MISCELLANEOUS CYBERSECURITY NEWS:
SEC delays final rule on proposed four-day breach notification for
public companies until October - The Securities and Exchange
Commission (SEC) this week pushed back its timeline for finalizing
new regulations that would require public companies to notify the
agency within four days of a cybersecurity breach.
https://www.scmagazine.com/news/compliance/sec-delays-final-rule-on-proposed-four-day-breach-notification-for-public-companies-until-october
CISA Instructs Federal Agencies to Secure Internet-Exposed Devices -
CISA’s ‘Binding Operational Directive 23-02: Mitigating the Risk
from Internet-Exposed Management Interfaces’ provides federal
agencies with guidelines on securing device interfaces that are
accessible remotely, and which are often targeted by threat actors.
https://www.securityweek.com/cisa-instructs-federal-agencies-to-secure-internet-exposed-devices/
New FCC privacy task force takes aim at data breaches, SIM-swaps -
The Federal Communications Commission task force will also examine
how carriers collect and share geolocation data. The Federal
Communications Commission will launch its first-ever privacy and
data protection task force to crack down on SIM swapping and address
broader data privacy concerns.
https://cyberscoop.com/fcc-privacy-task-force/
If multi-factor authentication works so well, why doesn’t everyone
use it? - In 1904, a German physicist named Christian Hülsmeyer
patented the telemobiloscope, an early precursor to what we now call
radar.
https://www.scmagazine.com/perspective/identity-and-access/if-multi-factor-authentication-works-so-well-why-doesnt-everyone-use-it
FTC accuses genetic testing company of exposing sensitive health
data - The Federal Trade Commission on Friday accused the genetic
health testing firm 1health.io of failing to protect sensitive
genetic and health data, the latest in a series of FTC enforcement
actions focused on health data privacy and the first involving
genetic information.
https://cyberscoop.com/ftc-1healthio-health-data-privacy/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
MOVEit exploit used against ‘several’ federal government agencies -
“Several” government agencies fell victim to attackers exploiting a
vulnerability in the MOVEit Transfer file transfer application that
has plagued the public and private sectors since its disclosure in
late May.
https://www.scmagazine.com/news/vulnerability-management/moveit-exploit-used-against-several-federal-government-agencies
IL Rural Hospital Cites Cyberattack As Factor in Closing Doors - St.
Margaret’s Health in Spring Valley and Peru, Illinois will close its
doors, citing a 2021 cyberattack, the COVID-19 pandemic, and ongoing
staffing shortages as key factors in the decision.
https://healthitsecurity.com/news/il-rural-hospital-cites-cyberattack-as-factor-in-closing-doors
With dead-time dump, Microsoft revealed DDoS as cause of recent
cloud outages - In the murky world of political and corporate spin,
announcing bad news on Friday afternoon - a time when few media
outlets are watching, and audiences are at a low ebb - is called
"taking out the trash." And that’s what Microsoft appears to have
done last Friday.
https://www.theregister.com/2023/06/19/microsoft_365_outage_ddos_cause/
Johns Hopkins Health System Suffers Cyberattack - June 16, 2023 -
Johns Hopkins University and Johns Hopkins Health are actively
investigating a cyberattack and data breach that occurred on May 31.
Johns Hopkins said that the attack involved a “widely used software
tool” and impacted “thousands of other large organizations across
the world.”
https://healthitsecurity.com/news/johns-hopkins-health-system-suffers-cyberattack
Iowa’s largest school district confirms ransomware attack, data
theft - Des Moines Public Schools, Iowa's largest school district,
confirmed today that a ransomware attack was behind an incident that
forced it to take all networked systems offline on January 9, 2023.
https://www.bleepingcomputer.com/news/security/iowas-largest-school-district-confirms-ransomware-attack-data-theft/
WEB SITE COMPLIANCE - The Role Of Consumer Compliance In Developing
And Implementing Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system designers
consult with the compliance officer during the development and
implementation stages in order to minimize compliance risk. The
compliance officer should ensure that the proper controls are
incorporated into the system so that all relevant compliance issues
are fully addressed. This level of involvement will help decrease
an institution's compliance risk and may prevent the need to delay
deployment or redesign programs that do not meet regulatory
requirements.
The compliance officer should develop a compliance risk profile
as a component of the institution's online banking business and/or
technology plan. This profile will establish a framework from which
the compliance officer and technology staff can discuss specific
technical elements that should be incorporated into the system to
ensure that the online system meets regulatory requirements. For
example, the compliance officer may communicate with the technology
staff about whether compliance disclosures/notices on a web site
should be indicated or delivered by the use of "pointers" or
"hotlinks" to ensure that required disclosures are presented to the
consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
FFIEC IT SECURITY - We continue the series from the FDIC "Security
Risks Associated with the Internet."
SECURITY MEASURES
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to
further address the issues of authentication, non-repudiation, data
privacy, and cryptographic key management. A certificate authority
(CA) is a trusted third party that verifies the identity of a party
to a transaction. To do this, the CA vouches for the identity of a
party by attaching the CA's digital signature to that party's
identifying information and public key. The CA must be trusted by
the parties involved, which means each relying party must already
hold the CA's own public key, obtained through a trusted channel
rather than from the message being checked, and identities must
have been proven to the CA beforehand. Digital certificates are
messages signed with the CA's private key. They identify the CA and
the represented party and bind the represented party's public key
to that identity; a relying party that has checked the CA's
signature can then use that public key to verify signatures made
by the represented party.
The responsibilities of CAs and their position among emerging
technologies continue to develop. They are likely to play an
important role in key management by issuing, retaining, or
distributing public/private key pairs. Note, however, that a CA
which generates or retains a party's private key can itself produce
signatures in that party's name, which undermines non-repudiation;
in the usual arrangement the party generates its own key pair and
the CA certifies only the public half.
Implementation
The implementation and use of encryption technologies, digital
signatures, certificate authorities, and digital certificates can
vary. The technologies and methods can be used individually, or in
combination with one another. Some techniques may merely encrypt
data in transit from one location to another. While this keeps the
data confidential during transmission, it offers little in regard to
authentication and non-repudiation. Other techniques may utilize
digital signatures, but still require the encrypted submission of
sensitive information, like credit card numbers. Although protected
during transmission, additional measures would need to be taken to
ensure the sensitive information remains protected once received and
stored.
The protection afforded by the above security measures will be
governed by the capabilities of the technologies, the
appropriateness of the technologies for the intended use, and the
administration of the technologies utilized. Care should be taken
to ensure the techniques utilized are sufficient to meet the
required needs of the institution. All of the technical and
implementation differences should be explored when determining the
most appropriate package.
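The mechanism described in the two passages above (a CA signing a party's identity and public key, the relying party checking that signature against a CA certificate it already holds, and the certified party then signing its own messages, which is the authentication and non-repudiation that encryption in transit alone does not give) as a worked example in Go. This is added here and is not part of the FDIC text. It uses only the Go standard library; the CA name, subject name, serial numbers and sample message are constructed for illustration, and the CA's out-of-band identity check on the subject is assumed to have happened before issuance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// party is a key pair plus the certificate binding its public key to a name.
type party struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issueCert generates a key pair for name and has signer vouch for the public
// half; with signer == nil the certificate is self-signed (a root CA). The CA's
// real-world identity check on the subject is assumed to precede this call.
func issueCert(signer *party, name string, serial int64, isCA bool) (*party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signKey := tmpl, key // self-signed unless a signer is given
	if signer != nil {
		parent, signKey = signer.cert, signer.key
	}
	// Issuer name, subject name and subject public key under the signer's signature.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &party{key: key, cert: cert}, nil
}

// verifyChain is the relying party's check: the certificate must chain to a
// root the verifier already holds, be inside its validity period and carry an
// intact issuer signature. Trust in the root comes from how it was obtained.
func verifyChain(cert *x509.Certificate, trustedRoots ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// signMessage: only the private-key holder can produce this signature, which
// is what gives non-repudiation; encrypting the message in transit does not.
func signMessage(p *party, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, p.key, digest[:])
}

// verifyMessage uses the public key carried in the certificate; call it only
// after verifyChain has accepted that certificate.
func verifyMessage(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(msg)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	ca, _ := issueCert(nil, "Example Bank Root CA", 1, true) // hypothetical names
	alice, _ := issueCert(ca, "alice@example.test", 2, false)
	rogue, _ := issueCert(nil, "Rogue CA", 1, true) // never added to the trust store
	mallory, _ := issueCert(rogue, "alice@example.test", 3, false)
	fmt.Println("trusted CA:", verifyChain(alice.cert, ca.cert))     // <nil>
	fmt.Println("untrusted CA:", verifyChain(mallory.cert, ca.cert)) // unknown authority error
	msg := []byte("transfer 100 to account 42") // constructed sample message
	sig, _ := signMessage(alice, msg)
	fmt.Println("original:", verifyMessage(alice.cert, msg, sig))                                 // true
	fmt.Println("altered:", verifyMessage(alice.cert, []byte("transfer 1000 to account 42"), sig)) // false
}
```

Run it with go run. The untrusted-CA case fails with an unknown-authority error even though the rogue certificate is well formed and names the same subject; that is the practical meaning of "the CA must be trusted by the parties involved". verifyChain does not check revocation, so a deployed relying party would need CRL or OCSP checks on top of this, and a signature should only be accepted after the chain check, never on the strength of the certificate's contents alone.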
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
Tools to Implement Policy - Standards, Guidelines, and Procedures:
Because policy is written at a broad level, organizations also
develop standards, guidelines, and procedures that offer users,
managers, and others a clearer approach to implementing policy and
meeting organizational goals. Standards and guidelines specify
technologies and methodologies to be used to secure systems.
Procedures are yet more detailed steps to be followed to accomplish
particular security-related tasks. Standards, guidelines, and
procedures may be promulgated throughout an organization via
handbooks, regulations, or manuals.
Organizational standards (not to be confused with American
National Standards, FIPS, Federal Standards, or other national or
international standards) specify uniform use of specific
technologies, parameters, or procedures when such uniform use will
benefit an organization. Standardization of organization-wide
identification badges is a typical example, providing ease of
employee mobility and automation of entry/exit systems. Standards
are normally compulsory within an organization.
Guidelines assist users, systems personnel, and others in
effectively securing their systems. The nature of guidelines,
however, immediately recognizes that systems vary considerably, and
imposition of standards is not always achievable, appropriate, or
cost-effective. For example, an organizational guideline may be used
to help develop system-specific standard procedures. Guidelines are
often used to help ensure that specific security measures are not
overlooked, although they can be implemented, and correctly so, in
more than one way.
Procedures normally assist in complying with applicable security
policies, standards, and guidelines. They are detailed steps to be
followed by users, system operations personnel, or others to
accomplish a particular task (e.g., preparing new user accounts and
assigning the appropriate privileges).
Some organizations issue overall computer security manuals,
regulations, handbooks, or similar documents. These may mix policy,
guidelines, standards, and procedures, since they are closely
linked. While manuals and regulations can serve as important tools,
it is often useful if they clearly distinguish between policy and
its implementation. This can help in promoting flexibility and
cost-effectiveness by offering alternative implementation approaches
to achieving policy goals.