MISCELLANEOUS CYBERSECURITY NEWS:
2023 SANS Security Awareness Report - Complimentary copy of the 2023
SANS Security Awareness Report®. Read the report to gain an
understanding of how to utilize data-driven actions to manage your
human risk and push your program into the future of security.
https://go.sans.org/lp-wp-2023-security-awareness-report-thank-you
1,000 CISOs strong: How cross-company collaboration strengthens
enterprise cybersecurity - More than 1,000 chief information
security officers (CISOs) have joined the Cybersecurity
Collaboration Forum and the Cybersecurity Collaborative, two
organizations dedicated to fostering communication, cooperation and
information-sharing among top cybersecurity executives across a wide
range of industries in the United States.
https://www.scmagazine.com/news/leadership/1000-cisos-strong-how-cross-company-collaboration-strengthens-enterprise-cybersecurity
The Cyber Trust Mark is a voluntary IoT label coming in 2024. What
does it mean? - The goal of the new US Cyber Trust Mark, coming
voluntarily to Internet of Things (IoT) devices by the end of 2024,
is to keep people from having to do deep research before buying a
thermostat, sprinkler controller, or baby monitor.
https://arstechnica.com/information-technology/2023/07/the-cyber-trust-mark-is-a-voluntary-iot-label-coming-in-2024-what-does-it-mean/
Orgs Face Record $4.5M Per Data Breach Incident - The average cost
per data breach for business in 2023 jumped to $4.45 million, a 15%
increase over three years. But instead of investing in
cybersecurity, 57% of breached organizations told IBM they were
inclined to just pass those costs onto consumers.
https://www.darkreading.com/attacks-breaches/orgs-record-4.5m-data-breach-incident
10 steps to choose and deploy a network-security solution - The
process of selecting and implementing a network-security solution
involves three types of activities: gathering information about both
your own organization and potential security vendors; obtaining
approval from decision-makers; and properly deploying and
maintaining your chosen solution.
https://www.scmagazine.com/resource/10-steps-to-choose-and-deploy-a-network-security-solution
SEC approves new cyber reporting regulations for public companies -
The Securities and Exchange Commission voted 3-2 to adopt new
regulations that would require publicly traded companies to notify
the government when their IT systems are hacked and periodically
disclose details around their cybersecurity risk governance in
public filings.
https://www.scmagazine.com/news/sec-approves-new-cyber-reporting-regulations-for-public-companies
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Recycling giant TOMRA pulls systems offline following 'extensive
cyberattack' - Norwegian mining and recycling giant TOMRA says it
has isolated tech systems as it deals with an "extensive cyberattack."
https://www.theregister.com/2023/07/18/tomra_cyberattack/
Microsoft key stolen by Chinese hackers provided access far beyond
Outlook - The private encryption key used by Chinese hackers to
break into the email accounts of high-level U.S. government
officials disclosed last week also gave them access to a vast array
of other Microsoft products, according to new research from cloud
security firm Wiz.
https://www.scmagazine.com/news/threat-intelligence/microsoft-key-stolen-by-chinese-hackers-provided-access-far-beyond-outlook
Norwegian government IT systems hacked using zero-day flaw - The
Norwegian government is warning that its ICT platform used by 12
ministries has suffered a cyberattack after hackers exploited a
zero-day vulnerability in third-party software.
https://www.bleepingcomputer.com/news/security/norwegian-government-it-systems-hacked-using-zero-day-flaw/
Florida Hospital Says Data Theft Attack Affects 1.2 Million - A
Florida hospital is notifying 1.2 million patients that their
information was stolen by hackers in a cybersecurity incident that
spanned nearly three weeks in May as attackers tried to encrypt
the entity's systems with ransomware.
https://www.govinfosecurity.com/florida-hospital-says-data-theft-attack-affects-12-million-a-22616
WEB SITE COMPLIANCE - Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Logical Access Controls (Part 1 of 2)
If passwords are used for access control or authentication
measures, users should be properly educated in password selection.
Strong passwords consist of at least six to eight alphanumeric
characters, with no resemblance to any personal data. PINs should
also be unique, with no resemblance to personal data. Neither
passwords nor PINs should ever be reduced to writing or shared with
others.
Other security measures should include the adoption of one-time
passwords, or password aging measures that require periodic changes.
Encryption technology can also be employed in the entry and
transmission of passwords, PINs, user IDs, etc. Any password
directories or databases should be properly protected, as well.
Password guessing programs can be run against a system. Some can
run through tens of thousands of password variations based on
personal information, such as a user's name or address. It is
preferable to test for such vulnerabilities by running this type of
program as a preventive measure, before an unauthorized party has
the opportunity to do so. Incorporating a brief delay requirement
after each incorrect login attempt can be very effective against
these types of programs. In cases where a potential attacker is
monitoring a network to collect passwords, a system utilizing
one-time passwords would render any data collected useless.
When additional measures are necessary to confirm that passwords
or PINs are entered by the user, technologies such as tokens, smart
cards, and biometrics can be useful. Utilizing these technologies
adds another dimension to the security structure by requiring the
user to possess something physical.
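The two password controls described above, a selection check that rejects passwords resembling the user's personal data and a brief, growing delay after each incorrect login attempt, can be put into code in a few lines. The following is an added example written for this newsletter and is not code from the FDIC material; the 8-character minimum, the doubling delay, PBKDF2 with the stated round count, and the clock interface are all choices made here. The clock is injectable so the behaviour can be exercised without sleeping; the delay simply pushes the account's "not before" time forward, which is what defeats a guessing program that needs thousands of attempts per minute.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000  # constructed setting for this example; tune for the deployment


def resembles_personal_data(password, personal_data):
    """True if any personal-data token of 3+ chars appears in the password (or vice versa)."""
    pw = password.lower()
    for item in personal_data:
        token = str(item).lower()
        if len(token) >= 3 and (token in pw or pw in token):
            return True
    return False


def is_strong_password(password, personal_data=()):
    """At least 8 characters, contains both letters and digits, unrelated to personal data."""
    if len(password) < 8:
        return False
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        return False
    return not resembles_personal_data(password, personal_data)


class LoginThrottle:
    """Salted password store plus a growing delay after each wrong attempt on an account."""

    def __init__(self, base_delay=1.0, max_delay=60.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock            # injectable so tests and demos need not sleep
        self.users = {}               # username -> (salt, pbkdf2 digest)
        self.failures = {}            # username -> consecutive failed attempts
        self.not_before = {}          # username -> earliest time the next attempt is processed
        # Dummy credential so an unknown username costs the same hashing work as a real one.
        self._dummy_salt = os.urandom(16)
        self._dummy_digest = self._hash("dummy", self._dummy_salt)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def attempt(self, username, password):
        """Returns 'delayed', 'ok' or 'denied'. A delayed attempt is not processed at all."""
        now = self.clock()
        if now < self.not_before.get(username, 0.0):
            return "delayed"
        salt, digest = self.users.get(username, (self._dummy_salt, self._dummy_digest))
        ok = hmac.compare_digest(self._hash(password, salt), digest) and username in self.users
        if ok:
            self.failures[username] = 0
            self.not_before[username] = 0.0
            return "ok"
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        # The delay doubles with each consecutive failure and is capped at max_delay.
        self.not_before[username] = now + min(self.base_delay * 2 ** (n - 1), self.max_delay)
        return "denied"


def delay_for(throttle, username):
    """Seconds until the next attempt on this account will be processed."""
    return max(0.0, throttle.not_before.get(username, 0.0) - throttle.clock())


class FakeClock:
    """Constructed clock for the demo: time advances only when the caller says so."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(base_delay=1.0, clock=clock)
    throttle.register("alice", "Sunset-Harbor-42")   # constructed account
    for guess in ("alice1", "alice2", "alice3"):      # guesses built from the user's name
        print(guess, throttle.attempt("alice", guess), "next attempt in", delay_for(throttle, "alice"), "s")
        clock.t += delay_for(throttle, "alice")
    print("correct password:", throttle.attempt("alice", "Sunset-Harbor-42"))
```

Attempts made inside the delay window are refused without being checked, so they neither consume hashing work nor extend the delay; only a processed wrong guess lengthens it, and a successful login resets it.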
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
5.3.2 Operational Security Rules
After management determines the security objectives, the rules for
operating a system can be laid out, for example, to define
authorized and unauthorized modification: who (by job category,
organization placement, or name) can do what (e.g., modify, delete)
to which specific classes and records of data, and under what
conditions.
The degree of specificity needed for operational security rules
varies greatly. The more detailed the rules are, up to a point, the
easier it is to know when one has been violated. It is also, up to a
point, easier to automate policy enforcement. However, overly
detailed rules may make the job of instructing a computer to
implement them difficult or computationally complex.
In addition to deciding the level of detail, management should
decide the degree of formality in documenting the system-specific
policy. Once again, the more formal the documentation, the easier it
is to enforce and to follow policy. On the other hand, policy at the
system level that is too detailed and formal can also be an
administrative burden. In general, good practice suggests a
reasonably detailed formal statement of the access privileges for a
system. Documenting access controls policy will make it
substantially easier to follow and to enforce. Another area that
normally requires a detailed and formal statement is the assignment
of security responsibilities. Other areas that should be addressed
are the rules for system usage and the consequences of
noncompliance.
Policy decisions in other areas of computer security, such as
those described in this handbook, are often documented in the risk
analysis, accreditation statements, or procedural manuals. However,
any controversial, atypical, or uncommon policies will also need
formal statements. Atypical policies would include any areas where
the system policy is different from organizational policy or from
normal practice within the organization, either more or less
stringent. The documentation for an atypical policy contains a
statement explaining the reason for deviation from the
organization's standard policy.
Sample Operational Security Rule:
Personnel clerks may update fields for weekly attendance, charges
to annual leave, employee addresses, and telephone numbers.
Personnel specialists may update salary information. No employees
may update their own records.
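The handbook's point that a reasonably detailed rule is easy to automate can be seen by encoding the sample rule above directly. The following is an added example written for this newsletter, not code from the NIST Handbook; the role names, field names, employee identifiers and the audit-log shape are constructed here. It reads the rule literally: specialists get only the salary field, anything not granted is denied, and the self-update prohibition is checked before the role table so that it cannot be bypassed by any role.

```python
from dataclasses import dataclass, field

# Literal encoding of the sample operational security rule (names constructed for this example).
UPDATE_RULES = {
    "personnel_clerk": {"weekly_attendance", "annual_leave_charges", "address", "telephone"},
    "personnel_specialist": {"salary"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize_update(actor_id, actor_role, owner_id, fields):
    """Default-deny check of one update request against UPDATE_RULES."""
    if actor_id == owner_id:
        return Decision(False, "no employee may update their own record")
    permitted = UPDATE_RULES.get(actor_role, set())   # unknown role -> nothing permitted
    excess = sorted(set(fields) - permitted)
    if excess:
        return Decision(False, f"role '{actor_role}' may not update {excess}")
    return Decision(True, "permitted")


@dataclass
class PersonnelStore:
    """Record store that applies a change only after the rule allows it and logs every decision."""
    records: dict
    audit: list = field(default_factory=list)

    def update(self, actor_id, actor_role, owner_id, changes):
        decision = authorize_update(actor_id, actor_role, owner_id, changes.keys())
        self.audit.append((actor_id, owner_id, sorted(changes), decision.allowed, decision.reason))
        if decision.allowed:
            self.records[owner_id].update(changes)
        return decision


if __name__ == "__main__":
    # Constructed sample records and requests.
    store = PersonnelStore({"e100": {"salary": 50000, "telephone": "555-0100"}})
    print(store.update("e200", "personnel_clerk", "e100", {"telephone": "555-0199"}))
    print(store.update("e200", "personnel_clerk", "e100", {"salary": 1}))
    print(store.update("e300", "personnel_specialist", "e100", {"salary": 52000}))
    print(store.update("e100", "personnel_specialist", "e100", {"salary": 99}))
    for entry in store.audit:
        print(entry)
```

Because the rule names job categories and data fields explicitly, a violation is a single failed check with a recorded reason, which is exactly the enforceability the handbook says detailed rules buy; a vaguer rule such as "staff may maintain personnel data" would give the program nothing to compare against.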