MISCELLANEOUS CYBERSECURITY NEWS:
Experts warn patching won’t protect critical infrastructure against
‘new-age malware’ - The world’s most advanced industrial malware,
PIPEDREAM, could be hiding within critical infrastructure control
systems ready to unleash its “wartime capabilities,” a management
consultancy has warned.
https://www.scmagazine.com/analysis/security-awareness/experts-warn-patching-wont-protect-critical-infrastructure-against-new-age-malware
Five Eye nations release new guidance on smart city cybersecurity -
Australia, Canada, New Zealand, UK, and US offer advice on potential
smart city vulnerabilities and how to mitigate them.
https://www.csoonline.com/article/3694149/five-eye-nations-release-new-guidance-on-smart-city-cybersecurity.html
JP Morgan Chase exec offers 5-step approach to supply chain security
- While there’s no such thing as perfect security, there are at
least five steps security teams can take to more effectively secure
their supply chains.
https://www.scmagazine.com/news/third-party-risk/jp-morgan-chase-5-step-approach-supply-chain-security
Why CISOs and legal need to be on the same page when their company
is hacked - Your budget is never what you think it needs to be,
you’re often widely viewed within the organization as a cost center
and an obstacle, your influence over larger business decisions that
impact security is usually limited, and if there is a damaging
breach or incident within an organization, the CISO is the first
person that executive leadership and the public look to blame.
https://www.scmagazine.com/analysis/compliance/cisos-legal-department-company-hacked
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Military helicopter crash blamed on failure to apply software patch
- An Australian military helicopter crash was reportedly caused by
failure to apply a software patch, with a hefty side serving of
pilot error.
https://www.theregister.com/2023/04/18/helicopter_crash_missing_software_patch/
Medtronic latest to reveal health data disclosure via pixel tracking
tools - Medtronic MiniMed has joined the long list of healthcare
entities to report unintentional disclosures to third parties
without authorization due to the use of tracking or pixel
technology.
https://www.scmagazine.com/news/privacy/medtronic-health-data-disclosure-via-pixel-tracking-tools
Ransomware Attack Hits Health Insurer Point32Health - Established in
2021 as the merger between Harvard Pilgrim Health Care and Tufts
Health Plan, Point32Health is the second largest health insurer in
Massachusetts, serving more than 2 million customers.
https://www.securityweek.com/ransomware-attack-hits-health-insurer-point32health/
Capita admits data stolen during cyberattack - Outsourcing giant
Capita, which provides essential services to the UK's government,
admitted that hackers stole data from its system during a
cyberattack last month.
https://www.scmagazine.com/analysis/ransomware/capita-admits-data-stolen-during-cyberattack
DC Health Link Data Breach Caused by Human Error - Further
information has been released on the data breach at the Washington
DC health insurance exchange, DC Health Link, ahead of a House
Oversight Committee’s subcommittee on cybersecurity, information
technology, and government innovation hearing today.
https://www.hipaajournal.com/dc-health-link-data-breach-caused-by-human-error/
Shields Health Breach Exposes 2.3M Users' Data - An unauthorized
actor gained access to the systems of Shields Health Care Group
(SHCG) in March, exposing driver's license numbers as well as other
identification information for more than 2.3 million patients,
according to the company.
https://www.darkreading.com/attacks-breaches/shields-health-breach-exposes-2-3m-users-data
WEB SITE COMPLIANCE -
Advertisements
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the Internet or
on-line text. Thus, institutions should carefully review their
on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit
application can be made on-line may be considered "places of
business" under HUD's rules prescribing lobby notices. Thus,
institutions may want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
applications.
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Internet."
Data Integrity
Potentially, the open architecture of the Internet can allow
those with specific knowledge and tools to alter or modify data
during a transmission. Data integrity could also be compromised
within the data storage system itself, both intentionally and
unintentionally, if proper access controls are not maintained. Steps
must be taken to ensure that all data is maintained in its original
or intended form.
Authentication
Essential in electronic commerce is the need to verify that a
particular communication, transaction, or access request is
legitimate. To illustrate, computer systems on the Internet are
identified by an Internet protocol (IP) address, much like a
telephone is identified by a phone number. Through a variety of
techniques, generally known as "IP spoofing" (i.e., impersonating),
one computer can actually claim to be another. Likewise, user
identity can be misrepresented as well. In fact, it is relatively
simple to send email which appears to have come from someone else,
or even send it anonymously. Therefore, authentication controls are
necessary to establish the identities of all parties to a
communication.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.1 Errors and Omissions
Errors and omissions are an important threat to data and system
integrity. These errors are caused not only by data entry clerks
processing hundreds of transactions per day, but also by all types
of users who create and edit data. Many programs, especially those
designed by users for personal computers, lack quality control
measures. However, even the most sophisticated programs cannot
detect all types of input errors or omissions. A sound awareness and
training program can help an organization reduce the number and
severity of errors and omissions.
Users, data entry clerks, system operators, and programmers
frequently make errors that contribute directly or indirectly to
security problems. In some cases, the error is the threat, such as a
data entry error or a programming error that crashes a system. In
other cases, the errors create vulnerabilities. Errors can occur
during all phases of the systems life cycle. A long-term survey of
computer-related economic losses conducted by Robert Courtney, a
computer security consultant and former member of the Computer
System Security and Privacy Advisory Board, found that 65 percent of
losses to organizations were the result of errors and omissions.
This figure was relatively consistent between both private and
public sector organizations.
Programming and development errors, often called "bugs," can range
in severity from benign to catastrophic. In a 1989 study for the
House Committee on Science, Space and Technology, entitled Bugs in
the Program, the staff of the Subcommittee on Investigations and
Oversight summarized the scope and severity of this problem in terms
of government systems as follows:
a) As expenditures grow, so do concerns about the reliability,
cost and accuracy of ever-larger and more complex software systems.
These concerns are heightened as computers perform more critical
tasks, where mistakes can cause financial turmoil, accidents, or in
extreme cases, death.
Since the study's publication, the software industry has changed
considerably, with measurable improvements in software quality. Yet
software "horror stories" still abound, and the basic principles and
problems analyzed in the report remain the same. While there have
been great improvements in program quality, as reflected in
decreasing errors per 1,000 lines of code, the concurrent growth in
program size often seriously diminishes the beneficial effects of
these program quality enhancements.
Installation and maintenance errors are another source of security
problems. For example, an audit by the President's Council for
Integrity and Efficiency (PCIE) in 1988 found that every one of the
ten mainframe computer sites studied had installation and
maintenance errors that introduced significant security
vulnerabilities.