MISCELLANEOUS CYBERSECURITY NEWS:
Supreme Court ruling on Chevron doctrine may upend future
cybersecurity regulation - Experts expect new legal
challenges against numerous agency cybersecurity
requirements, including incident reporting mandates and
rules governing critical infrastructure sectors.
https://www.cybersecuritydive.com/news/supreme-court-chevron-doctrine-cybersecurity/720449/
Grassley wants more details on breach of CISA system - An
influential U.S. senator wants to grill the Cybersecurity
and Infrastructure Security Agency (CISA) on its response to
a January data breach on its network.
https://www.scmagazine.com/news/grassley-grills-cisa-on-incident-response
One-Time Passwords: The good, the bad, and how to avoid the
ugly - One-time passwords (OTPs) are everywhere – we have
all experienced them in our daily lives.
https://www.scmagazine.com/perspective/one-time-passwords-the-good-bad-and-how-to-avoid-the-ugly
UK government advises best practices for embedded device
security - The UK government’s cybersecurity arm has issued
a new guide to help companies around the world better secure
their operational technology (OT) and industrial control
system (ICS) hardware.
https://www.scmagazine.com/news/uk-government-advises-best-practices-for-embedded-device-security
What to tell the board about malware analysis - In
cybersecurity, many security teams today have come to rely on
malware analysis to examine malicious software so they can
better understand its behavior, origin, and impact.
https://www.scmagazine.com/perspective/what-to-tell-the-board-about-malware-analysis
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Baddies hijack Korean ERP vendor's update systems to spew
malware - A South Korean ERP vendor's product update server
has been attacked and used to deliver malware instead of
product updates, according to local infosec outfit AhnLab.
https://www.theregister.com/2024/07/02/korean_erp_backdoor_malware_attack/
South Africa national lab says ransomware recovery to last
until mid-July - South Africa’s National Health Laboratory
Service (NHLS) is pledging to have some systems back online
by the middle of this month following a ransomware attack in
June.
https://therecord.media/south-africa-national-health-laboratory-service-ransomware-recovery
‘Serious hacker attack’ forces Frankfurt university to shut
down IT systems - The Frankfurt University of Applied
Sciences announced on Monday it was targeted by “a serious
hacker attack” that has led to a total shutdown of its IT
systems.
https://therecord.media/serious-hacker-attack-shutdown-frankfurt
“Everything’s frozen”: Ransomware locks credit union users
out of bank accounts - A California-based credit union with
over 450,000 members said it suffered a ransomware attack
that is disrupting account services and could take weeks to
recover from.
https://arstechnica.com/tech-policy/2024/07/everythings-frozen-ransomware-locks-credit-union-users-out-of-bank-accounts/
Alabama Department of Education stops ransomware attack but
confirms data stolen - The Alabama State Department of
Education said it stopped a ransomware attack last month but
hackers were still able to access some data and disrupt
services.
https://therecord.media/alabama-education-department-data-breach
Hacker Stole Secrets From OpenAI - The NYT notes that the
attacker did not access the systems housing and building the
AI, but did steal discussions from an employee forum.
https://www.securityweek.com/hackers-stole-secrets-from-openai/
Ticketmaster shakes off claims that hackers nicked Taylor
Swift tix - Ticketmaster said there is no risk to its
systems following hackers claiming to have stolen ticket
barcodes for upcoming Taylor Swift concert dates.
https://www.scmagazine.com/news/ticketmaster-shakes-off-claims-that-hackers-nicked-taylor-swift-tix
WEB SITE COMPLIANCE
- Over the next 12 weeks we will cover the recently
released FDIC Supervisory Insights regarding Incident
Response Programs. (1 of 12)
Incident Response Programs: Don't Get Caught Without One
Everyone is familiar with the old adage "Time is money."
In the Information Age, data may be just as good. Reports of
data compromises and security breaches at organizations
ranging from universities and retail companies to financial
institutions and government agencies provide evidence of the
ingenuity of Internet hackers, criminal organizations, and
dishonest insiders obtaining and profiting from sensitive
customer information. Whether a network security breach
compromising millions of credit card accounts or a lost
computer tape containing names, addresses, and Social
Security numbers of thousands of individuals, a security
incident can damage corporate reputations, cause financial
losses, and enable identity theft.
Banks are increasingly becoming prime targets for attack
because they hold valuable data that, when compromised, may
lead to identity theft and financial loss. This environment
places significant demands on a bank's information security
program to identify and prevent vulnerabilities that could
result in successful attacks on sensitive customer
information held by the bank. The rapid adoption of the
Internet as a delivery channel for electronic commerce
coupled with prevalent and highly publicized vulnerabilities
in popular hardware and software have presented serious
security challenges to the banking industry. In this
high-risk environment, it is very likely that a bank will,
at some point, need to respond to security incidents
affecting its customers.
To mitigate the negative effects of security breaches,
organizations are finding it necessary to develop formal
incident response programs (IRPs). However, at a time
when organizations need to be most prepared, many banks are
finding it challenging to assemble an IRP that not only
meets minimum requirements (as prescribed by Federal bank
regulators), but also provides for an effective methodology
to manage security incidents for the benefit of the bank and
its customers. In response to these challenges, this article
highlights the importance of IRPs to a bank's information
security program and provides information on required
content and best practices banks may consider when
developing effective response programs.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
TCP/IP Packets
TCP/IP is a packet-based
communications system. A packet consists of a header and a
data payload. A header is analogous to a mail envelope,
containing the information necessary for delivery of the
envelope, and the return address. The data payload is the
content of the envelope. The IP packet header contains the
address of the sender (source address) and the intended
recipient (destination address) and other information useful
in handling the packet. Under IP, the addresses are unique
numbers known as IP addresses. Each machine on an IP network
is identified by a unique IP address. The vast majority of
IP addresses are publicly accessible. Some IP addresses,
however, are reserved for use in internal networks. Those
addresses are 10.0.0.0 - 10.255.255.255,
172.16.0.0 - 172.31.255.255, and 192.168.0.0
- 192.168.255.255. Since those internal addresses are
not accessible from outside the internal network, a gateway
device is used to translate the external IP address to the
internal address. The device that translates external and
internal IP addresses is called a network address
translation (NAT) device. Other IP packet header fields
include the protocol field (e.g., 1=ICMP, 6=TCP, 7=UDP),
flags that indicate whether routers are allowed to fragment
the packet, and other information.
If the IP packet indicates the
protocol is TCP, a TCP header will immediately follow the IP
header. The TCP header contains the source and destination
ports, the sequence number, and other information. The
sequence number is used to order packets upon receipt and to
verify that all packets in the transmission were received.
Information in headers can be spoofed, or specially
constructed to contain misleading information. For instance,
the source address can be altered to reflect an IP address
different from the true source address, and the protocol
field can indicate a different protocol than actually
carried. In the former case, an attacker can hide their
attacking IP, and cause the financial institution to believe
the attack came from a different IP and take action against
that erroneous IP. In the latter case, the attacker can
craft an attack to pass through a firewall and attack with
an otherwise disallowed protocol.
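As an added example (not from the FFIEC booklet or this newsletter), the following Python decodes the header fields described above from a constructed IPv4/TCP packet and applies the ingress check a border device would make: a packet arriving from outside whose source address falls in one of the reserved internal ranges is spoofed by definition, and a protocol field outside the firewall's allow-list is rejected. Protocol numbers follow the IANA registry, where UDP is 17; the field names and the allow-list are assumptions.

```python
import ipaddress
import struct

# Reserved internal ranges from the text (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IANA protocol numbers; note that UDP is 17.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Protocols the (hypothetical) border firewall permits.
ALLOWED = {"ICMP", "TCP", "UDP"}

def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header and, for TCP, the ports and sequence number."""
    (ver_ihl, _tos, _length, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    info = {
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "dont_fragment": bool(flags_frag & 0x4000),   # routers may not fragment
        "more_fragments": bool(flags_frag & 0x2000),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }
    if proto == 6:                               # TCP header follows the IP header
        sport, dport, seq = struct.unpack("!HHI", packet[ihl:ihl + 8])
        info.update(src_port=sport, dst_port=dport, seq=seq)
    return info

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def ingress_check(packet: bytes) -> list:
    """Reasons to drop a packet that arrived on the external interface."""
    info = parse_ipv4(packet)
    reasons = []
    if is_private(info["src"]):
        reasons.append("internal source address seen on external interface (spoofed)")
    if info["protocol"] not in ALLOWED:
        reasons.append(f"disallowed protocol {info['protocol']}")
    return reasons

def build_packet(src, dst, proto, sport=0, dport=0, seq=0) -> bytes:
    """Constructed sample packet for testing (checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_hdr = (struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x02, 65535, 0, 0)
               if proto == 6 else b"")
    return ip_hdr + tcp_hdr
```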
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards
and Technology (NIST) Handbook.
Chapter 9 - Assurance
9.4.2.3 Configuration Management
From a security point of view, configuration management
provides assurance that the system in operation is the
correct version (configuration) of the system and that any
changes to be made are reviewed for security implications.
Configuration management can be used to help ensure that
changes take place in an identifiable and controlled
environment and that they do not unintentionally harm any of
the system's properties, including its security. Some
organizations, particularly those with very large systems
(such as the federal government), use a configuration
control board for configuration management. When such a
board exists, it is helpful to have a computer security
expert participate. In any case, it is useful to have
computer security officers participate in system management
decision-making.
Changes to the system can have security implications
because they may introduce or remove vulnerabilities and
because significant changes may require updating the
contingency plan, risk analysis, or accreditation.
9.4.2.4 Trade Literature/Publications/Electronic News
In addition to monitoring the system, it is useful to
monitor external sources for information. Such sources as
trade literature, both printed and electronic, have
information about security vulnerabilities, patches, and
other areas that impact security. The Forum of Incident
Response Teams (FIRST) has an electronic mailing list that
receives information on threats, vulnerabilities, and
patches.
9.5 Interdependencies
Assurance is an issue for every control and safeguard
discussed in this Handbook. Are user ID and access
privileges kept up to date? Has the contingency plan been
tested? Can the audit trail be tampered with? One important
point to be reemphasized here is that assurance is not only
for technical controls, but for operational controls as
well. Although the chapter focused on information systems
assurance, it is also important to have assurance that
management controls are working well. Is the security
program effective? Are policies understood and followed? As
noted in the introduction to this chapter, the need for
assurance is more widespread than people often realize.
Life Cycle. Assurance is closely linked to the
planning for security in the system life cycle. Systems can
be designed to facilitate various kinds of testing against
specified security requirements. By planning for such
testing early in the process, costs can be reduced; in some
cases, without proper planning, some kinds of assurance
cannot be otherwise obtained.
9.6 Cost Considerations
There are many methods of obtaining assurance that security
features work as anticipated. Since assurance methods tend
to be qualitative rather than quantitative, they will need
to be evaluated. Assurance can also be quite expensive,
especially if extensive testing is done. It is useful to
evaluate the amount of assurance received for the cost to
make a best-value decision. In general, personnel costs
drive up the cost of assurance. Automated tools are
generally limited to addressing specific problems, but they
tend to be less expensive.