R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

July 24, 2022

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

Security pros say mobile apps are ‘essential’ or ‘absolutely core’ to their business success - A report on Thursday found that some three out of four security pros say mobile apps are now “essential” or “absolutely core” to their success - a number that’s three times higher than two years ago. https://www.scmagazine.com/news/application-security/security-pros-say-mobile-apps-are-essential-or-absolutely-core-to-their-business-success

Amazon finally admits giving cops Ring doorbell data without user consent - More than 10 million people rely on Ring video doorbells to monitor what's happening directly outside the front doors of their homes. https://arstechnica.com/tech-policy/2022/07/amazon-finally-admits-giving-cops-ring-doorbell-data-without-user-consent/

Now offering cryptocurrency, ATMs targeted for crypto-fraud - Automated teller machines have been a part of banking and financial services for more than half a century. But, until recently, they served mostly as a vehicle for receiving cash, depositing checks or reviewing balances. https://www.scmagazine.com/analysis/cybercrime/now-offering-cryptocurrency-atm-machines-targeted-for-crypto-fraud

White House to hold summit on addressing the thousands of unfilled cybersecurity jobs - The administration has already hosted expansive summits on ransomware and open-source software security. Now it’s taking a similar approach in an attempt to tackle problems in the cybersecurity workforce. https://www.scmagazine.com/analysis/careers/white-house-to-hold-summit-on-addressing-the-thousands-of-unfilled-cybersecurity-jobs

11 health providers settle HIPAA right of access failures with feds - The Department of Health and Human Services Office for Civil Rights announced settlements with 11 covered entities to resolve claims that the providers failed to give patients timely access to their medical records, in violation of the Health Insurance Portability and Accountability Act. https://www.scmagazine.com/analysis/compliance/11-health-providers-settle-hipaa-right-of-access-failures-with-feds

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Oklahoma State University health center pays $875K penalty for HIPAA violations - The Oklahoma State University - Center for Health Sciences paid the Department of Health and Human Services Office for Civil Rights a $875,000 civil monetary penalty to resolve possible violations of the Health Insurance Portability and Accountability Act, following a 2018 healthcare data breach. https://www.scmagazine.com/analysis/incident-response/oklahoma-state-university-health-center-pays-875k-penalty-for-hipaa-violations

Albanian government websites go dark after cyberattack - Citizen services only moved online in May. What could possibly go wrong? - Albania's online public services and websites have gone dark following what appears to be a cyberattack. https://www.theregister.com/2022/07/18/albania_down/

BJC Health to spend $2.7M on email MFA access to settle breach affecting 288K patients - BJC HealthCare reached a settlement with the 287,873 patients impacted by a 2020 protected health information breach of its email system brought on by a successful phishing attack. https://www.scmagazine.com/analysis/breach/bjc-health-to-spend-2-7m-on-email-mfa-access-to-settle-breach-affecting-288k-patients

Online skimming hammers restaurant payment platforms as attacker base widens - Magecart campaigns, the major scamps of online skimming, have yet again emerged - this time exposing internet-based transactions at more than 300 restaurants - pointing out that this form of digital payments attack is likely to rise as online buying increases and the scope of perpetrators rises. https://www.scmagazine.com/analysis/third-party-risk/online-skimming-hammers-restaurant-payment-platforms-as-attacker-base-widens

Nearly half of organizations experienced a vishing or social engineering attack in the last year - Mutare on Wednesday released a report finding that 47% of organizations experienced a voice phishing (vishing) or social engineering attack in the past year. https://www.scmagazine.com/news/social-engineering/nearly-half-of-organizations-experienced-a-vishing-or-social-engineering-attack-in-the-last-year


WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 2 of 3)

Risks Associated With E-Mail and Internet-Related Fraudulent Schemes

Internet-related fraudulent schemes present a substantial risk to the reputation of any financial institution that is impersonated or spoofed. Financial institution customers and potential customers may mistakenly perceive that weak information security resulted in security breaches that allowed someone to obtain confidential information from the financial institution. Potential negative publicity regarding an institution's business practices may cause a decline in the institution's customer base, a loss in confidence, or costly litigation.

In addition, customers who fall prey to e-mail and Internet-related fraudulent schemes face real and immediate risk. Criminals will normally act quickly to gain unauthorized access to financial accounts, commit identity theft, or engage in other illegal acts before the victim realizes the fraud has occurred and takes action to stop it.

Educating Financial Institution Customers About E-Mail and Internet-Related Fraudulent Schemes

Financial institutions should consider the merits of educating customers about prevalent e-mail and Internet-related fraudulent schemes, such as phishing, and how to avoid them. This may be accomplished by providing customers with clear and bold statement stuffers and posting notices on Web sites that convey the following messages:

!  A financial institution's Web page should never be accessed from a link provided by a third party. It should only be accessed by typing the Web site name, or URL address, into the Web browser or by using a "bookmark" that directs the Web browser to the financial institution's Web site.
!  A financial institution should not be sending e-mail messages that request confidential information, such as account numbers, passwords, or PINs. Financial institution customers should be reminded to report any such requests to the institution.
!  Financial institutions should maintain current Web site certificates and describe how the customer can authenticate the institution's Web pages by checking the properties on a secure Web page.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Outsourced Development

Many financial institutions outsource software development to third parties. Numerous vendor management issues exist when outsourcing software development. The vendor management program established by management should address the following:

! Verifying credentials and contracting only with reputable providers;
! Evaluating the provider's secure development environment, including background checks on its employees and its code development and testing processes;
! Obtaining fidelity coverage;
! Requiring signed nondisclosure agreements to protect the financial institution's rights to source code and customer data as appropriate;
! Establishing security requirements, acceptance criteria, and test plans;
! Reviewing and testing source code for security vulnerabilities, including covert channels or backdoors that might obscure unauthorized access into the system;
! Restricting any vendor access to production source code and systems and monitoring their access to development systems; and
! Performing security tests to verify that the security requirements are met before implementing the software in production.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.3.6 Complying with Export Rules

The US government controls the export of cryptographic implementations. The rules governing export can be quite complex, since they consider multiple factors. In addition, cryptography is a rapidly changing field, and rules may change from time to time. Questions concerning the export of a particular implementation should be addressed to appropriate legal counsel.

19.4 Interdependencies

There are many interdependencies among cryptography and other security controls highlighted in this handbook. Cryptography both depends on other security safeguards and assists in providing them.

Physical Security. Physical protection of a cryptographic module is required to prevent (or at least detect) physical replacement or modification of the cryptographic system and the keys within it. In many environments (e.g., open offices, portable computers), the cryptographic module itself has to provide the desired levels of physical security. In other environments (e.g., closed communications facilities, steel-encased Cash-Issuing Terminals), a cryptographic module may be safely employed within a secured facility.

User Authentication. Cryptography can be used both to protect passwords that are stored in computer systems and to protect passwords that are communicated between computers. Furthermore, cryptographic-based authentication techniques may be used in conjunction with, or in place of, password-based techniques to provide stronger authentication of users.

Logical Access Control. In many cases, cryptographic software may be embedded within a host system, and it may not be feasible to provide extensive physical protection to the host system. In these cases, logical access control may provide a means of isolating the cryptographic software from other parts of the host system and for protecting the cryptographic software from tampering and the keys from replacement or disclosure. The use of such controls should provide the equivalent of physical protection.

Audit Trails. Cryptography may play a useful role in audit trails. For example, audit records may need to be signed. Cryptography may also be needed to protect audit records stored on computer systems from disclosure or modification. Audit trails are also used to help support electronic signatures.
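The Handbook's point that audit records may need to be signed and protected from modification can be illustrated with a hash-chained, HMAC-authenticated audit trail. This is an added example written for this newsletter, not code from the NIST Handbook or from Yennik, Inc.; the sample key and the banking events are constructed, and the MAC key is assumed to be held apart from the log itself, in keeping with the Handbook's note that secret keys are not themselves subject to audit.

```python
import hashlib
import hmac
import json

# Constructed sample key. In practice the MAC key lives in a cryptographic module
# or HSM and is never written to the audit log it protects.
SAMPLE_KEY = b"constructed-sample-key-do-not-reuse"

def _canonical(record: dict) -> bytes:
    # Deterministic encoding so the same bytes are authenticated on write and on verify.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append_record(log: list, event: dict, key: bytes) -> dict:
    """Append a record chained to the previous one and authenticated with HMAC-SHA256."""
    prev_mac = log[-1]["mac"] if log else "0" * 64
    body = {"seq": len(log), "prev": prev_mac, "event": event}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, mac=mac)
    log.append(record)
    return record

def verify_log(log: list, key: bytes) -> int:
    """Return the index of the first record that fails, or -1 if the whole chain verifies.
    Detects edited records (MAC), deleted or reordered records (seq/prev), and wrong keys."""
    prev_mac = "0" * 64
    for i, rec in enumerate(log):
        body = {k: rec[k] for k in ("seq", "prev", "event")}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if rec["seq"] != i or rec["prev"] != prev_mac or not hmac.compare_digest(expected, rec["mac"]):
            return i
        prev_mac = rec["mac"]
    return -1

def build_sample_log(key: bytes = SAMPLE_KEY) -> list:
    """Constructed online-banking audit events, used as sample input."""
    log = []
    append_record(log, {"user": "jdoe", "action": "login", "result": "ok"}, key)
    append_record(log, {"user": "jdoe", "action": "wire", "amount": "2500.00"}, key)
    append_record(log, {"user": "jdoe", "action": "logout"}, key)
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("intact log verifies:", verify_log(log, SAMPLE_KEY) == -1)
    log[1]["event"]["amount"] = "25.00"  # a silent edit of a stored record
    print("first bad record after tampering:", verify_log(log, SAMPLE_KEY))
```

The periodic review the Handbook calls for would simply run verify_log over the stored trail with the operational key; any return value other than -1 points at the first record whose integrity cannot be established.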

Assurance. Assurance that a cryptographic module is properly and securely implemented is essential to the effective use of cryptography. NIST maintains validation programs for several of its standards for cryptography. Vendors can have their products validated for conformance to the standard through a rigorous set of tests. Such testing provides increased assurance that a module meets stated standards, and system designers, integrators, and users can have greater confidence that validated products conform to accepted standards.


A cryptographic system should be monitored and periodically audited to ensure that it is satisfying its security objectives. All parameters associated with correct operation of the cryptographic system should be reviewed, and operation of the system itself should be periodically tested and the results audited. Certain information, such as secret keys or private keys in public key systems, should not be subject to audit. However, nonsecret or nonprivate keys could be used in a simulated audit procedure.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.