July 4, 2021
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with 40 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Ignorance is not a legal excuse
for paying sanctioned ransomware groups - The emergence of Grief, a
new ransomware program with a possible connection to a U.S.
government-sanctioned cybercriminal outfit, raises an interesting
question: If you make a ransom payment to an unknown adversary that
only later is confirmed to be a cyber terrorist group, can you still
face penalties?
https://www.scmagazine.com/home/security-news/ransomware/ignorance-is-not-a-legal-excuse-for-paying-sanctioned-ransomware-groups/
FFIEC Architecture, Infrastructure, and Operations Examination
Handbook - The Federal Financial Institutions Examination Council
has published the "Architecture, Infrastructure, and Operations"
booklet.
Press Release:
www.federalreserve.gov/supervisionreg/srletters/SR2111.htm
Press Release:
www.fdic.gov/news/financial-institution-letters/2021/fil21047.html
Press Release:
www.ffiec.gov/press/pr063021.htm
Press Release:
www.occ.treas.gov/news-issuances/bulletins/2021/bulletin-2021-30.html
Press Release:
www.ncua.gov/newsroom/press-release/2021/financial-regulators-update-examiner-guidance-financial-institutions-information-technology
Security pros struggle to balance monitoring of remote workforces
with privacy expectations - The work-from-home revolution ushered in
by COVID-19 has created new challenges for businesses looking to
monitor their employees’ productivity and behavior without violating
their privacy.
https://www.scmagazine.com/home/security-news/privacy-compliance/security-pros-struggle-to-balance-monitoring-of-remote-workforces-with-privacy-expectations/
OIG: CMS lacks protocol to assess networked medical device
cybersecurity in hospitals - The Centers for Medicare & Medicaid
Services’ protocol for assessing the cybersecurity of networked
medical devices in hospital environments fails to impose required
standards and lacks consistent oversight, according to a U.S.
Department of Health and Human Services Office of the Inspector
General report.
https://www.scmagazine.com/home/health-care/oig-cms-lacks-protocol-to-assess-networked-medical-device-cybersecurity-in-hospitals/
Cyber insurance isn't helping with cybersecurity, and it might be
making the ransomware crisis worse, say researchers - Allowing
organisations to claim back ransom payments could be making the
problem of ransomware worse - but cyber insurance could be used to
help improve security, says RUSI research paper.
https://www.zdnet.com/article/ransomware-has-become-an-existential-threat-that-means-cyber-insurance-is-about-to-change/
NIST Releases 'Critical Software' Definition for US Agencies - The
National Institute of Standards and Technology has published its
definition of what "critical software" means for the U.S. federal
government, as the standards agency begins fulfilling some of the
requirements laid out in President Joe Biden's executive order on
cybersecurity.
https://www.govinfosecurity.com/nist-releases-critical-software-definition-for-us-agencies-a-16952
Vendor incidents lead the 10 biggest health care data breaches of
2021 so far - In 2021, the 10 largest reported health care data
breaches, so far, have compromised the protected health information
of nearly 16 million patients.
https://www.scmagazine.com/home/health-care/vendor-incidents-lead-the-10-biggest-health-care-data-breaches-of-2021-so-far/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Ransomware Attack on Eye Clinic
Chain Affects 500,000 - Wolfe Eye Clinic, which operates diagnostic
and surgical centers in 40 Iowa communities, is notifying 500,000
current and former patients that their data may have been
inappropriately accessed during a recent ransomware attack. But the
organization refused to pay a ransom.
https://www.govinfosecurity.com/ransomware-attack-on-eye-clinic-chain-affects-500000-a-16933
Tulsa warns residents that police citations and reports leaked to
Dark Web after Conti ransomware attack - The City of Tulsa has
notified residents that some of their personal information may be on
the dark web thanks to a ransomware attack last month by prolific
cybercriminal group Conti.
https://www.zdnet.com/article/tulsa-warns-residents-that-police-citations-and-reports-leaked-to-dark-web-after-conti-ransomware-attack/
Data of 500K patients accessed, stolen after eye clinic ransomware
attack - A ransomware attack on Iowa-based Wolfe Eye Clinic earlier
this year led to the access and possible theft of data belonging to
500,000 patients.
https://www.scmagazine.com/home/security-news/data-breach/actors-steal-data-of-500k-patients-during-eye-clinic-ransomware-attack/
Costs from ransomware attack against Ireland health system reach
$600M - The Ireland Health Service Executive (HSE) is continuing to
operate under electronic health record (EHR) downtime procedures and
experiencing continued care disruptions, after suffering a
ransomware attack more than six weeks ago.
https://www.scmagazine.com/home/security-news/ransomware/costs-from-ransomware-attack-against-ireland-health-system-reach-600m/
NewsBlur restores service in 10 hours after ransomware attack -
Turns out the recent story about the personal news reader NewsBlur
being down for several hours last week following a data exposure has
a happy ending: the owner retained an original copy of the database
that was compromised and restored the service in 10 hours.
https://www.scmagazine.com/home/security-news/ransomware/newsblur-hit-by-ransomware-because-of-docker-glitch-but-restores-service-in-10-hours/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 2 of 2)
A penetration analysis itself can introduce new risks to an
institution; therefore, several items should be considered before
having an analysis completed, including the following:
1) If using outside testers, the reputation of the firm or
consultants hired. The evaluators will assess the weaknesses in the
bank's information security system. As such, the confidentiality of
results and bank data is crucial. Just like screening potential
employees prior to their hire, banks should carefully screen firms,
consultants, and subcontractors who are entrusted with access to
sensitive data. A bank may want to require security clearance checks
on the evaluators. An institution should ask if the evaluators have
liability insurance in case something goes wrong during the test.
The bank should enter into a written contract with the evaluators,
which at a minimum should address the above items.
2) If using internal testers, the independence of the testers
from system administrators.
3) The secrecy of the test. Some senior executives may order an
analysis without the knowledge of information systems personnel.
This can create unwanted results, including the notification of law
enforcement personnel and wasted resources responding to an attack.
To prevent excessive responses to the attacks, bank management may
consider informing certain individuals in the organization of the
penetration analysis.
4) The importance of the systems to be tested. Some systems may
be too critical to be exposed to some of the methods used by the
evaluators such as a critical database that could be damaged during
the test.
FYI - Please remember that we perform vulnerability-penetration
studies and would be happy to e-mail your company a proposal.
E-mail Kinney Williams at examiner@yennik.com for more information.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY STRATEGY (2 of 2)
Any particular approach should consider: (1) policies, standards, and
procedures; (2) technology and architecture; (3) resource
dedication; (4) training; and (5) testing.
For example, an institution's management may be assessing the
proper strategic approach to intrusion detection for an Internet
environment. Two potential approaches were identified for
evaluation. The first approach uses a combination of network and
host intrusion detection sensors with a staffed monitoring center.
The second approach consists of daily access log review. The former
alternative is judged much more capable of detecting an attack in
time to minimize any damage to the institution and its data, albeit
at a much greater cost. The added cost is entirely appropriate when
customer data and institution processing capabilities are exposed to
an attack, such as in an Internet banking environment. The latter
approach may be appropriate when the primary risk is reputational
damage, such as when the only information being protected is an
information-only Web site, and the Web site is not connected to
other financial institution systems.
Strategies should consider the layering of controls. Excessive
reliance on a single control could create a false sense of
confidence. For example, a financial institution that depends solely
on a firewall can still be subject to numerous attack methodologies
that exploit authorized network traffic. Financial institutions
should design multiple layers of security controls and testing to
establish several lines of defense between the attacker and the
asset being attacked. To successfully attack the data, each layer
must be penetrated. With each penetration, the probability of
detecting the attacker increases.
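As an added illustration (not part of the FFIEC booklet text), the detection claim can be quantified. If an attacker must pass $n$ layers and layer $i$ detects an intrusion attempt with probability $p_i$, then, assuming the layers' detections are independent, the chance of passing every layer undetected is $\prod_{i=1}^{n}(1-p_i)$, so

$$P(\text{detected}) = 1 - \prod_{i=1}^{n}(1 - p_i).$$

For example, three layers that each catch only half of attempts ($p_1 = p_2 = p_3 = 0.5$) give $P(\text{detected}) = 1 - 0.5^3 = 0.875$, whereas a single such control detects only $0.5$. Adding a layer can never lower $P(\text{detected})$, but a layer whose alerts nobody reviews contributes $p_i = 0$ and adds nothing, which is why the booklet pairs layered controls with monitoring and testing.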
Policies are the primary embodiment of strategy, guiding
decisions made by users, administrators, and managers, and informing
those individuals of their security responsibilities. Policies also
specify the mechanisms through which responsibilities can be met,
and provide guidance in acquiring, configuring, and auditing
information systems. Key actions that contribute to the success of a
security policy are:
1) Implementing through ordinary means, such as system
administration procedures and acceptable-use policies;
2) Enforcing policy through security tools and sanctions;
3) Delineating the areas of responsibility for users,
administrators, and managers;
4) Communicating in a clear, understandable manner to all
concerned;
5) Obtaining employee certification that they have read and
understood the policy;
6) Providing flexibility to address changes in the environment;
and
7) Conducting annually a review and approval by the board of
directors.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.2 Fire Safety Factors
Building fires are a particularly important security threat because
of the potential for complete destruction of both hardware and data,
the risk to human life, and the pervasiveness of the damage. Smoke,
corrosive gases, and high humidity from a localized fire can damage
systems throughout an entire building. Consequently, it is important
to evaluate the fire safety of buildings that house systems.
Following are important factors in determining the risks from fire.
Ignition Sources. Fires begin because something supplies
enough heat to cause other materials to burn. Typical ignition
sources are failures of electric devices and wiring, carelessly
discarded cigarettes, improper storage of materials subject to
spontaneous combustion, improper operation of heating devices, and,
of course, arson.
Fuel Sources. If a fire is to grow, it must have a supply of
fuel, material that will burn to support its growth, and an adequate
supply of oxygen. Once a fire becomes established, it depends on the
combustible materials in the building (referred to as the fire load)
to support its further growth. The more fuel per square meter, the
more intense the fire will be.
Building Operation. If a building is well maintained and
operated so as to minimize the accumulation of fuel (such as
maintaining the integrity of fire barriers), the fire risk will be
minimized.
Building Occupancy. Some occupancies are inherently more
dangerous than others because of an above-average number of
potential ignition sources. For example, a chemical warehouse may
contain an above-average fuel load.
Fire Detection. The more quickly a fire is detected, all
other things being equal, the more easily it can be extinguished,
minimizing damage. It is also important to accurately pinpoint the
location of the fire.
Fire Extinguishment. A fire will burn until it consumes all
of the fuel in the building or until it is extinguished. Fire
extinguishment may be automatic, as with an automatic sprinkler
system or a HALON discharge system, or it may be performed by people
using portable extinguishers, cooling the fire site with a stream of
water, by limiting the supply of oxygen with a blanket of foam or
powder, or by breaking the combustion chemical reaction chain.
When properly installed, maintained, and provided with an adequate
supply of water, automatic sprinkler systems are highly effective in
protecting buildings and their contents. Nonetheless, one often
hears uninformed persons speak of the water damage done by sprinkler
systems as a disadvantage. Fires that trigger sprinkler systems
cause the water damage. In short, sprinkler systems reduce fire
damage, protect the lives of building occupants, and limit the fire
damage to the building itself. All these factors contribute to more
rapid recovery of systems following a fire.
Halons have been identified as harmful to the Earth's protective
ozone layer. So, under an international agreement (known as the
Montreal Protocol), production of halons ended January 1, 1994. In
September 1992, the General Services Administration issued a
moratorium on halon use by federal agencies.
Each of these factors is important when estimating the occurrence
rate of fires and the amount of damage that will result. The
objective of a fire-safety program is to optimize these factors to
minimize the risk of fire.
Types of Building Construction
There are four basic kinds of building construction: (a) light
frame, (b) heavy timber, (c) incombustible, and (d) fire resistant.
Note that the term fireproof is not used because no structure can
resist a fire indefinitely. Most houses are light frame, and cannot
survive more than about thirty minutes in a fire. Heavy timber means
that the basic structural elements have a minimum thickness of four
inches. When such structures burn, the char that forms tends to
insulate the interior of the timber and the structure may survive
for an hour or more depending on the details. Incombustible means
that the structure members will not burn. This almost always means
that the members are steel. Note, however, that steel loses its
strength at high temperatures, at which point the structure
collapses. Fire resistant means that the structural members are
incombustible and are insulated. Typically, the insulation is either
concrete that encases steel members, or is a mineral wool that is
sprayed onto the members. Of course, the heavier the insulation, the
longer the structure will resist a fire.
Note that a building constructed of reinforced concrete can still
be destroyed in a fire if there is sufficient fuel present and fire
fighting is ineffective. The prolonged heat of a fire can cause
differential expansion of the concrete, which causes spalling.
Portions of the concrete split off, exposing the reinforcing, and
the interior of the concrete is subject to additional spalling.
Furthermore, as heated floor slabs expand outward, they deform
supporting columns. Thus, a reinforced concrete parking garage with
open exterior walls and a relatively low fire load has a low fire
risk, but a similar archival record storage facility with closed
exterior walls and a high fire load has a higher risk even though
the basic building material is incombustible.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.