MISCELLANEOUS CYBERSECURITY NEWS:
Malicious USB drives part of new self-propagating malware campaign -
Researchers discovered a new variant of a self-propagating malware
actively being spread via USB drives by what they say is a China
state-backed advanced persistent threat (APT) operation dubbed
Camaro Dragon.
https://www.scmagazine.com/news/threat-intelligence/usb-drives-self-propagating-malware
JP Morgan accidentally deletes evidence in multi-million record
retention screwup - JP Morgan has been fined $4 million by America's
securities watchdog, the SEC, for deleting millions of email records
dating from 2018 relating to its Chase Bank subsidiary.
https://www.theregister.com/2023/06/26/jp_morgan_fined_for_deleting/
SEC Alleges SolarWinds CFO, CISO Violated US Securities Laws - The
Austin, Texas-based IT infrastructure management vendor revealed
late Friday that "certain current and former executive officers and
employees" were targeted by the SEC for their role in responding to the
Russian hack of the Orion network monitoring product.
https://www.govinfosecurity.com/sec-alleges-solarwinds-cfo-ciso-violated-us-securities-laws-a-22367
Hundreds of federal network devices fail new CISA security
requirements - U.S. federal agencies are running hundreds of
remotely accessible management interfaces that don’t meet recently
mandated security requirements, according to Censys researchers.
https://www.scmagazine.com/news/critical-infrastructure/federal-network-fail-cisa-security-requirements
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Oreo cookie maker says crooks gobbled up staff info - Mondelez
International has warned 51,000 of its past and present employees
that their personal information has been stolen from a law firm
hired by the Oreo and Ritz cracker giant.
https://www.theregister.com/2023/06/20/mondelez_third_party_breach/
Data leak at major law firm sets Australia's government and elites
scrambling - An infosec incident at a major Australian law firm has
sparked fear among the nation's governments, banks and businesses –
and a free speech debate.
https://www.theregister.com/2023/06/20/hwl_ebsworth_cyber_incident/
Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack
- Gen Digital, the company behind known cybersecurity brands such as
Avast, Avira, AVG, Norton, and LifeLock, has confirmed that
employees' personal information was compromised in the recent MOVEit
ransomware attack.
https://www.securityweek.com/norton-parent-says-employee-data-stolen-in-moveit-ransomware-attack/
SolarWinds CISO and CFO are focus of SEC’s Orion investigation -
SolarWinds’ chief financial officer and chief information security
officer have been told they—along with the company—could face civil
enforcement action in the wake of the notorious 2020 Orion breach.
https://www.scmagazine.com/news/leadership/solarwinds-ciso-and-cfo-are-focus-of-secs-orion-investigation
Suncor Energy cyberattack impacts Petro-Canada gas stations -
Petro-Canada gas stations across Canada are impacted by technical
problems preventing customers from paying with credit card or
rewards points as its parent company, Suncor Energy, discloses they
suffered a cyberattack.
https://www.bleepingcomputer.com/news/security/suncor-energy-cyberattack-impacts-petro-canada-gas-stations/
American and Southwest Airlines pilot candidate data exposed - A
vendor that operates a pilot recruitment platform used by major
airlines exposed the personal files of more than 8,000 pilot and
cadet applicants at American Airlines and Southwest Airlines.
https://www.theregister.com/2023/06/26/american_southwest_airline_breach/
Biggest Healthcare Data Breaches Reported This Year, So Far - The
biggest healthcare data breaches reported this year so far have
impacted more than 39 million individuals collectively.
https://healthitsecurity.com/features/biggest-healthcare-data-breaches-reported-this-year-so-far
Hackers steal data of 45,000 New York City students in MOVEit breach
- The New York City Department of Education (NYC DOE) says hackers
stole documents containing the sensitive personal information of up
to 45,000 students from its MOVEit Transfer server.
https://www.bleepingcomputer.com/news/security/hackers-steal-data-of-45-000-new-york-city-students-in-moveit-breach/
CISOs say they’re concerned with lawsuits, supply chain and API
security in survey - The rapid adoption of digitization for online
and mobile services has created unforeseen security risks, said
nearly 90% of the 300 cybersecurity leaders surveyed worldwide in a
new report.
https://www.scmagazine.com/news/business-continuity/cisos-say-theyre-concerned-with-lawsuits-supply-chain-and-api-security-in-survey
WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent
an advertisement. Accordingly, bank web site home pages should
contain the official advertising statement unless the advertisement
is subject to exceptions such as advertisements for loans,
securities, trust services and/or radio or television advertisements
that do not exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement. Conversely, subsidiary web pages
that relate to loans do not require the official advertising
statement.
FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated with the
Internet."
SECURITY MEASURES
System Architecture and Design
Measures to address access control and system security start
with the appropriate system architecture. Ideally, if an Internet
connection is to be provided from within the institution, or a Web
site established, the connection should be entirely separate from
the core processing system. If the Web site is placed on its own
server, there is no direct connection to the internal computer
system. However, appropriate firewall technology may be necessary to
protect Web servers and/or internal systems.
Placing a "screening router" between the firewall and other
servers provides an added measure of protection, because requests
could be segregated and routed to a particular server (such as a
financial information server or a public information server).
However, some systems may be considered so critical, they should be
completely isolated from all other systems or networks. Security
can also be enhanced by sending electronic transmissions from
external sources to a machine that is not connected to the main
operating system.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
5.1 Program Policy
A management official, normally the head of the organization or the
senior administration official, issues program policy to establish
(or restructure) the organization's computer security program and
its basic structure. This high-level policy defines the purpose of
the program and its scope within the organization; assigns
responsibilities (to the computer security organization) for direct
program implementation, as well as other responsibilities to related
offices (such as the Information Resources Management [IRM]
organization); and addresses compliance issues.
Program policy sets organizational strategic directions for
security and assigns resources for its implementation.
5.1.1 Basic Components of Program Policy
Components of program policy should address:
Purpose. Program policy normally includes a statement
describing why the program is being established. This may include
defining the goals of the program. Security-related needs, such as
integrity, availability, and confidentiality, can form the basis of
organizational goals established in policy. For instance, in an
organization responsible for maintaining large mission-critical
databases, reduction in errors, data loss, data corruption, and
recovery might be specifically stressed. In an organization
responsible for maintaining confidential personal data, however,
goals might emphasize stronger protection against unauthorized
disclosure.
Scope. Program policy should be clear as to which resources
(including facilities, hardware, software, information, and
personnel) the computer security program covers. In many cases,
the program will encompass all systems and organizational personnel,
but this is not always true. In some instances, it may be
appropriate for an organization's computer security program to be
more limited in scope.
Responsibilities. Once the computer security program is
established, its management is normally assigned to either a
newly-created or existing office.
Program policy establishes the security program and assigns program
management and supporting responsibilities.
The responsibilities of officials and offices throughout the
organization also need to be addressed, including line managers,
applications owners, users, and the data processing or IRM
organizations. This section of the policy statement, for example,
would distinguish between the responsibilities of computer services
providers and those of the managers of applications using the
provided services. The policy could also establish operational
security offices for major systems, particularly those at high risk
or most critical to organizational operations. It also can serve as
the basis for establishing employee accountability.
At the program level, responsibilities should be specifically
assigned to those organizational elements and officials responsible
for the implementation and continuity of the computer security
policy.
Compliance. Program policy typically will address two
compliance issues:
1) General compliance to ensure meeting the requirements to
establish a program and the responsibilities assigned therein to
various organizational components. Often an oversight office (e.g.,
the Inspector General) is assigned responsibility for monitoring
compliance, including how well the organization is implementing
management's priorities for the program.
2) The use of specified penalties and disciplinary actions. Since
the security policy is a high-level document, specific penalties for
various infractions are normally not detailed here; instead, the
policy may authorize the creation of compliance structures that
include violations and specific disciplinary action(s).
Those developing compliance policy should remember that violations
of policy can be unintentional on the part of employees. For
example, nonconformance can often be due to a lack of knowledge or
training.