MISCELLANEOUS CYBERSECURITY NEWS:
Email hack prompts call for Microsoft to make security logs free -
Microsoft has been criticized for charging its cloud services
customers extra to access security logs after a China-based threat
group hacked email accounts from more than two dozen organizations,
including U.S. government agencies.
https://www.scmagazine.com/analysis/security-awareness/email-hack-prompts-call-for-microsoft-to-make-security-logs-free
The 5 Riskiest Connected Devices in 2023: IT, IoT, OT, IoMT - Since
2020, Forescout Research – Vedere Labs has been tracking the
riskiest devices on organizations’ networks. In 2020, we released
the first Enterprise of Things Security Report, followed in 2022
with the Riskiest Connected Devices in Enterprise Networks report.
https://www.forescout.com/blog/riskiest-connected-devices-it-iot-ot-iomt/
CISA shares free tools to help secure data in the cloud - The U.S.
Cybersecurity and Infrastructure Security Agency (CISA) has shared a
factsheet providing details on free tools and guidance for securing
digital assets after switching to the cloud from on-premises
environments.
https://www.bleepingcomputer.com/news/security/cisa-shares-free-tools-to-help-secure-data-in-the-cloud/
USB drive malware attacks spiking again in first half of 2023 -
What's old is new again, with researchers seeing a threefold
increase in malware distributed through USB drives in the first half
of 2023.
https://www.bleepingcomputer.com/news/security/usb-drive-malware-attacks-spiking-again-in-first-half-of-2023/
FCC launches ‘U.S. Cyber Trust Mark’ labeling for IoT devices - The
White House and the Federal Communications Commission introduced a
"U.S. Cyber Trust Mark" labeling program on Tuesday that aims to
push IoT device makers to better secure their gadgets and give
consumers reassurance that a product is secure before buying it.
https://www.scmagazine.com/news/device-security/biden-fcc-u-s-cyber-trust-mark-labeling
Why company executives should not post their home addresses online -
Most businesses employ extensive processes and technology to prevent
online attacks on their team members and IT systems – anti-virus,
anti-spam and phishing prevention tools have become ubiquitous, and
ongoing cybersecurity training for staff has become standard.
https://www.scmagazine.com/perspective/privacy/why-company-executives-should-not-post-their-home-addresses-online
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Dating app spills 340GB of steamy data and 260,000 user profiles -
Over 260,000 dating app account records and 340 gigabytes of images
and private chat logs were left open to the public on an Amazon Web
Services S3 storage bucket. Impacted was the dating service 419
Dating - Chat & Flirt, developed by Siling App based in Hong Kong.
https://www.scmagazine.com/news/privacy/dating-app-spills-340gb-of-steamy-data-and-260000-user-profiles
Lessons to learn from last week’s email breach on federal agencies
by a Chinese APT group - We learned early last week that a group of
Chinese hackers exploited a vulnerability in Microsoft’s cloud email
service to gain access to the cloud-based email accounts at 25
organizations.
https://www.scmagazine.com/perspective/cloud-security/lessons-to-learn-from-last-weeks-email-breach-on-federal-agencies-by-a-chinese-apt-group
Chinese hacking operation puts Microsoft in the crosshairs over
security failures - Revelations that hackers in China used a
Microsoft security flaw to execute a highly targeted, sophisticated
operation targeting some two dozen entities, including the U.S.
commerce secretary, have officials and researchers alike exasperated
that the company’s products have once again been used to pull off an
intelligence coup.
https://cyberscoop.com/microsoft-china-hacking-state/
JumpCloud, an IT firm serving 200,000 orgs, says it was hacked by
nation-state - JumpCloud, a cloud-based IT management service that
lists Cars.com, GoFundMe, and Foursquare among its 5,000 paying
customers, experienced a security breach carried out by hackers
working for a nation-state, the company said last week.
https://arstechnica.com/security/2023/07/jumpcloud-says-nation-state-hacker-breach-targeted-some-of-its-customers/
WEB SITE COMPLIANCE - Disclosures/Notices (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated with the
Internet."
Product Certification and Security Scanning Products
Several organizations exist which independently assess and
certify the adequacy of firewalls and other computer system related
products. Typically, certified products have been tested for their
ability to permit and sustain business functions while protecting
against both common and evolving attacks.
Security scanning tools should be run frequently by system
administrators to identify any new vulnerabilities or changes in the
system. Ideally, the scan should be run both with and without the
firewall in place so the firewall's protective capabilities can be
fully evaluated. Identifying the susceptibility of the system
without the firewall is useful for determining contingency
procedures should the firewall ever go down. Some scanning tools
have different versions with varying degrees of intrusion/attack
attempts.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
5.3 System-Specific Policy
Program policy and issue-specific policy both address policy from
a broad level, usually encompassing the entire organization.
However, they do not provide sufficient information or direction,
for example, to be used in establishing an access control list or in
training users on what actions are permitted. System-specific policy
fills this need. It is much more focused, since it addresses only
one system.
Many security policy decisions may apply only at the system level
and may vary from system to system within the same organization.
While these decisions may appear to be too detailed to be policy,
they can be extremely important, with significant impacts on system
usage and security. These types of decisions can be made by a
management official, not by a technical system administrator. (The
impacts of these decisions, however, are often analyzed by technical
system administrators.)
To develop a cohesive and comprehensive set of security policies,
officials may use a management process that derives security rules
from security goals. It is helpful to consider a two-level model for
system security policy: security objectives and operational security
rules, which together comprise the system-specific policy. Closely
linked and often difficult to distinguish, however, is the
implementation of the policy in technology.
System-specific security policy includes two components: security
objectives and operational security rules. It is often accompanied
by implementing procedures and guidelines.
5.3.1 Security Objectives
The first step in the management process is to define security
objectives for the specific system. Although this process may start
with an analysis of the need for integrity, availability, and
confidentiality, it should not stop there. A security objective
needs to be more specific; it should be concrete and well defined. It
also should be stated so that it is clear that the objective is
achievable. This process will also draw upon other applicable
organization policies.
Security objectives consist of a series of statements that
describe meaningful actions about explicit resources. These
objectives should be based on system functional or mission
requirements, but should state the security actions that support the
requirements.
Development of system-specific policy will require management to
make trade-offs, since it is unlikely that all desired security
objectives will be able to be fully met. Management will face cost,
operational, technical, and other constraints.
Sample Security Objective: Only individuals in the
accounting and personnel departments are authorized to provide or
modify information used in payroll processing.
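As an added illustration (not part of the handbook text), the sample objective above can be turned into an operational security rule and then into the kind of access control list the chapter says system-specific policy should support: a deny-by-default table keyed on resource and action, with every decision audited so reviewers can compare the ACL's behaviour against the stated objective. The resource name `payroll_input`, the user records and the requests are constructed for this example.

```python
"""Derive an ACL check from the sample security objective.

Objective (from the handbook): only individuals in the accounting and
personnel departments may provide or modify payroll-processing information.
The resource name, user records and requests below are constructed for
this example; they are not from the NIST handbook.
"""
from dataclasses import dataclass, field

# Operational security rule derived from the objective:
# (resource, action) -> departments permitted to perform it.
# Any (resource, action) pair not listed is denied (deny by default).
PAYROLL_ACL = {
    ("payroll_input", "provide"): {"accounting", "personnel"},
    ("payroll_input", "modify"): {"accounting", "personnel"},
}


@dataclass
class User:
    name: str
    department: str


@dataclass
class PolicyEngine:
    acl: dict
    audit_log: list = field(default_factory=list)

    def is_permitted(self, user: User, resource: str, action: str) -> bool:
        allowed = self.acl.get((resource, action), set())
        decision = user.department.lower() in allowed
        # Record every decision, allowed or denied, for later policy review.
        self.audit_log.append((user.name, user.department, resource, action,
                               "ALLOW" if decision else "DENY"))
        return decision

    def denied_attempts(self) -> list:
        return [entry for entry in self.audit_log if entry[-1] == "DENY"]


def demo() -> list:
    """Evaluate constructed requests; returns the list of decisions."""
    engine = PolicyEngine(PAYROLL_ACL)
    requests = [
        (User("alice", "accounting"), "payroll_input", "modify"),
        (User("bob", "personnel"), "payroll_input", "provide"),
        (User("carol", "engineering"), "payroll_input", "modify"),
        (User("dave", "accounting"), "payroll_input", "delete"),  # not covered by the objective
    ]
    return [engine.is_permitted(u, r, a) for u, r, a in requests]
```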