MISCELLANEOUS CYBERSECURITY NEWS:
CISA senior official Goldstein to leave agency in June - The
executive assistant director for cybersecurity at CISA often
served as the voice of the agency and helped steer its
secure-by-design efforts. The executive assistant director
for cybersecurity at the Cybersecurity and Infrastructure
Security Agency is leaving the organization next month,
CISA confirmed on Thursday.
https://www.cybersecuritydive.com/news/eric-goldstein-departing-cisa/716401/
Nigeria Halts Cybersecurity Tax After Public Outrage - In
the midst of an economy struggling with soaring inflation,
the Nigerian government paused plans to place a levy on
domestic transactions that was aimed at enhancing
cybersecurity.
https://www.darkreading.com/cyber-risk/nigeria-halts-cybersecurity-tax-after-public-outrage
Norway recommends replacing SSL VPN to prevent breaches -
The Norwegian National Cyber Security Centre (NCSC)
recommends replacing SSLVPN/WebVPN solutions with
alternatives due to the repeated exploitation of related
vulnerabilities in edge network devices to breach corporate
networks.
https://www.bleepingcomputer.com/news/security/norway-recommends-replacing-ssl-vpn-to-prevent-breaches/
The role identity plays in nearly every attack, including
ransomware - The common misperception that identity
infrastructure and IAMs like Active Directory, Okta, or Ping
can adequately secure the entire identity infrastructure is
to blame for the continued barrage of cyber and ransomware
attacks.
https://www.scmagazine.com/resource/the-role-identity-plays-in-nearly-every-attack-including-ransomware
SEC requires financial institutions to notify customers of
breaches within 30 days - The Securities and Exchange
Commission (SEC) announced the adoption of amendments to
Regulation S-P to modernize and enhance the rules that
govern the treatment of consumers’ nonpublic personal
information by certain financial institutions.
https://www.helpnetsecurity.com/2024/05/20/sec-financial-institutions-rules/
More than 70% of surveyed water systems failed to meet EPA
cyber standards - The agency says it will take certain
enforcement actions in cases where there is imminent danger
from a cyberthreat against water infrastructure.
https://www.nextgov.com/cybersecurity/2024/05/more-70-surveyed-water-systems-failed-meet-epa-cyber-standards/396727/
Four ways CISOs can navigate today’s legal and regulatory
minefields - The role of chief information security officer
(CISO) has never been more challenging or scrutinized.
Escalating cyber threats, tightening regulations, and
increasing responsibilities place CISOs at the front lines
of digital defense and corporate accountability.
https://www.scmagazine.com/perspective/four-ways-cisos-can-navigate-todays-legal-and-regulatory-minefields
Rockwell to customers: Remove public-facing ICS devices from
internet - In response to heightened geopolitical tensions
and potential attacks on critical infrastructure sectors,
Rockwell Automation released guidance encouraging users to
remove connectivity to all industrial control systems (ICS)
devices with public-facing internet access.
https://www.scmagazine.com/news/rockwell-to-customers-remove-public-facing-ics-devices-from-internet
Unpatched vulnerabilities making bad ransomware outcomes
worse: What you need to know - While the military strategist
and philosopher Sun Tzu never had to grapple with a
ransomware attack, he knew something about conflict: "If you
know the enemy and know yourself, you need not fear the
result of a hundred battles."
https://www.scmagazine.com/resource/unpatched-vulnerabilities-making-bad-ransomware-outcomes-worse-what-you-need-to-know
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
LockBit ransomware spread in millions of emails via Phorpiex
botnet - Millions of emails containing LockBit ransomware
were deployed daily at the end of April with the help of the
Phorpiex botnet, Proofpoint researchers revealed Tuesday.
https://www.scmagazine.com/news/lockbit-ransomware-spread-in-millions-of-emails-via-phorpiex-botnet
Flaw in Wi-Fi Standard Can Enable SSID Confusion Attacks -
Researchers at Belgium's KU Leuven discovered a fundamental
design flaw in the IEEE 802.11 Wi-Fi standard that gives
attackers a way to trick victims into connecting with a less
secure wireless network than the one to which they intended
to connect.
https://www.darkreading.com/endpoint-security/flaw-in-wi-fi-standard-can-enable-ssid-confusion-attacks
WebTPA reports 2.4 million plan members had their data
stolen - WebTPA Employer Services, the Texas-based provider
of administrative services to health insurance and benefits
plans, reported to the Department of Health and Human
Services on May 8 that more than 2.4 million plan members
had their personal information stolen.
https://www.scmagazine.com/news/webtpa-reports-2-4-million-plan-members-had-their-data-stolen
Aussie cops probe MediSecure's 'large-scale ransomware data
breach' - Australian prescriptions provider MediSecure is
the latest healthcare org to fall victim to a ransomware
attack, with crooks apparently stealing patients' personal
and health data.
https://www.theregister.com/2024/05/17/medisecure_ransomware_attack/
American Radio Relay League Hit by Cyberattack - Founded in
1914, the ARRL is the United States’ national association
for amateur radio. The non-profit organization’s website
says it has 100 full-time and part-time staff members, and
roughly 160,000 members.
https://www.securityweek.com/american-radio-relay-league-hit-by-cyberattack/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the
"Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Sound Practices for Managing Outsourced E-Banking Systems and
Services (Part 1 of 3)
1. Banks should adopt appropriate processes for
evaluating decisions to outsource e-banking systems or
services.
a) Bank management should clearly identify the
strategic purposes, benefits and costs associated with
entering into outsourcing arrangements for e-banking with
third parties.
b) The decision to outsource a key e-banking
function or service should be consistent with the bank's
business strategies, be based on a clearly defined business
need, and recognize the specific risks that outsourcing
entails.
c) All affected areas of the bank need to
understand how the service provider(s) will support the
bank's e-banking strategy and fit into its operating
structure.
2. Banks should conduct appropriate risk analysis and due
diligence prior to selecting an e-banking service provider
and at appropriate intervals thereafter.
a) Banks should consider developing processes for
soliciting proposals from several e-banking service
providers and criteria for choosing among the various
proposals.
b) Once a potential service provider has been
identified, the bank should conduct an appropriate due
diligence review, including a risk analysis of the service
provider's financial strength, reputation, risk management
policies and controls, and ability to fulfill its
obligations.
c) Thereafter, banks should regularly monitor and,
as appropriate, conduct due diligence reviews of the ability
of the service provider to fulfill its service and
associated risk management obligations throughout the
duration of the contract.
d) Banks need to ensure that adequate resources are
committed to overseeing outsourcing arrangements supporting
e-banking.
e) Responsibilities for overseeing e-banking
outsourcing arrangements should be clearly assigned.
f) An appropriate exit strategy should be in place for the
bank to manage risks should it need to terminate the
outsourcing relationship.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses, Attacks, and
Offsetting Controls (Part 1 of 2)
All authentication methodologies display weaknesses. Those
weaknesses are of both a technical and a nontechnical
nature. Many of the weaknesses are common to all mechanisms.
Examples of common weaknesses include warehouse attacks,
social engineering, client attacks, replay attacks, and
hijacking.
Warehouse attacks result in the compromise of the
authentication storage system, and the theft of the
authentication data. Frequently, the authentication data is
encrypted; however, dictionary attacks make decryption of
even a few passwords in a large group a trivial task. A
dictionary attack uses a list of likely authenticators, such
as passwords, runs the likely authenticators through the
encryption algorithm, and compares the result to the stolen,
encrypted authenticators. Any matches are easily traceable
to the pre-encrypted authenticator.
Dictionary and brute force attacks are viable due to the
speeds with which comparisons are made. As microprocessors
increase in speed, and technology advances to ease the
linking of processors across networks, those attacks will be
even more effective. Because those attacks are effective,
institutions should take great care in securing their
authentication databases. Institutions that use one-way
hashes should consider the insertion of secret bits (also
known as "salt") to increase the difficulty of decrypting
the hash. The salt has the effect of increasing the number
of potential authenticators that attackers must check for
validity, thereby making the attacks more time consuming and
creating more opportunity for the institution to identify
and react to the attack.
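The dictionary-attack and salt discussion above, as an added example that is not from the FFIEC booklet: a constructed credential store hashed with and without a per-user salt, plus a duplicate-digest audit check a defender can run over a store. The user names, sample passwords, and the PBKDF2 choice are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample credential set (not real data): two users share a weak password.
USERS = {"alice": "winter2024", "bob": "winter2024", "carol": "correct horse battery"}
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_unsalted(password: str) -> str:
    """Plain one-way hash: equal passwords give equal digests, so one pass over a
    dictionary tests every user in a stolen store at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted, iterated hash: the salt is mixed in, so each user's digest must be
    attacked separately, and the iteration count slows every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def build_store(users: dict, salted: bool) -> dict:
    """Return {user: (salt_hex, digest)}; the salt is empty for the unsalted store."""
    store = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16) if salted else b""
        digest = hash_salted(pw, salt) if salted else hash_unsalted(pw)
        store[user] = (salt.hex(), digest)
    return store


def verify(store: dict, user: str, password: str) -> bool:
    """Authenticate against either store shape using a constant-time comparison."""
    salt_hex, digest = store[user]
    salt = bytes.fromhex(salt_hex)
    candidate = hash_salted(password, salt) if salt else hash_unsalted(password)
    return hmac.compare_digest(candidate, digest)


def duplicate_digests(store: dict) -> list:
    """Audit check: identical digests for different users prove equal passwords
    and reveal that no per-user salt is in use."""
    groups = defaultdict(list)
    for user, (_, digest) in store.items():
        groups[digest].append(user)
    return [sorted(members) for members in groups.values() if len(members) > 1]
```

With a dictionary of N guesses and M users, the unsalted store costs an attacker about N hash computations, the salted store about N times M, which is the "more potential authenticators to check" effect the booklet describes.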
Warehouse attacks typically compromise an entire
authentication mechanism. Should such an attack occur, the
financial institution might have to deny access to all or
nearly all users until new authentication devices can be
issued (e.g. new passwords). Institutions should consider
the effects of such a denial of access, and appropriately
plan for large-scale re-issuances of authentication devices.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National
Institute of Standards and Technology (NIST) Handbook.
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT
AND OPERATIONS
14.2 Software Support
Software is the heart of an organization's computer
operations, whatever the size and complexity of the system.
Therefore, it is essential that software function correctly
and be protected from corruption. There are many elements of
software support.
One is controlling what software is used on a system. If
users or systems personnel can load and execute any software
on a system, the system is more vulnerable to viruses, to
unexpected software interactions, and to software that may
subvert or bypass security controls. One method of
controlling software is to inspect or test software before
it is loaded (e.g., to determine compatibility with custom
applications or identify other unforeseen interactions).
This can apply to new software packages, to upgrades, to
off-the-shelf products, or to custom software, as deemed
appropriate. In addition to controlling the loading and
execution of new software, organizations should also give
care to the configuration and use of powerful system
utilities. System utilities can compromise the
integrity of operating systems and logical access controls.
A second element in software support can be to ensure that
software has not been modified without proper authorization.
This involves the protection of software and backup copies.
This can be done with a combination of logical and physical
access controls.
Many organizations also include a program to ensure that
software is properly licensed, as required. For example, an
organization may audit systems for illegal copies of
copyrighted software. This problem is primarily
associated with PCs and LANs, but can apply to any type of
system.
Viruses take advantage of the weak software controls in
personal computers. Also, there are powerful utilities
available for PCs that can restore deleted files, find
hidden files, and interface directly with PC hardware,
bypassing the operating system. Some organizations use
personal computers without floppy drives in order to have
better control over the system.
There are several widely available utilities that look for
security problems in both networks and the systems attached
to them. Some utilities look for and try to exploit security
vulnerabilities.