R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

July 17, 2022

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

Is cannabis business banking a new financial opportunity or a huge security risk? - As cannabis sales become legal in an increasing number of states, the prospect of offering financial and payments services to these businesses appears as both a rare greenfield opportunity for banks and credit unions, and also a potential risk management landmine. https://www.scmagazine.com/analysis/compliance/is-cannabis-business-banking-a-new-financial-opportunity-or-a-huge-security-risk

Succession planning isn’t only about executives - You have planned for earthquakes, power outages, and massive breaches. Have you planned for the level two analyst who is the only person who knows how to use the most jury-rigged depths of your security stack taking a job somewhere else? https://www.scmagazine.com/analysis/business-contunuity/succession-planning-isnt-only-about-executives

What are web-based attacks, and which industries are most vulnerable? - Web-based applications provide speedy and convenient services to businesses and the general public. https://www.scmagazine.com/resource/application-security/what-are-web-based-attacks-and-which-industries-are-most-vulnerable

HHS agrees to improve feedback process for healthcare data breach reporting - The Department of Health and Human Services' Office of Civil Rights (OCR) has agreed to implement a feedback mechanism by adding language and contact information to the confirmation email that healthcare entities receive. https://www.scmagazine.com/analysis/privacy/hhs-agrees-to-improve-feedback-process-for-healthcare-data-breach-reporting

GAO Pushes Energy Dept. to Boost Cyber Strategy, Grid Protection - Developing a cybersecurity risk management strategy would improve the Department of Energy’s (DOE) efforts to manage cybersecurity risks and protect the nation’s electric grid, the Government Accountability Office (GAO) said in its latest annual priority recommendations report to the agency. https://www.meritalk.com/articles/gao-pushes-energy-dept-to-boost-cyber-strategy-grid-protection/

FTC official vows to ‘crack down’ on companies misusing consumer health data - In response to the Supreme Court’s abortion ruling, the FTC is warning entities that it intends to “crack down” on companies misusing consumer data and “does not tolerate companies that over-collect, indefinitely retain, or misuse consumer data,” according to a new FTC blog post. https://www.scmagazine.com/analysis/privacy/ftc-official-vows-to-crack-down-on-companies-misusing-consumer-health-data

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

FBI warning: Crooks are using deepfake videos in interviews for remote gigs - The US FBI issued a warning on Tuesday that it has received increasing numbers of complaints relating to the use of deepfake videos during interviews for tech jobs that involve access to sensitive systems and information. https://www.theregister.com/2022/06/29/fbi_deepfake_job_applicant_warning/

1.9M patients, 657 providers face data breach after debt collections firm attack - The data of 1.9 million patients tied to 657 healthcare providers was accessed during a “sophisticated” ransomware attack on debt collections firm Professional Finance Company in February. https://www.scmagazine.com/analysis/breach/1-9m-patients-657-providers-face-data-breach-after-debt-collections-firm-attack

WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 1 of 3)

E-mail and Internet-related fraudulent schemes, such as "phishing" (pronounced "fishing"), are being perpetrated with increasing frequency, creativity and intensity. Phishing involves the use of seemingly legitimate e-mail messages and Internet Web sites to deceive consumers into disclosing sensitive information, such as bank account information, Social Security numbers, credit card numbers, passwords, and personal identification numbers (PINs). The perpetrator of the fraudulent e-mail message may use various means to convince the recipient that the message is legitimate and from a trusted source with which the recipient has an established business relationship, such as a bank. Techniques such as a false "from" address or the use of seemingly legitimate bank logos, Web links and graphics may be used to mislead e-mail recipients.

In most phishing schemes, the fraudulent e-mail message will request that recipients "update" or "validate" their financial or personal information in order to maintain their accounts, and direct them to a fraudulent Web site that may look very similar to the Web site of the legitimate business. These Web sites may include copied or "spoofed" pages from legitimate Web sites to further trick consumers into thinking they are responding to a bona fide request. Some consumers will mistakenly submit financial and personal information to the perpetrator who will use it to gain access to financial records or accounts, commit identity theft or engage in other illegal acts.

The Federal Deposit Insurance Corporation (FDIC) and other government agencies have also been "spoofed" in the perpetration of e-mail and Internet-related fraudulent schemes. For example, in January 2004, a fictitious e-mail message that appeared to be from the FDIC was widely distributed, and it told recipients that their deposit insurance would be suspended until they verified their identity. The e-mail message included a hyperlink to a fraudulent Web site that looked similar to the FDIC's legitimate Web site and asked for confidential information, including bank account information.
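The two tells named above, a false "from" address and a Web link whose visible text does not match its real destination, can be screened for mechanically before a message reaches customer-facing staff. The following is an added example, not part of the FDIC guidance: it assumes an institution that sends mail from examplebank.com (a placeholder) and runs over a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the institution really sends mail from (assumed for this example).
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample: the display name claims the bank, but neither the
# sender address nor the link destination belongs to it.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-verify.net>
To: customer@example.org
Subject: Validate your account
Content-Type: text/html

<p>Please <a href="http://203.0.113.10/login">www.examplebank.com/login</a>
to validate your account.</p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def host_of(s: str) -> str:
    """Hostname named by a URL or a bare 'host/path' string ('' if it is not one)."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z0-9-]+", host) else ""

def phishing_indicators(raw: str) -> list:
    """Return human-readable findings for one message given as RFC 822 text."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Tell 1: the display name invokes our brand, but the address domain is not ours.
    brand_words = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if sender_domain not in TRUSTED_DOMAINS and any(
            w in name.lower().replace(" ", "") for w in brand_words):
        findings.append(f"From name '{name}' but sender domain '{sender_domain}'")
    # Tell 2: the visible link text names one host while the href goes elsewhere.
    # (Transfer encodings are not decoded; body parts are concatenated as-is.)
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for href, text in ANCHOR_RE.findall(body):
        shown = host_of(re.sub(r"<[^>]+>", "", text))
        if shown and shown != host_of(href):
            findings.append(f"link text '{shown}' but href host '{host_of(href)}'")
    return findings
```

On the sample message both tells fire; a message sent from the trusted domain whose link text and href agree yields no findings.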


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Source Code Review and Testing

Application and operating system source code can have numerous vulnerabilities due to programming errors or misconfiguration. Where possible, financial institutions should use software that has been subjected to independent security reviews of the source code, especially for Internet-facing systems. Software can contain erroneous or intentional code that introduces covert channels, backdoors, and other security risks into systems and applications. These hidden access points can often provide unauthorized access to systems or data that circumvents built-in access controls and logging. The source code reviews should be repeated after potentially significant changes are made.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.3.4 Security of Cryptography Modules

FIPS 140-1, Security Requirements for Cryptographic Modules, specifies the physical and logical security requirements for cryptographic modules. The standard defines four security levels for cryptographic modules, with each level providing a significant increase in security over the preceding level. The four levels allow for cost-effective solutions that are appropriate for different degrees of data sensitivity and different application environments. The user can select the best module for any given application or system, avoiding the cost of unnecessary security features.

Cryptography is typically implemented in a module of software, firmware, hardware, or some combination thereof. This module contains the cryptographic algorithm(s), certain control parameters, and temporary storage facilities for the key(s) being used by the algorithm(s). The proper functioning of the cryptography requires the secure design, implementation, and use of the cryptographic module. This includes protecting the module against tampering.

19.3.5 Applying Cryptography to Networks

The use of cryptography within networking applications often requires special considerations. In these applications, the suitability of a cryptographic module may depend on its capability for handling special requirements imposed by locally attached communications equipment or by the network protocols and software.

Encrypted information, MACs, or digital signatures may require transparent communications protocols or equipment to avoid being misinterpreted by the communications equipment or software as control information. It may be necessary to format the encrypted information, MAC, or digital signature to ensure that it does not confuse the communications equipment or software. It is essential that cryptography satisfy the requirements imposed by the communications equipment and does not interfere with the proper and efficient operation of the network.

Data is encrypted on a network using either link or end-to-end encryption. In general, link encryption is performed by service providers, such as a data communications provider. Link encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T1 line). Since link encryption also encrypts routing data, communications nodes need to decrypt the data to continue routing. End-to-end encryption is generally performed by the end-user organization. Although data remains encrypted when being passed through a network, routing information remains visible. It is possible to combine both types of encryption.
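To make the link versus end-to-end trade-off concrete, the following added example (not from the NIST Handbook) simulates a sender, two relay nodes and a receiver, and records what a tap on each link captures and what each relay can read under link encryption, end-to-end encryption, and the two combined. The path, the keys and the hash-based keystream cipher are constructed stand-ins for this demonstration only.

```python
import hashlib

# Constructed path: the sender's traffic crosses two relay nodes.
PATH = ["sender", "relay-A", "relay-B", "receiver"]
# One key per link (shared by adjacent nodes) and one end-to-end key.
LINK_KEYS = {("sender", "relay-A"): b"key-s-a", ("relay-A", "relay-B"): b"key-a-b",
             ("relay-B", "receiver"): b"key-b-r"}
E2E_KEY = b"key-sender-receiver"
HEADER = b"sender->receiver"      # routing data: relays must be able to read it
PAYLOAD = b"transfer 500 to account 1234"

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (one call both encrypts and decrypts): XOR the data
    with SHA-256(key || block counter). A stand-in for a real cipher only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def transmit(mode: str, header: bytes, payload: bytes):
    """Carry header+payload along PATH under 'link', 'end-to-end' or 'both'.
    Returns (wire, relay_view, delivered): what a tap on each link captures,
    the frame each relay holds after removing link encryption in order to
    route, and the payload the receiver finally recovers."""
    per_link = mode in ("link", "both")
    e2e = mode in ("end-to-end", "both")
    body = keystream_xor(E2E_KEY, payload) if e2e else payload
    frame, wire, relay_view = header + b"|" + body, [], {}
    for src, dst in zip(PATH, PATH[1:]):
        # Link mode: the provider encrypts the whole frame, header included.
        on_link = keystream_xor(LINK_KEYS[(src, dst)], frame) if per_link else frame
        wire.append(on_link)
        # The next node must undo link encryption to read the routing header.
        frame = keystream_xor(LINK_KEYS[(src, dst)], on_link) if per_link else on_link
        if dst != "receiver":
            relay_view[dst] = frame
    body = frame.split(b"|", 1)[1]
    return wire, relay_view, (keystream_xor(E2E_KEY, body) if e2e else body)

def relays_see_payload(mode: str) -> bool:
    """True if every relay holds the payload in the clear."""
    return all(PAYLOAD in f for f in transmit(mode, HEADER, PAYLOAD)[1].values())

def wire_shows_header(mode: str) -> bool:
    """True if the routing header is readable on every link."""
    return all(HEADER in f for f in transmit(mode, HEADER, PAYLOAD)[0])
```

Link encryption hides the header on the wire but exposes the payload at every relay; end-to-end encryption does the reverse; combining both leaves only the relays' necessary view of the header.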


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.