MISCELLANEOUS CYBERSECURITY NEWS:
7-hour recovery: How an American business beat ransomware - At the
CyberRisk Leadership Exchange in Cincinnati on June 7, the chief
security officer of an Ohio bottling company used his lunchtime
keynote address to recount how his company's eight-person IT team
detected, remediated and recovered from a ransomware attack — within
the space of seven hours, without losing any business and without
paying a dime to the attackers.
https://www.scmagazine.com/resource/leadership/24-hour-recovery-how-an-american-business-beat-ransomware
Cops told: Er, no, you need a wiretap order if you want real-time
Facebook snooping - New Jersey cops must apply for a wiretap order -
not just a warrant - for near-continual snooping on suspects'
Facebook accounts, according to a unanimous ruling by that US
state's Supreme Court.
https://www.theregister.com/2023/06/30/new_jersey_cops_facebook_wiretap/
You've patched right? '340K+ Fortinet firewalls' wide open to
critical security bug - More than 338,000 FortiGate firewalls are
still unpatched and vulnerable to CVE-2023-27997, a critical bug
Fortinet fixed last month that's being exploited in the wild.
https://www.theregister.com/2023/07/03/338000_fortinet_firewalls_vulnerability/
Why CISOs need enhanced legal protections in the age of breach
lawsuits - When I began my legal career, I spent countless hours
defending corporate officers and directors accused of securities
fraud — making false or misleading statements or omissions to
deceive investors for financial gain.
https://www.scmagazine.com/perspective/compliance/why-cisos-need-enhanced-legal-protections-in-the-age-of-breach-lawsuits
Cryptocurrency crime is down in 2023, but ransomware is up - A 2023
mid-year snapshot of cryptocurrency crimes found that money directed
to wallets tied to known or suspected criminal activity has seen a
revenue downtick in nearly every category of crime.
https://www.scmagazine.com/news/ransomware/cryptocurrency-crime-down-2023-except-ransomware
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Japan’s largest port stops operations after ransomware attack - The
Port of Nagoya, the largest and busiest port in Japan, has been
targeted in a ransomware attack that currently impacts the operation
of container terminals.
https://www.bleepingcomputer.com/news/security/japans-largest-port-stops-operations-after-ransomware-attack/
Data for 11 million patients stolen in breach of HCA Healthcare -
One of the largest healthcare providers in the country confirmed a
data security incident Monday, saying at least 11 million patients
across 20 states had their data stolen.
https://www.scmagazine.com/news/privacy/personal-data-for-11-million-patients-stolen-from-nationwide-healthcare-chain
HCA Healthcare Reports Data Security Incident - HCA Healthcare, Inc.
(NYSE:HCA) recently discovered that a list of certain information
with respect to some of its patients was made available by an
unknown and unauthorized party on an online forum.
https://hcahealthcare.com/about/privacy-update.dot
Critical Infrastructure Services Firm Ventia Takes Systems Offline
Due to Cyberattack - Critical infrastructure services provider
Ventia over the weekend announced that it has taken some of its
systems offline to contain a cyberattack.
https://www.securityweek.com/critical-infrastructure-services-firm-ventia-takes-systems-offline-due-to-cyberattack/
Still no specifics on this week’s JumpCloud security incident - In
the two days since JumpCloud sent out a tweet to its customers that
it was invalidating its API keys, there is still no word on what
kind of security incident the cloud-based directory services company
was experiencing.
https://www.scmagazine.com/news/application-security/still-no-specifics-on-this-weeks-jumpcloud-security-incident
Microsoft blocks attack on cloud email accounts by Chinese APT group
- Microsoft reported mitigating an attack on customer Outlook and
Exchange Online email accounts by a China-based threat actor
Microsoft tracks as Storm-0558.
https://www.scmagazine.com/news/cloud-security/microsoft-blocks-attack-on-cloud-email-accounts-by-chinese-apt-group
WEB SITE COMPLIANCE - Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit
investment products on-line should ensure that consumers are
informed of the risks associated with non-deposit investment
products as discussed in the "Interagency Statement on Retail Sales
of Non Deposit Investment Products." On-line systems should comply
with this Interagency Statement, minimizing the possibility of
customer confusion and preventing any inaccurate or misleading
impression about the nature of the non-deposit investment product or
its lack of FDIC insurance.
FFIEC IT SECURITY - We continue the series from the FDIC "Security
Risks Associated with the Internet."
Data Transmission and Types of Firewalls
Data traverses the Internet in units referred to as packets.
Each packet has headers which contain information for delivery, such
as where the packet is from, where it is going, and what application
it contains. The varying firewall techniques examine the headers and
either permit or deny access to the system based on the firewall's
rule configuration.
There are different types of firewalls that provide various
levels of security. For instance, packet filters, sometimes
implemented as screening routers, permit or deny access based solely
on the stated source and/or destination IP address and the
application (e.g., FTP). However, addresses and applications can be
easily falsified, allowing attackers to enter systems. Other types
of firewalls, such as circuit-level gateways and application
gateways, actually have separate interfaces with the internal and
external (Internet) networks, meaning no direct connection is
established between the two networks. A relay program copies all
data from one interface to another, in each direction. An even
stronger firewall, a stateful inspection gateway, not only examines
data packets for IP addresses, applications, and specific commands,
but also provides security logging and alarm capabilities, in
addition to historical comparisons with previous transmissions for
deviations from normal context.
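An added illustration, not part of the FDIC text, of the difference just described between a packet filter that decides on headers alone and a stateful inspection gateway that also compares against previous transmissions. The Packet class, the inside-network prefix, the rules and all addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # stated source address (a packet filter trusts it, but it can be falsified)
    dst: str        # destination address
    app: str        # application carried, e.g. "FTP" or "HTTP"
    direction: str  # "in" = arriving from the Internet, "out" = leaving the inside network

INSIDE = "10.0.0."  # constructed inside-network prefix

# Stateless packet filter: first matching rule wins; "*" is a wildcard.
# Rules look only at stated addresses and application, as the text describes.
PACKET_FILTER_RULES = [
    (INSIDE, "*", "HTTP", "permit"),    # inside hosts may browse out
    ("*", "10.0.0.5", "FTP", "permit"), # anyone may reach the FTP server
    ("*", "*", "*", "deny"),            # default deny
]

def _match(pattern, value):
    return pattern == "*" or value.startswith(pattern)

def packet_filter(pkt):
    """Decide solely on source, destination and application headers."""
    for src, dst, app, action in PACKET_FILTER_RULES:
        if _match(src, pkt.src) and _match(dst, pkt.dst) and _match(app, pkt.app):
            return action
    return "deny"

class StatefulGateway:
    """Permits connections initiated from inside and, for inbound packets,
    requires a matching earlier outbound transmission; anything without
    that context is denied and recorded as an alarm."""
    def __init__(self):
        self.sessions = set()  # (inside_host, outside_host, app)
        self.alarms = []

    def inspect(self, pkt):
        if pkt.direction == "out" and pkt.src.startswith(INSIDE):
            self.sessions.add((pkt.src, pkt.dst, pkt.app))
            return "permit"
        if pkt.direction == "in" and (pkt.dst, pkt.src, pkt.app) in self.sessions:
            return "permit"
        self.alarms.append(f"unsolicited {pkt.direction} {pkt.src}->{pkt.dst} {pkt.app}")
        return "deny"

# A packet arriving from the Internet that claims an inside source address:
# the header-only filter accepts it, the stateful gateway does not.
SPOOFED = Packet("10.0.0.7", "10.0.0.9", "HTTP", "in")
```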
Implementation
When evaluating the need for firewall technology, the potential
costs of system or data compromise, including system failure due to
attack, should be considered. For most financial institution
applications, a strong firewall system is a necessity. All
information into and out of the institution should pass through the
firewall. The firewall should also be able to change IP addresses to
the firewall IP address, so no inside addresses are passed to the
outside. The possibility always exists that security might be
circumvented, so there must be procedures in place to detect attacks
or system intrusions. Careful consideration should also be given to
any data that is stored or placed on the server, especially
sensitive or critically important data.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
5.2.2 Basic Components of Issue-Specific Policy
As suggested for program policy, a useful structure for
issue-specific policy is to break the policy into its basic
components.
Issue Statement. To formulate a policy on an issue, managers
first must define the issue with any relevant terms, distinctions,
and conditions included. It is also often useful to specify the goal
or justification for the policy - which can be helpful in gaining
compliance with the policy. For example, an organization might want
to develop an issue-specific policy on the use of "unofficial
software," which might be defined to mean any software not approved,
purchased, screened, managed, and owned by the organization.
Additionally, the applicable distinctions and conditions might then
need to be included, for instance, for software privately owned by
employees but approved for use at work, and for software owned and
used by other businesses under contract to the organization.
Statement of the Organization's Position. Once the issue is
stated and related terms and conditions are discussed, this section
is used to clearly state the organization's position (i.e.,
management's decision) on the issue. To continue the previous
example, this would mean stating whether use of unofficial software
as defined is prohibited in all or some cases, whether there are
further guidelines for approval and use, or whether case-by-case
exceptions will be granted, by whom, and on what basis.
Applicability. Issue-specific policies also need to include
statements of applicability. This means clarifying where, how, when,
to whom, and to what a particular policy applies. For example, it
could be that the hypothetical policy on unofficial software is
intended to apply only to the organization's own on-site resources
and employees and not to contractors with offices at other
locations. Additionally, the policy's applicability to employees
traveling among different sites and/or working at home who need to
transport and use disks at multiple sites might need to be
clarified.
Roles and Responsibilities. The assignment of roles and
responsibilities is also usually included in issue-specific
policies. For example, if the policy permits unofficial software
privately owned by employees to be used at work with the appropriate
approvals, then the approval authority granting such permission
would need to be stated. (Policy would stipulate who, by position,
has such authority.) Likewise, it would need to be clarified who
would be responsible for ensuring that only approved software is
used on organizational computer resources and, perhaps, for
monitoring users in regard to unofficial software.
Compliance. For some types of policy, it may be appropriate
to describe, in some detail, the infractions that are unacceptable,
and the consequences of such behavior. Penalties may be explicitly
stated and should be consistent with organizational personnel
policies and practices. When used, they should be coordinated with
appropriate officials and offices and, perhaps, employee bargaining
units. It may also be desirable to task a specific office within the
organization to monitor compliance.
Points of Contact and Supplementary Information. For any
issue-specific policy, the appropriate individuals in the
organization to contact for further information, guidance, and
compliance should be indicated. Since positions tend to change less
often than the people occupying them, specific positions may be
preferable as the point of contact. For example, for some issues the
point of contact might be a line manager; for other issues it might
be a facility manager, technical support person, system
administrator, or security program representative. Using the above
example once more, employees would need to know whether the point of
contact for questions and procedural information would be their
immediate superior, a system administrator, or a computer security
official.
Guidelines and procedures often accompany policy. The
issue-specific policy on unofficial software, for example, might
include procedural guidelines for checking disks brought to work
that had been used by employees at other locations.
Some Helpful Hints on Policy
To be effective, policy requires visibility. Visibility aids
implementation of policy by helping to ensure policy is fully
communicated throughout the organization. Management presentations,
videos, panel discussions, guest speakers, question/answer forums,
and newsletters increase visibility. The organization's computer
security training and awareness program can effectively notify users
of new policies. It also can be used to familiarize new employees
with the organization's policies.
Computer security policies should be introduced in a manner that
ensures that management's unqualified support is clear, especially
in environments where employees feel inundated with policies,
directives, guidelines, and procedures. The organization's policy is
the vehicle for emphasizing management's commitment to computer
security and making clear their expectations for employee
performance, behavior, and accountability.
To be effective, policy should be consistent with other existing
directives, laws, organizational culture, guidelines, procedures,
and the organization's overall mission. It should also be integrated
into and consistent with other organizational policies (e.g.,
personnel policies). One way to help ensure this is to coordinate
policies during development with other organizational offices.