MISCELLANEOUS CYBERSECURITY NEWS:
How to achieve (real) passwordless authentication - Let's face it -
everyone hates passwords. The good ones are hard to remember, and
we've each got so many of them that some are bound to be bad. In
enterprises and on websites, help desks and tech-support staffers
spend far too much time resetting user passwords.
https://www.scmagazine.com/resource/identity-and-access/achieving-real-passwordless-authentication
Are passwords finally being pushed out by frictionless
authentication alternatives? - The cybersecurity industry may
finally be on the cusp of meaningfully moving beyond passwords, as
up-and-coming technologies promise a more secure authentication
experience without causing user friction, according to a
cybersecurity veteran.
https://www.scmagazine.com/analysis/identity-and-access/are-passwords-finally-being-pushed-out-by-frictionless-authentication-alternatives
The future of personal identity - Imagine a day in the near future
when you go to a bank to apply for a loan. Instead of providing a
driver's license, passport or birth certificate to verify your
identity, and then filling out forms providing your date of birth,
street address, email address, Social Security number and employment
status, you simply tap your phone and display a QR code that the
bank's loan office scans to get all that information.
https://www.scmagazine.com/resource/identity-and-access/the-future-of-personal-identity
Cloud Security Technical Reference Architecture - Executive Order
14028, “Improving the Nation’s Cybersecurity” marks a renewed
commitment to and prioritization of federal cybersecurity
modernization and strategy.
https://www.meritalk.com/articles/cisa-issues-revised-cloud-security-tra/
https://www.cisa.gov/sites/default/files/publications/Cloud%20Security%20Technical%20Reference%20Architecture.pdf
Pair of Brand-New Cybersecurity Bills Become Law - Bipartisan
legislation allows cybersecurity experts to work across multiple
agencies and provides federal support for local governments.
https://www.darkreading.com/careers-and-people/cybersecurity-bills-become-law
GAO - Electronic Health Information - HHS Needs to Improve
Communications for Breach Reporting - Health IT systems can enhance
health care delivery and empower providers to make informed
decisions about patient health. But these systems may be vulnerable
to breaches.
https://www.gao.gov/products/gao-22-105425
Job opening: Department of Energy is on the hunt for information
security chief - Greg Sisson, the Department of Energy’s chief
information security officer, will be leaving his post on July 11
for a job in the private sector.
https://www.scmagazine.com/analysis/careers/job-opening-department-of-energy-is-on-the-hunt-for-information-security-chief
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Info on 1.5m people stolen from US bank in cyberattack - Time to
rethink that cybersecurity strategy? A US bank has said at least the
names and social security numbers of more than 1.5 million of its
customers were stolen from its computers in December.
https://www.msn.com/en-us/money/news/info-on-1-5m-people-stolen-from-us-bank-in-cyberattack/ar-AAYHUsa
5 more organizations added to Eye Care Leaders attack total, now
biggest PHI breach of 2022 - The impact from the Eye Care Leaders
ransomware attack continues to expand, with five more covered
entities reporting impacts to patient data in the last week.
https://www.scmagazine.com/analysis/breach/5-more-organizations-added-to-eye-care-leaders-attack-total-now-biggest-phi-breach-of-2022
2 Texas Hospitals Infected With Malicious Code May Face PHI Exposure
- Baptist Medical Center and Resolute Health Hospital informed
patients that their network was infected with malicious code in
April, potentially resulting in PHI exposure.
https://healthitsecurity.com/news/2-texas-hospitals-infected-with-malicious-code-face-potential-phi-exposure
Cloudflare Outage Whacks 19 Data Centers for Global Traffic - A
network configuration change that went awry resulted in a massive
Cloudflare outage that left many of the world's most popular
websites inaccessible for 75 minutes.
https://www.govinfosecurity.com/cloudflare-outage-whacks-19-data-centers-for-global-traffic-a-19429
FTC Takes Action Against CafePress Over Massive Data Breach, Cover-Up
- The Federal Trade Commission (FTC) on Friday announced that it has
finalized an order against CafePress, requiring it to improve its
security posture following a cybersecurity incident that the company
attempted to cover up.
https://www.securityweek.com/ftc-takes-action-against-cafepress-over-massive-data-breach-cover
More than $100m in cryptocurrency stolen from blockchain biz - 'A
humbling and unfortunate reminder' that monsters lurk under bridges
- Blockchain venture Harmony offers bridge services for transferring
crypto coins across different blockchains, but something has gone
badly wrong.
https://www.theregister.com/2022/06/24/harmony_100m_cryptocurrency_theft/
Chinese APT Group Likely Using Ransomware Attacks as Cover for IP
Theft - A China-based advanced persistent threat (APT) actor, active
since early 2021, appears to be using ransomware and
double-extortion attacks as camouflage for systematic,
government-sponsored cyberespionage and intellectual property theft.
https://www.darkreading.com/attacks-breaches/chinese-apt-ransomware-attacks-cover-ip-theft
‘Money mule’ accounts have transferred $3 billion in the first half
of 2022 - hybrid bot technology to open the accounts on a wider
basis, according to BioCatch, a behavioral biometrics company.
https://www.scmagazine.com/analysis/identity-and-access/money-mule-accounts-have-transferred-3-billion-in-the-first-half-of-2022
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites -
Risk Mitigation and Response Guidance for Web Site Spoofing Incidents
(Part 4 of 5)
PROCEDURES TO ADDRESS SPOOFING - Spoofing Incident Response
To respond to spoofing incidents effectively, bank management
should establish structured and consistent procedures. These
procedures should be designed to close fraudulent Web sites, obtain
identifying information from the spoofed Web site to protect
customers, and preserve evidence that may be helpful in connection
with any subsequent law enforcement investigations.
Banks can take the following steps to disable a spoofed Web site
and recover customer information. Some of these steps will
require the assistance of legal counsel.
* Communicate promptly, including through written
communications, with the Internet service provider (ISP) responsible
for hosting the fraudulent Web site and demand that the suspect Web
site be shut down;
* Contact the domain name registrars promptly, for any
domain name involved in the scheme, and demand the disablement of
the domain names;
* Obtain a subpoena from the clerk of a U.S. District
Court directing the ISP to identify the owners of the spoofed Web
site and to recover customer information in accordance with the
Digital Millennium Copyright Act;
* Work with law enforcement; and
* Use other existing mechanisms to report suspected
spoofing activity.
The following are other actions and types of legal documents
that banks can use to respond to a spoofing incident:
* Banks can write letters to domain name registrars
demanding that the incorrect use of their names or trademarks cease
immediately;
* If these demand letters are not effective, companies
with registered Internet names can use the Uniform Domain Name
Dispute Resolution Process (UDRP) to resolve disputes in which they
suspect that their names or trademarks have been illegally infringed
upon. This process allows banks to take action against domain
name registrars to stop a spoofing incident. However, banks
must bear in mind that the UDRP can be relatively time-consuming.
For more details on this process see
http://www.icann.org/udrp/udrp-policy-24oct99.htm; and
* Additional remedies may be available under the federal
Anti-Cybersquatting Consumer Protection Act (ACCPA) allowing the bank
to initiate immediate action in federal district court under section
43(d) of the Lanham Act, 15 USC 1125(d). Specifically, the
ACCPA can provide for rapid injunctive relief without the need to
demonstrate a similarity or likelihood of confusion between the
goods or services of the parties.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Controls in Application Software
Application development should incorporate appropriate security
controls, audit trails, and activity logs. Typical application
access controls are addressed in earlier sections. Application
security controls should also include validation controls for data
entry and data processing. Data entry validation controls include
access controls over entry and changes to data, error checks, review
of suspicious or unusual data, and dual entry or additional review
and authorization for highly sensitive transactions or data. Data
processing controls include: batch control totals; hash totals of
data for comparison after processing; identification of any changes
made to data outside the application (e.g., data-altering
utilities); and job control checks to ensure programs run in correct
sequence (see the booklet "Computer Operations" for additional
considerations).
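The batch control totals and hash totals described above, as an added example that is not part of the FFIEC booklet. The batch of payment records and the key are constructed for the demo; the hash total is implemented here as a keyed SHA-256 digest (HMAC) over the records in canonical form, so a data-altering utility run outside the application cannot recompute it, and a compensating edit that leaves the amount total unchanged is still caught.

```python
import hashlib
import hmac

# Constructed sample batch captured at data entry (not from the booklet).
BATCH = [
    {"id": "T001", "account": "1001", "amount_cents": 12500},
    {"id": "T002", "account": "1002", "amount_cents": 4200},
    {"id": "T003", "account": "1003", "amount_cents": 99900},
]
# Constructed demo key; in practice held by the application, not the batch files.
ENTRY_KEY = b"constructed-demo-key"


def canonical(rec):
    """Serialize one record with a fixed field order so the digest is stable."""
    return f"{rec['id']}|{rec['account']}|{rec['amount_cents']}".encode()


def batch_controls(records, key):
    """Return (record count, amount total, hash total) for a batch of records."""
    count = len(records)
    amount_total = sum(r["amount_cents"] for r in records)
    h = hmac.new(key, digestmod=hashlib.sha256)
    for r in records:
        h.update(canonical(r))
        h.update(b"\n")  # record separator so fields cannot run together
    return count, amount_total, h.hexdigest()


def verify_batch(records, key, expected):
    """Recompute the controls after processing and compare with the values
    recorded at entry. Returns the names of the controls that no longer
    match; an empty list means the batch is intact."""
    count, amount_total, digest = batch_controls(records, key)
    failures = []
    if count != expected[0]:
        failures.append("record_count")
    if amount_total != expected[1]:
        failures.append("amount_total")
    if not hmac.compare_digest(digest, expected[2]):
        failures.append("hash_total")
    return failures


if __name__ == "__main__":
    controls = batch_controls(BATCH, ENTRY_KEY)
    # Simulate a utility moving 10.00 from one record to another outside the
    # application: count and amount total still agree, only the hash total fails.
    tampered = [dict(r) for r in BATCH]
    tampered[0]["amount_cents"] += 1000
    tampered[1]["amount_cents"] -= 1000
    print("intact:", verify_batch(BATCH, ENTRY_KEY, controls))
    print("tampered:", verify_batch(tampered, ENTRY_KEY, controls))
```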
Some applications will require the integration of additional
authentication and encryption controls to ensure integrity and
confidentiality of the data. As customers and merchants originate an
increasing number of transactions, authentication and encryption
become increasingly important to ensure non-repudiation of
transactions.