MISCELLANEOUS CYBERSECURITY NEWS:
‘One of the key issues is a lack of experience’: Security teams
struggle amid shift to cloud - Most organizations know that cloud
computing will comprise the majority of their future
business-technology systems. The problem is they’re not quite sure
what that looks like yet.
https://www.scmagazine.com/research-article/cloud-security/companies-struggle-to-manage-security-amid-shift-to-cloud-first-strategy
Managing security for hybrid- and multi-cloud operations a top
concern, IT leaders say - A Cisco study done in tandem with 451
Research found that security at 37% was the top issue among IT
leaders looking to manage their hybrid- and multi-cloud operations.
https://www.scmagazine.com/news/cloud-security/managing-security-for-hybrid-and-multi-cloud-operations-a-top-concern-it-leaders-say
Indian stock markets given ten day deadline to file infosec report,
secure board signoff - Indian IT shops have been handed another
extraordinarily short deadline within which to perform significant
infosec work.
https://www.theregister.com/2022/05/25/sebi_modified_mii_infosec_rules/
FBI warns of education credentials awash on dark web - The FBI
issued an alert to the educational institutions warning that
cybercriminal forums are worryingly full of their network
credentials.
https://www.scmagazine.com/analysis/cybercrime/fbi-warns-of-education-credentials-awash-on-dark-web
Financial sector most likely to address security risks for
incompatible systems - Trying to reduce IT security risk is made
much more difficult when managing systems that do not work well with
each other, an issue faced by a majority of large organizations.
https://www.scmagazine.com/analysis/architecture/financial-sector-most-likely-to-address-security-risks-for-incompatible-systems
Commerce Dept. Issues Rule to Restrict Cyber Hacking Tools - The
Commerce Department’s Bureau of Industry and Security (BIS) has
published a final rule in the Federal Register that tightens export
controls on cybersecurity items, in an effort to prevent foreign
adversaries from obtaining hacking tools.
https://www.meritalk.com/articles/commerce-dept-issues-rule-to-restrict-cyber-hacking-tools/
Cyber experts lay out the path to a national data protection law -
For years, experts have been predicting that Congress would act on
national privacy and data protection law.
https://www.scmagazine.com/analysis/privacy/cyber-experts-lay-out-the-path-to-a-national-data-protection-law
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Verizon: Ransomware sees biggest jump in five years - The
cybersecurity landscape continues to expand and evolve rapidly,
fueled in large part by the cat-and-mouse game between miscreants
trying to get into corporate IT environments and those hired by
enterprises and security vendors to keep them out.
https://www.theregister.com/2022/05/26/verizon-cybersecurity-report-ransomware/
SpiceJet airline passengers stranded after ransomware attack -
Low-cost Indian airline SpiceJet has informed its customers today of
an attempted ransomware attack that has impacted some of its systems
and caused delays on flight departures.
https://www.bleepingcomputer.com/news/security/spicejet-airline-passengers-stranded-after-ransomware-attack/
UK privacy watchdog fines Clearview AI £7.5m and orders UK data to
be deleted - The Information Commissioner's Office (ICO) has fined
controversial facial recognition company Clearview AI £7.5 million
($9.4 million) for breaching UK data protection laws and has issued
an enforcement notice ordering the company to stop obtaining and
using data of UK residents, and to delete the data from its systems.
https://www.zdnet.com/article/uk-privacy-watchdog-fines-clearview-ai-lb7-5m-and-orders-uk-data-to-be-deleted/
GitHub: Attackers stole login details of 100K npm user accounts -
GitHub revealed today that an attacker stole the login details of
roughly 100,000 npm accounts during a mid-April security breach with
the help of stolen OAuth app tokens issued to Heroku and Travis-CI.
https://www.bleepingcomputer.com/news/security/github-attackers-stole-login-details-of-100k-npm-user-accounts/
After Hive cyberattack, Partnership HealthPlan confirms data theft
affecting 855K - Following reports of network downtime after a
cyberattack in March, Partnership HealthPlan of California has since
confirmed the Hive ransomware group stole a trove of health
information ahead of the ransomware deployment. Reports show 854,913
patients were impacted.
https://www.scmagazine.com/analysis/breach/after-hive-cyberattack-partnership-healthplan-confirms-data-theft-affecting-855k
WEB SITE COMPLIANCE -
We conclude the series on the FDIC Supervisory Insights article on
Incident Response Programs. (12 of 12)
What the Future Holds
In addition to meeting regulatory requirements and addressing
applicable industry best practices, several characteristics tend to
differentiate banks. The most successful banks will find a way to
integrate incident response planning into normal operations and
business processes. Assimilation efforts may include expanding
security awareness and training initiatives to reinforce incident
response actions, revising business continuity plans to incorporate
security incident responses, and implementing additional security
monitoring systems and procedures to provide timely incident
notification. Ultimately, the adequacy of a bank's IRP reflects on
the condition of the information security program along with
management's willingness and ability to manage information
technology risks. In essence, incident response planning is a
management process, the comprehensiveness and success of which
provide insight into the quality and attentiveness of management. In
this respect, the condition of a bank's IRP, and the results of
examiner review of the incident response planning process, fit well
within the objectives of the information technology examination as
described in the Information Technology-Risk Management Program.
An IRP is a critical component of a well-formed and effective
information security program and has the potential to provide
tangible value and benefit to a bank. Similar to the importance of a
business continuity planning program as it relates to the threat of
natural and man-made disasters, sound IRPs will be necessary to
combat new and existing data security threats facing the banking
community. Given the high value placed on the confidential customer
information held within the financial services industry, coupled
with the publicized success of known compromises, one can reasonably
assume that criminals will continue to probe an organization's
defenses in search of weak points. The need for response programs is
real and has been recognized as such by not only state and Federal
regulatory agencies (through passage of a variety of legal
requirements), but by the banking industry itself. The challenges
each bank faces are to develop a reasonable IRP providing
protections for the bank and the consumer and to
incorporate the IRP into a comprehensive, enterprise-wide
information security program. The most successful banks will exceed
regulatory requirements to leverage the IRP for business advantages
and, in turn, improved protection for the banking industry as a
whole.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
EXAMPLES OF ENCRYPTION USES
Asymmetric encryption is the basis of PKI, or public key
infrastructure. In theory, PKI allows two parties who do not know
each other to authenticate each other and maintain the
confidentiality, integrity, and accountability for their messages.
PKI rests on both communicating parties having a public and a
private key, and keeping their public keys registered with a third
party they both trust, called the certificate authority, or CA. The
use of and trust in the third party is a key element in the
authentication that takes place. For example, assume individual A
wants to communicate with individual B. A first hashes the message
and encrypts the hash with A's private key; this signed hash is A's
digital signature over the message. Then A obtains B's public key
from the CA (in practice, B's certificate, signed by the CA) and
encrypts the message and the signed hash with B's public key.
Obtaining B's public key from the trusted CA gives A assurance that
the key really belongs to B and not to someone else, and using it
ensures that only B can read the message. When B receives the
message, the process is reversed. B decrypts the message and hash
with B's private key, obtains A's public key from the trusted CA,
and decrypts the hash again using A's public key. At that point, B
has the plain text of the message and the hash computed by A. To
determine whether the message was changed in transit, B re-performs
the hashing of the message and compares the newly computed hash to
the one sent by A. If the two match, B knows that the message has
not changed since the original hash was created (integrity). Since
only A's private key could have produced a hash that decrypts
correctly under A's public key, and B obtained that public key from
the trusted CA, B is assured that the message came from A and not
someone else (authentication).
Various communication protocols use both symmetric and asymmetric
encryption. Transport Layer Security (TLS, the successor to SSL)
uses asymmetric encryption for authentication and key establishment,
and symmetric encryption to protect the remainder of the
communications session. TLS can be used to secure electronic banking
and other transmissions between the institution and the customer.
TLS may also be used to secure e-mail, telnet, and FTP sessions. A
wireless version of TLS is called WTLS, for Wireless Transport Layer
Security.
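The signed-and-sealed exchange between A and B described above, combined with the TLS pattern of using asymmetric encryption only for authentication and key establishment and a symmetric cipher for the bulk of the data, as an added worked example in Go using only the standard library. This is the editor's example, not text or code from the FFIEC booklet. The keys, the sample message and the impostor key "mallory" are constructed for the demo; RSA-PSS stands in for "encrypting the hash with A's private key"; RSA-OAEP wraps a fresh AES-256-GCM session key instead of encrypting the message directly under B's public key; and the certificate-authority lookup is assumed to have already happened, so the public keys are passed in directly.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what A sends to B: the session key wrapped under B's public key,
// and the message plus A's signature sealed under that session key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(B_pub, sessionKey)
	Nonce      []byte // AES-GCM nonce
	Sealed     []byte // AES-GCM(sessionKey, message || signature)
}

// Sign hashes the message and signs the hash with A's private key (RSA-PSS).
func Sign(aPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, aPriv, crypto.SHA256, digest[:], nil)
}

// Verify re-hashes the message and checks the signature with A's public key.
func Verify(aPub *rsa.PublicKey, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(aPub, crypto.SHA256, digest[:], sig, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal signs msg with A's key, then encrypts message and signature so only B can
// read them. As in TLS, the bulk goes under a fresh symmetric key and only that
// key goes under RSA (a 2048-bit OAEP block carries at most 190 bytes anyway).
func Seal(aPriv *rsa.PrivateKey, bPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	sig, err := Sign(aPriv, msg)
	if err != nil { return nil, err }
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil { return nil, err }
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, sessionKey, nil)
	if err != nil { return nil, err }
	payload := append(append([]byte{}, msg...), sig...)
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open is B's side: recover the session key with B's private key, decrypt,
// split off the signature and verify it against A's public key.
func Open(bPriv *rsa.PrivateKey, aPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, bPriv, env.WrappedKey, nil)
	if err != nil { return nil, fmt.Errorf("not addressed to this key: %w", err) }
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	plain, err := gcm.Open(nil, env.Nonce, env.Sealed, nil)
	if err != nil { return nil, fmt.Errorf("ciphertext modified in transit: %w", err) }
	sigLen := aPub.Size() // an RSA signature is as long as the modulus
	if len(plain) < sigLen { return nil, fmt.Errorf("payload too short to carry a signature") }
	msg, sig := plain[:len(plain)-sigLen], plain[len(plain)-sigLen:]
	if err := Verify(aPub, msg, sig); err != nil { return nil, fmt.Errorf("signature check failed (not from A, or altered): %w", err) }
	return msg, nil
}

// Demo runs the exchange with constructed keys and a constructed message and reports
// whether B got it intact, whether an altered message and an impostor's message are rejected.
func Demo() (roundTrip, alteredRejected, forgedRejected bool, err error) {
	aPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // key generation only fails if crypto/rand does
	bPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed impostor key
	msg := []byte("Wire 1,500.00 to account 0042")   // constructed sample message
	env, err := Seal(aPriv, &bPriv.PublicKey, msg)
	if err != nil { return }
	got, err := Open(bPriv, &aPriv.PublicKey, env)
	roundTrip = err == nil && string(got) == string(msg)
	// Integrity: A's signature over the original does not verify once one byte changes.
	sig, _ := Sign(aPriv, msg)
	altered := append([]byte{}, msg...)
	altered[5] ^= 0x01
	alteredRejected = Verify(&aPriv.PublicKey, altered, sig) != nil
	// Authentication: Mallory seals a message for B, but B checks it against A's public key.
	forged, err := Seal(mallory, &bPriv.PublicKey, msg)
	if err != nil { return }
	_, err = Open(bPriv, &aPriv.PublicKey, forged)
	forgedRejected = err != nil
	return roundTrip, alteredRejected, forgedRejected, nil
}

func main() {
	ok, altered, forged, err := Demo()
	fmt.Println("round trip:", ok, "| altered rejected:", altered, "| forged rejected:", forged, "| err:", err)
}
```

Run it with go run; Demo reports true for all three checks. The altered-message check is the hash comparison the booklet describes (integrity); the impostor check is the authentication property: Mallory's envelope decrypts without complaint under B's private key, but the signature does not verify under the public key B trusts as A's.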
Virtual Private Networks (VPNs) are used to provide employees,
contractors, and customers remote access over the Internet to
institution systems. VPN security is provided by authentication and
authorization for the connection and the user, as well as encryption
of the traffic between the institution and the user. While VPNs can
exist between client systems, and between servers, the typical
installation terminates the VPN connection at the institution
firewall. VPNs can use many different protocols for their
communications. Among the popular protocols are PPTP (Point-to-Point
Tunneling Protocol), L2F, L2TP, and IPSec; PPTP's MS-CHAPv2
authentication has since been shown to be breakable and should not
be relied on for new deployments. VPNs can also use
different authentication methods, and different components on the
host systems. Implementations between vendors, and between products,
may differ. Currently, the problems with VPN implementations
generally involve interfacing a VPN with different aspects of the
host systems, and reliance on passwords for authentication.
IPSec is a complex aggregation of protocols that together provide
authentication and confidentiality services to individual IP
packets. It can be used to create a VPN over the Internet or other
untrusted network, or between any two computers on a trusted
network. Since IPSec has many configuration options, and can provide
authentication and encryption using different protocols,
implementations between vendors and products may differ. Secure
Shell is frequently used for remote server administration. SSH
establishes an encrypted tunnel between an SSH client and a server
and authenticates both ends: the server by its host key, and the
user by password or public key.
Disk encryption is typically used to protect data in storage.