MISCELLANEOUS CYBERSECURITY NEWS:
Bridgestone CISO: Lessons From Ransomware Attack Include Acting, Not
Thinking - As a CISO that helped his company navigate through the
aftermath of a crippling ransomware attack last year, Bridgestone
Americas' Tom Corridon says his biggest advice for other
organizations is to designate key decision-makers for handling such
crises before they happen.
https://www.darkreading.com/ics-ot/bridgestone-ciso-lessons-ransomware-attack-acting-thinking
Practicefirst pays New York $550K after patching failure leads to
2020 breach - Practicefirst Medical Management Solutions and PBS
Medcode will pay the state of New York $550,000 after failing to
apply a patch for a known vulnerability in a timely manner, leading
to a massive data breach impacting over 1.2 million individuals,
428,000 of whom reside in New York.
https://www.scmagazine.com/news/compliance/practicefirst-pays-new-york-550k-after-patching-failure-leads-to-2020-breach
CISO Criminalization, Vague Cyber Disclosure Rules Create Angst for
Security Teams - Getting cybersecurity incident disclosure right can
mean the difference between prison and freedom. But the rules remain
woefully vague.
https://www.darkreading.com/operations/criminalization-of-cisos-creating-angst-among-cyber-teams
Software liability: The hard truths of holding manufacturers
responsible - For years, companies have been victimized by hackers
exploiting vulnerabilities left by software makers who prioritize
development speed, convenience and interoperability over security,
while disavowing culpability through licensing and terms-of-service
contracts.
https://www.scmagazine.com/analysis/compliance/software-liability-the-hard-truths-of-holding-manufacturers-responsible
Cyber insurance more popular than ever despite rising costs,
ransomware threat - Despite a perception that insurers are blanching
at the costs from covering cyberattacks and shying away from
offering new policies, new research and insurance executives
indicate that cyber-specific insurance has never been more popular.
https://www.scmagazine.com/analysis/ransomware/cyber-insurance-more-popular-than-ever-despite-rising-costs-ransomware-threat
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Apria Healthcare says potentially 2M people caught up in IT security
breach - Personal and financial data describing almost 1.9 million
Apria Healthcare patients and employees may have been accessed by
crooks who breached the company's networks over a series of months
in 2019 and 2021.
https://www.theregister.com/2023/05/23/apria_healthcare_breach/
Arms maker Rheinmetall confirms BlackBasta ransomware attack -
German automotive and arms manufacturer Rheinmetall AG confirms that
it suffered a BlackBasta ransomware attack that impacted its
civilian business.
https://www.bleepingcomputer.com/news/security/arms-maker-rheinmetall-confirms-blackbasta-ransomware-attack/
OneMain pays $4.5M after ignored security flaws caused data breaches
- OneMain Financial experienced at least three lengthy cybersecurity
events between 2018 and 2020 brought on by a host of security
program and access control failures that made it “more vulnerable to
instances of unauthorized access,” according to the audit findings
from the New York Department of Financial Services.
https://www.scmagazine.com/news/identity-and-access/onemain-pays-4-5m-after-ignored-security-flaws-caused-data-breaches
ABB confirms data stolen in Black Basta ransomware attack - Global
industrial automation company ABB has confirmed it had data stolen
in an attack attributed to the Black Basta ransomware group.
https://www.scmagazine.com/news/ransomware/abb-basta-ransomware-attack
Cyberattack on Norton Health spurs long waits, prescription and lab
delays - The FBI is actively working with Norton Healthcare to
determine the scope of an ongoing cyberattack, as the Louisville,
Kentucky, health network works to recover a number of patient care
systems.
https://www.scmagazine.com/news/privacy/cyberattack-on-norton-health-spurs-long-waits-prescription-and-lab-delays
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is
covered by Regulation E when the transaction accesses a consumer's
account (such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
computer).
Financial institutions must provide disclosures that are clear
and readily understandable, in writing, and in a form the consumer
may keep. An interim rule issued on March 20, 1998 allows
depository institutions to deliver any of these disclosures and
other information required by the act and regulations by electronic
communication, as long as the consumer agrees to that method of
delivery.
Financial institutions must ensure that consumers who sign up for
a new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, the OSC provides that, because the
term "electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal
receipt when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
facsimile machine.
FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated with
the Internet."
SECURITY MEASURES
Encryption
Encryption, or cryptography, is a method of converting
information to an unintelligible code. The process can then be
reversed, returning the information to an understandable form. The
information is encrypted (encoded) and decrypted (decoded) by what
are commonly referred to as "cryptographic keys." These "keys" are
actually values, used by a mathematical algorithm to transform the
data. The effectiveness of encryption technology is determined by
the strength of the algorithm, the length of the key, and the
appropriateness of the encryption system selected.
Because encryption renders information unreadable to any party
without the ability to decrypt it, the information remains private
and confidential, whether being transmitted or stored on a system.
Unauthorized parties will see nothing but an unorganized assembly of
characters. Furthermore, encryption technology can provide
assurance of data integrity as some algorithms offer protection
against forgery and tampering. The ability of the technology to
protect the information requires that the encryption and decryption
keys be properly managed by authorized parties.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 4.7 Malicious Code
Malicious code refers to viruses, worms, Trojan horses, logic
bombs, and other "uninvited" software. Sometimes mistakenly
associated only with personal computers, malicious code can attack
other platforms.
A 1993 study of viruses found that while the number of known
viruses is increasing exponentially, the number of virus incidents
is not. The study concluded that viruses are becoming more
prevalent, but only "gradually."
The rate of PC-DOS virus incidents in medium to large North
American businesses appears to be approximately 1 per 1,000 PCs per
quarter; the number of infected machines is perhaps 3 or 4 times
this figure if we assume that most such businesses are at least
weakly protected against viruses.
Actual costs attributed to the presence of malicious code have
resulted primarily from system outages and staff time involved in
repairing the systems. Nonetheless, these costs can be significant.
Malicious Software: A Few Key Terms
1) Virus: A code segment that replicates by attaching copies
of itself to existing executables. The new copy of the virus is
executed when a user executes the new host program. The virus may
include an additional "payload" that triggers when specific
conditions are met. For example, some viruses display a text string
on a particular date. There are many types of viruses, including
variants, overwriting, resident, stealth, and polymorphic.
2) Trojan Horse: A program that performs a desired task, but
that also includes unexpected (and undesirable) functions. Consider
as an example an editing program for a multi-user system. This
program could be modified to randomly delete one of the users' files
each time they perform a useful function (editing), but the
deletions are unexpected and definitely undesired!
3) Worm: A self-replicating program that is self-contained
and does not require a host program. The program creates a copy of
itself and causes it to execute; no user intervention is required.
Worms commonly use network services to propagate to other host
systems.
4.8 Foreign Government Espionage
In some instances, threats posed by foreign government intelligence
services may be present. In addition to possible economic espionage,
foreign intelligence services may target unclassified systems to
further their intelligence missions. Some unclassified information
that may be of interest includes travel plans of senior officials,
civil defense and emergency preparedness, manufacturing
technologies, satellite data, personnel and payroll data, and law
enforcement, investigative, and security files. Guidance should be
sought from the cognizant security office regarding such threats.