have stolen 5.3 million
World-Check records from a third party.
https://www.scmagazine.com/news/5-3m-world-check-records-may-be-leaked-how-to-check-your-records
Cisco Duo customer MFA message logs stolen in supply chain hack -
Phone numbers and other data
belonging to users of Cisco Duo’s identity authentication service
have been stolen following the breach of a third-party telephony
supplier.
https://www.scmagazine.com/news/cisco-duo-customer-mfa-message-logs-stolen-in-supply-chain-hack
MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days - The
attack occurred in early January,
but it was only discovered this month. It targeted MITRE’s Networked
Experimentation, Research, and Virtualization Environment (NERVE),
an unclassified collaborative network that is used for research,
development, and prototyping.
https://www.securityweek.com/mitre-hacked-by-state-sponsored-group-via-ivanti-zero-days/
Synlab Italia suspends operations following ransomware attack -
Synlab Italia has
suspended all its medical diagnostic and testing services after a
ransomware attack forced its IT systems to be taken offline.
https://www.bleepingcomputer.com/news/security/synlab-italia-suspends-operations-following-ransomware-attack/
Sacramento airport goes no-fly after AT&T internet cable snipped -
Sacramento International Airport
(SMF) suffered hours of flight delays yesterday after what appears
to be an intentional cutting of an AT&T internet cable serving the
facility.
https://www.theregister.com/2024/04/19/sacramento_airport_outage/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle 12: Banks should take
appropriate measures to ensure adherence to
customer privacy requirements applicable to the jurisdictions to
which the bank is providing e-banking products and services.
Maintaining a customer's information privacy is a key
responsibility for a bank. Misuse or unauthorized disclosure of
confidential customer data exposes a bank to both legal and
reputation risk. To meet these challenges concerning the
preservation of privacy of customer information, banks should make
reasonable endeavors to ensure that:
1) The bank's customer privacy policies and standards take
account of and comply with all privacy regulations and laws
applicable to the jurisdictions to which it is providing e-banking
products and services.
2) Customers are made aware of the bank's privacy policies and
relevant privacy issues concerning use of e-banking products and
services.
3) Customers may decline (opt out) from permitting the bank to
share with a third party for cross-marketing purposes any
information about the customer's personal needs, interests,
financial position or banking activity.
4) Customer data are not used for purposes beyond which they are
specifically allowed or for purposes beyond which customers have
authorized.
5) The bank's standards for customer data use must be met when
third parties have access to customer data through outsourcing
relationships.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 3 of 3)
When utilizing PKI policies and controls, financial institutions
need to consider the following:
! Defining within the certificate issuance policy the methods of
initial verification that are appropriate for different types of
certificate applicants and the controls for issuing digital
certificates and key pairs;
! Selecting an appropriate certificate validity period to
minimize transactional and reputation risk exposure - expiration
provides an opportunity to evaluate the continuing adequacy of key
lengths and encryption algorithms, which can be changed as needed
before issuing a new certificate;
! Ensuring that the digital certificate is valid by such means as
checking a certificate revocation list before accepting transactions
accompanied by a certificate;
! Defining the circumstances for authorizing a certificate's
revocation, such as the compromise of a user's private key or the
closure of user accounts;
! Updating the database of revoked certificates frequently,
ideally in real-time mode;
! Employing stringent measures to protect the root key including
limited physical access to CA facilities, tamper-resistant
security modules, dual control over private keys and the process of
signing certificates, as well as the storage of original and backup
keys on computers that do not connect with outside networks;
! Requiring regular independent audits to ensure controls are in
place, public and private key lengths remain appropriate,
cryptographic modules conform to industry standards, and procedures
are followed to safeguard the CA system;
! Recording in a secure audit log all significant events
performed by the CA system, including the use of the root key, where
each entry is time/date stamped and signed;
! Regularly reviewing exception reports and system activity by
the CA's employees to detect malfunctions and unauthorized
activities; and
! Ensuring the institution's certificates and authentication
systems comply with widely accepted PKI standards to retain the
flexibility to participate in ventures that require the acceptance
of the financial institution's certificates by other CAs.
The encryption components of PKI are addressed more fully under
"Encryption."
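The validity-period, revocation and CRL items in the list above are the ones a relying party can check mechanically before accepting a transaction. The Go program below is an added example, not FFIEC text and not any institution's code: it builds a throwaway test CA, issues two customer certificates with a bounded validity period, publishes a CRL revoking one of them, and then runs the checks (chain to the trusted root, validity window, CRL signature, CRL freshness, revocation status). The CA name, serial numbers and customer names are constructed for the demo, and the in-memory root key stands in for the tamper-resistant, dual-controlled key the guidance calls for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed root CA. Constructed test material only: a real
// root key belongs in a tamper-resistant module under dual control.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Bank Root CA (test)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueCert issues a customer certificate with a bounded validity period, so
// expiry forces a periodic look at key length and algorithm choice.
func issueCert(caKey *ecdsa.PrivateKey, ca *x509.Certificate, serial int64, cn string, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueCRL signs a revocation list naming the given serials; a short NextUpdate
// lets a relying party notice when its copy of the list has gone stale.
func issueCRL(caKey *ecdsa.PrivateKey, ca *x509.Certificate, revoked []int64, lifetime time.Duration) (*x509.RevocationList, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(lifetime),
		RevokedCertificates: entries,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// validate is the relying party's pre-transaction check: chain and validity
// window, then CRL signature, CRL freshness, and the serial's revocation status.
func validate(cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain or validity check failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		// Fail closed: a stale list cannot prove the certificate is still good.
		return fmt.Errorf("CRL stale since %s: fetch a fresh list before accepting", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}
```

The stale-CRL branch refuses the transaction rather than falling open; that is the conservative reading of "updating the database of revoked certificates frequently, ideally in real-time mode". In a deployment the CA pieces (newCA, issueCert, issueCRL) would live with the CA operators, and only validate, fed by a CRL fetched from the CA's distribution point or by an OCSP response, would run on the relying party's side.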
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 9 - Assurance
9.1.2 Selecting Assurance Methods
The accrediting official makes the final decision about how much and
what types of assurance are needed for a system. For this decision
to be informed, it is derived from a review of security, such as a
risk assessment or other study (e.g., certification), as deemed
appropriate by the accrediting official. The accrediting official
needs to be in a position to analyze the pros and cons of the cost
of assurance, the cost of controls, and the risks to the
organization. At the end of the accreditation process, the
accrediting official will be the one to accept the remaining risk.
Thus, the selection of assurance methods should be coordinated with
the accrediting official.
In selecting assurance methods, the need for assurance should be
weighed against its cost. Assurance can be quite expensive,
especially if extensive testing is done. Each method has strengths
and weaknesses in terms of cost and what kind of assurance is
actually being delivered. A combination of methods can often provide
greater assurance, since no method is foolproof, and can be less
costly than extensive testing.
The accrediting official is not the only arbiter of assurance. Other
officials who use the system should also be consulted. (For example,
a Production Manager who relies on a Supply System should provide
input to the Supply Manager.) In addition, there may be constraints
outside the accrediting official's control that also affect the
selection of methods. For instance, some of the methods may unduly
restrict competition in acquisitions of federal information
processing resources or may be contrary to the organization's
privacy policies. Certain assurance methods may be required by
organizational policy or directive.
9.2 Planning and Assurance
Assurance planning should begin during the planning phase of the
system life cycle, either for new systems or for system upgrades.
Planning for assurance when planning for other system requirements
makes sense. If a system is going to need extensive testing, it
should be built to facilitate such testing.
Planning for assurance helps a manager make decisions about what
kind of assurance will be cost-effective. If a manager waits until a
system is built or bought to consider assurance, the number of ways
to obtain assurance may be much smaller than if the manager had
planned for it earlier, and the remaining assurance options may be
more expensive.