MISCELLANEOUS CYBERSECURITY NEWS:
Third-party breaches persist: What you need to know -
Third-party access to data remains a serious security
concern for enterprise IT executives, according to research
from CyberRisk Alliance showing that in many cases companies
simply cannot keep track of who can access their data and
what they can do with it.
https://www.scmagazine.com/resource/third-party-breaches-persist-what-you-need-to-know
CrowdStrike outage renews supply chain concerns, federal
officials say - The White House and the U.S. Government
Accountability Office are raising questions about the
resilience of the software supply chain and memory safety
vulnerabilities.
https://www.cybersecuritydive.com/news/crowdstrike-outage-supply-chain/723198/
SolarWinds legal ruling expected to narrow, but maintain SEC
oversight on cyber transparency - The dismissal of most
charges in a closely watched civil fraud case will test the
ability of federal authorities to regulate risk disclosure.
https://www.cybersecuritydive.com/news/solarwinds-legal-narrow-sec-oversight/722644/
California digitizes car titles, putting 42 million vehicles
on the blockchain - Residents will be able to access or
transfer their car titles in minutes, cutting down on trips
to the DMV and post office.
https://www.zdnet.com/article/california-digitizes-car-titles-putting-42-million-vehicles-on-the-blockchain/
Questions to ask before you shop for a consolidated security
platform - It's not easy to overhaul your organization's
cybersecurity tools to meet modern standards while also
keeping costs in line.
https://www.scmagazine.com/resource/questions-to-ask-yourself-before-you-shop-for-a-consolidated-security-platform
How could Microsoft let the CrowdStrike meltdown happen? -
CrowdStrike bears the ultimate responsibility for the global
IT disaster July 19, in which 8.5 million Windows machines
worldwide failed to boot.
https://www.scmagazine.com/perspective/how-could-microsoft-let-the-crowdstrike-meltdown-happen
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Ransomware attack on major US blood center prompts hundreds
of hospitals to implement shortage protocols - One of the
largest blood centers in the U.S. is operating at reduced
capacity after ransomware hackers shut down parts of its
system.
https://therecord.media/ransomware-attack-blood-center-shortage-protocols-hospitals
Nearly 10-hour Azure outage caused by DDoS attack, says
Microsoft - Microsoft reported that the initial trigger of a
recent, nearly 10-hour Azure outage, which caused
intermittent errors, timeouts and latency spikes across many
of its services, was a distributed denial-of-service (DDoS)
attack, but that a configuration error in its own DDoS
defenses "amplified" the attack.
https://www.scmagazine.com/news/nearly-10-hour-azure-outage-caused-by-ddos-attack-says-microsoft
Bitdefender Patches Critical Vulnerability in GravityZone
Update Server - Bitdefender, a leading cybersecurity
solutions provider, has issued an urgent patch for a
critical vulnerability (CVE-2024-6980) in its GravityZone
Update Server.
https://securityonline.info/bitdefender-patches-critical-vulnerability-in-gravityzone-update-server/
Attacks on Blood Suppliers Trigger Supply Chain Warning - A
ransomware attack last week against a Florida-based blood
center, compounded by a hurricane making landfall on Monday,
is shining a spotlight on the fragility of U.S. medical
supply chains.
https://www.govinfosecurity.com/attacks-on-blood-suppliers-trigger-supply-chain-warning-a-25944
Singapore police wrest back $41 million stolen from
commodities firm in BEC scam - Authorities have seized more
than $41 million stolen from a Singaporean commodities firm
in a business email compromise (BEC) scam, Interpol
announced Monday.
https://therecord.media/singapore-police-business-email-compromise-scam
Microsoft Azure outage takes down services across North
America - Microsoft has mitigated an Azure outage that
lasted more than two hours and took down multiple services
for customers across North and Latin America.
https://www.bleepingcomputer.com/news/microsoft/microsoft-azure-outage-takes-down-services-across-north-america/
WEB SITE COMPLIANCE - We continue the series on FDIC
Supervisory Insights regarding Incident Response Programs.
(5 of 12)
Notification Procedures
An institution should notify its primary Federal regulator
as soon as it becomes aware of the unauthorized access to or
misuse of sensitive customer information or customer
information systems. Notifying the regulatory agency will
help it determine the potential for broader ramifications of
the incident, especially if the incident involves a service
provider, as well as assess the effectiveness of the
institution's IRP.
Institutions should develop procedures for notifying law
enforcement agencies and filing SARs in accordance with
their primary Federal regulator's requirements. Law
enforcement agencies may serve as an additional resource in
handling and documenting the incident. Institutions should
also establish procedures for filing SARs in a timely manner
because regulations impose relatively quick filing
deadlines. The SAR form itself may serve as a resource in
the reporting process, as it contains specific instructions
and thresholds for when to file a report. The SAR form
instructions also clarify what constitutes a "computer
intrusion" for filing purposes. Defining procedures for
notifying law enforcement agencies and filing SARs can
streamline these notification and reporting requirements.
Institutions should also address customer notification
procedures in their IRP. When an institution becomes aware
of an incident involving unauthorized access to sensitive
customer information, the institution should conduct a
reasonable investigation to determine the likelihood that
such information has been or will be misused. If the
institution determines that sensitive customer information
has been misused or that misuse of such information is
reasonably possible, it should notify the affected
customer(s) as soon as possible. Developing standardized
procedures for notifying customers will assist in making
timely and thorough notification. As a resource in
developing these procedures, institutions should reference
the April 2005 interpretive guidance, which specifically
addresses when customer notification is necessary, the
recommended content of the notification, and the acceptable
forms of notification.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Packet Filter Firewalls
Basic packet filtering was described in the router section
and does not include stateful inspection. Packet filter
firewalls evaluate the headers of each incoming and outgoing
packet to ensure it has a valid internal address, originates
from a permitted external address, connects to an authorized
protocol or service, and contains valid basic header values.
If the packet does not match the pre-defined policy for
allowed traffic, the firewall drops it. Packet filters
generally do not analyze packet contents beyond the header
information. Dynamic packet filtering adds stateful
inspection, primarily for performance: rather than
evaluating every packet against the full ruleset, the
firewall first checks each arriving packet against its
connection table to determine whether it belongs to an
existing connection. If the packet belongs to an established
connection, the firewall forwards it without subjecting it
to the ruleset; only packets that open new connections are
evaluated against the rules, so the accuracy of the
connection table is as important as the rules themselves.
Weaknesses associated with packet
filtering firewalls include the following:
! The firewall cannot prevent attacks that exploit
application-specific vulnerabilities and functions, because
a packet filter does not examine packet contents.
! Logging functionality is limited
to the same information used to make access control
decisions.
! Most do not support advanced user
authentication schemes.
! Packet filters are generally vulnerable to attacks and
exploitation that take advantage of weaknesses in the TCP/IP
specification itself.
! The firewalls are easy to
misconfigure, which allows traffic to pass that should be
blocked.
Packet filtering offers less security, but faster
performance, than application-level firewalls. Packet
filters are appropriate in high-speed environments where
logging and user authentication to network resources are
not important. They are also commonly used in small
office/home office (SOHO) systems and in the default
firewalls built into operating systems.
Institutions internally hosting Internet-accessible
services should consider implementing additional firewall
components that include application-level screening.
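The behaviour described above, as an added example that is not part of the FFIEC booklet or of any firewall product: a toy stateful packet filter that makes only header-level decisions (address validity and anti-spoofing, permitted protocol and port, a legal TCP flag combination), keeps a connection table so that packets of an established flow bypass the ruleset, and logs nothing but header fields. The internal range 10.0.0.0/24, the rule table ALLOW_NEW and the sample packets are constructed for the illustration. The last sample packet carries an application-layer attack string on an established HTTPS flow and is accepted, which is exactly the first weakness in the list.

```python
"""Toy stateful packet filter (added illustration, not FFIEC or vendor code).

Addresses, the rule table and the sample packets are constructed for the
example; the internal range is an assumption.
"""
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed inside range


@dataclass(frozen=True)
class Packet:
    ingress: str                      # "external" or "internal" interface
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                        # "tcp" or "udp"
    flags: frozenset = frozenset()    # TCP flags, e.g. frozenset({"SYN"})
    payload: bytes = b""              # never inspected by a packet filter


# Policy for NEW connections only: (direction, proto, destination port).
ALLOW_NEW = {
    ("inbound", "tcp", 443),    # public HTTPS service on the inside
    ("outbound", "tcp", 443),   # inside hosts may reach external HTTPS
    ("outbound", "udp", 53),    # inside hosts may resolve names
}


class PacketFilter:
    def __init__(self):
        self.state = set()   # established flows, keyed by 5-tuple
        self.log = []        # header fields only, as a real packet filter logs

    def _verdict(self, pkt, action, reason):
        self.log.append((action, reason, pkt.src, pkt.sport,
                         pkt.dst, pkt.dport, pkt.proto))
        return action, reason

    def _header_checks(self, pkt):
        """Sanity checks a packet filter can make from headers alone."""
        src = ipaddress.ip_address(pkt.src)
        if pkt.ingress == "external" and src in INTERNAL_NET:
            return "internal source address arriving from outside (spoofed)"
        if pkt.ingress == "internal" and src not in INTERNAL_NET:
            return "non-internal source address leaving the inside"
        if pkt.proto not in ("tcp", "udp"):
            return "protocol not permitted"
        if not (0 < pkt.sport < 65536 and 0 < pkt.dport < 65536):
            return "invalid port number"
        if pkt.proto == "tcp" and {"SYN", "FIN"} <= pkt.flags:
            return "illegal TCP flag combination"
        return None

    def process(self, pkt):
        problem = self._header_checks(pkt)
        if problem:
            return self._verdict(pkt, "DROP", problem)
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # Stateful fast path: packets of a known flow bypass the ruleset.
        if flow in self.state or reverse in self.state:
            return self._verdict(pkt, "ACCEPT", "established")
        # Anything else must be a genuine TCP connection start (SYN only).
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return self._verdict(pkt, "DROP", "mid-stream packet with no state")
        direction = "inbound" if pkt.ingress == "external" else "outbound"
        if (direction, pkt.proto, pkt.dport) in ALLOW_NEW:
            self.state.add(flow)
            return self._verdict(pkt, "ACCEPT", "new connection permitted by rule")
        return self._verdict(pkt, "DROP", "no rule permits this connection")


def run_demo():
    """Feed constructed packets through the filter; returns the verdicts."""
    fw = PacketFilter()
    ext, web = "203.0.113.9", "10.0.0.5"   # constructed addresses
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    packets = [
        Packet("external", ext, 51000, web, 443, "tcp", syn),         # 0 client SYN
        Packet("internal", web, 443, ext, 51000, "tcp", ack),         # 1 server reply
        Packet("external", "10.0.0.7", 40000, web, 443, "tcp", syn),  # 2 spoofed source
        Packet("external", ext, 51001, web, 22, "tcp", syn),          # 3 SSH, no rule
        Packet("external", ext, 51002, web, 8080, "tcp", ack),        # 4 ACK-scan probe
        Packet("external", ext, 51000, web, 443, "tcp", ack,          # 5 attack payload
               payload=b"GET /../../etc/passwd HTTP/1.1\r\n"),        #   on known flow
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for i, (action, reason) in enumerate(run_demo()):
        print(f"packet {i}: {action:6} {reason}")
```

Packet 4 shows why the stateful check matters: a stateless filter that permits inbound ACK packets so that replies can return would let that probe through, whereas here a packet with no matching state is evaluated as a connection start and dropped. Packet 5 shows the limit of the approach: once a flow is in the table, its contents are never examined, which is why the booklet recommends application-level screening in front of Internet-accessible services.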
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.1.3 Filling the Position -- Screening and Selecting
Once a position's sensitivity has been determined, the
position is ready to be staffed. In the federal government,
this typically includes publishing a formal vacancy
announcement and identifying which applicants meet the
position requirements. More sensitive positions typically
require preemployment background screening; screening after
employment has commenced (post-entry-on-duty) may suffice
for less sensitive positions.
Background screening helps determine whether a particular
individual is suitable for a given position. For example, in
positions with high-level fiduciary responsibility, the
screening process will attempt to ascertain the person's
trustworthiness and appropriateness for a particular
position. In the federal government, the screening process
is formalized through a series of background checks
conducted through a central investigative office within the
organization or through another organization (e.g., the
Office of Personnel Management).
Within the Federal Government, the most basic
screening technique involves a check for a criminal history,
checking FBI fingerprint records, and other federal
indices. More extensive background checks examine other
factors, such as a person's work and educational history,
personal interview, history of possession or use of illegal
substances, and interviews with current and former
colleagues, neighbors, and friends. The exact type of
screening that takes place depends upon the sensitivity of
the position and applicable agency implementing regulations.
Screening is not conducted by the prospective employee's
manager; rather, agency security and personnel officers
should be consulted for agency-specific guidance.
Outside of the Federal Government, employee
screening is accomplished in many ways. Policies vary
considerably among organizations due to the sensitivity of
examining an individual's background and qualifications.
Organizational policies and procedures normally try to
balance fears of invasiveness and slander against the need
to develop confidence in the integrity of employees. One
technique may be to place the individual in a less sensitive
position initially.
For both the Federal Government and private sector, finding
something compromising in a person's background does not
necessarily mean they are unsuitable for a particular job. A
determination should be made based on the type of job, the
type of finding or incident, and other relevant factors. In
the federal government, this process is referred to as
adjudication.
In general, it is more effective to use separation of
duties and least privilege to limit the sensitivity of the
position, rather than relying on screening to reduce the
risk to the organization.