MISCELLANEOUS CYBERSECURITY NEWS:
What is success in cybersecurity? Failing less. Defenders aren’t
measured by pure wins or losses. Intrusions will happen, and their
job is to keep a bad situation from getting worse.
https://www.cybersecuritydive.com/news/success-failing-less-cybersecurity/714372/
Licensed to Bill? Nations Mandate Certification & Licensure of
Cybersecurity Pros - Malaysia, Singapore, and Ghana are among the
first countries to pass laws that require cybersecurity firms - and
in some cases, individual consultants - to obtain licenses to do
business, but concerns remain.
https://www.darkreading.com/cyber-risk/licensed-to-bill-nations-mandate-certification-licensure-of-cybersecurity-pros
CISA Announces Winners of the 5th Annual President’s Cup
Cybersecurity Competition - The Cybersecurity and Infrastructure
Security Agency (CISA) hosted the final round of the fifth annual
President’s Cup Cybersecurity Competition this week and announced
the winners today of the three competitions.
https://www.cisa.gov/news-events/news/cisa-announces-winners-5th-annual-presidents-cup-cybersecurity-competition
FTC broadens health breach notification rule - Regulators have been
pursuing more enforcement actions against health apps sharing
consumers’ data. Friday’s final rule should give those actions more
heft.
https://www.cybersecuritydive.com/news/ftc-final-health-breach-notification-rule-apps/714591/
FCC fines carriers $200 million for illegally sharing user location
- The Federal Communications Commission (FCC) has fined the largest
U.S. wireless carriers almost $200 million for sharing their
customers' real-time location data without their consent.
https://www.bleepingcomputer.com/news/technology/fcc-fines-carriers-200-million-for-illegally-sharing-user-location/
UK lays down fresh legislation banning crummy default device
passwords - Smart device manufacturers will have to play by new
rules in the UK as of today, with laws coming into force to make it
more difficult for cybercriminals to break into hardware such as
phones and tablets.
https://www.theregister.com/2024/04/29/uk_lays_password_legislation/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Siemens Industrial Product Impacted by Exploited Palo Alto Firewall
Vulnerability - The recently disclosed Palo Alto Networks firewall
vulnerability tracked as CVE-2024-3400, which has been exploited in
attacks for at least one month, has been found to impact one of
Siemens’ industrial products.
https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/
Plasma donation company Octapharma slowly reopening as BlackSuit
gang claims attack - The plasma donation company Octapharma has
begun to reopen some of its 180 centers around the world following a
ransomware attack that forced it to shut down operations for nearly
a week.
https://therecord.media/plasma-donation-company-cyberattack-blacksuit
LA County Health Services: Patients' data exposed in phishing attack
- The Los Angeles County Department of Health Services disclosed that
thousands of patients' personal and health information was exposed
in a data breach resulting from a recent phishing attack impacting
over two dozen employees.
https://www.bleepingcomputer.com/news/security/la-county-health-services-thousands-of-patients-data-exposed-in-email-breach/
Kaiser Permanente notifies 13.4M patients of potential data exposure
- Kaiser Permanente informed 13.4 million current and former members
and patients who accessed its websites and mobile apps that certain
online tracking technologies may have transmitted personal
information to third-party vendors Google, Microsoft Bing, and X
when members accessed those websites or apps.
https://www.scmagazine.com/news/kaiser-permanente-notifies-134m-patients-of-potential-data-exposure
https://www.securityweek.com/kaiser-permanente-discloses-data-breach-impacting-13-4-million-patients/
London Drugs closes all of its pharmacies following 'cybersecurity
incident' - Canadian pharmacy chain London Drugs closed all of its
stores over the weekend until further notice following a
"cybersecurity incident."
https://www.theregister.com/2024/04/29/canada_london_drugs/
Collection Agency FBCS Says Data Breach Exposed Nearly 2 million
People - Debt collection agency Financial Business and Consumer
Solutions (FBCS) is notifying roughly 2 million individuals that
their personal information was compromised in a recent data breach.
https://www.securityweek.com/2-million-impacted-by-data-breach-at-debt-collector-fbcs/
Voter Registration System Taken Offline in Coffee County
Cyber-Incident - Coffee County in the US State of Georgia has been
hit by a cyber-incident, reportedly leading to its connection to the
state’s voter registration system being severed.
https://www.infosecurity-magazine.com/news/voter-registration-offline-coffee/
Change Healthcare, compromised by stolen credentials, did not have
MFA turned on - AlphV deployed ransomware nine days after it used
access to a Citrix portal on Change’s network to move laterally
within systems, CEO Andrew Witty said in testimony prepared for a
House subcommittee.
https://www.cybersecuritydive.com/news/change-healthcare-compromised-credentials-no-mfa/714792/
Verizon’s 2024 Data Breach Investigations Report: 5 key takeaways -
Verizon published its 2024 Data Breach Investigations Report (DBIR)
Wednesday, highlighting the interplay between actions and attack
vectors that provide the initial pathway for breaches.
https://www.scmagazine.com/news/verizons-2024-data-breach-investigations-report-5-key-takeaways
Every Dropbox Sign user, account holders or not, stung in
cyberattack - An attacker broke into the electronic signature
platform’s production environment and accessed a trove of user data,
including OAuth tokens.
https://www.cybersecuritydive.com/news/dropbox-sign-cyberattack/714999/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle 13: Banks should have
effective capacity, business continuity and contingency planning
processes to help ensure the availability of e-banking systems and
services.
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with customer expectations. To achieve this, the
bank must have the ability to deliver e-banking services to
end-users from either primary (e.g. internal bank systems and
applications) or secondary sources (e.g. systems and applications of
service providers). The maintenance of adequate availability is also
dependent upon the ability of contingency back-up systems to
mitigate denial of service attacks or other events that may
potentially cause business disruption.
The challenge to maintain continued availability of e-banking
systems and applications can be considerable given the potential for
high transaction demand, especially during peak time periods. In
addition, high customer expectations regarding short transaction
processing cycle times and constant availability (24 x 7) have also
increased the importance of sound capacity, business continuity and
contingency planning. To provide customers with the continuity of
e-banking services that they expect, banks need to ensure that:
1) Current e-banking system capacity and future scalability are
analyzed in light of the overall market dynamics for e-commerce and
the projected rate of customer acceptance of e-banking products and
services.
2) E-banking transaction processing capacity estimates are
established, stress tested and periodically reviewed.
3) Appropriate business continuity and contingency plans for
critical e-banking processing and delivery systems are in place and
regularly tested.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Biometrics
(Part 1 of 2)
Biometrics can be implemented in many forms, including tokens.
Biometrics verifies the identity of the user by reference to unique
physical or behavioral characteristics. A physical characteristic
can be a thumbprint or iris pattern. A behavioral characteristic is
the unique pattern of key depression strength and pauses made on a
keyboard when a user types a phrase. The strength of biometrics is
related to the uniqueness of the physical characteristic selected
for verification. Biometric technologies assign data values to the
particular characteristics associated with a certain feature. For
example, the iris typically provides many more characteristics to
store and compare, making it more unique than facial
characteristics. Unlike other authentication mechanisms, a biometric
authenticator does not rely on a user's memory or possession of a
token to be effective. Additional strengths are that biometrics do
not rely on people to keep their biometric secret or physically
secure their biometric. Biometrics is the only authentication
methodology with these advantages.
Enrollment is a critical process for the use of biometric
authentication. The user's physical characteristics must be reliably
recorded. Reliability may require several samples of the
characteristic and a recording device free of lint, dirt, or other
interference. The enrollment device must be physically secure from
tampering and unauthorized use.
When enrolled, the user's biometric is stored as a template.
Subsequent authentication is accomplished by comparing a submitted
biometric against the template, with results based on probability
and statistical confidence levels. Practical usage of biometric
solutions requires consideration of how precise systems must be for
positive identification and authentication. More precise solutions
increase the chances a person is falsely rejected. Conversely, less
precise solutions can result in the wrong person being identified or
authenticated as a valid user (i.e., false acceptance rate). The
equal error rate (EER) is a composite rating that considers the
false rejection and false acceptance rates. Lower EERs mean more
consistent operations. However, EER is typically based upon
laboratory testing and may not be indicative of actual results due
to factors that can include the consistency of biometric readers to
capture data over time, variations in how a user presents their
biometric sample (e.g., occasionally pressing harder on a finger
scanner), and environmental factors.
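The trade-off described above between false rejection and false acceptance, and the equal error rate that summarizes it, can be seen concretely in the following worked example. It is added here and is not part of the FFIEC booklet or this newsletter; the match scores, the 0-100 score scale, the acceptance rule (score at or above a threshold) and the function names are constructed for illustration. The last function also models the caveat that a laboratory EER may not hold in the field, by lowering every genuine score (a worn reader or an inconsistent presentation) while impostor scores stay unchanged.

```python
# Added worked example (not from the FFIEC booklet or this newsletter):
# false acceptance rate (FAR), false rejection rate (FRR) and equal error
# rate (EER) for a biometric matcher, computed from match scores.
#
# Assumptions (constructed for illustration): a matcher returns an integer
# score 0-100 for how closely a submitted sample matches the stored
# template; the system accepts a submission when score >= threshold.
from typing import List, Tuple

# Constructed sample scores, not real measurements.
# Genuine attempts: the enrolled user presenting their own biometric.
GENUINE_SCORES = [95, 90, 88, 85, 80, 75, 70, 60, 55, 40]
# Impostor attempts: a different person presenting their own biometric.
IMPOSTOR_SCORES = [65, 60, 50, 45, 40, 35, 30, 25, 20, 10]
# Candidate decision thresholds to sweep.
THRESHOLDS = list(range(0, 101, 5))


def false_rejection_rate(genuine: List[int], threshold: int) -> float:
    """Share of genuine attempts rejected (score below the threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor: List[int], threshold: int) -> float:
    """Share of impostor attempts accepted (score at or above the threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int],
                thresholds: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for each candidate threshold.

    Raising the threshold makes the system stricter: FAR falls, FRR rises.
    """
    return [(t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
            for t in thresholds]


def equal_error_rate(genuine: List[int], impostor: List[int],
                     thresholds: List[int]) -> Tuple[int, float]:
    """Threshold at which FAR and FRR are closest, and the EER there.

    The EER is taken as the mean of FAR and FRR at that threshold, the
    usual approximation when the two rates only cross between sampled points.
    """
    t, far, frr = min(error_curve(genuine, impostor, thresholds),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def field_eer_after_drift(genuine: List[int], impostor: List[int],
                          thresholds: List[int], drift: int) -> Tuple[int, float]:
    """EER when every genuine score drops by `drift` points.

    Models the caveat that a lab EER may not hold in the field: a worn reader
    or an inconsistent presentation lowers genuine scores while impostor
    scores stay where they were, so the two rates cross at a worse EER.
    """
    return equal_error_rate([s - drift for s in genuine], impostor, thresholds)


if __name__ == "__main__":
    for t, far, frr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold {t:3d}: FAR {far:.2f}  FRR {frr:.2f}")
    print("lab EER  :", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
    print("field EER:", field_eer_after_drift(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS, 15))
```

Running the script prints the full FAR/FRR sweep. With these constructed scores a strict threshold of 80 rejects half of the genuine attempts while admitting no impostors, a lax threshold of 30 rejects nobody but admits 70 percent of impostors, and the rates meet at a threshold of 60 with an EER of 0.2; after a 15-point drift in genuine scores the EER worsens to 0.3 at a threshold of 50, which is the kind of gap between laboratory and field results the text warns about.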
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 9 - Assurance
9.3 Design and Implementation Assurance
Design and implementation assurance addresses whether the features
of a system, application, or component meet security requirements
and specifications and whether they are well designed and well
built. Design and implementation assurance examines system design,
development, and installation. Design and implementation assurance
is usually associated with the development/acquisition and
implementation phase of the system life cycle; however, it should
also be considered throughout the life cycle as the system is
modified.
As stated earlier, assurance can address whether the product or
system meets a set of security specifications, or it can provide
other evidence of quality. This section outlines the major methods
for obtaining design and implementation assurance.
Design and implementation assurance should be examined from two
points of view: the component and the system. Component assurance
looks at the security of a specific product or system component,
such as an operating system, application, security add-on, or
telecommunications module. System assurance looks at the security of
the entire system, including the interaction between products and
modules.
9.3.1 Testing and Certification
Testing can address the quality of the system as built, as
implemented, or as operated. Thus, it can be performed throughout
the development cycle, after system installation, and throughout its
operational phase. Some common testing techniques include functional
testing (to see if a given function works according to its
requirements) or penetration testing (to see if security can be
bypassed). These techniques can range from trying several test cases
to in-depth studies using metrics, automated tools, or multiple
detailed test cases.
Certification is a formal process for testing components or systems
against a specified set of security requirements. Certification is
normally performed by an independent reviewer, rather than one
involved in building the system. Certification is more often
cost-effective for complex or high-risk systems. Less formal
security testing can be used for lower-risk systems. Certification
can be performed at many stages of the system design and
implementation process and can take place in a laboratory, operating
environment, or both.