MISCELLANEOUS CYBERSECURITY NEWS:
CIOs reporting to CISOs? Security teams dissolved? Companies
reconsider leadership structure - Should the CIO report to the CISO?
Should security teams disappear? These are bold moves currently on
the table as companies continue to struggle with leadership
structure.
https://www.scmagazine.com/analysis/leadership/cios-reporting-to-cisos-security-teams-dissolved-companies-reconsider-leadership-structure
Since 2004, the average American has had at least 7 data breaches -
U.S. citizens face the greatest number of cyber threats as compared
with people in other nations worldwide, according to a recent study.
https://www.scmagazine.com/analysis/breach/since-2004-the-average-american-has-had-at-least-7-data-breaches
Financial services saw a 35% increase in ransomware attacks in Q1
2022 - The Anti-Phishing Working Group (APWG) this week released its
Q1 2022 report that found while most sectors saw a decrease in the
overall number of ransomware attacks, the financial services
industry experienced a 35% increase in attacks.
https://www.scmagazine.com/news/rsac/financial-services-saw-a-35-increase-in-ransomware-attacks-in-q1-2022
THE CONTRACTOR DILEMMA: HOW TO ADDRESS FEDERAL SUPPLY CHAIN RISK –
JON CHECK – RSA22 #4 - Government will always be deemed a high value
target among adversaries, but so are their contractors – deemed
another avenue in for cyberespionage among enemy nation states and
cybercriminals.
https://www.scmagazine.com/podcast-segment/the-contractor-dilemma-how-to-address-federal-supply-chain-risk-jon-check-rsa22-4
HHS releases new guidance on audio-only telehealth to support rural
patients - Newly released guidance from the Department of Health and
Human Services Office for Civil Rights targets audio-only telehealth
services in compliance with the Health Insurance Portability and
Accountability Act to support covered entities caring for rural
health patients and those with disabilities.
https://www.scmagazine.com/analysis/remote-access/hhs-releases-new-guidance-on-audio-only-telehealth-to-support-rural-patients
Feds Forced Travel Firms to Share Surveillance Data on Hacker - The
U.S. government ordered two travel companies to provide information
about the movement of a Russian citizen suspected of hacking. The
surveillance data was used as part of an investigation by the U.S.
Secret Service, according to court documents recently unsealed.
https://threatpost.com/feds-forced-travel-firms-to-share-surveillance-data-on-hacker/179929/
24 billion username, password combinations can be found on
cybercriminal forums - On Wednesday it was reported that more than
24 billion username and password combinations are in circulation in
cybercriminal marketplaces, many on the dark web - a number that
represents a 65% increase from a previous report in 2020.
https://www.scmagazine.com/news/identity-and-access/24-billion-username-password-combinations-can-be-found-on-cybercriminal-forums
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Eye Care Leaders Hack Impacts Hundreds of Thousands of Patients -
Unauthorized individuals have gained access to the systems of Eye
Care Leaders, a provider of electronic health records and patient
management software solutions for eye care practices.
https://www.hipaajournal.com/eye-care-leaders-hack-impacts-tens-of-thousands-of-patients/
Chinese-linked threat actor has been quietly spying for nearly 10
years - Researchers on Thursday reported that a Chinese-linked
threat actor - Aoqin Dragon - has conducted espionage activities
since 2013, targeting government, education and telecommunications
organizations in Southeast Asia and Australia.
https://www.scmagazine.com/news/cybercrime/chinese-linked-threat-actor-has-been-quietly-spying-for-nearly-10-years
Kaiser Permanente Breach Exposes Data on 70K Patients - Employee
email compromise potentially exposed patients' medical information,
including lab test results and dates of services.
https://www.darkreading.com/attacks-breaches/kaiser-permanente-breach-exposes-70k-patients-data
Conti's Attack Against Costa Rica Sparks a New Ransomware Era - For
the last two months, Costa Rica has been under siege. Two major
ransomware attacks have crippled many of the country’s essential
services, plunging the government into chaos as it scrambles to
respond.
https://www.wired.com/story/costa-rica-ransomware-conti/
New backdoor cloning campaign sneaks into mobile wallets, steals
cryptocurrency - A new malware campaign has just been uncovered that
sends fraudulent versions of legitimate sites to mobile wallets, in
order to ultimately steal users’ cryptocurrency.
https://www.scmagazine.com/analysis/malware/new-backdoor-cloning-campaign-sneaks-into-mobile-wallets-steals-cryptocurrency.
Ransomware attack on Yuma Regional Medical leads to data theft for
700K patients - Yuma Regional Medical Center in Arizona recently
notified 700,000 patients that their personal and health data was
stolen ahead of an April ransomware attack.
https://www.scmagazine.com/analysis/breach/ransomware-attack-on-yuma-regional-medical-leads-to-data-theft-for-700k-patients
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and
Response Guidance for Web Site Spoofing Incidents (Part 2 of 5)
PROCEDURES TO ADDRESS SPOOFING - Detection
Banks can improve their ability to detect spoofing by monitoring
appropriate information available inside the bank and by searching
the Internet for illegal or unauthorized use of bank names and
trademarks. The following is a list of possible indicators of
Web-site spoofing:
* E-mail messages returned to bank mail servers that were not
originally sent by the bank. In some cases, these e-mails may
contain links to spoofed Web sites;
* Reviews of Web-server logs can reveal links to suspect Web
addresses indicating that the bank's Web site is being copied or
that other malicious activity is taking place;
* An increase in customer calls to call centers or other bank
personnel, or direct communications from consumers reporting spoofing
activity.
Banks can also detect spoofing by searching the Internet for
identifiers associated with the bank such as the name of a company
or bank. Banks can use available search engines and other tools to
monitor Web sites, bulletin boards, news reports, chat rooms,
newsgroups, and other forums to identify usage of a specific company
or bank name. The searches may uncover recent registrations of
domain names similar to the bank's domain name before they are used
to spoof the bank's Web site. Banks can conduct this monitoring
in-house or can contract with third parties who provide monitoring
services.
Banks can encourage customers and consumers to assist in the
identification process by providing prominent links on their Web
pages or telephone contact numbers through which customers and
consumers can report phishing or other fraudulent activities.
Banks can also train customer-service personnel to identify and
report customer calls that may stem from potential Web-site attacks.
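Two of the indicators listed above lend themselves to automation: reviewing Web-server logs for hits referred from hosts other than the bank's, and screening new domain registrations for names that resemble the bank's. The script below is an added example, not part of the OCC guidance or any bank's tooling. The bank domain (examplebank.com), the registration feed and the log lines are constructed for the demonstration; the confusable-character table and the edit-distance threshold are assumptions a bank would tune to its own name.

```python
"""Lookalike-domain and referrer checks for Web-site spoofing detection.

Added example; it is not part of the OCC guidance. The bank domain, the
registration feed and the log lines below are constructed for the demo.
"""
import re
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.com"             # hypothetical bank domain
BANK_LABEL = BANK_DOMAIN.split(".")[0]      # "examplebank"
MAX_EDIT_DISTANCE = 2                       # assumption; tune to the name's length

# Digraphs and single characters commonly substituted in lookalike names.
_DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))
_CONFUSABLES = str.maketrans({"I": "l", "0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample feed of newly registered domains (not real registrations).
NEW_REGISTRATIONS = [
    "examplebank-secure.com",   # bank name embedded in a longer name
    "exampIebank.com",          # capital I in place of lowercase l
    "examp1ebank.net",          # digit 1 in place of l
    "exarnplebank.com",         # "rn" in place of "m"
    "weatherreport.org",        # unrelated
    "examplebank.com",          # the bank's own domain
]

# Constructed combined-format Web-server log lines.
LOG_LINES = [
    '203.0.113.5 - - [10/Jun/2022:10:01:02 +0000] "GET /css/site.css HTTP/1.1" 200 512 '
    '"https://www.examplebank.com/login" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2022:10:01:09 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 '
    '"https://exampIebank.com/login" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2022:10:02:11 +0000] "GET /login HTTP/1.1" 200 4096 '
    '"-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)


def normalize(label: str) -> str:
    """Fold common confusables so visually similar labels compare equal."""
    for pair, single in _DIGRAPHS:
        label = label.replace(pair, single)
    return label.translate(_CONFUSABLES).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_bank_host(host: str) -> bool:
    host = host.lower()
    return host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN)


def check_domain(domain: str):
    """Return a reason string if the domain resembles the bank's, else None."""
    domain = domain.strip().rstrip(".")
    if is_bank_host(domain):
        return None
    label = domain.split(".")[0]
    if BANK_LABEL in label.lower():
        return "contains the bank name"
    distance = levenshtein(normalize(label), BANK_LABEL)
    if distance <= MAX_EDIT_DISTANCE:
        return f"lookalike (edit distance {distance} after confusable folding)"
    return None


def find_lookalikes(domains):
    """(domain, reason) for every domain in the feed that warrants review."""
    return [(d, r) for d in domains if (r := check_domain(d))]


def suspect_referrers(lines):
    """(referrer host, client IP, request) for hits referred from non-bank hosts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("referrer") in ("", "-"):
            continue
        host = urlparse(m.group("referrer")).netloc.split(":")[0]
        if host and not is_bank_host(host):
            findings.append((host, m.group("ip"), m.group("request")))
    return findings


if __name__ == "__main__":
    for domain, reason in find_lookalikes(NEW_REGISTRATIONS):
        print(f"review registration {domain}: {reason}")
    for host, ip, request in suspect_referrers(LOG_LINES):
        print(f"asset served to a page on {host} (client {ip}): {request}")
```

A foreign referrer loading the bank's stylesheet or logo is the log signature of a copied site that still hotlinks the original assets; the registration check catches the domain before it is used. Both produce review queues for a human, not automatic takedowns.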
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
Typical controls to protect against malicious code use technology,
policies and procedures, and training. Prevention and detection of
malicious code typically involves anti-virus and other detection
products at gateways, mail servers, and workstations. Those products
generally scan messages for known signatures of a variety of
malicious code, or potentially dangerous behavioral characteristics.
Differences between products exist in detection capabilities and the
range of malicious code included in their signatures. Detection
products should not be relied upon to detect all malicious code.
Additionally, anti-virus and other products that rely on signatures
generally are ineffective when the malicious code is encrypted. For
example, VPNs, IPSec, and encrypted e-mail will all shield malicious
code from detection.
Signature-based anti-virus products scan for unique components of
certain known malicious code. Since new malicious code is created
daily, the signatures need to be updated continually. Different
vendors of anti-virus products update their signatures on different
frequencies. When an update appears, installing the update on all of
an institution's computers may involve automatically pushing the
update to the computers, or requesting users to manually obtain the
update.
Heuristic anti-virus products generally execute code in a
protected area of the host to analyze and detect any hostile intent.
Heuristic products are meant to defend against previously unknown or
disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail
attachments, as well as any Active-X or Java applets. A more refined
strategy might block based on certain characteristics of known code.
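The gateway strategy described here (block executable attachments and Java or Active-X components) and the signature scanning described in the paragraphs before it can be combined in one policy check. The script below is an added example, not code from the FFIEC booklet or any gateway product. The extension list, the magic numbers and the sample attachments are constructed for the demonstration; the single "signature" is the EICAR anti-virus test string, the harmless industry standard for exercising a scanner.

```python
"""Mail-gateway attachment policy with a small signature scan.

Added example, not code from the FFIEC booklet. The extension list, the magic
numbers and the sample attachments are constructed for the demo; the one
signature is the EICAR anti-virus test string, a harmless industry test file.
"""
from pathlib import PurePosixPath

# Extensions the gateway refuses outright: native executables, script hosts,
# installers, and Java/ActiveX components (the "executable attachments,
# Active-X or Java applets" strategy in the text). Constructed list.
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd", ".vbs",
    ".js", ".jse", ".wsf", ".ps1", ".hta", ".jar", ".class", ".ocx", ".cab",
}

# Leading bytes that identify executable content regardless of file name.
MAGIC_NUMBERS = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xca\xfe\xba\xbe": "Java class file",
}

# Known-bad byte patterns. EICAR is the standard harmless AV test string.
SIGNATURES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}


def classify_attachment(filename: str, content: bytes):
    """Return ("block", reason) or ("allow", "") for one attachment."""
    # Judge by the final suffix after trimming and lower-casing, so
    # "invoice.pdf.exe" and "INVOICE.PDF   .EXE" are both seen as ".exe".
    suffix = PurePosixPath(filename.strip().lower()).suffix
    if suffix in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension {suffix}"
    # Name-based blocking alone is bypassed by renaming, so inspect content too.
    for magic, kind in MAGIC_NUMBERS.items():
        if content.startswith(magic):
            return "block", f"{kind} content behind a {suffix or 'missing'} extension"
    # Signature scan: the 'known malicious code' check the text describes.
    for name, pattern in SIGNATURES.items():
        if pattern in content:
            return "block", f"matched signature {name}"
    return "allow", ""


def filter_message(attachments):
    """Apply the policy to every (filename, bytes) pair of a message."""
    return [(name, *classify_attachment(name, data)) for name, data in attachments]


EICAR = SIGNATURES["EICAR-Test-File"]
# Constructed sample message; contents are stand-ins, not real files.
SAMPLE_ATTACHMENTS = [
    ("quarterly-report.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 16),
    ("holiday-photos.jpg", b"MZ\x90\x00" + b"\x00" * 16),   # executable renamed to .jpg
    ("applet.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34"),
    ("eicar.txt", EICAR),
    ("notes.txt", b"meeting moved to 10:00\n"),
]

if __name__ == "__main__":
    for name, verdict, reason in filter_message(SAMPLE_ATTACHMENTS):
        print(f"{verdict:5} {name:22} {reason}")
```

The three checks are ordered cheapest first, but the content and signature checks are what make the policy meaningful: an extension list alone is defeated by a renamed file, and a signature list alone only catches what it already knows, which is the limitation the text stresses.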
Protection of servers involves examining input from users and only
accepting that input which is expected. This activity is called
filtering. If filtering is not employed, a Web site visitor, for
instance, could employ an attack that inserts code into a response
form, causing the server to perform certain actions. Those actions
could include changing or deleting data and initiating fund
transfers.
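Filtering in the sense used here means describing the expected shape of every field and rejecting everything else, rather than trying to spot bad input. The function below is an added example, not code from the FFIEC booklet. The form it validates (a funds-transfer request with from_account, to_account, amount and an optional memo), the field formats and the transfer limit are hypothetical.

```python
"""Allowlist filtering of a funds-transfer response form.

Added example; not the FFIEC booklet's code. The field names, formats and
limits are hypothetical, chosen to show the "accept only expected input"
rule: every field has an explicit shape, and anything else is rejected.
"""
import re
from decimal import Decimal

# Expected fields and the exact shape each must have (all assumptions).
ACCOUNT_RE = re.compile(r"^\d{10}$")                 # 10-digit account number
AMOUNT_RE = re.compile(r"^\d{1,7}(\.\d{1,2})?$")     # plain decimal, no sign/exponent
MEMO_RE = re.compile(r"^[A-Za-z0-9 .,'-]{0,60}$")    # plain text only
REQUIRED = {"from_account", "to_account", "amount"}
OPTIONAL = {"memo"}
MAX_AMOUNT = Decimal("50000.00")                     # hypothetical per-transfer limit


def validate_transfer_form(form: dict):
    """Return (ok, errors); ok is True only if every field is expected and well-formed."""
    errors = []
    fields = set(form)
    for name in sorted(fields - REQUIRED - OPTIONAL):
        errors.append(f"unexpected field: {name}")   # not in the allowlist: reject
    for name in sorted(REQUIRED - fields):
        errors.append(f"missing field: {name}")
    for name in ("from_account", "to_account"):
        value = form.get(name)
        if value is not None and not ACCOUNT_RE.fullmatch(str(value)):
            errors.append(f"{name}: not a 10-digit account number")
    if "from_account" in form and form.get("from_account") == form.get("to_account"):
        errors.append("to_account: must differ from from_account")
    amount = form.get("amount")
    if amount is not None:
        if not AMOUNT_RE.fullmatch(str(amount)):
            errors.append("amount: not a plain decimal with at most two places")
        else:
            value = Decimal(str(amount))            # safe: the regex already bounded it
            if value <= 0 or value > MAX_AMOUNT:
                errors.append(f"amount: must be between 0.01 and {MAX_AMOUNT}")
    memo = form.get("memo", "")
    if not MEMO_RE.fullmatch(str(memo)):
        errors.append("memo: only letters, digits, spaces and . , ' - allowed (max 60)")
    return (not errors), errors


# Constructed sample submissions.
GOOD_FORM = {"from_account": "1234567890", "to_account": "0987654321",
             "amount": "250.00", "memo": "June rent"}
BAD_FORM = {"from_account": "1234567890", "to_account": "0987654321",
            "amount": "1e9", "memo": "June rent; see <b>note</b>", "admin": "true"}

if __name__ == "__main__":
    for label, form in (("good", GOOD_FORM), ("bad", BAD_FORM)):
        ok, errors = validate_transfer_form(form)
        print(label, "accepted" if ok else "rejected", errors)
```

Note what the validator does not do: it never searches the memo for particular dangerous strings. The allowlist rejects the semicolon and angle brackets because they are not in the permitted set, and the unexpected "admin" field is rejected because it was never declared, so the server acts only on the fields and values it was designed to expect.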
Protection from malicious code also involves limiting the
capabilities of the servers and Web applications to only include
functions necessary to support operations. See "Systems Development,
Acquisition, and Maintenance."
Anti-virus tools and code blocking are not comprehensive
solutions. New malicious code could have different signatures, and
bypass other controls. Protection against newly developed malicious
code typically comes in the form of policies, procedures, and user
awareness and training. For example, policies could prohibit the
installation of software by unauthorized employees, and regular
reviews for unauthorized software could take place. System users
could be trained not to open unexpected messages, not to open any
executables, and not to allow or accept file transfers in P2P
communications. Additional protection may come from disconnecting
and isolating networks from each other or from the Internet in the
face of a fast-moving malicious code attack.
An additional detection control involves network and host
intrusion detection devices. Network intrusion detection devices can
be tuned to alert when known malicious code attacks occur. Host
intrusion detection can be tuned to alert when they recognize
abnormal system behavior, the presence of unexpected files, and
changes to other files.