MISCELLANEOUS CYBERSECURITY NEWS:
Compromised backups send ransomware recovery costs soaring -
There's a common misperception that to defeat ransomware
attacks, organizations must simply back up their systems and
data. Unfortunately, that's not necessarily the case.
https://www.scmagazine.com/resource/compromised-backups-send-ransomware-recovery-costs-soaring
Verizon's 2024 Data Breach Investigations Report: 5 key
takeaways - Verizon published its 2024 Data Breach
Investigations Report (DBIR) Wednesday, highlighting the
interplay between actions and attack vectors that provide
the initial pathway for breaches.
https://www.scmagazine.com/news/verizons-2024-data-breach-investigations-report-5-key-takeaways
CISA warned 1,750 organizations of ransomware
vulnerabilities last year. Only half took action. - More
than half of CISA's ransomware vulnerability warning pilot
alerts were sent to government facilities, healthcare and
public health organizations.
https://www.cybersecuritydive.com/news/cisa-ransomware-vulnerability-warnings/714951/
The White House Has a New Master Plan to Stop Worst-Case
Scenarios - The President has updated the directives to
protect US critical infrastructure against major threats,
from cyberattacks to terrorism to climate change. The
administration is updating the US government's blueprint for
protecting the country's most important infrastructure from
hackers, terrorists, and natural disasters.
https://www.wired.com/story/biden-national-security-memorandum-critical-infrastructure-threats/
Florida man gets 6 years behind bars for flogging fake Cisco
kit to US military - Miami resident Onur Aksoy has been
sentenced to six and a half years in prison for running a
multi-million-dollar operation selling fake Cisco equipment
that ended up in the US military.
https://www.theregister.com/2024/05/02/fake_cisco_prison/
RSAC 2024: CISA, DHS grapple with cyber risks in the age of
AI - Current and former U.S. government agency leaders
stressed the importance for public and private guardrails on
AI and voiced concern geopolitical strife is increasingly
creating existential cybersecurity threats to the U.S.
critical infrastructure.
https://www.scmagazine.com/news/rsac-2024-keynotes-cisa-dhs-officials-talk-new-frontiers-in-cyber-risk-defense
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Kaiser Permanente notifies 13.4M patients of potential data
exposure - Kaiser Permanente informed 13.4 million current
and former members and patients who accessed its websites
and mobile apps that certain online tracking technologies
may have transmitted personal information to third-party
vendors Google, Microsoft Bing, and X when members accessed
those websites or apps.
https://www.scmagazine.com/news/kaiser-permanente-notifies-134m-patients-of-potential-data-exposure
Verizon DBIR 2024 Shows Surge in Vulnerability Exploitation,
Confirmed Data Breaches - The DBIR is one of the
cybersecurity industry's most anticipated reports because it
is based on the analysis of a significant number of
real-world incidents.
https://www.securityweek.com/verizon-dbir-2024-shows-surge-in-vulnerability-exploitation-confirmed-data-breaches/
Hackers Compromised Dropbox eSignature Service - Dropbox
says hackers breached its Sign production environment and
accessed customer email addresses and hashed passwords.
Dropbox on Wednesday disclosed a data breach impacting
customers of Sign, the company's electronic signature
service.
https://www.securityweek.com/dropbox-data-breach-impacts-customer-information/
City of Wichita shuts down IT network after ransomware
attack - The City of Wichita, Kansas, disclosed it was
forced to shut down portions of its network after suffering
a weekend ransomware attack.
https://www.bleepingcomputer.com/news/security/city-of-wichita-shuts-down-it-network-after-ransomware-attack/
Ascension hit by cybersecurity incident disrupting clinical
operations - Ascension said it was responding to a
cybersecurity incident after discovering unusual activity
on some technology network systems Wednesday that is
disrupting clinical operations.
https://www.cybersecuritydive.com/news/ascension-cybersecurity-incident-disrupts-clinical-operations/715671/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by
the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle
14: Banks should develop appropriate incident response plans
to manage, contain and minimize problems arising from
unexpected events, including internal and external attacks,
that may hamper the provision of e-banking systems and
services.
Effective incident response mechanisms are critical to
minimize operational, legal and reputational risks arising
from unexpected events, such as internal and external
attacks, that may affect the provision of e-banking systems
and services. The current and future capacity of critical
e-banking delivery systems should also be assessed on an
ongoing basis. Banks should develop appropriate incident
response plans, including communication strategies, that
ensure business continuity, control reputation risk and
limit liability associated with disruptions in their
e-banking services, including those originating from
outsourced systems and operations.
To ensure effective response to
unforeseen incidents, banks should develop:
1) Incident response plans to address recovery of e-banking
systems and services under various scenarios, businesses and
geographic locations. Scenario analysis should include
consideration of the likelihood of the risk occurring and
its impact on the bank. E-banking systems that are
outsourced to third-party service providers should be an
integral part of these plans.
2) Mechanisms to identify an incident or crisis as soon as
it occurs, assess its materiality, and control the
reputation risk associated with any disruption in service.
3) A communication strategy to adequately address external
market and media concerns that may arise in the event of
security breaches, online attacks and/or failures of
e-banking systems.
4) A clear process for alerting the appropriate regulatory
authorities in the event that material security breaches or
disruptive incidents occur.
5) Incident response teams with the authority to act in an
emergency and sufficiently trained in analyzing incident
detection/response systems and interpreting the significance
of related output.
6) A clear chain of command, encompassing both internal and
outsourced operations, to ensure that prompt action is taken
appropriate to the significance of the incident. In
addition, escalation and internal communication procedures
should be developed and include notification of the Board
where appropriate.
7) A process to ensure all relevant external parties,
including bank customers, counterparties and the media, are
informed in a timely and appropriate manner of material
e-banking disruptions and business resumption developments.
8) A process for collecting and preserving forensic evidence
to facilitate appropriate post-mortem reviews of any
e-banking incidents as well as to assist in the prosecution
of attackers.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Biometrics (Part 2 of 2)
Weaknesses in biometric systems
relate to the ability of an attacker to submit false
physical characteristics, or to take advantage of system
flaws to make the system erroneously report a match between
the characteristic submitted and the one stored in the
system. In the first situation, an attacker might submit to
a thumbprint recognition system a copy of a valid user's
thumbprint. The control against this attack involves
ensuring a live thumb was used for the submission. That can
be done by physically controlling the thumb reader, for
instance having a guard at the reader to make sure no
tampering or fake thumbs are used. In remote entry
situations, logical liveness tests can be performed to
verify that the submitted data is from a live subject.
Attacks that involve making the
system falsely deny or accept a request take advantage of
either the low degrees of freedom in the characteristic
being tested, or improper system tuning. Degrees of freedom
relate to measurable differences between biometric readings,
with more degrees of freedom indicating a more unique
biometric. Facial recognition systems, for instance, may
have only nine degrees of freedom while other biometric
systems have over one hundred. Similar faces may be used to
fool the system into improperly authenticating an
individual. Similar irises, however, are difficult to find,
and it is even more difficult to use them to fool a system
into improperly authenticating an individual.
Attacks against system tuning also
exist. Any biometric system has rates at which it will
falsely accept a reading and falsely reject a reading. The
two rates are inseparable; for any given system improving
one worsens the other. Systems that are tuned to maximize
user convenience typically have low rates of false rejection
and high rates of false acceptance. Those systems may be
more open to successful attack.
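To make the tuning trade-off concrete, the following is an added example (not from the FFIEC booklet): it sweeps a decision threshold over constructed genuine and impostor match scores on an assumed 0-100 scale and reports the resulting false acceptance and false rejection rates, then picks a threshold by fixing a FAR ceiling first rather than tuning for convenience.

```python
"""False acceptance vs. false rejection under threshold tuning.

Added example (not from the FFIEC booklet). The matcher scores below are
constructed: higher means a closer match, on an assumed 0-100 scale.
"""
from typing import Iterable, List, Optional, Tuple

GENUINE_SCORES: List[int] = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61]   # same person
IMPOSTOR_SCORES: List[int] = [30, 38, 45, 52, 58, 63, 67, 72, 75, 80]  # different people
THRESHOLDS = range(0, 101, 5)


def far(impostor: List[int], threshold: int) -> float:
    """False acceptance rate: fraction of impostor attempts accepted (score >= threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """False rejection rate: fraction of genuine attempts rejected (score < threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def sweep(genuine: List[int], impostor: List[int],
          thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) per threshold; raising the threshold lowers FAR and raises FRR."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_threshold(genuine: List[int], impostor: List[int],
                          thresholds: Iterable[int]) -> int:
    """Threshold where FAR and FRR are closest: a neutral starting point for tuning."""
    return min(thresholds, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))


def most_convenient_threshold(impostor: List[int], thresholds: Iterable[int],
                              max_far: float) -> Optional[int]:
    """Lowest threshold (least false rejection) whose FAR stays within a security ceiling.

    Fixing the FAR ceiling first and only then relaxing for convenience is the
    reverse of the convenience-first tuning the booklet warns about.
    """
    acceptable = [t for t in thresholds if far(impostor, t) <= max_far]
    return min(acceptable) if acceptable else None


if __name__ == "__main__":
    for t, a, r in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(60, 91, 5)):
        print(f"threshold {t:3d}: FAR {a:.1f}  FRR {r:.1f}")
    print("equal-error threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
    print("FAR<=10% threshold:", most_convenient_threshold(IMPOSTOR_SCORES, THRESHOLDS, 0.10))
```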
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of
Standards and Technology (NIST) Handbook.
Chapter 9 - Assurance
9.3.2 NIST Conformance Testing and Validation Suites
NIST produces validation suites and
conformance testing to determine if a product (software,
hardware, firmware) meets specified standards. These test
suites are developed for specific standards and use many
methods. Conformance to standards can be important for many
reasons, including interoperability or strength of security
provided. NIST publishes a list of validated products
quarterly.
9.3.3 Use of Advanced or Trusted Development
In the development of both
commercial off-the-shelf products and more customized
systems, the use of advanced or trusted system
architectures, development methodologies, or software
engineering techniques can provide assurance. Examples
include security design and development reviews, formal
modeling, mathematical proofs, ISO 9000 quality techniques,
or use of security architecture concepts, such as a trusted
computing base (TCB) or reference monitor.
9.3.4 Use of Reliable Architectures
Some system architectures are intrinsically more reliable,
such as systems that use fault tolerance, redundancy,
shadowing, or redundant array of inexpensive disks (RAID)
features. These examples are primarily associated with
system availability.
9.3.5 Use of Reliable Security
One factor in reliable security is the concept of ease of safe
use, which postulates that a system that is easier to secure
will be more likely to be secure. Security features may be
more likely to be used when the initial system defaults to
the "most secure" option. In addition, a system's security
may be deemed more reliable if it does not use very new
technology that has not been tested in the "real" world
(often called "bleeding-edge" technology). Conversely, a
system that uses older, well-tested software may be less
likely to contain bugs.