MISCELLANEOUS CYBERSECURITY NEWS:
For the SEC, the fraud case against SolarWinds is a
cybersecurity warning shot - Legal, risk management and
cybersecurity experts say companies are now on notice to
prioritize internal controls, investor transparency and
material disclosure requirements.
https://www.cybersecuritydive.com/news/sec-fraud-solarwinds-cybersecurity-warning/698613/
Weak credentials behind nearly half of all cloud-based
attacks, research finds - Credential mismanagement was the
top initial access vector for cloud environment attacks
during the first half of 2024, a Google Cloud report found.
https://www.cybersecuritydive.com/news/cloud-attacks-weak-credentials/721573/
Cyber insurance: How to achieve the right coverage - In its
latest report, Cyber Insurance and Cyber Defenses in 2024,
Sophos provides several key insights into cybersecurity.
https://www.scmagazine.com/resource/cyber-insurance-how-to-achieve-the-right-coverage
Seven tips that offer short-term and long-term fixes
following the CrowdStrike outage - The recent CrowdStrike
outage serves as a reminder for cybersecurity defenders
about the importance of robust testing and incident response
strategies.
https://www.scmagazine.com/perspective/heres-seven-tips-that-offer-short-term-and-long-term-fixes-following-the-crowdstrike-outage
Fallout from the CrowdStrike outage: Time to regulate EDR
software - Is antivirus software critical infrastructure?
What about endpoint detection and response software?
https://www.scmagazine.com/perspective/fallout-from-the-crowdstrike-outage-time-to-regulate-edr-software
Why the AT&T breach matters – and how to respond - In the
latest major cybersecurity incident, AT&T has revealed a
significant data breach affecting nearly all its wireless
customers.
https://www.scmagazine.com/perspective/why-the-att-breach-matters-and-how-to-respond
CrowdStrike says flawed update was live for 78 minutes -
Though CrowdStrike pulled the update, companies across
sectors were already dealing with the cascading consequences
that required manual remediations.
https://www.cybersecuritydive.com/news/crowdstrike-flawed-update-78-minutes/722070/
Ransomware attack shuts down three dozen Los Angeles courts
- Los Angeles County closed down 36 local superior court
offices due to an ongoing ransomware attack.
https://www.scmagazine.com/news/ransomware-attack-shuts-down-three-dozen-los-angeles-courts
CrowdStrike Says Logic Error Caused Windows BSOD Chaos -
CrowdStrike late Friday said a routine sensor configuration
update pushed to Windows systems on July 19, 2024 at 04:09
UTC triggered a logic error that blue-screened critical
computer systems around the world.
https://www.securityweek.com/crowdstrike-says-logic-error-caused-windows-bsod-chaos/
What does your CEO need to know about cybersecurity? - CEOs
can no longer skim over their cybersecurity plans. When big
incidents occur, they risk shareholder lawsuits, regulatory
charges or even job loss.
https://www.cybersecuritydive.com/news/ceo-cyber-security-strategy-CISO/721102/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
CrowdStrike confirms faulty update is tied to massive global
IT outage: ‘Fix has been deployed’ - A massive IT outage has
caused multiple services to be taken offline, while planes
and trains were grounded as a result.
https://www.scmagazine.com/news/crowdstrike-confirms-faulty-update-is-tied-to-massive-global-it-outage-fix-has-been-deployed
https://www.theregister.com/2024/07/19/crowdstrike_falcon_sensor_bsod_incident/
VA unable to collect over $665M in revenue because of tool
suspension, OIG says - VA paused its use of a tool that
consolidates community care data in February 2023 “after
becoming aware of issues with its database code logic and of
compromised stored data.”
https://www.nextgov.com/digital-government/2024/07/va-unable-collect-over-665m-revenue-because-tool-suspension-oig-says/398092/
Snowflake-linked attack on Advance Auto Parts exposes 2.3
million people - One of the few customers to publicly link
Snowflake to a third-party intrusion said its database was
breached for 40 days.
https://www.cybersecuritydive.com/news/advance-auto-parts-snowflake-data-breach/721353/
UnitedHealth’s cyberattack response costs to surpass $2.3B
this year - The healthcare giant’s new estimate is roughly
$1 billion higher than previous forecasts as the cyberattack
on subsidiary Change Healthcare continues to hamper its
profit outlook.
https://www.cybersecuritydive.com/news/unitedhealths-cyberattack-costs-23b/721579/
DHS watchdog rebukes CISA and law enforcement training
center for failing to protect data - The Department of
Homeland Security’s (DHS) inspector general released a
blistering report Wednesday, slamming the Cybersecurity and
Infrastructure Security Agency (CISA) and the Federal Law
Enforcement Training Centers (FLETC) for failing to protect
sensitive data by flouting a direct order from DHS
leadership to stop working with a “high risk” contractor.
https://therecord.media/dhs-inspector-general-report-cisa-data-security
Safety Equipment Giant Cadre Holdings Hit by Cyberattack -
Cadre provides safety and survivability products for first
responders, federal agencies, outdoor recreation, and
personal protection in over 100 countries. Its products
include body armor, bomb squad equipment, duty gear, and
nuclear safety solutions.
https://www.securityweek.com/safety-equipment-giant-cadre-holdings-hit-by-cyberattack/
Ransomware targeting FinServ: What you need to know -
Despite the reputation of having among the highest levels of
cybersecurity maturity, ransomware gangs still successfully
target financial services companies in significant numbers.
https://www.scmagazine.com/resource/ransomware-targeting-finserv-what-you-need-to-know
WEB SITE COMPLIANCE - We continue the series on the FDIC Supervisory Insights article on Incident Response Programs. (3 of 12)
Elements of an Incident Response Program
Although the specific content of an IRP will differ among
financial institutions, each IRP should revolve around the
minimum procedural requirements prescribed by the Federal
bank regulatory agencies. Beyond this fundamental content,
however, strong financial institution management teams also
incorporate industry best practices to further refine and
enhance their IRP. In general, the overall comprehensiveness
of an IRP should be commensurate with an institution's
administrative, technical, and organizational complexity.
Minimum Requirements
The minimum required procedures addressed in the April
2005 interpretive guidance can be categorized into two broad
areas: "reaction" and "notification." In general, reaction
procedures are the initial actions taken once a compromise
has been identified. Notification procedures are relatively
straightforward and involve communicating the details or
events of the incident to interested parties; however, they
may also involve some reporting requirements. The list below
gives the minimum required procedures of an IRP as discussed
in the April 2005 interpretive guidance.
Develop reaction procedures for:
1) assessing security incidents that have occurred;
2) identifying the customer information and information
systems that have been accessed or misused; and
3) containing and controlling the security incident.
Establish notification procedures for:
1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing
Suspicious Activity Reports [SARs], if necessary); and
3) affected customers.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Routing (Part 2 of 2)
Routers and switches are sometimes
difficult to locate. Users may install their own devices and
create their own unauthorized subnets. Any unrecognized or
unauthorized network devices pose security risks. Financial
institutions should periodically audit network equipment to
ensure that only authorized and maintained equipment resides
on their network.
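The periodic audit described above is, in practice, a reconciliation of what discovery tools actually see on the wire against the list of equipment the institution knows it owns and maintains. The following is an added example, not text or code from the FFIEC booklet: the authorized subnets, the inventory and the discovery output are constructed values, and the Finding categories are this example's own choice. In a real audit the observed list would be fed from switch MAC-address tables, ARP caches, LLDP/CDP neighbor tables or a network scanner.

```python
"""Reconcile devices seen on the network against the authorized-equipment inventory.

Added example, not from the FFIEC booklet. The inventory, the authorized subnets
and the discovery output are constructed; in practice the observed set would come
from switch MAC-address tables, ARP caches, LLDP/CDP neighbor tables or a scanner.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Subnets the institution has actually allocated (assumed values).
AUTHORIZED_SUBNETS = [ipaddress.ip_network(s) for s in ("10.10.0.0/24", "10.10.1.0/24")]

# Authorized, maintained equipment keyed by MAC address (constructed inventory).
# "owner" is the team responsible for patching and hardening the device.
INVENTORY = {
    "00:11:22:aa:bb:01": {"name": "core-rtr-1", "owner": "netops"},
    "00:11:22:aa:bb:02": {"name": "dist-sw-1", "owner": "netops"},
    "00:11:22:aa:bb:03": {"name": "dns-1", "owner": "sysops"},
    "00:11:22:aa:bb:04": {"name": "old-sw-2", "owner": "netops"},
}

# Constructed discovery output as (mac, ip, description) tuples.
OBSERVED = [
    ("00:11:22:AA:BB:01", "10.10.0.1", "core-rtr-1"),
    ("00:11:22:aa:bb:02", "10.10.0.2", "dist-sw-1"),
    ("00:11:22:aa:bb:03", "10.10.1.53", "dns-1"),
    ("f0:9f:c2:12:34:56", "10.10.0.250", "consumer wifi router"),  # user-installed device
    ("00:11:22:aa:bb:09", "192.168.88.1", "unknown router"),       # creates its own subnet
]


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    description: str
    reason: str


def normalize_mac(mac: str) -> str:
    """Bring MAC addresses from different tools into one comparable form."""
    return mac.lower().replace("-", ":")


def audit(observed, inventory, authorized_subnets) -> list[Finding]:
    """Return one Finding per policy violation; an empty list means a clean audit."""
    findings = []
    seen = set()
    for mac, ip, desc in observed:
        mac = normalize_mac(mac)
        seen.add(mac)
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in authorized_subnets):
            findings.append(Finding(mac, ip, desc, "address outside any authorized subnet"))
        if mac not in inventory:
            findings.append(Finding(mac, ip, desc, "device not in authorized inventory"))
    # Inventoried equipment that was not seen: either decommissioned but still trusted,
    # or a blind spot in discovery. Either way the inventory needs reconciling.
    for mac, entry in inventory.items():
        if mac not in seen:
            findings.append(Finding(mac, "", entry["name"], "inventoried device not observed"))
    return findings


if __name__ == "__main__":
    for f in audit(OBSERVED, INVENTORY, AUTHORIZED_SUBNETS):
        print(f"{f.reason:40} {f.mac:18} {f.ip:14} {f.description}")
```

Run against the constructed data, the audit flags the user-installed router (unknown MAC), the device on 192.168.88.1 (both unknown and on an unallocated subnet) and the inventoried switch that discovery never saw. Findings in the last category matter as much as rogue devices: an entry that stays in the inventory after the hardware is gone is a trusted identity an attacker can reuse.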
DNS hosts, routers and switches are
computers with their own operating system. If successfully
attacked, they can allow traffic to be monitored or
redirected. Financial institutions must restrict, log, and
monitor administrative access to these devices. Remote
administration typically warrants an encrypted session,
strong authentication, and a secure client. The devices
should also be appropriately patched and hardened.
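"Restrict, log, and monitor administrative access" only pays off if someone actually reads the logs against a policy. The following is an added example, not text or code from the FFIEC booklet: it reviews router and switch login records for three violations of the paragraph above, an administrative session that is not over SSH (an encrypted session), a login from outside the management network (restriction to a secure client), and a burst of failed logins against one device from one source. The log lines are constructed and modeled on the %SEC_LOGIN messages Cisco IOS emits; the management subnet, the SSH-only rule and the failure threshold are assumed policy values.

```python
"""Review administrative-access logs from routers and switches for policy violations.

Added example, not from the FFIEC booklet. The log lines are constructed and modeled
on the %SEC_LOGIN messages Cisco IOS emits; the management subnet, the SSH-only rule
and the failed-login threshold are assumed policy values.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

MGMT_NETS = [ipaddress.ip_network("10.10.9.0/24")]  # assumed jump-host subnet
SSH_PORT = 22                                        # encrypted session; 23 would be telnet
FAIL_THRESHOLD = 3                                   # failed logins per (device, source) per window
FAIL_WINDOW = timedelta(minutes=5)

# Constructed sample log: syslog-style prefix, then the IOS login message.
LOG_LINES = """\
Jul 19 04:10:01 core-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.9.5] [localport: 22]
Jul 19 04:12:40 core-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.77] [localport: 23]
Jul 19 04:15:02 dist-sw-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22]
Jul 19 04:15:09 dist-sw-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22]
Jul 19 04:15:15 dist-sw-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22]
Jul 19 04:30:00 dist-sw-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.9.6] [localport: 22]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)


def parse(line: str, year: int = 2024) -> dict | None:
    """Extract the fields of one login event; syslog omits the year, so it is supplied."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "event": m["event"], "user": m["user"],
            "src": ipaddress.ip_address(m["src"]), "port": int(m["port"])}


def review(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (host, user, source, reason) tuples, one per policy violation found."""
    findings = []
    failures: dict[tuple, list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src = str(ev["src"])
        if ev["event"] == "LOGIN_SUCCESS":
            if ev["port"] != SSH_PORT:
                findings.append((ev["host"], ev["user"], src,
                                 f"administrative session not over SSH (local port {ev['port']})"))
            if not any(ev["src"] in net for net in MGMT_NETS):
                findings.append((ev["host"], ev["user"], src,
                                 "administrative login from outside the management network"))
        else:
            # Sliding window of failures per (device, source); alert once, when the threshold is hit.
            key = (ev["host"], src)
            window = [t for t in failures[key] if ev["ts"] - t <= FAIL_WINDOW] + [ev["ts"]]
            failures[key] = window
            if len(window) == FAIL_THRESHOLD:
                findings.append((ev["host"], ev["user"], src,
                                 f"{FAIL_THRESHOLD} failed logins within {FAIL_WINDOW}"))
    return findings


if __name__ == "__main__":
    for host, user, src, reason in review(LOG_LINES):
        print(f"{host:12} {user:8} {src:15} {reason}")
```

On the sample log the telnet session from 10.10.0.77 produces two findings (cleartext protocol and a source outside the management subnet), and the three failures from 203.0.113.7 within thirteen seconds produce one. The successful SSH logins from the jump-host subnet produce none, which is the point: the review should be quiet for the access pattern the policy intends.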
Packets are sent and received through a network interface
card (NIC) for each network to which a device connects.
Internal computers typically have a single NIC attached to the
corporate network or a subnet. Firewalls, proxy servers, and
gateway servers are typically dual-homed, with two NICs, so
that they can communicate both internally and externally while
limiting access to the internal network.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.1.1 Groundbreaking -- Position Definition
Early in the process of defining a position, security
issues should be identified and dealt with. Once a position
has been broadly defined, the responsible supervisor should
determine the type of computer access needed for the
position. There are two general principles to apply when
granting access: separation of duties and least
privilege.
Separation of duties refers to dividing roles and
responsibilities so that a single individual cannot subvert
a critical process. For example, in financial systems, no
single individual should normally be given authority to
issue checks. Rather, one person initiates a request for a
payment and another authorizes that same payment. In effect,
checks and balances need to be designed into both the
process as well as the specific, individual positions of
personnel who will implement the process. Ensuring that such
duties are well defined is the responsibility of management.
Least privilege refers to the security objective of
granting users only those accesses they need to perform
their official duties. Data entry clerks, for example, may
have no need to run analysis reports on their database.
Least privilege does not mean that all users will have
extremely little functional access; some employees will have
significant access if their position requires it. Even so,
applying this principle may limit the damage resulting from
accidents, errors, or unauthorized use of system resources.
It is important to make certain that the implementation of
least privilege does not interfere with the ability to have
personnel substitute for each other without undue delay.
Without careful planning, access control can interfere with
contingency plans.
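The two principles above, and the caveat about substitutes, are easiest to see in a small access-control model built around the Handbook's own payment example. The following is an added example, not text or code from the NIST Handbook: the roles, their permissions, the staff and the temporary-delegation rule are assumed for illustration. Roles carry only the permissions their duties need (least privilege), the process refuses to let the initiator of a payment approve it even when that person holds both permissions (separation of duties), and a substitute inherits an absent colleague's access only while a delegation is in force, so contingency coverage does not become a permanent grant.

```python
"""Separation of duties and least privilege in a small payment-authorization model.

Added example, not from the NIST Handbook. The roles, permissions, users and the
temporary-delegation rule for substitutes are assumed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


class AccessError(Exception):
    """Raised when a request violates least privilege or separation of duties."""


# Least privilege: each role carries only the permissions its duties require.
ROLES = {
    "data_entry": {"payment:create"},
    "approver": {"payment:approve"},
    "analyst": {"report:run"},
}

# Assumed staff. Dave holds two roles that together form a conflicting combination.
USERS = {
    "alice": {"data_entry"},
    "bob": {"approver"},
    "carol": {"analyst"},
    "dave": {"data_entry", "approver"},
}


@dataclass
class Payment:
    pid: int
    amount: int
    initiated_by: str
    approved_by: Optional[str] = None


class PaymentSystem:
    def __init__(self, roles: dict[str, set[str]], users: dict[str, set[str]]):
        self.roles = roles
        self.users = users
        self.delegations: dict[str, str] = {}  # absent user -> designated substitute
        self.payments: dict[int, Payment] = {}

    def permissions(self, user: str) -> set[str]:
        """Permissions from the user's own roles, plus those of anyone they are covering for."""
        acting_as = {user} | {absent for absent, sub in self.delegations.items() if sub == user}
        return {p for u in acting_as for r in self.users[u] for p in self.roles[r]}

    def require(self, user: str, perm: str) -> None:
        if perm not in self.permissions(user):
            raise AccessError(f"{user} lacks {perm}")

    # Contingency: a substitute inherits the absent person's access only while the
    # delegation is in force, so coverage does not turn into a permanent grant.
    def delegate(self, absent: str, substitute: str) -> None:
        if absent == substitute or substitute not in self.users:
            raise AccessError("invalid delegation")
        self.delegations[absent] = substitute

    def revoke_delegation(self, absent: str) -> None:
        self.delegations.pop(absent, None)

    def create(self, user: str, pid: int, amount: int) -> Payment:
        self.require(user, "payment:create")
        self.payments[pid] = Payment(pid, amount, initiated_by=user)
        return self.payments[pid]

    def approve(self, user: str, pid: int) -> Payment:
        self.require(user, "payment:approve")
        p = self.payments[pid]
        # Separation of duties is enforced on the process, not only on the role: even a
        # user holding both permissions may not approve a payment they initiated.
        if p.initiated_by == user:
            raise AccessError(f"{user} initiated payment {pid} and may not approve it")
        p.approved_by = user
        return p


def conflicting_users(roles, users) -> set[str]:
    """Static review: users whose combined roles let them both create and approve."""
    return {u for u, rs in users.items()
            if {"payment:create", "payment:approve"} <= {p for r in rs for p in roles[r]}}


def is_denied(action, *args) -> bool:
    """True if the action raises AccessError; useful for dry-run access reviews."""
    try:
        action(*args)
        return False
    except AccessError:
        return True
```

The runtime check in approve() is what stops a single individual from issuing a payment alone; the static conflicting_users() review is what management uses to find positions, such as Dave's, whose role combination makes the runtime check the only thing standing in the way. Both are needed: the first protects the process, the second keeps the position definitions honest.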