MISCELLANEOUS CYBERSECURITY NEWS:
FTC to take aim at health apps with updated breach notification
rules - The Federal Trade Commission is proposing to amend its
Health Breach Notification Rule requiring vendors of personal health
records to report data breaches to include developers of health
applications.
https://www.scmagazine.com/news/privacy/ftc-health-apps-breach-notification
CISA Releases Guidance For Securing Remote Access Software - CISA
issued a guidance document to help organizations balance the
functionality of remote access software with potential cyber risks.
https://healthitsecurity.com/news/cisa-releases-guidance-for-securing-remote-access-software
https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_508c.pdf
Hacker attempts to exploit old and new bugs up 55% - Threat actors
attempted to exploit vulnerabilities at a greater clip in 2022,
according to new research.
https://www.scmagazine.com/news/vulnerability-management/hacker-attempts-bugs-up
Why security pros have to work more closely with cyber insurers -
Cyber insurance must become an essential component of a company's
cybersecurity strategy as it assists in mitigating financial losses
resulting from cyber incidents, such as cyberattacks, data breaches,
and ransomware attacks.
https://www.scmagazine.com/perspective/strategy/why-security-pros-have-to-work-more-closely-with-cyber-insurers
The US Is Openly Stockpiling Dirt on All Its Citizens - A newly
declassified report from the Office of the Director of National
Intelligence reveals that the federal government is buying troves of
data about Americans.
https://www.wired.com/story/odni-commercially-available-information-report/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Japanese pharma giant Eisai discloses ransomware attack -
Pharmaceutical company Eisai has disclosed it suffered a ransomware
incident that impacted its operations, admitting that attackers
encrypted some of its servers.
https://www.bleepingcomputer.com/news/security/japanese-pharma-giant-eisai-discloses-ransomware-attack/
Azure Portal outage was caused by traffic “spike” - Microsoft
revealed in an update to the Azure status page that the preliminary
root cause behind an outage that impacted the Azure Portal worldwide
on Friday was what it described as a traffic "spike."
https://www.bleepingcomputer.com/news/microsoft/microsoft-azure-portal-outage-was-caused-by-traffic-spike-/
Barracuda ESG zero-day exploit hits Australia’s ACT Government - The
Australian Capital Territory Government is among an estimated 5% of
Barracuda Networks’ Email Security Gateway customers who were told
to rip-and-replace their appliance following a zero-day bug
compromise.
https://www.scmagazine.com/news/network-security/barracuda-esg-zero-day-exploit-hits-australias-act-government
Ex-Samsung executive alleged to have stolen tech to recreate chip
plant in China - A former executive at Samsung Electronics has been
arrested and indicted in South Korea for allegedly stealing the
leading chipmaker’s technology in order to build a copycat plant in
China.
https://arstechnica.com/tech-policy/2023/06/ex-samsung-executive-alleged-to-have-stolen-tech-to-recreate-chip-plant-in-china/
Swiss Fear Government Data Stolen in Cyberattack - Switzerland said
Thursday that government operational data might have been stolen in
a cyberattack on the technology firm that provides software for
several departments.
https://www.securityweek.com/swiss-fear-government-data-stolen-in-cyberattack/
Zacks confirms hack, 9M accounts impacted - Zacks Investment
Research confirmed Tuesday that an unconfirmed number of Zacks.com
customers had their encrypted passwords stolen as part of a prior
data breach by an unknown third party.
https://www.scmagazine.com/news/data-security/zacks-confirms-iaccount-data-hacked
WEB SITE COMPLIANCE -
Reserve Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify
the definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
advertising requirements.
FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Digital Signatures
Digital signatures authenticate the identity of a sender through the
sender's private cryptographic key. In addition, every digital
signature is different because it is derived from the content of the
message itself. The combination of sender authentication and a
signature bound to one specific message provides non-repudiation: the
sender cannot credibly deny having signed the message, provided the
private key has remained under the sender's sole control.
Digital signatures can be applied to any data transmission,
including e-mail. To generate a digital signature, the original,
unencrypted message is run through a one-way mathematical function
(a cryptographic hash function) that produces a fixed-length message
digest, a compact representation of the data that changes if any part
of the message changes. This step is known as hashing. The message
digest is then signed with the sender's private key (with RSA this is
often described as "encrypting" the digest), and the signature is sent
along with the message. The recipient receives both the message and
the signature. Using the sender's public key, the recipient verifies
the signed digest, and then runs the received message through the
same hash function. If the recomputed digest matches the signed one,
the message has not been altered and data integrity is verified.
Because only the holder of the private key could have produced the
signature, the sender is identified and bound to this specific
message. The signature cannot be reused on a different message,
because the digest it covers is unique to the message. Note that the
signature by itself provides no privacy or confidentiality; in the
above example those could be achieved by additionally encrypting the
message itself. The strength and security of a digital signature
system is determined by the hash function and signature algorithm
chosen, the implementation, and above all the management of the
cryptographic keys: anyone who obtains the private key can sign as its
owner, and a recipient must have a trustworthy way to obtain the
genuine public key of the sender.
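The hash-then-sign-then-verify exchange described above, as an added worked example that is not part of the FDIC text. It uses only the Go standard library; the choice of RSA with PKCS#1 v1.5 padding over SHA-256 is an assumption made here because it matches the "encrypt the digest with the private key" description, and the message and its tampered copy are constructed sample data.

```go
// Added example (not from the FDIC text): hash-then-sign with RSA PKCS#1 v1.5
// over SHA-256 using only the Go standard library. The algorithm choice and
// the sample messages are assumptions made for this illustration.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign computes the message digest (the "hash" step) and signs that digest
// with the sender's private key. Only the fixed-length digest is signed,
// never the whole message.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest over the received message and checks the
// signature against it with the sender's PUBLIC key. Any change to the
// message changes the digest, so verification fails.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo runs the full exchange: key generation, signing, verification of the
// original message, and rejection of a tampered copy that carries the same
// signature. It returns (originalAccepted, tamperedAccepted, err).
func Demo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	msg := []byte("Transfer $100 to account 12345") // constructed sample message
	sig, err := Sign(priv, msg)
	if err != nil {
		return false, false, err
	}
	original := Verify(&priv.PublicKey, msg, sig)

	// Same signature replayed on an altered message: one digit changed.
	tampered := []byte("Transfer $900 to account 12345")
	reused := Verify(&priv.PublicKey, tampered, sig)
	return original, reused, nil
}

func main() {
	ok, reused, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("original message verifies:", ok)    // true
	fmt.Println("tampered message verifies:", reused) // false
}
```

Two practical caveats follow from the paragraph's closing sentence. First, the verifier must already hold the genuine public key (here it is passed directly; in practice it comes from a certificate or a pre-distributed key), otherwise an attacker could substitute their own key pair. Second, PKCS#1 v1.5 is shown because it maps onto the "encrypt the digest" description; for new designs the probabilistic RSA-PSS scheme (`rsa.SignPSS` / `rsa.VerifyPSS` in the same package) or an elliptic-curve signature is the usual recommendation.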
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5
COMPUTER SECURITY POLICY
In discussions of computer security, the term policy has more than
one meaning. Policy is senior management's directives to create a
computer security program, establish its goals, and assign
responsibilities. The term policy is also used to refer to the
specific security rules for particular systems. Additionally, policy
may refer to entirely different matters, such as the specific
managerial decisions setting an organization's e-mail privacy policy
or fax security policy.
Policy means different things to different people. The term
"policy" is used in this chapter in a broad manner to refer to
important computer security-related decisions.
In this chapter the term computer security policy is defined as
the "documentation of computer security decisions", which covers all
the types of policy described above. In making these decisions,
managers face hard choices involving resource allocation, competing
objectives, and organizational strategy related to protecting both
technical and information resources as well as guiding employee
behavior. Managers at all levels make choices that can result in
policy, with the scope of the policy's applicability varying
according to the scope of the manager's authority. In this chapter
we use the term policy in a broad manner to encompass all of the
types of policy described above, regardless of the level of manager
who sets the particular policy.
Managerial decisions on computer security issues vary greatly. To
differentiate among various kinds of policy, this chapter
categorizes them into three basic types:
1) Program policy is used to create an organization's computer
security program.
2) Issue-specific policies address specific issues of concern to
the organization.
3) System-specific policies focus on decisions taken by
management to protect a particular system.
Procedures, standards, and guidelines are used to describe how
these policies will be implemented within an organization.
Familiarity with various types and components of policy will aid
managers in addressing computer security issues important to the
organization. Effective policies ultimately result in the
development and implementation of a better computer security program
and better protection of systems and information.
These types of policy are described to aid the reader's
understanding. It is not important that one categorizes specific
organizational policies into these three categories; it is more
important to focus on the functions of each.