MISCELLANEOUS CYBERSECURITY NEWS:
New guidance by cloud group, federal agency target HIPAA compliance
and vendor risk - The Cloud Security Alliance released new guidance
aiming to support healthcare delivery organizations with managing
third-party vendor risk, while NIST has updated its healthcare
cybersecurity insights to support compliance with the Health
Insurance Portability and Accountability Act Security Rule.
https://www.scmagazine.com/analysis/third-party-risk/new-guidance-by-cloud-group-federal-agency-target-hipaa-compliance-and-vendor-risk
Many security pros ‘not confident’ in their organization’s ability
to ensure secure cloud access - Appgate this week released
independent research from the Ponemon Institute that found 60% of IT
and security leaders are not confident in their organization’s
ability to ensure secure cloud access.
https://www.scmagazine.com/news/cloud-security/many-security-pros-not-confident-in-their-organizations-ability-to-ensure-secure-cloud-access
Web Application Attacks Threaten Healthcare Cybersecurity, HC3 Says
- Web application attacks are becoming an increasingly popular
cyberattack method and continue to threaten healthcare
cybersecurity.
https://healthitsecurity.com/news/web-application-attacks-threaten-healthcare-cybersecurity-hc3-says
Updated TSA Pipeline Cybersecurity Requirements Offer More
Flexibility - The Transportation Security Administration (TSA) has
updated its directive for oil and natural gas pipeline
cybersecurity, providing owners and operators more flexibility in
achieving the outlined goals.
https://www.securityweek.com/updated-tsa-pipeline-cybersecurity-requirements-offer-more-flexibility
NCUA wants credit unions to join the cyber incident reporting game -
Another arm of the federal government is moving to require
organizations under their regulatory purview to notify and report
when they are hacked.
https://www.scmagazine.com/analysis/incident-response/ncua-wants-credit-unions-to-join-the-cyber-incident-reporting-game
Inside the Energy Department’s 10-year plan to reshape cybersecurity
in the sector - Everybody loves the idea of modernizing IT and
cybersecurity. Few industries or sectors have the money, resources,
patience or follow through to carry it out in more than a piecemeal
fashion.
https://www.scmagazine.com/feature/critical-infrastructure/inside-the-energy-departments-10-year-plan-to-reshape-cybersecurity-in-the-sector
A majority of companies have raised prices because of a data breach
- IBM Security on Wednesday released its annual Cost of a Data
Breach Report, which found that the cost of a breach reached an
all-time high of $4.35 million in 2022.
https://www.scmagazine.com/news/breach/a-majority-of-companies-have-raised-prices-because-of-a-data-breach
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Amid Rising Magecart Attacks on Online Ordering Platforms, Recent
Campaigns Infect 311 Restaurants - Threat actors infect e-commerce
websites with Magecart e-skimmers to steal online shoppers’ payment
card data, billing information, and personally identifiable
information (PII).
https://www.recordedfuture.com/amid-rising-magecart-attacks-online-ordering-platforms
DoJ, FBI recover $500,000 in ransomware payments to Maui gang -
Federal law enforcement officials this week said they seized about
$500,000 that healthcare facilities in the United States paid to the
Maui ransomware group.
https://www.theregister.com/2022/07/20/doj-maui-ransomware-payments/
Settlements Reached In 2 Large Healthcare Hack Lawsuits -
Settlements in class action lawsuits filed in the aftermath of two
separate major breaches serve as the latest examples of threats and
risks involving email hacks - as well as underlining the threat of
litigation in the wake of such incidents.
https://www.govinfosecurity.com/settlements-reached-in-2-large-healthcare-hack-lawsuits-a-19617
Tenet Health cyberattack, monthlong outage led to $100M in
‘unfavorable impact’ - The April “cybersecurity incident” that led
to several weeks of downtime and service delays at Tenet Healthcare
facilities caused $100 million in unfavorable impact.
https://www.scmagazine.com/analysis/incident-response/tenet-health-cyberattack-monthlong-outage-led-to-100m-in-unfavorable-impact
T-Mobile to pay $500M for one of the largest data breaches in US
history - When T-Mobile compromised the sensitive personal
information of more than 76 million current, former, and prospective
customers in 2021, plaintiffs involved in a class action lawsuit
complained that the company continued profiting off their data while
attempting to cover up “one of the largest and most consequential
data breaches in US history.”
https://arstechnica.com/tech-policy/2022/07/t-mobile-to-pay-500m-for-one-of-the-largest-data-breaches-in-us-history/
Uber Admits Covering Up 2016 Data Breach, Avoids Prosecution - The
November 2016 breach involved hackers stealing legitimate
credentials, using them to access Uber's private source code
repository and stealing information on numerous drivers and riders.
In total, the hackers obtained records on approximately 57 million
users, as well as 600,000 drivers' license numbers.
https://www.govinfosecurity.com/uber-admits-covering-up-2016-data-breach-avoids-prosecution-a-19633
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against
E-Mail and Internet-Related Fraudulent Schemes (Part 3 of 3)
Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident
response programs to address possible e-mail and Internet-related
fraudulent schemes. Enhancements may include:
- Incorporating notification procedures to alert customers of
known e-mail and Internet-related fraudulent schemes and to caution
them against responding;
- Establishing a process to notify Internet service providers,
domain name-issuing companies, and law enforcement to shut down
fraudulent Web sites and other Internet resources that may be used
to facilitate phishing or other e-mail and Internet-related
fraudulent schemes;
- Increasing suspicious activity monitoring and employing
additional identity verification controls;
- Offering customers assistance when fraud is detected in
connection with customer accounts;
- Notifying the proper authorities when e-mail and
Internet-related fraudulent schemes are detected, including promptly
notifying their FDIC Regional Office and the appropriate law
enforcement agencies; and
- Filing a Suspicious Activity Report when incidents of e-mail
and Internet-related fraudulent schemes are suspected.
Steps Financial Institutions Can Take to Mitigate Risks
Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and
Internet-related fraudulent schemes, financial institutions should
implement appropriate information security controls as described in
the Federal Financial Institutions Examination Council's (FFIEC)
"Information Security Booklet." Specific actions that should be
considered to prevent and deter e-mail and Internet-related
fraudulent schemes include:
- Improving authentication methods and procedures to protect
against the risk of user ID and password theft from customers
through e-mail and other frauds;
- Reviewing and, if necessary, enhancing practices for
protecting confidential customer data;
- Maintaining current Web site certificates and describing how
customers can authenticate the financial institution's Web pages by
checking the properties on a secure Web page;
- Monitoring accounts individually or in aggregate for unusual
account activity such as address or phone number changes, a large or
high volume of transfers, and unusual customer service requests;
- Monitoring for fraudulent Web sites using variations of the
financial institution's name;
- Establishing a toll-free number for customers to verify
requests for confidential information or to report suspicious e-mail
messages; and
- Training customer service staff to refer customer concerns
regarding suspicious e-mail request activity to security staff.
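The "monitoring for fraudulent Web sites using variations of the financial institution's name" item above, as an added example that is not part of the FFIEC guidance or this newsletter. It assumes a constructed brand name (examplebank), a constructed set of legitimately owned domains, and a constructed list standing in for a newly registered domains feed; each feed entry is flagged if its registrable label contains the brand or sits within a small edit distance of it.

```python
from typing import Optional

BRAND = "examplebank"                 # constructed institution name
OWN_DOMAINS = {"examplebank.com"}     # domains the institution legitimately owns


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, with common digit-for-letter swaps folded back."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.translate(str.maketrans("015", "ols"))


def classify(domain: str, max_distance: int = 2) -> Optional[str]:
    """Reason the domain resembles the brand, or None if it does not."""
    if domain.lower() in OWN_DOMAINS:
        return None
    label = registrable_label(domain)
    if BRAND in label:
        return "brand name present"
    d = edit_distance(label, BRAND)
    return f"edit distance {d}" if d <= max_distance else None


def scan(feed: list) -> dict:
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {d: r for d in feed if (r := classify(d)) is not None}


# Constructed stand-in for a newly-registered-domains feed
SAMPLE_FEED = ["examplebank.com", "examplebank-login.net", "exampelbank.com",
               "examp1ebank.com", "weather-today.org", "examplebnak.co"]

if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_FEED).items():
        print(f"{domain}: {reason}")
```

Flagged domains are candidates for the takedown process described in the preceding list, not confirmed fraud; a human should review each hit before notifying registrars or law enforcement.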
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Hardening Systems
Many financial institutions use commercial off-the-shelf (COTS)
software for operating systems and applications. COTS systems
generally provide more functions than are required for the specific
purposes for which they are employed. For example, a default
installation of a server operating system may install mail, Web, and
file-sharing services on a system whose sole function is a DNS
server. Unnecessary software and services represent a potential
security weakness. Their presence increases the potential number of
discovered and undiscovered vulnerabilities present in the system.
Additionally, system administrators may not install patches or
monitor the unused software and services to the same degree as
operational software and services. Protection against those risks
begins when the systems are constructed and software installed
through a process that is referred to as hardening a system.
When deploying off-the-shelf software, management should harden
the resulting system. Hardening includes the following actions:
- Determining the purpose of the system and minimum software and
hardware requirements;
- Documenting the minimum hardware, software and services to be
included on the system;
- Installing the minimum hardware, software, and services
necessary to meet the requirements using a documented installation
procedure;
- Installing necessary patches;
- Installing the most secure and up-to-date versions of
applications;
- Configuring privilege and access controls by first denying all,
then granting back the minimum necessary to each user;
- Configuring security settings as appropriate, enabling allowed
activity, and disallowing other activity;
- Enabling logging;
- Creating cryptographic hashes of key files;
- Archiving the configuration and checksums in secure storage
prior to system deployment;
- Testing the system to ensure a secure configuration;
- Using secure replication procedures for additional, identically
configured systems, making configuration changes on a case-by-case
basis;
- Changing all default passwords; and
- Testing the resulting systems.
After deployment, the COTS systems may need updating with current
security patches. Additionally, the systems should be periodically
audited to ensure that the software present on the systems is
authorized and properly configured.