MISCELLANEOUS CYBERSECURITY NEWS:
New US Breach Reporting Rules for Banks Take Effect May 1 - New
cyber incident reporting rules are set to come into effect in the
U.S. on May 1. Banks in the country will be required to notify
regulators within the first 36 hours after an organization suffers a
qualifying "computer-security incident."
https://www.govinfosecurity.com/new-us-breach-reporting-rules-for-banks-take-effect-may-1-a-18998
Here are what CISOs named as their 20 critical priorities for 2022 -
re in the wake of the Russia-Ukraine war, and continued disruption
from an unending variety of malware and ransomware?
https://www.scmagazine.com/analysis/leadership/here-are-what-cisos-named-as-their-20-critical-priorities-for-2022
Ransomware attacks struck two-thirds of organizations last year - A
new survey of IT professionals shows that 66% of organizations
experienced a ransomware attack in 2021, up from 37% in 2020, while
ransom payments have also increased.
https://www.scmagazine.com/news/ransomware/ransomware-attacks-struck-two-thirds-of-organizations-last-year
Healthcare cyber group shares business continuity toolkit, on the
heels of ransomware alert - The Health Sector Coordinating Council’s
Cybersecurity Working Group issued another healthcare resource this
week: a toolkit meant to support operational staff and executive
leadership with responding to extended outages brought on by
cyberattacks.
https://www.scmagazine.com/analysis/incident-response/healthcare-cyber-group-shares-business-continuity-toolkit-on-the-heels-of-ransomware-alert
Pandemic relief programs introduced new cyber risks for SBA - The
Small Business Administration’s information security program is “not
effective” according to its inspector general.
https://www.scmagazine.com/analysis/asset-management/sba-watchdog-says-information-security-program-not-effective
Audit again deems HHS security program ‘not effective’ - The
Department of Health and Human Services’ Office of the Inspector
General has again deemed the HHS’ information security program “not
effective,” under the Federal Information Security Modernization Act
(FISMA) metrics.
https://www.scmagazine.com/analysis/compliance/audit-again-deems-hhs-security-program-not-effective
Prepare today for repeat ransomware attacks - Ransomware attacks can
devastate an organization. Worse, there have been instances where
organizations experience repeat attacks.
https://www.scmagazine.com/perspective/ransomware/prepare-today-for-repeat-ransomware-attacks
Congress wants to study the cybersecurity of satellites after Viasat
hack - Two members of the House have brought forth legislation that
would press federal agencies to revisit what policies and programs
are in place to help U.S. satellite owners and operators defend
against hacks to their systems and assets.
https://www.scmagazine.com/analysis/device-security/congress-wants-to-study-the-cybersecurity-of-satellites-after-viasat-hack
New Regulations in India Require Orgs to Report Cyber Incidents
Within 6 Hours - CERT-In updates cybersecurity rules to include
mandatory reporting, record-keeping, and more. The Indian Computer
Emergency Response Team (CERT-In) issued new cyber incident
reporting guidelines, including the requirement for service
providers, intermediaries, data centers, corporations, and
government agencies to report cyber incidents to the regulator
within six hours.
https://www.darkreading.com/attacks-breaches/new-regulations-give-indian-orgs-6-hours-to-report-cyber-incidents
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Tenet Health investigating cybersecurity incident, IT outage - A
“cybersecurity incident” struck Tenet Healthcare last week,
resulting in the immediate suspension of access to IT applications.
Tenet is one of the largest hospital care service providers in the
U.S. with over 146 hospitals.
https://www.scmagazine.com/analysis/cybercrime/tenet-health-investigating-cybersecurity-incident-it-outage
Cloudflare stomps huge DDoS attack on crypto platform - Cloudflare
this month halted a massive distributed denial-of-service (DDoS)
attack on a cryptocurrency platform that not only was unusual in its
sheer size but also because it was launched over HTTPS and primarily
originated from cloud datacenters rather than residential internet
service providers (ISPs).
https://www.theregister.com/2022/04/28/cloudflare-largest-ddos-attack-/
GitHub: How stolen OAuth tokens helped breach dozens of orgs -
GitHub has shared a timeline of this month's security breach when a
threat actor gained access to and stole private repositories
belonging to dozens of organizations.
https://www.bleepingcomputer.com/news/security/github-how-stolen-oauth-tokens-helped-breach-dozens-of-orgs/
How the French fiber optic cable attacks accentuate critical
infrastructure vulnerabilities - The pictures show neatly trimmed
fiber optic cables dug up from underground behind what appears to be
a well-hidden grate.
https://www.cyberscoop.com/french-fiber-optic-cables-attack-critical-infrastructure/
Digital health company myNurse reports data access, will stop
operations - Digital health company myNurse, also known as Salusive
Health, recently notified patients of a systems hack that led to the
access of their personal and protected health information.
https://www.scmagazine.com/analysis/breach/digital-health-company-mynurse-reports-data-access-will-stop-operations
WEB SITE COMPLIANCE -
We continue the series on FDIC Supervisory Insights regarding Incident
Response Programs. (8 of 12)
Containment
During the containment phase, the institution should generally
implement its predefined procedures for responding to the specific
incident (note that containment procedures are a required minimum
component). Additional containment-related procedures some banks
have successfully incorporated into their IRPs are discussed below.
Establish notification escalation procedures.
If senior management is not already part of the incident
response team, banks may want to consider developing procedures for
notifying these individuals when the situation warrants. Providing
the appropriate executive staff and senior department managers with
information about how containment actions will affect business
operations or systems and including these individuals in the
decision-making process can help minimize undesirable business
disruptions. Institutions that have experienced incidents have
generally found that the management escalation process (and
resultant communication flow) was not only beneficial during the
containment phase, but also proved valuable during the later phases
of the incident response process.
Document details, conversations, and actions.
Retaining documentation is an important component of the
incident response process. Documentation can come in a variety of
forms, including technical reports generated, actions taken, costs
incurred, notifications provided, and conversations held. This
information may be useful to external consultants and law
enforcement for investigative and legal purposes, as well as to
senior management for filing potential insurance claims and for
preparing an executive summary of the events for the board of
directors or shareholders. In addition, documentation can assist
management in responding to questions from its primary Federal
regulator. It may be helpful during the incident response process to
centralize this documentation for organizational purposes.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
ENCRYPTION
Encryption is used to secure communications and data storage,
particularly authentication credentials and the transmission of
sensitive information. It can be used throughout a technological
environment, including the operating systems, middleware,
applications, file systems, and communications protocols.
Encryption is used both as a prevention and detection control. As
a prevention control, encryption acts to protect data from
disclosure to unauthorized parties. As a detective control,
encryption is used to allow discovery of unauthorized changes to
data and to assign responsibility for data among authorized parties.
When prevention and detection are joined, encryption is a key
control in ensuring confidentiality, data integrity, and
accountability.
Properly used, encryption can strengthen the security of an
institution's systems. Encryption also has the potential, however,
to weaken other security aspects. For instance, encrypted data
drastically lessens the effectiveness of any security mechanism that
relies on inspections of the data, such as anti-virus scanning and
intrusion detection systems. When encrypted communications are used,
networks may have to be reconfigured to allow for adequate detection
of malicious code and system intrusions.
Although necessary, encryption carries the risk of making data
unavailable should anything go wrong with data handling, key
management, or the actual encryption. The products used and
administrative controls should contain robust and effective controls
to ensure reliability.
Encryption can impose significant overhead on networks and
computing devices. A loss of encryption keys or other failures in
the encryption process can deny the institution access to the
encrypted data.
Financial institutions should employ an encryption strength
sufficient to protect information from disclosure until such time as
the information's disclosure poses no material threat. For instance,
authenticators should be encrypted at a strength sufficient to allow
the institution time to detect and react to an authenticator theft
before the attacker can decrypt the stolen authenticators.
Decisions regarding what data to encrypt and at what points to
encrypt the data are typically based on the risk of disclosure and
the costs and risks of encryption. Generally speaking,
authenticators are always encrypted whether on public networks or on
the financial institution's network. Sensitive information is also
encrypted when passing over a public network, and also may be
encrypted within the institution.
Encryption cannot guarantee data security. Even if encryption is
properly implemented, for example, a security breach at one of the
endpoints of the communication can be used to steal the data or
allow an intruder to masquerade as a legitimate system user.
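To make the booklet's prevention-versus-detection distinction concrete, here is an added example that is not part of the FFIEC text: a keystream cipher built from SHA-256 in counter mode stands in for a real cipher such as AES-CTR (demo only; a vetted AEAD such as AES-GCM belongs in production). On its own it hides the data but passes a modified ciphertext through silently; adding an HMAC tag (encrypt-then-MAC) turns it into a detective control that rejects the modification before decryption. Keys and the message are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: SHA-256 over key||nonce||counter (demo only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_only(key: bytes, plaintext: bytes) -> bytes:
    """Prevention control only: XOR with the keystream hides the plaintext."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt_only(key: bytes, blob: bytes) -> bytes:
    """No integrity check: a flipped ciphertext bit flips the same plaintext
    bit, and the caller never learns that the data was altered."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

def encrypt_authenticated(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the HMAC tag makes unauthorized changes detectable."""
    blob = encrypt_only(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def decrypt_authenticated(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag does not verify."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # detective control fired: the data was modified
    return decrypt_only(enc_key, body)

def modify_first_ciphertext_byte(blob: bytes) -> bytes:
    """Simulates corruption or modification in transit of one ciphertext byte."""
    i = NONCE_LEN
    return blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
```

With the unauthenticated variant the altered message decrypts to a different first byte and no error; with the authenticated variant the same alteration is rejected before any plaintext is produced.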
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.5 Cost Considerations
Audit trails involve many costs. First, some system overhead is
incurred recording the audit trail. Additional system overhead will
be incurred storing and processing the records. The more detailed
the records, the more overhead is required. Another cost involves
human and machine time required to do the analysis. This can be
minimized by using tools to perform most of the analysis. Many
simple analyzers can be constructed quickly (and cheaply) from
system utilities, but they are limited to audit reduction and
identifying particularly sensitive events. More complex tools that
identify trends or sequences of events are slowly becoming available
as off-the-shelf software. (If complex tools are not available for a
system, development may be prohibitively expensive. Some intrusion
detection systems, for example, have taken years to develop.)
The final cost of audit trails is the cost of investigating
anomalous events. If the system is identifying too many events as
suspicious, administrators may spend undue time reconstructing
events and questioning personnel.
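As an added illustration of the "simple analyzer built from system utilities" that the Handbook describes (example code, not from the NIST Handbook): an audit-reduction pass over constructed syslog-style records keeps only the sensitive events and collapses a burst of failed logins behind a threshold, which is the knob that keeps the investigation cost of the last paragraph under control. The log lines, hostnames and usernames are constructed.

```python
import re
from collections import Counter

# Constructed sample audit records in a syslog-like shape (not real data).
AUDIT_LOG = """\
2022-04-25T08:01:10 host1 sshd: Accepted password for alice from 10.0.0.5
2022-04-25T08:01:12 host1 sshd: Failed password for bob from 10.0.0.9
2022-04-25T08:01:15 host1 sshd: Failed password for bob from 10.0.0.9
2022-04-25T08:01:19 host1 sshd: Failed password for bob from 10.0.0.9
2022-04-25T08:02:00 host1 sshd: Failed password for bob from 10.0.0.9
2022-04-25T08:03:30 host1 sudo: alice : COMMAND=/usr/bin/less /var/log/syslog
2022-04-25T08:05:02 host1 useradd: new user: name=svc_backup, UID=1007
2022-04-25T08:05:40 host1 sshd: Failed password for carol from 10.0.0.22
2022-04-25T08:06:00 host1 sshd: Accepted password for carol from 10.0.0.22
2022-04-25T08:07:11 host1 usermod: add 'svc_backup' to group 'sudo'
2022-04-25T08:09:00 host1 cron: (root) CMD (run-parts /etc/cron.hourly)
"""

# Particularly sensitive events: the only records the reduced view keeps.
SENSITIVE = {
    "failed_login": re.compile(r"sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)"),
    "account_created": re.compile(r"useradd: new user: name=(?P<user>[^,]+)"),
    "admin_group_change": re.compile(r"usermod: add '(?P<user>[^']+)' to group 'sudo'"),
}

def reduce_audit(log: str, failed_login_threshold: int = 3):
    """Audit reduction: drop routine records, keep sensitive ones, and fold
    repeated failed logins per user into a single finding once they reach
    the threshold, so one noisy burst does not become N items to investigate."""
    findings = []
    failed = Counter()
    for line in log.splitlines():
        for kind, pattern in SENSITIVE.items():
            match = pattern.search(line)
            if not match:
                continue
            if kind == "failed_login":
                failed[match.group("user")] += 1
            else:
                findings.append((kind, match.group("user"), line))
    for user, count in failed.items():
        if count >= failed_login_threshold:
            findings.append(("repeated_failed_login", user, f"{count} failures"))
    return findings
```

Eleven raw records reduce to three findings at the default threshold; lowering the threshold to 1 adds carol's single failure, which is exactly the "too many events as suspicious" trade-off the text warns about.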