June 20, 2021

Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with 40 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Why backups are not the panacea for recovery from a ransomware attack - The most pervasive wisdom about preventing damage from ransomware is to back up systems.
https://www.scmagazine.com/home/security-news/ransomware/why-backups-are-not-the-panacea-for-recovery-from-a-ransomware-attack/

CISA - Rising Ransomware Threat To Operational Technology Assets - In recent months, ransomware attacks targeting critical infrastructure have demonstrated the rising threat of ransomware to operational technology (OT) assets and control systems.
https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Rising_Ransomware_Threat_to_OT_Assets_508C.pdf

‘A CISO needs to bring business value to the company’ - In my opinion the number one requirement to be successful in any security position is passion - passion for protecting the company and its customers.
https://www.scmagazine.com/home/from-the-collaborative/the-ascent/dawn-cappelli-a-ciso-needs-to-bring-business-value-to-the-company/

Notification no-nos: What to avoid when alerting customers of a breach - An important and often mandatory step in the incident response process is notifying your customers and the general public that an attack has transpired. There are important considerations when taking such an action.
https://www.scmagazine.com/home/security-news/data-breach/notification-no-nos-what-to-avoid-when-alerting-customers-of-a-breach/

One of ransomware’s top negotiators would rather you not have to hire him - SC Media spoke to Minder about the ins and outs of negotiations, and the ins and outs of never needing a negotiator.
https://www.scmagazine.com/home/security-news/ransomware/one-of-ransomwares-top-negotiators-would-rather-you-not-have-to-hire-him/

C-suites adapt to ransomware as a cost of doing business - In a May 5 earnings call for WestRock, Wall Street analysts got a rundown of losses resulting from a ransomware attack that hit the corrugated packaging company in January.
https://www.scmagazine.com/home/security-news/ransomware/c-suites-adapt-to-ransomware-as-a-cost-of-doing-business/

State and local governments granted free access to timely, in-depth cyber intel - Much like with businesses, many state and municipal governments can afford to allocate only a relatively small portion of their tech budgets toward cybersecurity.
https://www.scmagazine.com/home/government/state-and-local-governments-granted-free-access-to-timely-in-depth-cyber-intel/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Security company exec and founder charged with facilitating cyber attack on Georgia hospital - Organizations often look to cybersecurity companies to protect them, but the Department of Justice and prosecutors in Georgia are pursuing criminal charges against a Marietta executive of a security company for aiding an alleged cyberattack on a Georgia medical center in 2018.
https://www.scmagazine.com/home/health-care/security-company-exec-and-founder-charged-with-facilitating-cyber-attack-on-georgia-hospital/

‘Nameless’ malware attacks 1.2TB database in the cloud - Researchers on Wednesday said a so-called “nameless” undetected malware stole a database in the cloud that contained some 1.2 terabytes of files, cookies, and credentials that came from 3.2 million Windows-based computers.
https://www.scmagazine.com/home/security-news/cloud-security/nameless-malware-attacks-1-2tb-database-in-the-cloud/

JBS Ransomware Attack Started in March and Much Larger in Scope than Previously Identified - Using proprietary tools, our Investigations & Analysis (I&A) team observed the following:
https://securityscorecard.com/blog/jbs-ransomware-attack-started-in-march

How an Obscure Company Took Down Big Chunks of the Internet - You may not have heard of Fastly, but you felt its impact when sites didn’t load around the world Tuesday morning.
https://www.wired.com/story/fastly-cdn-internet-outages-2021/

Hackers Force Iowa College to Cancel Classes for Four Days - A “cyberattack” is disrupting classes at the Des Moines Area Community College, where the school has cancelled in-person classes for four days and counting.
https://www.vice.com/en/article/3aqaa8/hackers-force-iowa-college-to-cancel-classes-for-four-days

REvil ransomware hits US nuclear weapons contractor - US nuclear weapons contractor Sol Oriens has suffered a cyberattack allegedly at the hands of the REvil ransomware gang, which claims to be auctioning data stolen during the attack.
https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-us-nuclear-weapons-contractor/

Health care ransomware attacks: Oklahoma health system driven to EHR downtime - Stillwater Medical Center was hit with a ransomware attack on June 13 and is currently operating under electronic health record downtime as it attempts to bring its systems back online.
https://www.scmagazine.com/home/health-care/health-care-ransomware-attacks-oklahoma-health-system-driven-to-ehr-downtime/

Vulnerability in Peloton bikes one example of a more widespread security issue - Researchers on Tuesday found a flaw (CVE-2021-33887) in the Android Verified Boot (AVB) process for the Peloton Bike+, leaving the system vulnerable.
https://www.scmagazine.com/home/security-news/iot/vulnerability-in-peloton-bikes-one-example-of-a-more-widespread-security-issue/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
Host- Versus Network-Based Vulnerability Assessment Tools

As in intrusion detection systems, which are discussed later in this appendix, there are generally two types of vulnerability assessment tools: host-based and network-based. Another category is sometimes used for products that assess vulnerabilities of specific applications (application-based) on a host. A host is generally a single computer or workstation that can be connected to a computer network. Host-based tools assess the vulnerabilities of specific hosts. They usually reside on servers, but can be placed on specific desktop computers, routers, or even firewalls. Network-based vulnerability assessment tools generally reside on the network, specifically analyzing the network to determine if it is vulnerable to known attacks. Both host- and network-based products offer valuable features, and the risk assessment process should help an institution determine which is best for its needs. Information systems personnel should understand the types of tools available, how they operate, where they are located, and the output generated from the tools.

Host-based vulnerability assessment tools are effective at identifying security risks that result from internal misuse or hackers using a compromised system. They can detect holes that would allow access to a system such as unauthorized modems, easily guessed passwords, and unchanged vendor default passwords. The tools can detect system vulnerabilities such as poor virus protection capabilities; identify hosts that are configured improperly; and provide basic information such as user log-on hours, password/account expiration settings, and users with dial-in access. The tools may also provide a periodic check to confirm that various security policies are being followed. For instance, they can check user permissions to access files and directories, and identify files and directories without ownership.

Network-based vulnerability assessment tools are more effective than host-based at detecting network attacks such as denial of service and Internet Protocol (IP) spoofing. Network tools can detect unauthorized systems on a network or insecure connections to business partners. Running a host-based scan does not consume network overhead, but can consume processing time and available storage on the host. Conversely, frequently running a network-based scan as part of daily operations increases network traffic during the scan. This may cause inadvertent network problems such as router crashes.
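The checks the FDIC paper attributes to host-based tools (unchanged vendor default passwords, easily guessed passwords, password expiration settings, dial-in access, files without ownership) are simple to express once the tool has local access to the host's account and file metadata. The following is an added example written for this newsletter, not code from the FDIC paper or from any vendor product. It runs over constructed sample data standing in for what a host-based tool would read locally: an account table with a toy salted SHA-256 hash (a real tool would read the platform's own credential store and hash format), an account-policy field, and a file-ownership listing taken from stat()-style records. Every account name, path, uid and wordlist entry below is constructed.

```python
"""Miniature host-based vulnerability assessment over constructed local data."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    salt: str
    pw_hash: str       # hex SHA-256 of salt + password (toy format for this example only)
    max_age_days: int  # 0 means the password never expires
    dial_in: bool      # account is permitted remote dial-in / modem access


def toy_hash(salt: str, password: str) -> str:
    """Stand-in for the host's real password hash; assumption, not a real format."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample account table (what a host-based tool reads from the local store).
ACCOUNTS = [
    Account("root",    0,    "s1", toy_hash("s1", "K7#long-unique-pass"), 90, False),
    Account("svcbkup", 501,  "s2", toy_hash("s2", "changeme"),            0,  True),
    Account("jdoe",    1001, "s3", toy_hash("s3", "Password1"),           90, False),
]

KNOWN_UIDS = {a.uid for a in ACCOUNTS}
KNOWN_GIDS = {0, 100, 501}   # constructed group table

# Constructed (path, owner uid, group gid) records; uid 9999 and gid 7777 map to nothing.
FILES = [
    ("/etc/passwd",          0,    0),
    ("/opt/app/config.ini",  9999, 100),
    ("/home/jdoe/notes.txt", 1001, 100),
    ("/tmp/left-behind",     9999, 7777),
]

# Constructed wordlists: vendor defaults the tool checks for, and trivially guessed values.
VENDOR_DEFAULTS = ["changeme", "admin", "password"]
GUESSABLE = ["Password1", "123456", "welcome"]


def accounts_matching_wordlist(accounts, wordlist):
    """Accounts whose stored hash equals the hash of a word in the list.

    This is the 'unchanged vendor default' / 'easily guessed password' check:
    the tool re-hashes each candidate with the account's salt and compares.
    """
    return [a.name for a in accounts
            if any(toy_hash(a.salt, w) == a.pw_hash for w in wordlist)]


def accounts_without_expiry(accounts):
    """Accounts whose password policy never forces a change (max_age_days == 0)."""
    return [a.name for a in accounts if a.max_age_days == 0]


def accounts_with_dial_in(accounts):
    """Accounts permitted dial-in access, reported as inventory for review."""
    return [a.name for a in accounts if a.dial_in]


def unowned_files(files, uids=KNOWN_UIDS, gids=KNOWN_GIDS):
    """Files whose owner uid or group gid maps to no known account or group.

    Equivalent in spirit to `find / -nouser -o -nogroup` on a Unix host: such
    files are often leftovers from deleted accounts and deserve review.
    """
    return [path for path, uid, gid in files if uid not in uids or gid not in gids]


def run_host_assessment(accounts=ACCOUNTS, files=FILES):
    """Run every check and return findings keyed by check name."""
    return {
        "default_password":   accounts_matching_wordlist(accounts, VENDOR_DEFAULTS),
        "guessable_password": accounts_matching_wordlist(accounts, GUESSABLE),
        "no_expiry":          accounts_without_expiry(accounts),
        "dial_in":            accounts_with_dial_in(accounts),
        "unowned_files":      unowned_files(files),
    }


if __name__ == "__main__":
    for check, hits in run_host_assessment().items():
        print(f"{check:20s} {hits}")
```

Note that every input here is local to the host, which is why the paper says a host-based scan consumes host CPU and storage rather than network bandwidth; the same checks cannot be made from a network-based scanner, which only sees what the host exposes over the wire.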
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (2 of 2)

4) Accountable Activities - The responsibility for performing risk assessments should reside primarily with members of management in the best position to determine the scope of the assessment, and the effectiveness of risk reduction techniques. For a mid-sized or large institution, that organization will likely be the business unit. The information security officer(s) are responsible for overseeing the performance of each risk assessment and the integration of the risk assessments into a cohesive whole. Senior management is accountable for abiding by the board of directors' guidance for risk acceptance and mitigation decisions.

5) Documentation - Documentation of the risk assessment process and procedures assists in ensuring consistency and completeness, as well as accountability. Documentation of the analysis and results provides a useful starting point for subsequent assessments, potentially reducing the effort required in those assessments. Documentation of risks accepted and risk mitigation decisions is fundamental to achieving accountability for risk decisions.

6) Enhanced Knowledge - Risk assessment increases management's knowledge of the institution's mechanisms for storing, processing, and communicating information, as well as the importance of those mechanisms to the achievement of the institution's objectives. Increased knowledge allows management to respond more rapidly to changes in the environment. Those changes can range from new technologies and threats to regulatory requirements.

7) Regular Updates - Risk assessments should be updated as new information affecting information security risks is identified (e.g., a new threat, vulnerability, adverse test result, hardware change, software change or configuration change). At least once a year, senior management should review the entire risk assessment to ensure relevant information is appropriately considered.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY

This chapter first discusses the benefits of physical security measures, and then presents an overview of common physical and environmental security controls. Physical and environmental security measures result in many benefits, such as protecting employees. This chapter focuses on the protection of computer systems from the following:

Interruptions in Providing Computer Services. An external threat may interrupt the scheduled operation of a system. The magnitude of the losses depends on the duration and timing of the service interruption and the characteristics of the operations end users perform.

Physical Damage. If a system's hardware is damaged or destroyed, it usually has to be repaired or replaced. Data may be destroyed as an act of sabotage by a physical attack on data storage media (e.g., rendering the data unreadable or only partly readable). If data stored by a system for operational use is destroyed or corrupted, the data needs to be restored from back-up copies or from the original sources before the system can be used. The magnitude of loss from physical damage depends on the cost to repair or replace the damaged hardware and data, as well as costs arising from service interruptions.

Unauthorized Disclosure of Information. The physical characteristics of the facility housing a system may permit an intruder to gain access both to media external to system hardware (such as diskettes, tapes and printouts) and to media within system components (such as fixed disks), transmission lines or display screens. All may result in loss of disclosure-sensitive information.

Loss of Control over System Integrity. If an intruder gains access to the central processing unit, it is usually possible to reboot the system and bypass logical access controls. This can lead to information disclosure, fraud, replacement of system and application software, introduction of a Trojan horse, and more. Moreover, if such access is gained, it may be very difficult to determine what has been modified, lost, or corrupted.

Physical Theft. System hardware may be stolen. The magnitude of the loss is determined by the costs to replace the stolen hardware and restore data stored on stolen media. Theft may also result in service interruptions.

This chapter discusses seven major areas of physical and environmental security controls:
1) physical access controls,
2) fire safety,
3) supporting utilities,
4) structural collapse,
5) plumbing leaks,
6) interception of data, and
7) mobile and portable systems.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.