May 23, 2021
Does your financial institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and
to meet the independent diagnostic test requirements of
the FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b); the penetration
test also complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond
simple port scanning. The audit focuses on
a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
Virtual/remote IT audits
- I am performing
virtual/remote FFIEC IT
audits for banks and credit unions.
I am a former
bank examiner with 40 years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is
confidential.
FYI - 85% of Data Breaches Involve
Human Interaction: Verizon DBIR - Web application attacks, phishing,
and ransomware increased over the past year, emphasizing a shift as
attackers took advantage of people working from home and spending
more time online amid the COVID-19 pandemic. Most (85%) attacks seen
in 2020 involved human interaction.
https://www.darkreading.com/operations/85--of-data-breaches-involve-human-interaction-verizon-dbir/d/d-id/1341012
Agencies Extend Comment Period on Request for Information on
Artificial Intelligence - Five federal financial regulatory agencies
announced today they will extend the comment period on the request
for information on financial institutions' use of artificial
intelligence (AI) until July 1, 2021.
https://www.federalreserve.gov/newsevents/pressreleases/bcreg20210517a.htm
https://www.occ.treas.gov/news-issuances/news-releases/2021/nr-ia-2021-54.html
https://www.ncua.gov/newsroom/press-release/2021/agencies-extend-comment-period-request-information-artificial-intelligence
https://www.fdic.gov/news/press-releases/2021/pr21045.html
Chart a course to the passwordless future on World Password Day -
It’s World Password Day, do the company’s users still rely on
passwords? Has the security team replaced them? Passwords are no
longer considered a secure way to log in, so what does the company
plan to do about it?
https://www.scmagazine.com/perspectives/chart-a-course-to-the-passwordless-future-on-world-password-day/
H&R Block seeks out open-source expertise for SOC - College
graduates and cert-holders certainly make for valuable hiring
candidates. But dig a little deeper and you’ll find that
contributors to open source projects constitute an overlooked pool
of talent who can bring diversity of thought and experience to your
security team.
https://www.scmagazine.com/home/security-news/network-security/hr-block-seeks-out-open-source-expertise-to-stock-up-on-soc-talent/
‘FragAttacks’: Wi-Fi Bugs Affect Millions of Devices - A Belgian
security researcher specializing in Wi-Fi bugs has unearthed a
clutch of new ones, which he called FragAttacks, that affect the
Wi-Fi standard itself. The name is short for “fragmentation and
aggregation attacks.”
https://threatpost.com/fragattacks-wifi-bugs-millions-devices/166080/
Cisco and Netflix execs: The pandemic brought good, and some bad
changes in security standards - On the one hand, there is no doubt
the nearly overnight shift to remote work led to sometimes sloppy IT
architecting that increased the overall attack surface for many
businesses, quickly followed by a worrying increase in the amount of
new vulnerabilities discovered and a cornucopia of high profile
hacking incidents against government and industry.
https://www.scmagazine.com/home/2021-rsa-conference/cisco-and-netflix-execs-the-pandemic-brought-some-good-some-bad-and-a-lot-of-change/
UK govt seeks advice on defending against supply-chain cyberattacks
- Today, the UK government has announced a call for advice on
defending against software supply-chain attacks and ways to
strengthen IT Managed Service Providers (MSPs) across the country.
https://www.bleepingcomputer.com/news/security/uk-govt-seeks-advice-on-defending-against-supply-chain-cyberattacks/
Attention CEOs: No news can be good news when investigating a breach
- A potential data breach inside an organization typically brings
demands from top executives for answers, often before security teams
can provide any.
https://www.scmagazine.com/home/2021-rsa-conference/attention-ceos-no-news-can-be-good-news-when-investigating-a-breach/
How the ransomware explosion is reshaping the cyber insurance market
- There has never been a brighter spotlight on the societal scourge
of ransomware than the one cast over the past two weeks, as separate
attacks led to a temporary gas shortage across the eastern United
States, disrupted the IT networks of nationalized health care
systems in Ireland and New Zealand and caused an international
uproar for governments and industry to do more to hold
cybercriminals accountable.
https://www.scmagazine.com/home/security-news/ransomware/how-the-ransomware-explosion-is-reshaping-the-cyber-insurance-market/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Rapid7: Attackers got ‘limited
access’ to source code, customer data after Codecov breach -
Security vendor Rapid7 confirmed that “a small subset” of its source
code repositories and some customer credentials and other data were
accessed by an unauthorized party following a breach of code-testing
company Codecov last month.
https://www.scmagazine.com/home/security-news/data-breach/rapid7-attackers-got-limited-access-to-source-code-customer-data-after-codecov-breach/
Ireland’s health care system taken down after ransomware attack -
Doctors left unable to access patient records after "very
sophisticated" attack. Ireland has shut down most of the major IT
systems running its national health care service, leaving doctors
unable to access patient records and people unsure of whether they
should show up for appointments, following a “very sophisticated”
ransomware attack.
https://arstechnica.com/information-technology/2021/05/irelands-healthcare-system-taken-down-after-ransomware-attack/
Axa insurance offshoots pwned as Ireland reveals second ransomware
hit - The murky world of ransomware criminals is all aflutter after
it was revealed that Ireland's health services were hit by a second
attack hot on the heels of one that took out its hospitals, while
ransomware insurance refusenik Axa was itself hit with ransomware
after its French branch vowed to stop buying off criminals on behalf
of its customers.
https://www.theregister.com/2021/05/17/ransomware_roundup/
Toshiba unit struck by DarkSide ransomware group - Following
Colonial Pipeline, a DarkSide affiliate has claimed another victim.
A Toshiba unit has become the latest victim of a DarkSide ransomware
attack.
https://www.zdnet.com/article/toshiba-unit-struck-by-darkside-ransomware-group/
Betenbough Companies victim of ransomware attack - Cyberattack
results in system breach of local company - Russian cybercriminals
targeted and victimized local company, Betenbough Companies,
resulting in a system breach on May 3. These criminals acted in a
similar manner to those that held the Colonial Pipeline’s system for
ransom and have attempted to strongarm Betenbough Companies with
similar tactics.
https://www.newschannel10.com/2021/05/19/betenbough-companies-victim-of-ransomware-attack/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
When assessing information security products, management should
be aware that many products offer a combination of risk assessment
features, and can cover single or multiple operating systems.
Several organizations provide independent assessments and
certifications of the adequacy of computer security products (e.g.,
firewalls). While the underlying product may be certified, banks
should realize that the manner in which the products are configured
and ultimately used is an integral part of the products'
effectiveness. If relying on the certification, banks should
understand the certification process used by the organization
certifying the security product. Other examples of items to consider
in the risk assessment process include:
1) Identifying mission-critical information systems, and
determining the effectiveness of current information security
programs. For example, a vulnerability might involve critical
systems that are not reasonably isolated from the Internet and
external access via modem. Having up-to-date inventory listings of
hardware and software, as well as system topologies, is important in
this process.
2) Assessing the importance and sensitivity of information and
the likelihood of outside break-ins (e.g., by hackers) and insider
misuse of information. For example, if a large depositor list were
made public, that disclosure could expose the bank to reputational
risk and the potential loss of deposits. Further, the institution
could be harmed if human resource data (e.g., salaries and personnel
files) were made public. The assessment should identify systems that
allow the transfer of funds, other assets, or sensitive
data/confidential information, and review the appropriateness of
access controls and other security policy settings.
3) Assessing the risks posed by electronic connections with
business partners. The other entity may have poor access controls
that could potentially lead to an indirect compromise of the bank's
system. Another example involves vendors that may be allowed to
access the bank's system without proper security safeguards, such as
firewalls. This could result in open access to critical information
that the vendor may have "no need to know."
4) Determining legal implications and contingent liability
concerns associated with any of the above. For example, if hackers
successfully access a bank's system and use it to subsequently
attack others, the bank may be liable for damages incurred by the
party that is attacked.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (1 of 2)
The information gathered is used to characterize the system,
to identify and measure threats to the system and the data it
contains and transmits, and to estimate the likelihood that a threat
will take action against the system or data.
System characterization articulates the understanding of the
system, including the boundaries of the system being assessed, the
system's hardware and software, and the information that is stored,
processed, and transmitted. Since operational systems may have
changed since they were last documented, a current review of the
system should be performed. Developmental systems, on the other
hand, should be analyzed to determine their key security rules and
attributes. Those rules and attributes should be documented as part
of the systems development lifecycle process. System
characterization also requires the cross-referencing of
vulnerabilities to current controls to identify those that mitigate
specific threats, and to assist in highlighting the control areas
that should be improved.
A key part of system characterization is the ranking of data and
system components according to their sensitivity and importance to
the institution's operations. Additionally, consistent with the
GLBA, the ranking should consider the potential harm to customers of
unauthorized access and disclosure of customer non-public personal
information. Ranking allows for a reasoned and measured analysis of
the relative outcome of various attacks, and the limiting of the
analysis to sensitive information or information and systems that
may materially affect the institution's condition and operations.
Threats are identified and measured through the creation and
analysis of threat scenarios. Threat scenarios should be
comprehensive in their scope (e.g., they should consider reasonably
foreseeable threats and possible attacks against information and
systems that may affect the institution's condition and operations
or may cause data disclosures that could result in substantial harm
or inconvenience to customers). They should consider the potential
effect and likelihood for failure within the control environment due
to non-malicious or malicious events. They should also be
coordinated with business continuity planning to include attacks
performed when those plans are implemented. Non-malicious scenarios
typically involve accidents related to inadequate access controls
and natural disasters. Malicious scenarios, either general or
specific, typically involve a motivated attacker (i.e., threat)
exploiting a vulnerability to gain access to an asset to create an
outcome that has an impact.
An example of a general malicious threat scenario is an unskilled
attacker using a program script to exploit a vulnerable
Internet-accessible Web server to extract customer information from
the institution's database. Assuming the attacker's motivation is to
seek recognition from others, the attacker publishes the
information, causing the financial institution to suffer damage to
its reputation. Ultimately, customers are likely to be victims of
identity theft.
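The general scenario above (an unskilled attacker running a script against a vulnerable Internet-facing web server to pull customer records out of the institution's database) most often comes down to a web application that builds database queries from user input. The block below is an added example, not text or code from the FFIEC booklet or from this newsletter. It assumes a Python web tier talking to SQLite with a constructed customers table (all names and account numbers are made up), and shows the vulnerable lookup beside the hardened one so that the threat scenario can be reproduced and the mitigating control verified.

```python
import sqlite3

# Constructed sample data standing in for the institution's customer
# database; every name and account number here is made up.
SAMPLE_CUSTOMERS = [
    ("Alice Adams", "1001-2345"),
    ("Bob Baker", "1001-6789"),
    ("Carol Chen", "1002-0001"),
]

# A tautology payload of the kind an attacker's script tries first.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"


def build_customer_db():
    """Create an in-memory database holding the constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, account TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, account) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The weakness in the scenario: a form field is pasted into the SQL text.

    With name = "x' OR '1'='1" the statement becomes
        SELECT name, account FROM customers WHERE name = 'x' OR '1'='1'
    and every row comes back instead of one.
    """
    sql = f"SELECT name, account FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Same query with a bound parameter: the input is data, never SQL."""
    sql = "SELECT name, account FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run the legitimate and the attacker-supplied input through both lookups."""
    conn = build_customer_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "Bob Baker"),
        "legit_hardened": lookup_hardened(conn, "Bob Baker"),
        "payload_vulnerable": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "payload_hardened": lookup_hardened(conn, TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running the file prints the four lookups: the legitimate name returns one row from either function, while the tautology payload returns every customer from the vulnerable function and nothing from the parameterized one. This is the cross-reference the booklet asks for in system characterization: the vulnerability (string-built SQL) mapped to the control that mitigates it (bound parameters), with a repeatable test showing the control holds.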
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND
OPERATIONS
14.5.6 Transmittal
Media control may be transferred both within the organization and
to outside elements. Possibilities for securing such transmittal
include sealed and marked envelopes, authorized messenger or
courier, or U.S. certified or registered mail.
14.5.7 Disposition
When media is disposed of, it may be important to ensure that
information is not improperly disclosed. This applies both to media
that is external to a computer system (such as a diskette) and to
media inside a computer system, such as a hard disk. The process of
removing information from media is called sanitization.
Three techniques are commonly used for media sanitization:
overwriting, degaussing, and destruction. Overwriting is an
effective method for clearing data from magnetic media. As the name
implies, overwriting uses a program to write (1s, 0s, or a
combination) onto the media. Common practice is to overwrite the
media three times. Overwriting should not be confused with merely
deleting the pointer to a file (which typically happens when a
delete command is used). Overwriting requires that the media be in
working order. Degaussing is a method to magnetically erase data
from magnetic media. Two types of degausser exist: strong permanent
magnets and electric degaussers. The final method of sanitization is
destruction of the media by shredding or burning.
Many people throw away old diskettes, believing that erasing the
files on the diskette has made the data un-retrievable. In reality,
however, erasing a file simply removes the pointer to that file. The
pointer tells the computer where the file is physically stored.
Without this pointer, the files will not appear on a directory
listing. This does not mean that the file was removed. Commonly
available utility programs can often retrieve information that is
presumed deleted.
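The handbook's point that "erasing" a file only removes its pointer is easy to see on a small model. The block below is an added example and is not part of the NIST handbook or of this newsletter. It builds a constructed toy block device with a directory table, where delete() drops the directory entry the way an ordinary delete command does and overwrite() writes the handbook's three passes over the file's blocks before dropping the entry; raw_scan() plays the part of a recovery utility that reads the raw medium instead of the directory. overwrite_and_unlink() applies the same three passes to a real file. All names are the example's own, the depositor record is made up, and the example assumes, as the handbook does for magnetic media, that each write lands on the same physical location as the data it replaces.

```python
import os
import secrets
import tempfile

BLOCK_SIZE = 16
# Pass patterns as the handbook describes: 0s, 1s, then a combination
# (random bytes here). None means "random" below.
PASS_PATTERNS = [b"\x00", b"\xff", None]


def _fill(pattern, size):
    """Return `size` bytes of the given pass pattern."""
    return secrets.token_bytes(size) if pattern is None else pattern * size


class ToyDisk:
    """A constructed model of a block device with a directory table."""

    def __init__(self, blocks=64):
        self.image = bytearray(blocks * BLOCK_SIZE)   # the raw medium
        self.directory = {}      # name -> (first_block, length_in_bytes)
        self.next_free = 0       # bump allocator; freed space is never reused

    def write(self, name, data):
        nblocks = -(-len(data) // BLOCK_SIZE)
        start = self.next_free
        off = start * BLOCK_SIZE
        self.image[off:off + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free += nblocks

    def delete(self, name):
        """An ordinary delete: remove the pointer, leave the bytes in place."""
        del self.directory[name]

    def overwrite(self, name, passes=3):
        """Sanitize: overwrite the file's blocks, then remove the pointer."""
        start, length = self.directory[name]
        size = -(-length // BLOCK_SIZE) * BLOCK_SIZE
        off = start * BLOCK_SIZE
        for i in range(passes):
            self.image[off:off + size] = _fill(PASS_PATTERNS[i % 3], size)
        del self.directory[name]

    def raw_scan(self, needle):
        """What a recovery utility does: search the medium, not the directory."""
        return bytes(self.image).find(needle) != -1


def overwrite_and_unlink(path, passes=3):
    """Overwrite a regular file in place, flushing each pass to the device,
    then unlink it. Assumes the medium writes over the old location."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            f.seek(0)
            f.write(_fill(PASS_PATTERNS[i % 3], size))
            f.flush()
            os.fsync(f.fileno())
    os.unlink(path)


def demo_toy_disk():
    """Returns (found_after_delete, found_after_overwrite)."""
    secret = b"ACCT 1001-2345 Alice Adams"   # constructed depositor record
    deleted = ToyDisk()
    deleted.write("depositors.txt", secret)
    deleted.delete("depositors.txt")
    sanitized = ToyDisk()
    sanitized.write("depositors.txt", secret)
    sanitized.overwrite("depositors.txt")
    return deleted.raw_scan(secret), sanitized.raw_scan(secret)


def demo_real_file():
    """Sanitize a temporary file; returns whether it still exists (it should not)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"salary and personnel data\n" * 8)   # constructed content
    overwrite_and_unlink(path)
    return os.path.exists(path)


if __name__ == "__main__":
    after_delete, after_overwrite = demo_toy_disk()
    print("record recoverable after delete:   ", after_delete)
    print("record recoverable after overwrite:", after_overwrite)
    print("temp file present after sanitizing:", demo_real_file())
```

On the toy disk the record is still found by the raw scan after delete() and not after overwrite(), which is the difference between removing a pointer and removing data. The real-file routine calls os.fsync after each pass so the pattern reaches the device rather than sitting in the page cache; the handbook's note that overwriting requires working media applies here too, since a drive that cannot complete the writes has to be degaussed or destroyed instead.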
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.