May 2, 2021
Does your financial institution need an affordable cybersecurity /
Internet security audit? Yennik, Inc. has clients in 42 states that
rely on our cybersecurity audits to ensure proper Internet security
settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b). The penetration test also complies
with the FFIEC Cybersecurity Assessment Tool regarding resilience
testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit focuses on a hacker's
perspective, which will help you identify real-world cybersecurity
weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
Virtual/remote IT audits
- I am performing
virtual/remote FFIEC IT
audits for banks and credit unions.
I am a former
bank examiner with 40 years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is
confidential.
FYI
- New chief of Carnegie Mellon’s CERT: Feds needs to do better with
info sharing - New head of Carnegie Mellon University’s CERT and
former federal Chief Information Security Officer Greg Touhill said
Thursday that federal strategies for information sharing needed to
keep their eye on the ball.
https://www.scmagazine.com/home/security-news/government-and-defense/new-chief-of-carnegie-mellons-cert-feds-needs-to-do-better-with-info-sharing/
Public utilities in the U.S. need to lock down critical
infrastructure facilities - Critical infrastructure such as water
treatment facilities and electric power plants in the United States
have become more vulnerable than ever to a cyberattack.
https://www.scmagazine.com/perspectives/public-utilities-in-the-u-s-need-to-lock-down-critical-infrastructure-facilities/
New certification program trains cyber pros in cloud, IoT and other
emerging tech - Cybersecurity and IT governance professionals who
are knowledgeable in their core field, but perhaps unsure how best
to apply their skills to AI, blockchain, cloud and IoT now have a
new certification course that can teach them the fundamentals of
these emerging tech spaces.
https://www.scmagazine.com/home/security-news/cloud-security/new-certification-program-trains-cyber-pros-in-cloud-iot-and-other-emerging-tech/
Easy-to-guess default device passwords are a step closer to being
banned - New plans designed to protect IoT devices from cyberattacks
will ban default passwords and require manufacturers to tell users
how long smart devices - including phones - will receive security
updates for.
https://www.zdnet.com/article/easy-to-guess-default-device-passwords-are-a-step-closer-to-being-banned/
Ransomware Targeted by New Justice Department Task Force - After
‘worst year ever’ for the cyberattacks, department seeks to disrupt
digital ecosystem that supports them - The Justice Department has
formed a task force to curtail the proliferation of ransomware
cyberattacks, in a bid to make the popular extortion schemes less
lucrative by targeting the entire digital ecosystem that supports
them.
https://www.wsj.com/articles/ransomware-targeted-by-new-justice-department-task-force-11619014158
How security pros, the insurance industry, and regulators can combat
ransomware - We are all well aware that ransomware exposures and
impacts have grown rapidly as professionals have shifted to working
from home because of the pandemic, resulting in expanded threat and
attack surfaces.
https://www.scmagazine.com/perspectives/how-security-pros-the-insurance-industry-and-regulators-can-combat-ransomware/
Water utility CISO offers tips to stay secure as IT and OT converge
- As critical infrastructure facilities increasingly converge their
IT and OT systems, visibility into traditionally isolated
operational systems is turning into a key security challenge.
https://www.scmagazine.com/home/security-news/iot/water-utility-ciso-offers-tips-to-stay-secure-as-it-and-ot-converge/
US aviation regulator warns of mid-air collision risk if Garmin TCAS
boxes are not updated - American aviation regulators have ordered
private jet operators to install software updates for Garmin
collision avoidance units after multiple reports of false alarms –
raising the risk of a mid-air crash.
https://www.theregister.com/2021/04/22/garmin_tcas_software_collision_risks_faa/
22% of all users still run Microsoft end-of-life Windows 7 -
Researchers on Monday reported that 22% of PC users still use
Windows 7, which Microsoft stopped supporting in January 2020.
https://www.scmagazine.com/home/security-news/vulnerabilities/22-of-all-users-still-run-microsoft-end-of-life-windows-7/
50 companies named trusted providers by Cloud Security Alliance -
The Cloud Security Alliance (CSA) on Thursday announced the
selection of a first round of “trusted providers” for cloud
security.
https://www.scmagazine.com/home/security-news/cloud-security/50-companies-named-trusted-providers-by-cloud-security-alliance/
Cloud security tops among list of skills needed to pursue cyber
career - Current and aspiring cybersecurity professionals named
cloud security, data analysis and coding/programming as the top
three most important skills to possess if you’re looking to join the
cyber workforce today.
https://www.scmagazine.com/home/security-news/cloud-security/cloud-security-tops-among-list-of-skills-needed-to-pursue-cyber-career/
Scammers imitate Windows logo with HTML tables to slip through email
gateways - A recently discovered phishing scam that convincingly
impersonates the Microsoft Windows logo with an HTML table serves as
a new reminder of how social engineers can abuse various elements in
emails to fool both human recipients and certain security solutions.
https://www.scmagazine.com/home/security-news/phishing/scammers-imitate-windows-logo-with-html-tables-to-slip-through-email-gateways/
Ransomware Task Force releases long-awaited recommendations - The
Ransomware Task Force, a collaboration of more than 60 stakeholders,
released its long-awaited ransomware framework on Thursday morning,
advocating nearly 50 interlocking government and private sector
strategies to tackle the criminal scourge.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-task-force-releases-long-awaited-recommendations/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Apple Targeted in $50 Million
Ransomware Hack of Supplier Quanta - As Apple Inc. was revealing its
newest line of iPads and flashy new iMacs on Tuesday, one of its
primary suppliers was enduring a ransomware attack from a Russian
operator claiming to have stolen blueprints of the U.S. company’s
latest products.
https://www.bloomberg.com/news/articles/2021-04-21/apple-targeted-in-50-million-ransomware-hack-of-supplier-quanta
At least 24 agencies run Pulse Secure software. How many were hacked
is an open question. - At least two-dozen U.S. federal agencies run
the Pulse Connect Secure enterprise software that two advanced
hacking groups have recently exploited, according to the Department
of Homeland Security’s cybersecurity agency.
https://www.cyberscoop.com/pulse-secure-24-agencies-espionage-department-of-energy/
CISA orders federal orgs to mitigate Pulse Secure VPN bug by Friday
- The US Cybersecurity and Infrastructure Security Agency (CISA) has
issued a new emergency directive ordering federal agencies to
mitigate an actively exploited vulnerability in Pulse Connect Secure
(PCS) VPN appliances on their networks by Friday.
https://www.bleepingcomputer.com/news/security/cisa-orders-federal-orgs-to-mitigate-pulse-secure-vpn-bug-by-friday/
Backdoored password manager stole data from as many as 29K
enterprises - As many as 29,000 users of the Passwordstate password
manager downloaded a malicious update that extracted data from the
app and sent it to an attacker-controlled server, the app-maker told
customers.
https://arstechnica.com/gadgets/2021/04/hackers-backdoor-corporate-password-manager-and-steal-customer-data/
Radixx Announces Security Incident Impacting Radixx Res - Radixx, a
subsidiary of Sabre Corporation (NASDAQ: SABR), that serves the
low-cost airline carrier segment, today announced that Radixx Res™
has experienced an event impacting its Radixx reservation system.
https://www.radixx.com/news/radixx-announces-security-incident-impacting-radixx-res/
DC police department sees data breach after cyberattack - The
Washington, D.C., Metropolitan Police Department on Monday
experienced a large data breach after a ransomware syndicate leaked
many of the agency's police reports, internal memos, and arrest
information.
https://www.washingtonexaminer.com/news/washington-dc-police-department-cyberattack-data-breach
WEB SITE COMPLIANCE -
We continue our review
of the FDIC paper "Risk Assessment Tools and Practices for
Information System Security."
INFORMATION SECURITY PROGRAM
A financial institution's board of directors and senior
management should be aware of information security issues and be
involved in developing an appropriate information security program.
A comprehensive information security policy should outline a
proactive and ongoing program incorporating three components:
1) Prevention
2) Detection
3) Response
Prevention measures include sound security policies,
well-designed system architecture, properly configured firewalls,
and strong authentication programs. This paper discusses two
additional prevention measures: vulnerability assessment tools and
penetration analyses. Vulnerability assessment tools generally
involve running scans on a system to proactively detect known
vulnerabilities such as security flaws and bugs in software and
hardware. These tools can also detect holes allowing unauthorized
access to a network, or insiders to misuse the system. Penetration
analysis involves an independent party (internal or external)
testing an institution's information system security to identify
(and possibly exploit) vulnerabilities in the system and surrounding
processes. Using vulnerability assessment tools and performing
regular penetration analyses will assist an institution in
determining what security weaknesses exist in its information
systems.
Detection measures involve analyzing available information
to determine if an information system has been compromised, misused,
or accessed by unauthorized individuals. Detection measures may be
enhanced by the use of intrusion detection systems (IDSs) that act
as a burglar alarm, alerting the bank or service provider to
potential external break-ins or internal misuse of the system(s)
being monitored.
Another key area involves preparing a response program to
handle suspected intrusions and system misuse once they are
detected. Institutions should have an effective incident response
program outlined in a security policy that prioritizes incidents,
discusses appropriate responses to incidents, and establishes
reporting requirements.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Action Summary -Financial institutions must maintain an
ongoing information security risk assessment program that
effectively
1) Gathers data regarding the information and technology assets
of the organization, threats to those assets, vulnerabilities,
existing security controls and processes, and the current security
standards and requirements;
2) Analyzes the probability and impact associated with the known
threats and vulnerabilities to its assets; and
3) Prioritizes the risks present due to threats and
vulnerabilities to determine the appropriate level of training,
controls, and testing necessary for effective mitigation.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND
OPERATIONS
14.3 Configuration Management
Closely related to software support is configuration management --
the process of keeping track of changes to the system and, if
needed, approving them. Configuration management normally addresses
hardware, software, networking, and other changes; it can be formal
or informal. The primary security goal of configuration management
is ensuring that changes to the system do not unintentionally or
unknowingly diminish security. Some of the methods discussed under
software support, such as inspecting and testing software changes,
can be used.
Note that the security goal is to know what changes occur, not to
prevent security from being changed. There may be circumstances when
security will be reduced. However, the decrease in security should
be the result of a decision based on all appropriate factors.
A second security goal of configuration management is ensuring that
changes to the system are reflected in other documentation, such as
the contingency plan. If the change is major, it may be necessary to
reanalyze some or all of the security of the system.
For networked systems, configuration management should include
external connections. Is the computer system connected? To what
other systems? In turn, to what systems are these systems and
organizations connected?
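The Handbook's two stated goals for configuration management are knowing what changed and making sure a change does not quietly diminish security. The following added example (not from the NIST Handbook or this newsletter) shows the smallest check that serves both: it hashes a baseline of configuration files, reports every file that differs from it, and flags changed settings that are weaker than the approved value so the reduction is an explicit decision rather than an accident. The file names, settings and "weakening" rules are illustrative assumptions, not any published standard.

```python
"""
Added example, not from the NIST Handbook or this newsletter: a minimal
configuration-management check. It hashes a baseline of configuration
files, reports every file that has changed since, and flags changes that
weaken a security-relevant setting so they are reviewed rather than slip
in unnoticed. File names, settings and the "weakening" rules are
illustrative assumptions, not any published standard.
"""
import hashlib
import re

# Constructed baseline snapshot: path -> file content at the approved state.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\nPort 22\n",
    "/etc/app/app.conf": "debug = false\ntls_min_version = 1.2\n",
}

# Constructed current state: one silent hardening regression, one benign addition.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\nPort 22\n",
    "/etc/app/app.conf": "debug = false\ntls_min_version = 1.2\nlog_level = info\n",
}

# Hypothetical rules: (path, setting name, regex capturing the value,
# predicate that is True when the value is the weaker one).
WEAKENING_RULES = [
    ("/etc/ssh/sshd_config", "PermitRootLogin", r"^PermitRootLogin\s+(\S+)",
     lambda v: v.lower() == "yes"),
    ("/etc/ssh/sshd_config", "PasswordAuthentication", r"^PasswordAuthentication\s+(\S+)",
     lambda v: v.lower() == "yes"),
    ("/etc/app/app.conf", "debug", r"^debug\s*=\s*(\S+)",
     lambda v: v.lower() == "true"),
    ("/etc/app/app.conf", "tls_min_version", r"^tls_min_version\s*=\s*(\S+)",
     lambda v: float(v) < 1.2),
]


def snapshot(files):
    """Map each path to the SHA-256 of its content; this is the stored baseline."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def changed_files(baseline_hashes, current_files):
    """Paths whose hash differs from the baseline, including added or removed files."""
    current_hashes = snapshot(current_files)
    paths = set(baseline_hashes) | set(current_hashes)
    return sorted(p for p in paths if baseline_hashes.get(p) != current_hashes.get(p))


def weakened_settings(path, old_content, new_content):
    """Settings in `path` whose new value is weaker than the baseline value.

    Returns a list of (setting, old_value, new_value). A setting absent from
    the baseline but present and weak now is reported with old_value None.
    """
    findings = []
    for rule_path, name, pattern, is_weak in WEAKENING_RULES:
        if rule_path != path:
            continue
        new = re.search(pattern, new_content, re.M)
        if new is None:
            continue
        old = re.search(pattern, old_content, re.M)
        old_value = old.group(1) if old else None
        new_value = new.group(1)
        if is_weak(new_value) and (old_value is None or not is_weak(old_value)):
            findings.append((name, old_value, new_value))
    return findings


def review_changes(baseline_files, current_files):
    """Change report: every changed path -> list of weakened settings in it.

    A changed file with an empty list still needs documenting (the Handbook's
    first goal is knowing what changed); a non-empty list needs an explicit
    decision that the reduced security is acceptable.
    """
    baseline_hashes = snapshot(baseline_files)
    report = {}
    for path in changed_files(baseline_hashes, current_files):
        old = baseline_files.get(path, "")
        new = current_files.get(path, "")
        report[path] = weakened_settings(path, old, new)
    return report


if __name__ == "__main__":
    for path, findings in review_changes(BASELINE_FILES, CURRENT_FILES).items():
        print(f"changed: {path}")
        for name, old_value, new_value in findings:
            print(f"  WEAKENED {name}: {old_value!r} -> {new_value!r}")
```

Run against the constructed data, the report lists both changed files but flags only the sshd_config change (PermitRootLogin went from no to yes); the app.conf change is recorded as a change to document but carries no weakened setting. In practice the baseline hashes would be stored outside the system being checked, and the rules would be derived from the institution's hardening standard.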
14.4 Backups
Support and operations personnel and sometimes users back up
software and data. This function is critical to contingency
planning. Frequency of backups will depend upon how often data
changes and how important those changes are. Program managers should
be consulted to determine what backup schedule is appropriate. Also,
as a safety measure, it is useful to test that backup copies are
actually usable. Finally, backups should be stored securely, as
appropriate.
Users of smaller systems are often responsible for their own
backups. However, in reality they do not always perform backups
regularly. Some organizations, therefore, task support personnel
with making backups periodically for smaller systems, either
automatically (through server software) or manually (by visiting
each machine).
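The Handbook's advice to "test that backup copies are actually usable" is the step most often skipped. The following added example (not from the NIST Handbook or this newsletter) shows what that test looks like in practice: the backup is written as a tar archive together with a manifest of per-file SHA-256 hashes, and verification consists of restoring the archive to a scratch directory and comparing every restored file against the manifest, so that a truncated, corrupted or tampered copy is caught before it is needed. The directory layout, file contents and archive name are constructed for the demonstration.

```python
"""
Added example, not from the NIST Handbook or this newsletter: back up a
directory to a tar archive with a SHA-256 manifest, then prove the copy is
usable by restoring it to a scratch directory and checking every file
against the manifest. Sample files and paths are constructed for the demo.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and write a manifest {relative path: sha256} beside it.

    The manifest is what later verification is measured against, so in a real
    deployment it is stored (and ideally signed) separately from the archive.
    """
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    manifest_path = archive_path + ".manifest.json"
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest_path


def verify_backup(archive_path, manifest_path):
    """Restore into a scratch directory and check each manifest entry.

    Returns (ok, problems). An unreadable archive, a missing file, or a hash
    mismatch after restore all count as a failed backup.
    """
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # The "data" extraction filter (Python 3.12+, backported to
                # maintenance releases) refuses absolute paths and traversal
                # outside restore_dir; fall back to the default where absent.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(restore_dir, **extra)
        except (tarfile.TarError, OSError, EOFError) as e:
            return False, [f"archive unreadable: {e}"]
        for rel, expected in manifest.items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return (not problems), problems


def demo():
    """Constructed demo: back up a small tree, verify it, damage the copy, verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "ledger"))
        with open(os.path.join(src, "ledger", "accounts.csv"), "w") as f:
            f.write("id,balance\n1,100\n")
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")
        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)
        ok_before, _ = verify_backup(archive, manifest)
        # Simulate media corruption of the stored copy: truncate the archive.
        with open(archive, "r+b") as f:
            f.truncate(20)
        ok_after, problems = verify_backup(archive, manifest)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    ok_before, ok_after, problems = demo()
    print("fresh backup usable:", ok_before)
    print("damaged backup usable:", ok_after, problems)
```

The verification deliberately restores to a throwaway directory rather than reading the archive's own table of contents: a backup that lists its files but cannot reproduce them is not usable. Running the restore regularly, against the copy actually held in storage, is what turns the Handbook's "safety measure" into evidence for the contingency plan.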
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.