FCC pushes ISPs to fix security flaws in Internet routing - The Federal Communications Commission wants to verify that Internet service providers are strengthening their networks against attacks that take advantage of vulnerabilities in Border Gateway Protocol (BGP).
https://arstechnica.com/tech-policy/2024/06/fcc-pushes-isps-to-fix-security-flaws-in-internet-routing/
FCC launches $200 million program to bolster cybersecurity for schools and libraries.
https://therecord.media/fcc-program-for-schools-libraries-cyber-launched
FBI Says It Has 7,000 LockBit Ransomware Decryption Keys - At the 2024 Boston Conference on Cyber Security, Bryan Vorndran, assistant director of the FBI's Cyber Division, said the agency can help victims recover data encrypted by the LockBit ransomware.
https://www.securityweek.com/fbi-says-it-has-7000-lockbit-ransomware-decryption-keys/
FCC approves $200M for cybersecurity in schools - The U.S. Federal Communications Commission approved a $200 million program to improve cybersecurity in schools and libraries.
https://www.scmagazine.com/news/fcc-approves-200m-for-cybersecurity-in-schools
Cyberattacks are good for security vendors, and business is booming - More secure technology could stem the tide of cyberattacks, but digital threats are ever present.
https://www.cybersecuritydive.com/news/attacks-fuel-cyber-business/716782/
Multifactor authentication is not all it's cracked up to be - Text message and email-based authentication aren't just the weakest variants of MFA. Cybersecurity professionals say they are broken.
https://www.cybersecuritydive.com/news/multifactor-authentication-weaknesses/633399/
Microsoft, Google pledge 'low cost' cybersecurity services to rural hospitals - Rural hospitals will gain access to cybersecurity services at reduced prices thanks to a new initiative led by Microsoft, Google and the White House.
https://therecord.media/microsoft-google-rural-hospital-cybersecurity
What cybersecurity can learn from the automotive industry - Henry Ford was on to something with the Ford Motor Company. He wanted to democratize vehicle ownership and enable the masses to afford transportation.
https://www.scmagazine.com/perspective/what-cybersecurity-can-learn-from-the-automotive-industry
GAO - Urgent Action Needed to Address Critical Cybersecurity Challenges Facing the Nation.
https://www.gao.gov/products/gao-24-107231
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
London Hospitals Cancel Operations and Appointments After Being Hit in Ransomware Attack - Several London hospitals said Tuesday that they had to cancel operations and send patients away because of a cyberattack on a company that supplies pathology laboratory services.
https://www.securityweek.com/london-hospitals-cancel-operations-and-appointments-after-being-hit-in-ransomware-attack/
Live Nation confirms jumbo breach, Ticketmaster customer data exposed - The live concert and entertainment giant disclosed the compromise days after reports began surfacing of a data breach. The company said it detected the intrusion on May 20.
https://www.cybersecuritydive.com/news/live-nation-ticketmaster-cyberattack/717787/
London hospitals face blood shortage after Synnovis ransomware attack - Negative blood donors to book appointments and donate after last week's cyberattack on pathology provider Synnovis impacted multiple hospitals in London.
https://www.bleepingcomputer.com/news/security/london-hospitals-face-blood-shortage-after-synnovis-ransomware-attack/
Two cuffed over suspected smishing campaign using 'text message blaster' - Thousands of dodgy SMSes bypassed network filters in UK-first case, it is claimed - British police have arrested two individuals following an investigation into an SMS-based phishing campaign using some kind of homebrew hardware.
https://www.theregister.com/2024/06/10/two_arrested_uk_smishing/
New York Times Internal Data Nabbed From GitHub - The tranche of data, lifted from underprotected GitHub repositories, reportedly includes source code, though the country's paper of record has not yet confirmed the nature of the data accessed.
https://www.darkreading.com/cloud-security/new-york-times-internal-data-nabbed-from-github
LastPass says 12-hour outage caused by bad Chrome extension update - LastPass says its almost 12-hour outage yesterday was caused by a bad update to its Google Chrome extension.
https://www.bleepingcomputer.com/news/security/lastpass-says-12-hour-outage-caused-by-bad-chrome-extension-update/
Cyber incident forces Cleveland to shut down city hall - Cleveland shut its city hall Monday as officials investigate a cyber incident affecting some systems.
https://therecord.media/cyber-incident-cleveland-city-hall-shutdown
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Sound Authorization Practices for E-Banking Applications
1. Specific authorization and access privileges should
be assigned to all individuals, agents or systems, which
conduct e-banking activities.
2. All e-banking systems should be constructed to ensure
that they interact with a valid authorization database.
3. No individual agent or system should have the authority
to change his or her own authority or access privileges in
an e-banking authorization database.
4. Any addition of an individual, agent or system or
changes to access privileges in an e-banking authorization
database should be duly authorized by an authenticated
source empowered with the adequate authority and subject to
suitable and timely oversight and audit trails.
5. Appropriate measures should be in place in order to
make e-banking authorization databases reasonably resistant
to tampering. Any such tampering should be detectable
through ongoing monitoring processes. Sufficient audit
trails should exist to document any such tampering.
6. Any e-banking authorization database that has been
tampered with should not be used until replaced with a
validated database.
7. Controls should be in place to prevent changes to
authorization levels during e-banking transaction sessions
and any attempts to alter authorization should be logged and
brought to the attention of management.
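The seven practices above, worked into a small tamper-evident authorization store. This is an added illustration, not code from the Basel paper or any bank: the role names, the placeholder integrity key and the in-memory storage are all assumptions made so it runs offline.

```python
import hashlib
import hmac
import json

# Constructed example (not from the Basel Committee paper): a small
# tamper-evident e-banking authorization database. The integrity key is a
# placeholder; in production it would live in an HSM or secrets manager.
INTEGRITY_KEY = b"placeholder-integrity-key"
LEVELS = {"teller": 1, "supervisor": 2, "admin": 3}


class AuthorizationError(Exception):
    pass


def _seal(entries):
    # HMAC over the canonical serialisation makes tampering detectable.
    blob = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, blob, hashlib.sha256).hexdigest()


class AuthorizationDB:
    def __init__(self, entries):
        self.entries = dict(entries)      # principal -> role
        self.seal = _seal(self.entries)   # integrity tag (practice 5)
        self.audit = []                   # audit trail (practices 4, 5, 7)
        self.in_session = set()           # principals with open transaction sessions

    def is_valid(self):
        # Practice 6: a tampered database must not be used.
        return hmac.compare_digest(self.seal, _seal(self.entries))

    def set_role(self, actor, target, role):
        if not self.is_valid():
            raise AuthorizationError("authorization database failed integrity check")
        if actor == target:  # practice 3: no self-modification
            self._log(actor, target, role, "DENIED self-modification")
            raise AuthorizationError("self-modification is not permitted")
        if LEVELS.get(self.entries.get(actor), 0) < LEVELS["admin"]:
            self._log(actor, target, role, "DENIED insufficient authority")  # practice 4
            raise AuthorizationError("actor lacks authority")
        if target in self.in_session:  # practice 7: no change mid-session
            self._log(actor, target, role, "DENIED target in active session")
            raise AuthorizationError("target has an active transaction session")
        self.entries[target] = role
        self.seal = _seal(self.entries)  # re-seal after an authorized change
        self._log(actor, target, role, "APPLIED")

    def _log(self, actor, target, role, outcome):
        self.audit.append({"actor": actor, "target": target, "role": role, "outcome": outcome})
```

Every denied attempt is written to the audit trail before the error is raised, so the log records what was tried and by whom, not only what succeeded.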
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Network Configuration
Computer networks often extend connectivity far beyond
the financial institution and its data center. Networks
provide system access and connectivity between business
units, affiliates, TSPs, business partners, customers, and
the public. This increased connectivity requires additional
controls to segregate and restrict access between various
groups and information users.
A typical approach to securing a large network involves
dividing the network into logical security domains. A
logical security domain is a distinct part of a network with
security policies that differ from other domains. The
differences may be far broader than network controls,
encompassing personnel, host, and other issues.
Typical network controls that distinguish security
domains include access control software permissions,
dedicated lines, filtering routers, firewalls, remote-access
servers, and virtual private networks. This booklet will
discuss additional access controls within the applications
and operating systems residing on the network in other
sections. Before selecting the appropriate controls,
financial institutions should map and configure the network
to identify and control all access control points. Network
configuration considerations could include the following
actions:
- Identifying the various applications and user-groups
accessed via the network;
- Identifying all access points to the network including
various telecommunications channels (e.g., wireless,
Ethernet, frame relay, dedicated lines, remote dial-up
access, extranets, Internet);
- Mapping the internal and external connectivity between
various network segments;
- Defining minimum access requirements for network
services (i.e., most often referenced as a network services
access policy); and
- Determining the most appropriate network configuration
to ensure adequate security and performance.
With a clear understanding of network connectivity, the
financial institution can avoid introducing security
vulnerabilities by minimizing access to less-trusted
domains and employing encryption for less secure
connections. Institutions can then determine the most
effective deployment of protocols, filtering routers,
firewalls, gateways, proxy servers, and/or physical
isolation to restrict access. Some applications and business
processes may require complete segregation from the
corporate network (e.g., no connectivity between corporate
network and wire transfer system). Others may restrict
access by placing the services that must be accessed by each
zone in their own security domain, commonly called a
"demilitarized zone" (DMZ).
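The configuration steps above (map the security domains, write a network services access policy, then check connectivity against it) as an added example; this is illustration code, not anything from the FFIEC booklet. The domain names, services and sample flows are invented, and the policy is default-deny with the wire transfer system fully segregated, as the booklet's example suggests.

```python
from dataclasses import dataclass

# Constructed example (not from the FFIEC booklet): security domains, a
# default-deny network services access policy, and a check of observed flows
# against it. Domain names, services and sample flows are invented.
DOMAINS = {"internet", "dmz", "corporate", "wire_transfer"}

# Allowed (source domain, destination domain, service) tuples. Anything not
# listed is denied. "wire_transfer" appears in no rule: it is completely
# segregated from the corporate network, as the booklet's example suggests.
POLICY = {
    ("internet", "dmz", "https"),
    ("dmz", "corporate", "app-api"),
    ("corporate", "dmz", "https"),
    ("corporate", "internet", "https"),
}


@dataclass(frozen=True)
class Flow:
    src_domain: str
    dst_domain: str
    service: str


def evaluate(flow):
    # Returns ALLOW, DENY, or UNMAPPED (an access point missing from the map).
    if flow.src_domain not in DOMAINS or flow.dst_domain not in DOMAINS:
        return "UNMAPPED"
    if flow.src_domain == flow.dst_domain:
        return "ALLOW"
    if (flow.src_domain, flow.dst_domain, flow.service) in POLICY:
        return "ALLOW"
    return "DENY"


def audit_flows(flows):
    # Flows that violate the policy or cross an unmapped domain, for review.
    violations = []
    for flow in flows:
        verdict = evaluate(flow)
        if verdict != "ALLOW":
            violations.append((flow, verdict))
    return violations


# Constructed sample of observed flows, e.g. summarised from firewall logs.
SAMPLE_FLOWS = [
    Flow("internet", "dmz", "https"),
    Flow("internet", "corporate", "smb"),
    Flow("corporate", "wire_transfer", "ssh"),
    Flow("vendor_vpn", "corporate", "rdp"),
]
```

An UNMAPPED verdict is as important as a DENY: it means a connection exists through an access point the network map never recorded, which is exactly the gap the mapping step is meant to close.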
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 9 - Assurance
9.4.1 Audit Methods and Tools
An audit conducted to support operational assurance
examines whether the system is meeting stated or implied
security requirements including system and organization
policies. Some audits also examine whether security
requirements are appropriate, but this is outside the scope
of operational assurance. Less formal audits are often
called security reviews.
Audits can be self-administered or independent (either
internal or external). Both types can provide excellent
information about technical, procedural, managerial, or
other aspects of security. The essential difference between
a self-audit and an independent audit is objectivity.
Reviews done by system management staff, often called
self-audits/assessments, have an inherent conflict of
interest. The system management staff may have little
incentive to say that the computer system was poorly
designed or is sloppily operated. On the other hand, they
may be motivated by a strong desire to improve the security
of the system. In addition, they are knowledgeable about the
system and may be able to find hidden problems.
The independent auditor, by contrast, should have no
professional stake in the system. Independent audit may be
performed by a professional audit staff in accordance with
generally accepted auditing standards.
There are many methods and tools, some of which are
described here, that can be used to audit a system. Several
of them overlap.
A person who performs an independent audit should be free
from personal and external constraints, which may impair
their independence and should be organizationally
independent.
9.4.1.1 Automated Tools
Even for small multiuser computer systems, it is a big job
to manually review security features. Automated tools make
it feasible to review even large computer systems for a
variety of security flaws.
There are two types of automated tools: (1) active tools,
which find vulnerabilities by trying to exploit them, and
(2) passive tests, which only examine the system and infer
the existence of problems from the state of the system.
Automated tools can be used to help find a variety of
threats and vulnerabilities, such as improper access
controls or access control configurations, weak passwords,
lack of integrity of the system software, or not using all
relevant software updates and patches. These tools are often
very successful at finding vulnerabilities and are sometimes
used by hackers to break into systems. Not taking advantage
of these tools puts system administrators at a disadvantage.
Many of the tools are simple to use; however, some programs
(such as access-control auditing tools for large mainframe
systems) require specialized skill to use and interpret.
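A passive tool in the handbook's sense, as an added example rather than code from NIST or any real product: it only examines a snapshot of system state and infers the four kinds of problem the paragraph lists (integrity of system software, access control configuration, missing patches, weak passwords). The baseline hashes, package versions, common-password list and the snapshot itself are constructed sample data.

```python
import hashlib
import stat

# Constructed example (not from the NIST Handbook): a passive audit check
# that only examines a snapshot of system state and infers problems from
# it; it never attempts to exploit anything. Baseline, package versions,
# password list and the snapshot are all invented sample data.
KNOWN_GOOD = {"/usr/sbin/sshd": hashlib.sha256(b"sshd-v1").hexdigest()}
MIN_PATCHED = {"openssl": "3.0.7", "sudo": "1.9.5"}
SENSITIVE_FILES = {"/etc/shadow"}
COMMON_PASSWORDS = {"password", "123456", "letmein"}

SNAPSHOT = {
    "files": {
        "/usr/sbin/sshd": {"mode": 0o755, "content": b"sshd-v1-modified"},
        "/etc/shadow": {"mode": 0o644, "content": b"alice:...\nbob:...\n"},
    },
    "packages": {"openssl": "3.0.1", "sudo": "1.9.5"},
    # Unsalted SHA-256 keeps the example self-contained; real systems use
    # salted password hashes and the check would be done against those.
    "password_hashes": {
        "alice": hashlib.sha256(b"letmein").hexdigest(),
        "bob": hashlib.sha256(b"correct horse battery staple").hexdigest(),
    },
}


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def audit(snapshot):
    findings = []
    for path, meta in snapshot["files"].items():
        # Lack of integrity of system software: content differs from baseline.
        if path in KNOWN_GOOD and hashlib.sha256(meta["content"]).hexdigest() != KNOWN_GOOD[path]:
            findings.append(("integrity", path))
        # Improper access control configuration: sensitive file readable/writable by others.
        if path in SENSITIVE_FILES and meta["mode"] & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(("access-control", path))
    # Missing relevant updates and patches.
    for pkg, ver in snapshot["packages"].items():
        if pkg in MIN_PATCHED and version_tuple(ver) < version_tuple(MIN_PATCHED[pkg]):
            findings.append(("missing-patch", pkg))
    # Weak passwords: stored hash matches an entry in a common-password list.
    weak = {hashlib.sha256(p.encode()).hexdigest() for p in COMMON_PASSWORDS}
    for user, digest in snapshot["password_hashes"].items():
        if digest in weak:
            findings.append(("weak-password", user))
    return findings
```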