R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

July 10, 2022

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

HIPAA privacy violations enforcement a priority for feds after abortion ruling - The Department of Health and Human Services Office for Civil Rights issued new guidance targeting patient privacy risks posed by the recent Supreme Court ruling overturning Roe v. Wade, taking away “the right to safe and legal abortion.” https://www.scmagazine.com/analysis/application-security/hipaa-privacy-violations-enforcement-a-priority-for-feds-after-abortion-ruling

Three technical challenges that keep CISOs up at night - The CISO has had to learn a plethora of executive skills related to communication, interaction, negotiation, sales, budgeting, and people. https://www.scmagazine.com/perspective/leadership/three-technical-challenges-that-keep-cisos-up-at-night-%ef%bf%bc

Moody’s says Costa Rican response shows ‘resilience’ of sovereign governments to ransomware - A pair of ransomware attacks targeting the Costa Rican government in April and May crippled computer networks and brought essential services to a standstill, but a prominent U.S. credit ratings firm is saying the episodes actually demonstrate some of the inherent resilience of sovereign governments against such hacks. https://www.scmagazine.com/analysis/ransomware/moodys-says-costa-rican-response-shows-resilience-of-sovereign-governments-to-ransomware

University recovers 2019 ransom to find value of cryptocurrency skyrocketed - Cryptocurrency volatility worked out in one victim's favor: Maastricht University paid a ransom worth €200,000 in 2019 and is set to receive recovered funds from the criminals' account now worth €500,000. https://www.scmagazine.com/analysis/ransomware/university-recovers-2019-ransom-to-find-value-of-cryptocurrency-skyrocketed

Defense Department testing paid bug bounty program this week - The Chief Digital and Artificial Intelligence Office Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3) this week are piloting monetary rewards for ethical hackers who provide critical and high severity vulnerability information to the DoD Vulnerability Disclosure Program. https://www.scmagazine.com/news/vulnerability-management/defense-department-testing-paid-bug-bounty-program-this-week

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Georgia hospital recovering from cyberattack with EHR downtime procedures - A cyberattack on Jack Hughston Memorial Hospital has led the Georgia hospital to pull certain systems offline and operate under electronic health record downtime procedures, local news outlets reported Wednesday. The type of attack behind the network outage is unclear. https://www.scmagazine.com/analysis/ransomware/georgia-hospital-recovering-from-cyberattack-with-ehr-downtime-procedures

Wegmans’ $400,000 fine for exposed customer data should leave all retailers on high alert - Retail chains operate on thin margins with very tight IT and security budgets, so news on Thursday that Wegmans agreed to pay the state of New York $400,000 and upgrade its cybersecurity operations for a cloud misconfiguration was hardly a shocker to security industry insiders. https://www.scmagazine.com/news/cloud-security/wegmans-cloud-misconfiguration-leads-to-400000-fine-for-exposed-customer-data

Flagstar Bank breach another example of hacker threat to financial sector - Cybersecurity risks to financial institutions, such as banks and financial services, have grown in recent years despite the industry being heavily regulated to protect customers' data. https://www.scmagazine.com/analysis/breach/flagstar-bank-breach-another-example-of-hacker-threat-to-financial-sector

Accounts receivable provider discloses network breach to potentially affected customers - Financial institutions have long been accustomed to the fact that it can take a long time not only to remove but even to discover the most damaging malware in their systems, and even longer to determine the overall impact on their networks and their customers' data. https://www.scmagazine.com/analysis/ransomware/accounts-receivable-provider-discloses-network-breach-to-potentially-affected-customers


WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 5 of 5).  Next week we will begin our series on the Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes.
    
    
PROCEDURES TO ADDRESS SPOOFING - Contact the OCC and Law Enforcement Authorities
    
    If a bank is the target of a spoofing incident, it should promptly notify its OCC supervisory office and report the incident to the FBI and appropriate state and local law enforcement authorities.  Banks can also file complaints with the Internet Fraud Complaint Center (see http://www.ic3.gov), a partnership of the FBI and the National White Collar Crime Center.
    
    In order for law enforcement authorities to respond effectively to spoofing attacks, they must be provided with information necessary to identify and shut down the fraudulent Web site and to investigate and apprehend the persons responsible for the attack.  The data discussed under the "Information Gathering" section should meet this need.
    
    In addition to reporting to the bank's supervisory office and law enforcement authorities, there are other less formal mechanisms that a bank can use to report these incidents and help combat fraudulent activities.  For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/), which is a joint initiative of industry and law enforcement designed to support apprehension of perpetrators of phishing-related crimes, including spoofing.  Members of Digital Phishnet include ISPs, online auction services, financial institutions, and financial service providers.  The members work closely with the FBI, Secret Service, U.S. Postal Inspection Service, Federal Trade Commission (FTC), and several electronic crimes task forces around the country to assist in identifying persons involved in phishing-type crimes.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION
  
  Development and Support
  
  Development and support activities should ensure that new software and software changes do not compromise security. Financial institutions should have an effective application and system change control process for developing, implementing, and testing changes to internally developed software and purchased software. Weak change control procedures can corrupt applications and introduce new security vulnerabilities. Change control considerations relating to security include the following:
  
  ! Restricting changes to authorized users,
  ! Reviewing the impact changes will have on security controls,
  ! Identifying all system components that are impacted by the changes,
  ! Ensuring the application or system owner has authorized changes in advance,
  ! Maintaining strict version control of all software updates, and
  ! Maintaining an audit trail of all changes.
  
  Changes to operating systems may degrade the efficiency and effectiveness of applications that rely on the operating system for interfaces to the network, other applications, or data. Generally, management should implement an operating system change control process similar to the change control process used for application changes. In addition, management should review application systems following operating system changes to protect against a potential compromise of security or operational integrity.
  
  When creating and maintaining software, separate software libraries should be used to assist in enforcing access controls and segregation of duties. Typically, separate libraries exist for development, test, and production.
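The change control considerations above can be enforced mechanically. The following is an added example (not from the FFIEC booklet or from Yennik, Inc.) of a small change-control gate in Python: it checks that the requester is authorized for the system, that the security impact was reviewed and the affected components listed, that the system owner approved in advance and is not the requester, that versions only move forward and are promoted through the development, test and production libraries in order, and it records every decision in a hash-chained audit trail so that later edits to the trail are detectable. The system names, user names and authorization tables are constructed sample data.

```python
"""Change-control gate with a tamper-evident audit trail (added example)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Promotion order of the separate software libraries the booklet describes.
LIBRARIES = ("development", "test", "production")
# Constructed sample data: users allowed to change each system, and each system's owner.
AUTHORIZED = {"core-banking": {"alice", "bob"}, "online-banking": {"carol"}}
OWNERS = {"core-banking": "dave", "online-banking": "erin"}


@dataclass
class ChangeRequest:
    system: str
    requester: str
    target_library: str
    new_version: Tuple[int, int, int]
    affected_components: List[str]
    security_impact_reviewed: bool
    owner_preapproval: Optional[str]  # owner who authorized the change in advance, if any


@dataclass
class ChangeControl:
    # (system, library) -> version currently deployed there
    current_version: Dict[Tuple[str, str], Tuple[int, int, int]] = field(default_factory=dict)
    audit_trail: List[dict] = field(default_factory=list)

    def _last_hash(self) -> str:
        return self.audit_trail[-1]["hash"] if self.audit_trail else "0" * 64

    def _append(self, entry: dict) -> None:
        # Each record commits to the previous record's hash, so altering or dropping
        # an earlier record breaks the chain and is caught by verify_audit_trail().
        entry = dict(entry, prev=self._last_hash())
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.audit_trail.append(entry)

    def evaluate(self, cr: ChangeRequest) -> List[str]:
        """Return the list of control failures for a request (empty means approvable)."""
        problems = []
        if cr.requester not in AUTHORIZED.get(cr.system, set()):
            problems.append("requester not authorized for this system")
        if not cr.security_impact_reviewed:
            problems.append("security impact not reviewed")
        if not cr.affected_components:
            problems.append("affected components not identified")
        if cr.owner_preapproval != OWNERS.get(cr.system):
            problems.append("no advance authorization from system owner")
        if cr.owner_preapproval == cr.requester:
            problems.append("segregation of duties: requester cannot self-approve")
        if cr.target_library not in LIBRARIES:
            problems.append("unknown library")
        else:
            idx = LIBRARIES.index(cr.target_library)
            # A build must already sit in the preceding library before it is promoted.
            if idx > 0 and self.current_version.get((cr.system, LIBRARIES[idx - 1])) != cr.new_version:
                problems.append(f"version not yet in {LIBRARIES[idx - 1]}")
            deployed = self.current_version.get((cr.system, cr.target_library), (0, 0, 0))
            if cr.new_version <= deployed:
                problems.append("version does not increase")
        return problems

    def apply(self, cr: ChangeRequest):
        """Apply the request if it passes every check; always write an audit record."""
        problems = self.evaluate(cr)
        decision = "approved" if not problems else "rejected"
        if not problems:
            self.current_version[(cr.system, cr.target_library)] = cr.new_version
        self._append({"system": cr.system, "requester": cr.requester,
                      "library": cr.target_library, "version": list(cr.new_version),
                      "decision": decision, "problems": problems})
        return decision, problems

    def verify_audit_trail(self) -> bool:
        """Recompute the hash chain; False if any record was altered or removed."""
        prev = "0" * 64
        for entry in self.audit_trail:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    cc = ChangeControl()
    print(cc.apply(ChangeRequest("core-banking", "alice", "development", (1, 2, 0), ["ledger"], True, "dave")))
    print(cc.apply(ChangeRequest("core-banking", "alice", "production", (1, 2, 0), ["ledger"], True, "dave")))
    print("audit trail intact:", cc.verify_audit_trail())
```

The gate refuses a jump straight from development to production, and the hash chain only detects tampering; in practice the trail would also be written to storage the change requesters cannot modify.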



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.3.2 Deciding on Hardware vs. Software Implementations

The trade-offs among security, cost, simplicity, efficiency, and ease of implementation need to be studied by managers acquiring various security products meeting a standard. Cryptography can be implemented in either hardware or software. Each has its related costs and benefits.

In general, software is less expensive and slower than hardware, although for large applications, hardware may be less expensive. In addition, software may be less secure, since it is more easily modified or bypassed than equivalent hardware products. Tamper resistance is usually considered better in hardware.

In many cases, cryptography is implemented in a hardware device (e.g., electronic chip, ROM-protected processor) but is controlled by software. This software requires integrity protection to ensure that the hardware device is provided with correct information (i.e., controls, data) and is not bypassed. Thus, a hybrid solution is generally provided, even when the basic cryptography is implemented in hardware. Effective security requires the correct management of the entire hybrid solution.

19.3.3 Managing Keys

The proper management of cryptographic keys is essential to the effective use of cryptography for security. Ultimately, the security of information protected by cryptography directly depends upon the protection afforded to keys.

All keys need to be protected against modification, and secret keys and private keys need protection against unauthorized disclosure. Key management involves the procedures and protocols, both manual and automated, used throughout the entire life cycle of the keys. This includes the generation, distribution, storage, entry, use, destruction, and archiving of cryptographic keys.

With secret key cryptography, the secret key(s) should be securely distributed (i.e., safeguarded against unauthorized replacement, modification, and disclosure) to the parties wishing to communicate. Depending upon the number and location of users, this task may not be trivial. Automated techniques for generating and distributing cryptographic keys can ease overhead costs of key management, but some resources have to be devoted to this task. FIPS 171, Key Management Using ANSI X9.17, provides key management solutions for a variety of operational environments.

Public key cryptography users also have to satisfy certain key management requirements. For example, since a private-public key pair is associated with (i.e., generated or held by) a specific user, it is necessary to bind the public part of the key pair to the user.

In a small community of users, public keys and their "owners" can be strongly bound by simply exchanging public keys (e.g., putting them on a CD-ROM or other media). However, conducting electronic business on a larger scale, potentially involving geographically and organizationally distributed users, necessitates a means for obtaining public keys electronically with a high degree of confidence in their integrity and binding to individuals. The support for the binding between a key and its owner is generally referred to as a public key infrastructure.

Users also need to be able to enter the community of key holders, generate keys (or have them generated on their behalf), disseminate public keys, revoke keys (in case, for example, of compromise of the private key), and change keys. In addition, it may be necessary to build in time/date stamping and to archive keys for verification of old signatures.
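The key management requirements in 19.3.3 (protection of all keys against modification, a controlled life cycle from generation through destruction and archiving, and a binding between a key and its owner) can be illustrated with a small registry. The following is an added example written for this newsletter, not code from the NIST Handbook: a Python key registry that keeps an HMAC integrity tag over every stored record (so a modified owner, state or key byte is detected before use), permits only the life-cycle transitions listed, refuses to use a key for a holder it is not bound to, and lets an archived key verify old tags while refusing to create new ones. For a runnable standard-library example, symmetric HMAC tags stand in for digital signatures; the master integrity key and all key identifiers are constructed sample values, and in a real deployment the integrity key would live in protected hardware as 19.3.2 recommends.

```python
"""Key life-cycle registry with integrity protection and owner binding (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed master integrity key (assumption: in practice held in an HSM or similar).
INTEGRITY_KEY = secrets.token_bytes(32)

# Allowed life-cycle transitions, following the stages the Handbook lists.
TRANSITIONS = {
    "generated": {"active", "destroyed"},
    "active": {"deactivated"},
    "deactivated": {"archived", "destroyed"},
    "archived": {"destroyed"},
    "destroyed": set(),
}
# States in which a key may still verify previously produced tags.
VERIFY_STATES = {"active", "deactivated", "archived"}


@dataclass
class KeyRecord:
    key_id: str
    owner: str                 # binding between the key and its holder
    material: Optional[bytes]  # None once destroyed
    state: str
    tag: bytes                 # integrity tag over every other field


def _tag(key_id: str, owner: str, state: str, material: Optional[bytes]) -> bytes:
    msg = b"|".join([key_id.encode(), owner.encode(), state.encode(), material or b""])
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).digest()


class KeyRegistry:
    def __init__(self):
        self._records = {}

    def generate(self, key_id: str, owner: str) -> str:
        material = secrets.token_bytes(32)
        self._records[key_id] = KeyRecord(key_id, owner, material, "generated",
                                          _tag(key_id, owner, "generated", material))
        return key_id

    def _load(self, key_id: str) -> KeyRecord:
        """Fetch a record and fail closed if any stored field has been modified."""
        rec = self._records[key_id]
        if not hmac.compare_digest(rec.tag, _tag(rec.key_id, rec.owner, rec.state, rec.material)):
            raise ValueError(f"integrity check failed for key {key_id}")
        return rec

    def transition(self, key_id: str, new_state: str) -> None:
        rec = self._load(key_id)
        if new_state not in TRANSITIONS[rec.state]:
            raise ValueError(f"cannot move key {key_id} from {rec.state} to {new_state}")
        material = None if new_state == "destroyed" else rec.material  # destruction erases the key
        self._records[key_id] = KeyRecord(key_id, rec.owner, material, new_state,
                                          _tag(key_id, rec.owner, new_state, material))

    def sign(self, key_id: str, owner: str, data: bytes) -> bytes:
        """Produce a tag; only the bound owner may use the key, and only while it is active."""
        rec = self._load(key_id)
        if rec.owner != owner:
            raise PermissionError(f"key {key_id} is bound to a different owner")
        if rec.state != "active":
            raise ValueError(f"key {key_id} is {rec.state}, not active")
        return hmac.new(rec.material, data, hashlib.sha256).digest()

    def verify(self, key_id: str, data: bytes, signature: bytes) -> bool:
        """Archived keys may still verify old tags; destroyed keys verify nothing."""
        rec = self._load(key_id)
        if rec.state not in VERIFY_STATES:
            return False
        expected = hmac.new(rec.material, data, hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)

    def state_of(self, key_id: str) -> str:
        return self._load(key_id).state


if __name__ == "__main__":
    reg = KeyRegistry()
    reg.generate("k1", "alice")
    reg.transition("k1", "active")
    sig = reg.sign("k1", "alice", b"wire transfer 1000")
    reg.transition("k1", "deactivated")
    reg.transition("k1", "archived")
    print("old tag still verifies after archiving:", reg.verify("k1", b"wire transfer 1000", sig))
```

The check in _load runs before every operation, which is what makes the "protected against modification" requirement enforceable rather than assumed; the registry still depends entirely on INTEGRITY_KEY itself being protected, which is the hybrid-solution point made in 19.3.2.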


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.