MISCELLANEOUS CYBERSECURITY NEWS:
Dr. Hacker: With ‘no carrot,’ healthcare can’t overcome
cybersecurity failures - Healthcare's systemic cybersecurity
challenges won't improve without congressional action as there is
simply “no carrot,” or incentive, to do so.
https://www.scmagazine.com/analysis/device-security/dr-hacker-with-no-carrot-healthcare-cant-overcome-cybersecurity-failures
CISA expands Joint Cyber Defense Collaborative to include GE,
Siemens - Critical infrastructure organizations across all sectors
depend on industrial control systems, said the agency – which means
their security is a high priority.
https://www.healthcareitnews.com/news/cisa-expands-joint-cyber-defense-collaborative-include-ge-siemens
Visa takes a more aggressive stand on cybersecurity - Earlier this
week, Visa set a more ambitious stance on cybersecurity, blogging
about the company’s commitment to IT security in the face of
heightened digital security concerns.
https://www.scmagazine.com/analysis/identity-and-access/visa-takes-a-more-aggressive-stand-on-cybersecurity
Cyberattacks on financial firms are more damaging, target sensitive
data - Just as the tools to limit financial fraud have evolved, so
have the threats aimed at U.S. financial firms, in terms of more
advanced and subtle intrusions, and where they strike, according to
a recent study.
https://www.scmagazine.com/analysis/cybercrime/cyberattacks-on-financial-firms-are-more-damaging-target-sensitive-data
Proposed $5M settlement in Solara Medical lawsuit mandates security
overhaul - A proposed $5 million settlement in the data breach
class-action lawsuit against Solara Medical Supplies would require
the diabetes medical supply vendor to undergo annual incident
response tests and make a number of improvements to its security
program.
https://www.scmagazine.com/analysis/breach/proposed-5m-settlement-in-solara-medical-lawsuit-mandates-security-overhaul
New payment security standards create new opportunities for online
financial firms - New security standards released a month ago have
promised to create a much more secure environment for card-based
payments.
https://www.scmagazine.com/analysis/identity-and-access/new-payment-security-standards-create-new-opportunities-for-online-financial-firms
Will the cloud bring a sunset to ransomware? - Ransomware has been
the scourge of the enterprise for several years now. And while it’s
difficult to imagine right now, we are very close to finally
eliminating it as a major threat to data and business operations.
https://www.scmagazine.com/perspective/ransomware/will-the-cloud-bring-a-sunset-to-ransomware
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Healthcare vendor accused of ‘concealed’ ransomware, lengthy service
outages - What happens when a business associate allegedly fails to
timely notify covered entities of ransomware attacks and a series of
prolonged network downtime?
https://www.scmagazine.com/analysis/incident-response/healthcare-vendor-accused-of-concealed-ransomware-lengthy-service-outages
Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code -
KrebsOnSecurity recently reviewed a copy of the private chat
messages between members of the LAPSUS$ cybercrime group in the week
leading up to the arrest of its most active members last month.
https://krebsonsecurity.com/2022/04/leaked-chats-show-lapsus-stole-t-mobile-source-code/
Cyberattack Causes Chaos in Costa Rica Government Systems - Nearly a
week into a ransomware attack that has crippled Costa Rican
government computer systems, the country refused to pay a ransom as
it struggled to implement workarounds and braced itself as hackers
began publishing stolen information.
https://www.securityweek.com/cyberattack-causes-chaos-costa-rica-government-systems
French hospital group disconnects Internet after hackers steal data
- The GHT Coeur Grand Est. Hospitals and Health Care group has
disconnected all incoming and outgoing Internet connections after
discovering they suffered a cyberattack that resulted in the theft
of sensitive administrative and patient data.
https://www.bleepingcomputer.com/news/security/french-hospital-group-disconnects-internet-after-hackers-steal-data/
Ransomware attacks are hitting universities hard, and they are
feeling the pressure - Cyber criminals are targeting universities
with ransomware attacks that are costing millions of pounds, while
IT departments are feeling overstretched.
https://www.zdnet.com/article/ransomware-attacks-are-hitting-universities-hard-and-they-are-feeling-the-pressure/
Tenet Health investigating cybersecurity incident, IT outage - A
“cybersecurity incident” struck Tenet Healthcare last week,
resulting in the immediate suspension of access to IT applications.
Tenet is one of the largest hospital care service providers in the
U.S. with over 146 hospitals.
https://www.scmagazine.com/analysis/cybercrime/tenet-health-investigating-cybersecurity-incident-it-outage
Breach update shows 2.6M individuals affected by Smile Brands data
theft - In an update to its initial September 2021 breach notice,
Smile Brands has assessed that the ransomware attack and subsequent
data theft impacted approximately 2.6 million individuals. Smile
Brands is a dental support services vendor.
https://www.scmagazine.com/analysis/ransomware/breach-update-shows-2-6m-individuals-affected-by-smile-brands-data-theft
WEB SITE COMPLIANCE -
We continue the series on FDIC Supervisory Insights regarding Incident Response Programs. (7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program
is to define what constitutes an incident. This step is important as
it sharpens the organization's focus and delineates the types of
events that would trigger the use of the IRP. Moreover, identifying
potential security incidents can also make the possible threats seem
more tangible, and thus better enable organizations to design
specific incident-handling procedures for each identified threat.
Detection
The ability to detect that an incident is occurring or has
occurred is an important component of the incident response process.
This is considerably more important with respect to technical
threats, since these can be more difficult to identify without the
proper technical solutions in place. If an institution is not
positioned to quickly identify incidents, the overall effectiveness
of the IRP may be affected. Following are two detection-related best
practices included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical solution,
such as an intrusion detection system or a firewall, to assist in
the identification of unauthorized system access. Activity reports
from these and other technical solutions (such as network and
application security reports) serve as inputs for the monitoring
process and for the IRP in general. Identifying potential indicators
of unauthorized system access within these activity or security
reports can assist in the detection process.
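The passage above says activity reports from firewalls and intrusion detection systems are inputs to the monitoring process, and that indicators of unauthorized access should be identified within them. The following Python example, added here and not part of the FDIC article, shows what that looks like in practice: it parses a small set of constructed activity-report lines (a hypothetical, generic export format, not any real product's) and flags three common indicators: a successful login after repeated failures from the same source, successful access outside business hours, and denied connections toward administrative ports on servers. The thresholds and the business-hours window are assumptions a monitoring team would tune to its own environment.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample activity-report lines (hypothetical firewall/IDS export
# format, not a real product's): timestamp, source, result, user, target.
SAMPLE_REPORT = """\
2022-04-25T02:14:07 src=203.0.113.9 result=FAIL user=admin target=vpn
2022-04-25T02:14:11 src=203.0.113.9 result=FAIL user=admin target=vpn
2022-04-25T02:14:16 src=203.0.113.9 result=FAIL user=admin target=vpn
2022-04-25T02:14:20 src=203.0.113.9 result=FAIL user=admin target=vpn
2022-04-25T02:14:25 src=203.0.113.9 result=FAIL user=admin target=vpn
2022-04-25T02:14:31 src=203.0.113.9 result=OK user=admin target=vpn
2022-04-25T09:30:02 src=192.0.2.41 result=OK user=jsmith target=core-banking
2022-04-25T23:45:10 src=192.0.2.77 result=OK user=jsmith target=core-banking
2022-04-25T10:02:44 src=198.51.100.5 result=DENY user=- target=db-server:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) result=(?P<result>\S+) "
    r"user=(?P<user>\S+) target=(?P<target>\S+)$"
)


def parse_report(text):
    """Turn report lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_indicators(events, fail_threshold=5, business_hours=(8, 18)):
    """Return (indicator, detail) tuples that merit analyst attention.

    fail_threshold and business_hours are assumed tuning values."""
    indicators = []

    # 1. Success following repeated failures from the same source for the
    #    same account: a classic sign of password guessing that worked.
    fails = Counter()
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAIL":
            fails[key] += 1
        elif ev["result"] == "OK" and fails[key] >= fail_threshold:
            indicators.append((
                "success_after_repeated_failures",
                f"{ev['user']} from {ev['src']} after {fails[key]} failures",
            ))

    # 2. Successful access outside the institution's business hours.
    start, end = business_hours
    for ev in events:
        if ev["result"] == "OK" and not (start <= ev["ts"].hour < end):
            indicators.append((
                "off_hours_access",
                f"{ev['user']} -> {ev['target']} at {ev['ts'].isoformat()}",
            ))

    # 3. Firewall denies aimed at remote-administration ports on servers.
    for ev in events:
        if ev["result"] == "DENY" and ev["target"].endswith((":3389", ":22")):
            indicators.append((
                "denied_admin_port_probe",
                f"{ev['src']} -> {ev['target']}",
            ))
    return indicators


if __name__ == "__main__":
    for kind, detail in find_indicators(parse_report(SAMPLE_REPORT)):
        print(f"{kind}: {detail}")
```

Each indicator maps to something an IRP can name as a trigger, which is the point of the article's "define what constitutes an incident" step: the report alone is just data, and the detection rules turn it into events that either open an incident or do not.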
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 2 of 2)
Physical security for distributed IS, particularly LANs that are
usually PC-based, is slightly different than for mainframe
platforms. With a network there is often no centralized computer
room. In addition, a network often extends beyond the local
premises. There are certain components that need physical security.
These include the hardware devices and the software and data that
may be stored on the file servers, PCs, or removable media (tapes
and disks). As with more secure IS environments, physical network
security should prevent unauthorized personnel from accessing LAN
devices or the transmission of data. In the case of wire-transfer
clients, more extensive physical security is required.
Physical protection for networks as well as PCs includes power
protection, physical locks, and secure work areas enforced by
security guards and authentication technologies such as magnetic
badge readers. Physical access to the network components (i.e.,
files, applications, communications, etc.) should be limited to
those who require access to perform their jobs. Network workstations
or PCs should be password protected and monitored for workstation
activity.
Network wiring requires some form of protection since it does not
have to be physically penetrated for the data it carries to be
revealed or contaminated. Examples of controls include using a
conduit to encase the wiring, avoiding routing through publicly
accessible areas, and avoiding routing networking cables in close
proximity to power cables. The type of wiring can also provide a
degree of protection; signals over fiber, for instance, are less
susceptible to interception than signals over copper cable.
Capturing radio frequency emissions also can compromise network
security. Frequency emissions are of two types, intentional and
unintentional. Intentional emissions are those broadcast, for
instance, by a wireless network. Unintentional emissions are the
normally occurring radiation from monitors, keyboards, disk drives,
and other devices. Shielding is a primary control over emissions.
The goal of shielding is to confine a signal to a defined area. An
example of shielding is the use of foil-backed wallboard and window
treatments. Once a signal is confined to a defined area, additional
controls can be implemented in that area to further minimize the
risk that the signal will be intercepted or changed.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.4 Interdependencies
The ability to audit supports many of the controls presented in
this handbook. The following paragraphs describe some of the most
important interdependencies.
Policy. The most fundamental interdependency of audit
trails is with policy. Policy dictates who is authorized access to
what system resources. Therefore it specifies, directly or
indirectly, what violations of policy should be identified through
audit trails.
Assurance. System auditing is an important aspect of
operational assurance. The data recorded into an audit trail is used
to support a system audit. The analysis of audit trail data and the
process of auditing systems are closely linked; in some cases, they
may even be the same thing. In most cases, the analysis of audit
trail data is a critical part of maintaining operational assurance.
Identification and Authentication. Audit trails are tools
often used to help hold users accountable for their actions. To be
held accountable, the users must be known to the system (usually
accomplished through the identification and authentication process).
However, as mentioned earlier, audit trails record events and
associate them with the perceived user (i.e., the user ID). If a
user is impersonated, the audit trail will establish events but not
the identity of the user.
Logical Access Control. Logical access controls restrict
the use of system resources to authorized users. Audit trails
complement this activity in two ways. First, they may be used to
identify breakdowns in logical access controls or to verify that
access control restrictions are behaving as expected, for example,
if a particular user is erroneously included in a group permitted
access to a file. Second, audit trails are used to audit use of
resources by those who have legitimate access. Additionally, to
protect audit trail files, access controls are used to ensure that
audit trails are not modified.
Contingency Planning. Audit trails assist in contingency
planning by leaving a record of activities performed on the system
or within a specific application. In the event of a technical
malfunction, this log can be used to help reconstruct the state of
the system (or specific files).
Incident Response. If a security incident occurs, such as
hacking, audit records and other intrusion detection methods can be
used to help determine the extent of the incident. For example, was
just one file browsed, or was a Trojan horse planted to collect
passwords?
Cryptography. Digital signatures can be used to protect
audit trails from undetected modification. (This does not prevent
deletion or modification of the audit trail, but will provide an
alert that the audit trail has been altered.) Digital signatures can
also be used in conjunction with adding secure time stamps to audit
records. Encryption can be used if confidentiality of audit trail
information is important.
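The Cryptography paragraph above makes a precise claim: an integrity mechanism over the audit trail does not stop someone from altering or deleting records, but it makes the alteration detectable, and it pairs naturally with time stamps. The Python example below, added here and not taken from the NIST Handbook, implements that idea as a chained audit trail: every record carries a sequence number, a timestamp, and a tag computed over the record plus the previous record's tag, so editing one record or removing one from the middle breaks every verification after it. An HMAC keyed with a constructed key stands in for the digital signature the Handbook describes (the standard library has no signature primitive); with a real signature scheme the verifier would hold only the public key and the writer's host could not forge tags after the fact. The events, key and timestamps are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key held by the audit-log writer (constructed for this example).
# An HMAC stands in for the digital signature described in the Handbook.
AUDIT_KEY = b"example-audit-key-do-not-reuse"


def _canon(record):
    # Canonical JSON so the writer and the verifier tag exactly the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(record, prev_tag):
    # The tag binds this record to its predecessor, forming a chain.
    body = _canon(record) + b"|" + prev_tag.encode()
    return hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()


def append_record(trail, user, action, resource, timestamp=None):
    """Append one audit record; the tag covers the record and the previous tag."""
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    seq = len(trail)
    prev_tag = trail[-1]["tag"] if trail else "genesis"
    record = {"seq": seq, "ts": ts, "user": user,
              "action": action, "resource": resource}
    trail.append({"record": record, "tag": _tag(record, prev_tag)})
    return trail


def verify_trail(trail, expected_length=None):
    """Return (ok, problem); problem names the first inconsistency found.

    A modified record or a record deleted from the middle is caught by the
    chain itself. Truncation at the tail is only caught if the expected
    length (or last tag) was stored somewhere the attacker cannot reach."""
    prev_tag = "genesis"
    for i, entry in enumerate(trail):
        rec, tag = entry["record"], entry["tag"]
        if rec["seq"] != i:
            return False, f"sequence gap at position {i}: record says seq {rec['seq']}"
        if not hmac.compare_digest(tag, _tag(rec, prev_tag)):
            return False, f"tag mismatch at seq {i}"
        prev_tag = tag
    if expected_length is not None and len(trail) != expected_length:
        return False, f"trail truncated: {len(trail)} of {expected_length} records"
    return True, None


def build_sample_trail():
    """Constructed events with fixed timestamps so the example is reproducible."""
    trail = []
    append_record(trail, "jsmith", "login", "core-banking",
                  "2022-04-25T09:30:02+00:00")
    append_record(trail, "jsmith", "read", "/accounts/1001",
                  "2022-04-25T09:31:10+00:00")
    append_record(trail, "admin", "add_to_group", "payroll-readers:jsmith",
                  "2022-04-25T09:40:00+00:00")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail))
    trail[1]["record"]["resource"] = "/accounts/9999"   # simulate tampering
    print("after edit:", verify_trail(trail))
```

The third sample record is the kind of event the Logical Access Control paragraph mentions (a user added to a group that grants file access); a verified trail lets an auditor trust that such a record was neither inserted nor removed after the fact. The truncation case is worth noting for design: the Handbook's point that signatures "do not prevent deletion" applies most sharply to the tail of the log, which is why production designs anchor the latest tag in a separate store or on a remote log server.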