MISCELLANEOUS CYBERSECURITY NEWS:
Most organizations that paid a ransom were hit with a second
ransomware attack - Cybereason on Tuesday released a report that
found some 80% of organizations that paid a ransom were hit by
ransomware a second time - and 68% said the second attack came less
than one month later and the threat actors demanded a higher ransom
amount.
https://www.scmagazine.com/news/rsac/most-organizations-that-paid-a-ransom-were-hit-with-a-second-ransomware-attack
A third of organizations hit by ransomware were forced to close
temporarily or permanently - A recent survey reveals many
organizations close either temporarily or permanently after a
ransomware attack. Learn more about how you can protect your
business from ransomware attacks.
https://www.techrepublic.com/article/organizations-hit-by-ransomware-shut-down
Ransomware attack recovery costs top $1.85M in healthcare - It costs
about $1.85 million to recover systems after a ransomware attack in
healthcare, the second highest across all sectors.
https://www.scmagazine.com/analysis/ransomware/ransomware-attack-recovery-costs-top-1-85m-in-healthcare
Banking trojans follow the money to mobile - Just as more financial
account access and payments activity are moving to mobile devices,
so too are greedy scammers shifting their attacks here, especially
mobile financial trojans, according to research released Thursday.
https://www.scmagazine.com/analysis/cybercrime/banking-trojans-follow-the-money-to-mobile
How to get departments resistant to security controls to say ‘what
took you so long?’ - If people are blocking your effort to install a
security control for the business, try changing your approach.
https://www.scmagazine.com/perspective/leadership/how-to-get-departments-resistant-to-security-controls-to-say-what-took-you-so-long
Singapore mandates 'kill switch' for banks as safeguard against
online scams - Singapore banks must provide a self-service kill
switch that enables consumers to suspend their accounts in a
suspected breach and beef up their fraud surveillance systems, as
part of new security measures to safeguard against increasing online
scams.
https://www.zdnet.com/article/singapore-mandates-kill-switch-for-banks-as-safeguard-against-online-scams/
Accountability unclear as cybersecurity for federal dams falls short
- As geopolitical fallout from the Russian invasion of Ukraine
creates new potential risk, cybersecurity officials within the
federal government have publicly fretted about the vulnerability of
U.S. critical infrastructure to retaliatory cyberattacks from Moscow
or ransomware groups.
https://www.scmagazine.com/analysis/critical-infrastructure/accountability-unclear-as-cybersecurity-for-federal-dams-falls-short
What financial firms can learn about IT security from gaming
companies - Despite being constantly under the gun from attackers,
financial institutions on the whole are arguably doing better than
companies in other sectors when it comes to IT security.
https://www.scmagazine.com/analysis/identity-and-access/what-financial-firms-can-learn-about-it-security-from-gaming-companies
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
FBI thwarted cyberattack against Boston Children’s Hospital - FBI
Director Christopher Wray said his agency thwarted a cyberattack
last summer that aimed to disrupt the network of the Boston
Children’s Hospital.
https://thehill.com/policy/cybersecurity/3508249-fbi-thwarted-cyberattack-against-boston-childrens-hospital/
Foxconn confirms ransomware attack disrupted production in Mexico -
Electronics manufacturer Foxconn has confirmed that one of its
Mexico-based production plants was impacted by a ransomware
attack in late May.
https://www.bleepingcomputer.com/news/security/foxconn-confirms-ransomware-attack-disrupted-production-in-mexico/
Italian city of Palermo shuts down all systems to fend off
cyberattack - The municipality of Palermo in Southern Italy suffered
a cyberattack on Friday, which appears to have had a massive impact
on a broad range of operations and services to both citizens and
visiting tourists.
https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/
Data for 2 million patients stolen in largest healthcare breach so
far of 2022 - Two million patients from nearly 60 healthcare
providers were recently informed that their data was stolen after
the hack of a third-party vendor, Shields Health Care Group. Shields
Health provides MRI, PET/CT, and outpatient surgical services for
covered entities.
https://www.scmagazine.com/analysis/breach/data-for-2-million-patients-stolen-in-largest-healthcare-breach-so-far-of-2022
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and
Response Guidance for Web Site Spoofing Incidents (Part 1 of 5)
BACKGROUND
Web-site spoofing is a method of creating fraudulent Web sites
that look similar, if not identical, to an actual site, such as that
of a bank. Customers are typically directed to these spoofed Web
sites through phishing schemes or pharming techniques. Once at the
spoofed Web site, the customers are enticed to enter information
such as their Internet banking username and password, credit card
information, or other information that could enable a criminal to
use the customers' accounts to commit fraud or steal the customers'
identities. Spoofing exposes a bank to strategic, operational, and
reputational risks; jeopardizes the privacy of bank customers; and
exposes banks and their customers to the risk of financial fraud.
PROCEDURES TO ADDRESS SPOOFING
Banks can mitigate the risks of Web-site spoofing by implementing
the identification and response procedures discussed in this
bulletin. A bank also can help minimize the impact of a spoofing
incident by assigning certain bank employees responsibility for
responding to such incidents and training them in the steps
necessary to respond effectively. If a bank's Internet activities
are outsourced, the bank can address spoofing risks by ensuring that
its contracts with its technology service providers stipulate
appropriate procedures for detecting and reporting spoofing
incidents, and that the service provider's process for responding to
such incidents is integrated with the bank's own internal
procedures.
Banks can improve the effectiveness of their response procedures
by establishing contacts with the Federal Bureau of Investigation
(FBI) and local law enforcement authorities in advance of any
spoofing incident. These contacts should involve the appropriate
departments and officials responsible for investigating computer
security incidents. Effective procedures should also include
appropriate time frames to seek law enforcement involvement, taking
note of the nature and type of information and resources that may be
available to the bank, as well as the ability of law enforcement
authorities to act rapidly to protect the bank and its customers.
Additionally, banks can use customer education programs to
mitigate some of the risks associated with spoofing attacks.
Education efforts can include statement stuffers and Web-site alerts
explaining various Internet-related scams, including the use of
fraudulent e-mails and Web-sites in phishing attacks. In addition,
because the attacks can exploit vulnerabilities in Web browsers
and/or operating systems, banks should consider reminding their
customers of the importance of safe computing practices.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
MALICIOUS CODE
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes and
transmitting screenshots to the attacker.
Typically malicious code is mobile, using e-mail, Instant
Messenger, and other peer-to-peer (P2P) applications, or active
content attached to Web pages as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as entering the code in a response
form on a Web page.
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.