FYI
- NIST Asks for Input on Building Secure Software - The draft
framework is intended to both instruct developers on building safe
tech and help IT buyers, like the government, know which companies
they can trust.
https://www.nextgov.com/cybersecurity/2019/06/nist-asks-input-building-secure-software/157648/
Securing multi-cloud environments: assurance through consistency -
Meeting the security and compliance needs across different cloud
service providers (CSP), and an organization’s own data center,
remains a thorny challenge.
https://www.scmagazine.com/home/opinion/executive-insight/securing-multi-cloud-environments-assurance-through-consistency/
Lake City recovering from ransomware attack - Lake City, Fla. has
started to recover from a June 10 ransomware attack that knocked out
its email and online payment systems.
https://www.scmagazine.com/home/security-news/ransomware/lake-city-recovering-from-ransomware-attack/
Medical cybersecurity execs may have priorities misplaced, study - A
recent study that looked at how the healthcare industry is dealing
with the increasing number of cyberattacks targeting patient data
found that those charged with securing the data may have their
priorities misplaced.
https://www.scmagazine.com/home/health-care/medical-cybersecurity-execs-may-have-priorities-misplaced-study/
Information on Airline IT Outages - Airline information technology
systems help keep people moving. An IT outage, however, can lead to
delayed flights, long lines, lost baggage, and more. We looked into
how often airline IT outages occur, their effects, and what causes
them.
https://www.gao.gov/products/GAO-19-514?
SEC security alert warns about misconfigured NAS, DBs, and cloud
storage servers - A security risk alert sent out by the US
Securities and Exchange Commission warns companies, especially
broker-dealers and investment firms, about the dangers of storing
customer information on network storage solutions -- such as NAS
devices, database servers, and cloud storage accounts.
https://www.zdnet.com/article/sec-security-alert-warns-about-misconfigured-nas-dbs-and-cloud-storage-servers/
Federal agencies still using insecure knowledge-based verification
for online services - A performance audit of six U.S. government
agencies found that four of them are still using knowledge-based
questions to verify the identities of individuals applying for
federal benefits or services, even though this practice is
considered outdated and insecure, especially in light of the 2017
Equifax breach.
https://www.scmagazine.com/web-services-security-e-commerce-security/tktktkttktktk-federal-agencies-still-using-insecure-knowledge-based-verification-for-online-services/
Equifax breach impacted the online ID verification process at many
US govt agencies - Impacted agencies include the Centers for
Medicare and Medicaid Services (CMS), the Social Security
Administration (SSA), the US Postal Service (USPS), and the
Department of Veterans Affairs (VA).
https://www.zdnet.com/article/equifax-breach-impacted-the-online-id-verification-process-at-many-us-govt-agencies/
Data breach forces AMCA’s parent firm to file Chapter 11 bankruptcy
- The medical bill collection firm Retrieval-Masters Creditors
Bureau Inc. has filed for Chapter 11 bankruptcy protection citing
the fallout from a massive data breach that exposed the information
of millions of patients.
https://www.scmagazine.com/home/security-news/data-breach/data-breach-forces-amcas-parent-firm-to-file-chapter-11-bankruptcy/
ACLU tells Ga. Supreme Court Fourth Amendment should apply to
personal data stored by cars - Fourth Amendment protections should
apply to personal data in a car’s Event Data Recorder, the American
Civil Liberties Union (ACLU) will argue before the Georgia Supreme
Court today.
https://www.scmagazine.com/home/security-news/privacy-compliance/aclu-tells-ga-supreme-court-fourth-amendment-should-apply-to-personal-data-stored-by-cars/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Spirit AeroSystems confirms ASCO Industries cyberattack - Reports
that Belgian aerospace manufacturer ASCO Industries has shuttered
several factories due to a ransomware attack on June 7 are certainly
news, but what is causing even more raised eyebrows is the company's
almost complete silence on the issue.
https://www.scmagazine.com/home/security-news/ransomware/asco-industries-silent-on-ransomware-attack/
Evite hit with data breach - Online invitation company Evite
announced it was affected by a data breach involving the
unauthorized access of customer information.
https://www.scmagazine.com/home/security-news/data-breach/online-invitation-company-evite-announced-it-was-affected-by-a-data-breach-involving-the-unauthorized-access-of-customer-information/
Exposed database reveals personal information of 1.6 million job
seekers - An unsecured database of personal information, including
phone numbers, salary expectations and openness to new job
opportunities, of about 1.6 million job seekers from around the
world has been discovered online, according to research published
Monday.
https://www.cnet.com/news/exposed-database-reveals-information-of-1-6-million-job-seekers/
EatStreet data breach affecting diners, restaurants and delivery
firms - The online food ordering and delivery service EatStreet
informed its customers and partners that it suffered a data breach
exposing a variety of personal data including payment card
information.
https://www.scmagazine.com/home/security-news/data-breach/eatstreet-data-breach-affecting-diners-restaurants-and-delivery-firms/
A. Duie Pyle knocked offline by ransomware, goes extra mile to keep
customers informed - The Pennsylvania trucking firm A. Duie Pyle was
hit with a ransomware attack over the weekend and even though the
majority of its online communications capabilities were knocked
offline, the company made sure to post updates for customers on its
homepage.
https://www.scmagazine.com/home/security-news/ransomware/a-duie-pyle-knocked-offline-by-ransomware-goes-extra-mile-to-keep-customers-informed/
Ransomware attack on software company ResiDex may have exposed data
on assisted-living residents, workers - Personal information
belonging to residents and employees of multiple assisted living
facilities was potentially exposed in an April 2019 cyberattack
that infected third-party software company Tenx Systems, LLC with
ransomware.
https://www.scmagazine.com/home/security-news/data-breach/ransomware-attack-on-software-company-residex-may-have-exposed-data-on-assisted-living-residents-workers/
645,000 Oregonians affected in previously disclosed Dept. of Human
Services breach - Oregon’s Department of Human Services (DHS) is in
the process of mailing notifications to roughly 645,000 of its
reportedly 1.6 million clients, following a data breach incident
last January that resulted from a phishing scam.
https://www.scmagazine.com/home/security-news/data-breach/645000-oregonians-affected-in-previously-disclosed-dept-of-human-services-breach/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle 10:
Banks should take appropriate measures to preserve the
confidentiality of key e-banking information. Measures taken to
preserve confidentiality should be commensurate with the sensitivity
of the information being transmitted and/or stored in databases.
Confidentiality is the assurance that key information remains
private to the bank and is not viewed or used by those unauthorized
to do so. Misuse or unauthorized disclosure of data exposes a bank
to both reputation and legal risk. The advent of e-banking presents
additional security challenges for banks because it increases the
exposure that information transmitted over the public network or
stored in databases may be accessible by unauthorized or
inappropriate parties or used in ways the customer providing the
information did not intend. Additionally, increased use of service
providers may expose key bank data to other parties.
To meet these challenges concerning the preservation of
confidentiality of key e-banking information, banks need to ensure
that:
1) All confidential bank data and records are only accessible by
duly authorized and authenticated individuals, agents or systems.
2) All confidential bank data are maintained in a secure manner
and protected from unauthorized viewing or modification during
transmission over public, private or internal networks.
3) The bank's standards and controls for data use and protection
must be met when third parties have access to the data through
outsourcing relationships.
4) All access to restricted data is logged and appropriate
efforts are made to ensure that access logs are resistant to
tampering.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 2 of 2)
Additional operating system access controls include the following
actions:
! Ensure system administrators and security professionals have
adequate expertise to securely configure and manage the operating
system.
! Ensure effective authentication methods are used to restrict
system access to both users and applications.
! Activate and utilize operating system security and logging
capabilities and supplement with additional security software where
supported by the risk assessment process.
! Restrict operating system access to specific terminals in
physically secure and monitored locations.
! Lock or remove external drives from system consoles or terminals
residing outside physically secure locations.
! Restrict and log access to system utilities, especially those
with data altering capabilities.
! Restrict access to operating system parameters.
! Prohibit remote access to sensitive operating system functions,
where feasible, and at a minimum require strong authentication and
encrypted sessions before allowing remote support.
! Limit the number of employees with access to sensitive operating
systems and grant only the minimum level of access required to
perform routine responsibilities.
! Segregate operating system access, where possible, to limit full
or root-level access to the system.
! Monitor operating system access by user, terminal, date, and
time of access.
! Update operating systems with security patches and use
appropriate change control mechanisms.
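Both the Basel principle above (item 4: access logs resistant to tampering) and the FFIEC control to monitor access by user, terminal, date and time describe a requirement without showing a mechanism. The following added example (not from either booklet) shows one common way to meet it: each access record is chained to the previous one with an HMAC, so that editing, reordering or deleting an earlier entry is detectable on verification. The key value, field names and sample entries are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder key. In a real deployment the verification key
# is held by the log's integrity owner (e.g. a central log server), not on
# the host that writes the entries, so a local administrator cannot re-sign.
LOG_KEY = b"example-key-replace-in-production"
GENESIS = "0" * 64  # previous-tag value for the first entry


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC over the previous entry's tag plus this record's canonical JSON."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_access(log: list, user: str, terminal: str, resource: str,
                  action: str, timestamp: str = "") -> dict:
    """Append one access record: who, from which terminal, when, to what."""
    record = {
        "seq": len(log),
        "user": user,
        "terminal": terminal,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "resource": resource,
        "action": action,
    }
    prev_tag = log[-1]["tag"] if log else GENESIS
    entry = {"record": record, "tag": _tag(LOG_KEY, prev_tag, record)}
    log.append(entry)
    return entry


def verify_chain(log: list, key: bytes = LOG_KEY) -> tuple:
    """Return (True, -1) if intact, else (False, index of first bad entry).

    A modified record changes its tag; a deleted or reordered record breaks
    the seq numbering and every tag after it. Truncating the tail is only
    detectable if the latest tag is also anchored somewhere external.
    """
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        expected = _tag(key, prev_tag, entry["record"])
        if entry["record"].get("seq") != i or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, -1
```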
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.3.6 Other Threats
HGA's systems also are
exposed to several other threats that, for reasons of space, cannot
be fully enumerated here. Examples of threats and HGA's assessment
of their probabilities and impacts include those listed in the table
below.
20.4 Current Security Measures
HGA has numerous
policies and procedures for protecting its assets against the above
threats. These are articulated in HGA's Computer Security Manual,
which implements and synthesizes the requirements of many federal
directives, such as Appendix III to OMB Circular A-130, the Computer
Security Act of 1987, and the Privacy Act. The manual also includes
policies for automated financial systems, such as those based on OMB
Circulars A-123 and A-127, as well as the Federal Manager's
Financial Integrity Act.
Several examples of those policies follow, as they apply generally to
the use and administration of HGA's computer system and specifically
to security issues related to time and attendance, payroll, and
continuity of operations.
Examples of Threats to HGA Systems

Potential Threat                                            | Probability | Impact
------------------------------------------------------------|-------------|-----------
Accidental Loss/Release of Disclosure-Sensitive Information | Medium      | Low/Medium
Accidental Destruction of Information                       | High        | Medium
Loss of Information due to Virus Contamination              | Medium      | Medium
Misuse of System Resources                                  | Low         | Low
Theft                                                       | High        | Medium
Unauthorized Access to Telecommunications Resources *       | Medium      | Medium
Natural Disaster                                            | Low         | High

* HGA
operates a PBX system, which may be vulnerable to (1) hacker
disruptions of PBX availability and, consequently, agency
operations, (2) unauthorized access to outgoing phone lines
for long-distance services, (3) unauthorized access to
stored voice-mail messages, and (4) surreptitious access to
otherwise private conversations/data transmissions.