MISCELLANEOUS CYBERSECURITY NEWS:
Employees’ email still drives most of the data loss at organizations
- Cyber thieves are increasingly finding new channels to steal data
from unaware employees. However, email is still by far the most
popular medium by which enterprises have lost data, according to new
research released last week by email security provider Tessian and
the Ponemon Institute.
https://www.scmagazine.com/analysis/email-security/employees-email-still-drives-most-of-the-data-loss-at-organizations
DoJ won’t prosecute ‘good faith’ security researchers - The
Department of Justice is significantly revising how it interprets
and brings cases under the nation’s premier hacking law, saying it
will no longer bring cases against “good faith” security researchers
or individuals who violate trivial or non-material parts of a
company’s policies or terms of service.
https://www.scmagazine.com/analysis/vulnerability-management/doj-wont-prosecute-good-faith-security-researchers
NIST’s Cybersecurity Framework has become the common language for
international cybersecurity - All organizations, whether public or
private and regardless of where they operate, are working in one of
the most chaotic threat landscapes ever witnessed.
https://www.scmagazine.com/perspective/compliance/nists-cybersecurity-framework-has-become-the-common-language-for-international-cybersecurity-%EF%BF%BC
FBI and NSA say: Stop doing these 10 things that let the hackers in
- Enable multi-factor authentication, patch your software, and
deploy a VPN, but configure them securely, the US government and
allies warn.
https://www.zdnet.com/article/fbi-and-nsa-say-stop-doing-these-10-things-that-let-the-hackers-in/
iPhones Vulnerable to Attack Even When Turned Off - Wireless
features Bluetooth, NFC and UWB stay on even when the device is
powered down, which could allow attackers to execute pre-loaded
malware.
https://threatpost.com/iphones-attack-turned-off/179641/
As Ukraine conflict continues, US banks still face threats from
Russian cyberattacks - When the Russo-Ukrainian war began in late
February, there was an almost immediate response from government and
cybersecurity experts alike: the U.S. financial industry, though out
of reach of the ground assault, stood a good chance of being a prime
target for the online attacks that had been threatened.
https://www.scmagazine.com/analysis/critical-infrastructure/as-ukraine-conflict-continues-us-banks-still-face-threats-from-russian-cyberattacks
Remote work complicates insider-threat challenge, says ex-Bank of
America CIO - With more than two decades of experience leading
technology and information security teams at major blue-chip U.S.
financial firms, including Morgan Stanley and Goldman Sachs, David
Reilly understands the importance of evaluating and mitigating
insider security threats within banks and investment firms.
https://www.scmagazine.com/analysis/remote-access/remote-work-complicates-insider-threat-challenge-says-ex-bank-of-america-cio
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Strapi exposed data, password reset to CMS users lacking proper
privilege - The popular, headless CMS Strapi patched two
vulnerabilities that allowed users with lower levels of privilege to
see data only higher-privileged users were cleared to see —
including information allowing account takeover.
https://www.scmagazine.com/analysis/application-security/strapi-exposed-data-password-reset-to-cms-users-lacking-proper-privilege
Over 194K patients added to ongoing Eye Care Leaders breach tally -
A breach notice from West Virginia-based Regional Eye Associates
informs 194,035 patients that their data was accessed and deleted
from their third-party vendor’s system in December 2021, ahead of a
ransomware attack.
https://www.scmagazine.com/analysis/ransomware/over-194k-patients-added-to-ongoing-eye-care-leaders-breach-tally
Malicious Python Repository Package Drops Cobalt Strike on Windows,
macOS & Linux Systems - The PyPI "pymafka" package is the latest
example of growing attacker interest in abusing widely used open
source software repositories.
https://www.darkreading.com/application-security/malicious-package-python-repository-cobalt-strike-windows-macos-linux
Cyberattack Affects Greenland's Healthcare Services - Greenland's
healthcare services have been "severely limited" due to a
cyberattack that has lasted for at least two weeks to date, says the
Naalakkersuisut, the country's government.
https://www.govinfosecurity.com/cyberattack-affects-greenlands-healthcare-services-a-19120
WEB SITE COMPLIANCE -
We continue the series on the FDIC Supervisory Insights article on
Incident Response Programs. (11 of 12)
Last week's best
practices focused on the more common criteria that have been noted
in actual IRPs, but some banks have developed other effective
incident response practices. Examples of these additional practices
are listed below. Organizations may want to review these practices
and determine if any would add value to their IRPs given their
operating environments.
Additional IRP Best Practices
1) Test the incident response plan (via walkthrough or tabletop
exercises) to assess thoroughness.
2) Implement notices on login screens for customer information
systems to establish a basis for disciplinary or legal action.
3) Develop an incident grading system that quantifies the severity
of the incident, helps determine if the incident response plan needs
to be activated, and specifies the extent of notification
escalation.
4) Provide periodic staff awareness training on recognizing
potential indicators of unauthorized activity and reporting the
incident through proper channels. Some institutions have established
phone numbers and e-mail distribution lists for reporting possible
incidents.
5) Inform users about the status of any compromised system they may
be using.
6) Establish a list of possible consultants, in case the bank does
not have the expertise to handle or investigate the specific
incident (especially regarding technical compromises).
7) Establish evidence-gathering and handling procedures aimed at
preserving evidence of the incident and aiding in prosecution
activities.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
ENCRYPTION TYPES
Three types of encryption are commonly distinguished: the
cryptographic hash (strictly a keyless one-way function rather than
encryption, but treated alongside it here), symmetric encryption, and
asymmetric encryption.
A cryptographic hash reduces a variable-length input to a
fixed-length output. For a sound hash function it is computationally
infeasible to find two inputs that produce the same output, so the
output serves as a compact fingerprint of the input. Hashes are used
to verify file and message integrity. For instance, if hashes are
obtained from key operating system binaries when the system is first
installed, they can be compared to hashes obtained later to determine
whether any binaries were changed. Hashes are also used to protect
stored passwords from disclosure. A hash, by definition, is one-way:
an attacker who obtains the hash cannot run it backwards through any
algorithm to recover the password. However, the attacker can perform
a dictionary attack, feeding candidate passwords through the same
algorithm and looking for a matching hash, thereby deducing the
password. To protect against that attack, a "salt," or additional
random bits, is added to the password before hashing and stored
alongside the hash. Because each account's salt differs, a table of
precomputed hashes is useless and the attacker must repeat the whole
dictionary for every salt, multiplying the cost of the attack.
Password hashing algorithms built for the purpose (PBKDF2, bcrypt,
scrypt, Argon2) add a configurable work factor on top of the salt so
that each guess is deliberately slow.
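The two hash uses described above, as an added example that is not part of the newsletter or the FFIEC booklet: an install-time integrity baseline of "binaries" compared against later contents, and password storage contrasting a bare SHA-256 (broken by one precomputed table) with a salted, iterated PBKDF2 hash (each guess must be recomputed per salt). The file contents, paths and wordlist are constructed samples; the functions are assumed names, not an existing tool's API.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the contents of key OS binaries at install time.
BASELINE_FILES: Dict[str, bytes] = {
    "/usr/bin/ssh": b"\x7fELF original ssh binary (constructed sample)",
    "/usr/bin/sudo": b"\x7fELF original sudo binary (constructed sample)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a hash of every monitored file: the install-time baseline."""
    return {path: sha256_hex(content) for path, content in files.items()}


def find_modified(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Paths whose current content no longer hashes to the baseline (or are missing)."""
    changed = []
    for path, expected in baseline.items():
        content = current.get(path)
        if content is None or not hmac.compare_digest(expected, sha256_hex(content)):
            changed.append(path)
    return sorted(changed)


# --- Password storage: unsalted fast hash vs. salted, iterated hash ---

def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash of the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(target: str, wordlist: List[str]) -> Optional[str]:
    """One precomputed hash -> word table breaks every unsalted hash with a lookup."""
    table = {unsalted_hash(w): w for w in wordlist}
    return table.get(target)


def salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt defeats precomputation; the iteration
    count (work factor) makes every guess deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_password_record(password: str, iterations: int = 600_000) -> Tuple[bytes, bytes, int]:
    """Fresh random salt per account; 600,000 iterations is the OWASP
    recommendation for PBKDF2-HMAC-SHA256."""
    salt = secrets.token_bytes(16)
    return salt, salted_hash(password, salt, iterations), iterations


def verify_password(password: str, record: Tuple[bytes, bytes, int]) -> bool:
    salt, stored, iterations = record
    return hmac.compare_digest(salted_hash(password, salt, iterations), stored)


def crack_salted(record: Tuple[bytes, bytes, int], wordlist: List[str]) -> Optional[str]:
    """No table helps here: each guess is recomputed with this record's salt and cost."""
    salt, stored, iterations = record
    for w in wordlist:
        if hmac.compare_digest(salted_hash(w, salt, iterations), stored):
            return w
    return None


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FILES)
    tampered = dict(BASELINE_FILES)
    tampered["/usr/bin/ssh"] = b"\x7fELF backdoored ssh binary (constructed sample)"
    print("modified binaries:", find_modified(baseline, tampered))
    wordlist = ["letmein", "password", "Winter2022!", "hunter2"]  # constructed
    print("unsalted crack:", crack_unsalted(unsalted_hash("hunter2"), wordlist))
    record = new_password_record("hunter2")
    print("salted crack, 4 slow guesses:", crack_salted(record, wordlist))
```

The salted scheme still falls to a short wordlist, as the last line shows: the salt removes the shortcut, and the work factor raises the price per guess, but neither rescues a password that is in the attacker's dictionary.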
Symmetric encryption is the use of the same key and algorithm by
the creator and reader of a file or message. The creator uses the
key and algorithm to encrypt, and the reader uses both to decrypt.
Symmetric encryption relies on the secrecy of the key. If the key is
captured by an attacker either when it is exchanged between the
communicating parties, or while one of the parties uses or stores
the key, the attacker can use the key and the algorithm to decrypt
messages, or to masquerade as a message creator.
Asymmetric encryption lessens the risk of key exposure by using
two mathematically related keys, the private key and the public key.
When one key is used to encrypt, only the other key can decrypt.
Therefore, only one key (the private key) must be kept secret. The
key that is exchanged (the public key) poses no risk if it becomes
known. For instance, if individual A has a private key and publishes
the public key, individual B can obtain the public key, encrypt a
message to individual A, and send it. As long as individual A keeps
the private key secure from discovery, only individual A will be
able to decrypt the message. The remaining risk is substitution: B
must be able to confirm that the public key really belongs to A,
since an attacker who can pass off a different public key as A's can
read the messages instead. Certificates and other key-distribution
controls exist to establish that binding.
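The key relationship described above, as an added example that is not part of the newsletter or the FFIEC booklet: textbook RSA with toy primes, showing that what A's public key encrypts only A's private key decrypts, and, in the other direction, that what A's private key signs anyone can verify with A's public key. The prime pairs, the party names and the function names are assumptions for the illustration; the example omits the padding (OAEP, PSS) and key sizes (2048-bit and up) that real deployments require, so it demonstrates the mathematics only.

```python
from math import gcd
from typing import Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Textbook RSA key generation from two distinct primes.
    Returns (public_key, private_key). Toy sizes; not for real use."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: e*d == 1 (mod phi); needs Python 3.8+
    return (n, e), (n, d)


def rsa_apply(key: Key, x: int) -> int:
    """Modular exponentiation with either half of the pair."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("value must be an integer in [0, n)")
    return pow(x, exp, n)


def encrypt(public_key: Key, m: int) -> int:
    return rsa_apply(public_key, m)


def decrypt(private_key: Key, c: int) -> int:
    return rsa_apply(private_key, c)


def sign(private_key: Key, m: int) -> int:
    return rsa_apply(private_key, m)


def verify(public_key: Key, m: int, sig: int) -> bool:
    return rsa_apply(public_key, sig) == m


# Individual A publishes A_PUB and keeps A_PRIV; B is an unrelated second party.
A_PUB, A_PRIV = make_keypair(61, 53)  # n = 3233, e = 17, d = 2753
B_PUB, B_PRIV = make_keypair(71, 67)  # n = 4757

if __name__ == "__main__":
    m = 65  # a constructed message, encoded as an integer below n
    c = encrypt(A_PUB, m)
    print(f"B encrypts {m} under A's public key: ciphertext {c}")
    print("A decrypts with A_PRIV:", decrypt(A_PRIV, c))
    print("B's own private key does not help:", decrypt(B_PRIV, c))
    sig = sign(A_PRIV, m)
    print("signature verifies with A_PUB:", verify(A_PUB, m, sig))
    print("altered message fails verification:", verify(A_PUB, m + 1, sig))
```

With n = 3233 the private exponent is found by brute force in milliseconds, which is the whole point of the toy sizes: the security of the scheme rests entirely on the factoring problem being infeasible at real key lengths, not on the algebra shown here.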