SEC requires financial firms to disclose data breaches
within 30 days - The regulatory agency’s rule change comes
less than a year after it required publicly traded companies
to disclose material security incidents within four business
days.
https://www.cybersecuritydive.com/news/sec-financial-firms-data-breach-rule/716591/
‘Shadow AI’ on the rise; sensitive data input by workers up
156% - AI use in the workplace is growing exponentially, and
workers are inputting sensitive data into chatbots like
ChatGPT and Gemini more than twice as often as they did last
year, a new report by Cyberhaven revealed.
https://www.scmagazine.com/news/shadow-ai-on-the-rise-sensitive-data-input-by-workers-up-156
Why email attacks still loom as a major threat to critical
infrastructure sectors - While every organization across
every vertical faces the risk of experiencing a cyberattack,
certain industries are particularly susceptible to being
targeted by threat actors - especially those in critical
infrastructure sectors.
https://www.scmagazine.com/perspective/why-email-attacks-still-loom-as-a-major-threat-to-critical-infrastructure-sectors
SEC fines NYSE’s parent $10M for failing to report
cyberattack - The settlement sheds light on the costs of
cyberattacks that can include penalties for non-compliance
with timely disclosure requirements after the events occur.
https://www.cybersecuritydive.com/news/sec-nyses-owner-10m-cyberattack/716962/
HHS agency launches program to automate cybersecurity at
hospitals - The program will invest more than $50 million to
create a software suite that can automatically find
potential vulnerabilities that hackers could exploit and
deploy fixes.
https://www.cybersecuritydive.com/news/healthcare-cybersecurity-upgrade-program/716918/
Enterprises are embracing AI. But can they secure it? - AI
offers an amazing opportunity to create new capabilities,
richer experiences, and unprecedented economic
opportunities.
https://www.cybersecuritydive.com/spons/enterprises-are-embracing-ai-but-can-they-secure-it/716362/
Go after UnitedHealth, not us, 100+ medical groups urge
Uncle Sam - More than 100 medical industry groups have asked
the Feds to make UnitedHealth Group, not them, go through
the rigmarole of notifying everyone about the Change
Healthcare ransomware infection.
https://www.theregister.com/2024/05/22/change_healthcare_hippa/
There are no bad machines - only ones that behave badly
because of human error - There’s no such thing as a bad
machine, only bad machine behavior. Like when they give up
digital secrets that lead to catastrophic data breaches.
https://www.scmagazine.com/perspective/there-are-no-bad-machines-only-machines-that-behave-badly-because-of-human-error
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
London Drugs waiting on LockBit’s next move after ransomware
attack - As of the afternoon of May 23, the situation with
Canada-based London Drugs remained unclear as LockBit
reportedly posted on its dark web site that it would start
releasing stolen data if a $25 million ransom was not paid
by Thursday.
https://www.scmagazine.com/news/london-drugs-waiting-on-lockbits-next-move-after-ransomware-attack
Rockwell Automation Urges Customers to Disconnect ICS From
Internet - The industrial automation giant has told
customers to take ‘immediate’ action and check whether any
devices that are not specifically designed for public
connectivity are exposed to the web.
https://www.securityweek.com/rockwell-automation-urges-customers-to-disconnect-ics-from-internet/
400,000 Impacted by CentroMed Data Breach - San
Antonio-based healthcare provider El Centro Del Barrio
(which operates as CentroMed) is informing 400,000 patients
that their personal and protected health information was
compromised in a recent cyberattack.
https://www.securityweek.com/400000-impacted-by-centromed-data-breach/
RansomHub threatens to leak data of Christie’s auction house
clients - The ransomware group RansomHub claimed
responsibility for conducting a cyberattack on the British
auction house Christie’s earlier this month.
https://www.scmagazine.com/news/ransomhub-threatens-to-leak-data-of-christies-auction-house-clients
First American says personal data of 44K breached in
December cyberattack - First American Financial said about
44,000 people had their personal information breached in a
December cyberattack, according to a Tuesday filing with the
Securities and Exchange Commission.
https://www.cybersecuritydive.com/news/first-american-44k-breached-cyberattack/717377/
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Sound Practices for Managing Outsourced E-Banking Systems and
Services (Part 2 of 3)
3. Banks should adopt appropriate procedures for ensuring the
adequacy of contracts governing e-banking. Contracts governing
outsourced e-banking activities should address, for example,
the following:
a) The contractual liabilities of the respective parties as
well as responsibilities for making decisions, including any
sub-contracting of material services, are clearly defined.
b) Responsibilities for providing information to and
receiving information from the service provider are clearly
defined. Information from the service provider should be
timely and comprehensive enough to allow the bank to
adequately assess service levels and risks. Materiality
thresholds and procedures to be used to notify the bank of
service disruptions, security breaches and other events that
pose a material risk to the bank should be spelled out.
c) Provisions that specifically address insurance coverage,
the ownership of the data stored on the service provider's
servers or databases, and the right of the bank to recover
its data upon expiration or termination of the contract
should be clearly defined.
d) Performance expectations, under both normal and
contingency circumstances, are defined.
e) Adequate means and guarantees, for instance through audit
clauses, are defined to ensure that the service provider
complies with the bank's policies.
f) Provisions are in place for timely and orderly
intervention and rectification in the event of substandard
performance by the service provider.
g) For cross-border outsourcing arrangements, determining
which country laws and regulations, including those relating
to privacy and other customer protections, are applicable.
h) The right of the bank to conduct independent reviews
and/or audits of security, internal controls and business
continuity and contingency plans is explicitly defined.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses, Attacks, and
Offsetting Controls (Part 2 of 2)
Social engineering involves an attacker obtaining
authenticators by simply asking for them. For instance, the
attacker may masquerade as a legitimate user who needs a
password reset, or a contractor who must have immediate
access to correct a system performance problem. By using
persuasion, being aggressive, or using other interpersonal
skills, the attackers encourage a legitimate user or other
authorized person to give them authentication credentials.
Controls against these attacks involve strong identification
policies and employee training.
Client attacks are an area of vulnerability common to all
authentication mechanisms. Passwords, for instance, can be
captured by hardware- or software-based keystroke capture
mechanisms. PKI private keys could be captured or
reverse-engineered from their tokens. Protection against
these attacks primarily consists of physically securing the
client systems and, if a shared secret is used, changing the
secret on a frequency commensurate with risk. While
physically securing the client system is possible within
areas under the financial institution's control, client
systems outside the institution may not be similarly
protected.
Replay attacks occur when an attacker eavesdrops and records
the authentication as it is communicated between a client and
the financial institution system, then later uses that
recording to establish a new session with the system and
masquerade as the true user. Protections against replay
attacks include changing cryptographic keys for each session,
using dynamic passwords, expiring sessions through the use of
time stamps, expiring PKI certificates based on dates or
number of uses, and implementing liveness tests for biometric
systems.
Hijacking is an attacker's use of an authenticated user's
session to communicate with system components. Controls
against hijacking include encryption of the user's session
and the use of encrypted cookies or other devices to
authenticate each communication between the client and the
server.
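The replay and hijacking controls above, as an added illustration that is not part of the FFIEC booklet: every client message carries a fresh nonce and a timestamp, both bound to the body by an HMAC under a per-session key (assumed already shared by client and server), and the server keeps a short nonce cache. The key, the 30-second window and the message layout are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

MAX_SKEW = 30  # seconds; timestamps outside this window are treated as expired


def _tag(key, nonce, ts, body):
    """HMAC over nonce, timestamp and body, keyed with the session key."""
    msg = b"|".join([nonce.encode(), str(ts).encode(), body])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_request(key, body, now=time.time):
    """Client side: each message carries a fresh random nonce, the current
    time, and a MAC that binds nonce, time and body to the session key."""
    nonce = os.urandom(16).hex()
    ts = int(now())
    return {"nonce": nonce, "ts": ts, "body": body,
            "mac": _tag(key, nonce, ts, body)}


class ReplayGuard:
    """Server side: accept each request at most once. The MAC rejects
    forged or tampered messages (a hijacker without the session key cannot
    produce one), the timestamp window rejects old recordings, and the nonce
    cache rejects a recording replayed inside the window."""

    def __init__(self, key, max_skew=MAX_SKEW, now=time.time):
        self.key = key
        self.max_skew = max_skew
        self.now = now  # injectable clock so the window can be tested
        self.seen = {}  # nonce -> timestamp it was accepted with

    def accept(self, req):
        cutoff = self.now() - self.max_skew
        # Drop nonces the timestamp check would reject anyway, so the cache
        # stays bounded to one window's worth of requests.
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        expected = _tag(self.key, req["nonce"], req["ts"], req["body"])
        if not hmac.compare_digest(req["mac"], expected):
            return "reject: bad mac"
        if abs(self.now() - req["ts"]) > self.max_skew:
            return "reject: stale timestamp"
        if req["nonce"] in self.seen:
            return "reject: replayed nonce"
        self.seen[req["nonce"]] = req["ts"]
        return "accept"
```

The nonce cache is what makes the timestamp window safe: without it, a recording could be replayed any number of times for 30 seconds, and without the window the cache would grow without bound.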
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 9 - Assurance
9.3.9 Self-Certification
A vendor's, integrator's, or system developer's
self-certification does not rely on an impartial or
independent agent to perform a technical evaluation of a
system to see how well it meets a stated security
requirement. Even though it is not impartial, it can still
provide assurance. The self-certifier's reputation is on the
line, and a resulting certification report can be read to
determine whether the security requirement was defined and
whether a meaningful review was performed.
A hybrid certification is possible where the work is
performed under the auspices or review of an independent
organization by having that organization analyze the
resulting report, perform spot checks, or perform other
oversight. This method may be able to combine the lower cost
and greater speed of a self-certification with the
impartiality of an independent review. The review, however,
may not be as thorough as independent evaluation or testing.
9.3.10 Warranties, Integrity Statements, and Liabilities
Warranties are another source of assurance. If a
manufacturer, producer, system developer, or integrator is
willing to correct errors within certain time frames or by
the next release, this should give the system manager a
sense of commitment to the product and of the product's
quality. An integrity statement is a formal declaration or
certification of the product. It can be backed up by a
promise to (a) fix the item (warranty) or (b) pay for losses
(liability) if the product does not conform to the integrity
statement.
9.3.11 Manufacturer's Published Assertions
A manufacturer's or developer's published assertion or
formal declaration provides a limited amount of assurance
based exclusively on reputation.
9.3.12 Distribution Assurance
It is often important to know that software has arrived
unmodified, especially if it is distributed electronically.
In such cases, checkbits or digital signatures can provide
high assurance that code has not been modified. Anti-virus
software can be used to check software that comes from
sources with unknown reliability (such as a bulletin board).
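The "checkbits" half of distribution assurance, as an added example that is not from the NIST Handbook: a sha256sum-style manifest built by the publisher and checked by the recipient, reporting modified, missing and unlisted files. File names and contents are constructed for the example.

```python
import hashlib
import hmac


def build_manifest(files):
    """Publisher side: one 'sha256  <digest>  <name>' line per file,
    in the sha256sum style. `files` maps file name to its bytes."""
    lines = [f"sha256  {hashlib.sha256(data).hexdigest()}  {name}"
             for name, data in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Recipient side: map file name -> expected hex digest, rejecting
    malformed lines rather than silently skipping them."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "sha256" or len(parts[1]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        entries[parts[2]] = parts[1].lower()
    return entries


def verify_manifest(text, received):
    """Compare received files against the manifest. Returns name -> status:
    'ok', 'MODIFIED' (digest mismatch), 'MISSING' (listed but not received)
    or 'UNLISTED' (received but not covered by the manifest)."""
    expected = parse_manifest(text)
    report = {}
    for name, digest in expected.items():
        if name not in received:
            report[name] = "MISSING"
            continue
        actual = hashlib.sha256(received[name]).hexdigest()
        # compare_digest avoids leaking the mismatch position through timing.
        report[name] = "ok" if hmac.compare_digest(actual, digest) else "MODIFIED"
    for name in received:
        if name not in expected:
            report[name] = "UNLISTED"
    return report
```

A bare manifest only detects accidental or in-transit corruption; whoever can replace the file can usually replace the manifest too, which is why the Handbook pairs checkbits with digital signatures and why the manifest must arrive over a trusted channel or be signed.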