MISCELLANEOUS CYBERSECURITY NEWS:
CISA strategic plan aligns with National Cybersecurity Strategy -
The Cybersecurity and Infrastructure Security Agency (CISA) on
Friday released an update to its comprehensive strategic plan.
https://www.scmagazine.com/news/cisa-strategic-plan-aligns-with-national-cybersecurity-strategy
Ransomware payouts and recovery costs went way up in 2023 - For
every ransomware attack that makes the headline news, there’s likely
hundreds more that never see the light of day.
https://www.scmagazine.com/resource/report-ransomware-payouts-and-recovery-costs-went-way-up-in-2023
As cars hoover up more and more driver data, is it time to regulate
the industry? - Cars are “connected computers on wheels” and should
be treated as such. That's according to the California Privacy
Protection Agency (CPPA), which recently announced its enforcement
division will review the data privacy practices of connected vehicle
manufacturers.
https://therecord.media/connected-cars-hoover-up-data
CISA Unveils Cybersecurity Strategic Plan for Next 3 Years - The
Cybersecurity Strategic Plan for fiscal years 2024-2026 outlines the
agency’s plans for achieving a future where damaging cyberattacks
are rare, organizations are resilient, and technology is secure by
design.
https://www.securityweek.com/cisa-unveils-cybersecurity-strategic-plan-for-next-3-years/
US Government Lagging on Border Gateway Protocol Security - The U.S.
federal government acknowledged that it is lagging behind on border
gateway protocol security practices. Officials from several
government agencies, ISPs and cloud content providers organized a
workshop to understand the latest security improvements underway.
https://www.govinfosecurity.com/us-government-lagging-on-border-gateway-protocol-security-a-22744
Schools and governments slammed by ransomware attacks, but root
causes vary by industry - No industry is invulnerable to ransomware,
but some sectors are much more equipped than others when it comes to
foiling ransomware attacks and recovering during the aftermath.
https://www.scmagazine.com/resource/report-schools-and-governments-slammed-by-ransomware-attacks-but-root-causes-vary-by-industry
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Canon warns printer users to manually wipe Wi-Fi settings before
discarding - Printer manufacturer Canon is warning that sensitive
Wi-Fi settings don’t automatically get wiped during resets, so
customers should manually delete them before selling, discarding, or
getting them repaired to prevent the settings from falling into the
wrong hands.
https://arstechnica.com/security/2023/08/canon-warns-printer-users-to-manually-wipe-wi-fi-settings-before-discarding/
US govt contractor Serco discloses data breach after MOVEit attacks
- Serco Inc, the Americas division of multinational outsourcing
company Serco Group, has disclosed a data breach after attackers
stole the personal information of over 10,000 individuals from a
third-party vendor's MOVEit managed file transfer (MFT) server.
https://www.bleepingcomputer.com/news/security/us-govt-contractor-serco-discloses-data-breach-after-moveit-attacks/
Hawai'i's Gemini North observatory suspends operations following
cyberattack - A U.S. national center for astronomy was struck with a
cyberattack this week that hindered the operations of an observatory
in Hawai'i.
https://therecord.media/gemini-north-observatory-cyberattack
Data breach hits Mondee - TechCrunch reports that major travel
technology firm Mondee has leaked sensitive customer data through an
exposed Oracle cloud-based database, which it has since secured.
https://www.scmagazine.com/brief/data-breach-hits-mondee
Ransomware attack on Prospect Medical Holdings takes down hospital
systems in 4 states - A ransomware attack late last week on Los
Angeles-based Prospect Medical Holdings spread to hospitals in at
least four other states before the healthcare group took its systems
offline to prevent any further spread.
https://www.scmagazine.com/news/ransomware-attack-on-prospect-medical-holdings-takes-down-hospital-systems-in-4-states
Colorado Department of Higher Education warns of massive data breach
- The Colorado Department of Higher Education (CDHE) discloses a
massive data breach impacting students, past students, and teachers
after suffering a ransomware attack in June.
https://www.bleepingcomputer.com/news/security/colorado-department-of-higher-education-warns-of-massive-data-breach/
A Cyberattack Has Disrupted Hospitals and Health Care in Five States
- A cyberattack has disrupted hospital computer systems in several
states, forcing some emergency rooms to close and ambulances to be
diverted, and many primary care services remained closed on Friday
as security experts worked to determine the extent of the problem
and resolve it.
https://www.securityweek.com/a-cyberattack-has-disrupted-hospitals-and-health-care-in-five-states/
Ransomware victims clobbered by repeat attacks - Organizations hit by
a ransomware attack are almost six times more likely to be attacked
again over the next three months, according to new research by a
cloud computing and security company.
https://www.scmagazine.com/news/ransomware-victims-clobbered-by-repeat-attacks
WEB SITE COMPLIANCE -
Over the next few weeks we will cover the FDIC's paper
"Risk Assessment Tools and Practices for Information System Security"
dated July 7, 1999. This is our first selection for your reading.
Whether financial institutions contract with third-party
providers for computer services such as Internet banking, or
maintain computer services in-house, bank management is responsible
for ensuring that systems and data are protected against risks
associated with emerging technologies and computer networks. If a
bank is relying on a third-party provider, management must generally
understand the provider's information security program to
effectively evaluate the security system's ability to protect bank
and customer data.
The FDIC has previously issued guidance on information security
concerns such as data privacy and confidentiality, data integrity,
authentication, non-repudiation, and access control/system design.
This paper is designed to supplement Financial Institution Letter
131-97, "Security Risks Associated With the Internet," dated
December 18, 1997, and to complement the FDIC's safety and soundness
electronic banking examination procedures. Related guidance can be
found in the FFIEC Information Systems Examination Handbook.
FFIEC IT SECURITY -
This concludes the series from the FDIC "Security Risks Associated
with the Internet." Starting next week, we will begin covering the
OCC Bulletin about Infrastructure Threats and Intrusion Risks.
V. Security Flaws and Bugs
Because hardware and software continue to improve, the task of
maintaining system performance and security is ongoing. Products are
frequently issued which contain security flaws or other bugs, and
then security patches and version upgrades are issued to correct the
deficiencies. The most important action in this regard is to keep
current on the latest software releases and security patches. This
information is generally available from product developers and
vendors. Also important is an understanding of the products and
their security flaws, and how they may affect system performance.
For example, if there is a time delay before a patch will be
available to correct an identified problem, it may be necessary to
invoke mitigating controls until the patch is issued.
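The triage step this paragraph describes, shown as an added example that is not part of the FDIC paper: a short Python script compares an installed-software inventory against a list of advisories and sorts every affected host into "patch available, apply it" or "no patch yet, invoke the mitigating control". The products, version numbers and advisory identifiers are constructed for illustration and correspond to no real vendor or CERT/CC advisory.

```python
"""Patch-status triage against an advisory list.

Added example; the advisories, products, versions and identifiers below
are constructed and hypothetical.
"""
import re
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so that 1.2.10 ranks above 1.2.9.

    Plain string comparison would rank '1.2.10' below '1.2.9', which is
    exactly the mistake that makes a patched host look unpatched (or the
    reverse). Non-numeric suffixes such as '3b' keep only their leading
    digits; a piece with no digits counts as 0.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # hypothetical identifier, not a real CVE/CERT id
    product: str
    affected_below: str   # every release strictly below this is vulnerable
    patch_released: bool  # False while the vendor has not shipped a fix
    mitigation: str       # interim control to apply when no patch exists


def classify(installed: str, adv: Advisory) -> str:
    """Status of one installed version against one advisory."""
    if parse_version(installed) >= parse_version(adv.affected_below):
        return "current"
    return "patch-available" if adv.patch_released else "unpatched-mitigate"


def triage(inventory, advisories):
    """Map (host, product) -> list of (advisory_id, status, action).

    inventory: iterable of (host, product, installed_version).
    Only affected entries are returned, so an empty dict means all hosts
    are current with respect to the advisories supplied.
    """
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    findings = {}
    for host, product, version in inventory:
        for adv in by_product.get(product, []):
            status = classify(version, adv)
            if status == "current":
                continue
            if status == "patch-available":
                action = f"upgrade to >= {adv.affected_below}"
            else:
                action = f"no patch yet: {adv.mitigation}"
            findings.setdefault((host, product), []).append(
                (adv.advisory_id, status, action))
    return findings


# Constructed sample data (hypothetical products, versions, advisory ids).
ADVISORIES = [
    Advisory("ADV-0001", "webserver", "2.4.10", True, "n/a"),
    Advisory("ADV-0002", "mailgw", "1.9", False,
             "block port 25 from untrusted networks"),
]
INVENTORY = [
    ("www1", "webserver", "2.4.9"),   # vulnerable, patch exists
    ("www2", "webserver", "2.4.10"),  # already patched
    ("mx1", "mailgw", "1.8.3"),       # vulnerable, no patch: mitigate
    ("db1", "dbserver", "5.0"),       # no advisory applies
]

if __name__ == "__main__":
    for (host, product), items in sorted(triage(INVENTORY, ADVISORIES).items()):
        for adv_id, status, action in items:
            print(f"{host:5} {product:10} {adv_id} {status:18} {action}")
```

The "unpatched-mitigate" bucket is the one the paragraph is about: a host that stays there needs a compensating control and a follow-up date, not just a note that the vendor has been contacted.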
Reference sources for the identification of software bugs exist,
such as the Computer Emergency Response Team Coordination Center
(CERT/CC) at the Software Engineering Institute of Carnegie Mellon
University, Pittsburgh, Pennsylvania. The CERT/CC, among other
activities, issues advisories on security flaws in software
products, and provides this information to the general public
through subscription e-mail, Internet newsgroups (Usenet), and their
Web site at www.cert.org. Many other resources are freely available
on the Internet.
Active Content Languages
Active content languages have been the subject of a number of
recent security discussions within the technology industry. While it
is not their only application, these languages allow computer
programs to be attached to Web pages. As such, more appealing and
interactive Web pages can be created, but this function may also
allow unauthorized programs to be automatically downloaded to a
user's computer. To date, few incidents have been reported of harm
caused by such programs; however, active content programs could be
malicious, designed to access or damage data or insert a virus.
Security problems may result from an implementation standpoint,
such as how the languages and developed programs interact with other
software, such as Web browsers. Typically, users can disable the
acceptance of such programs on their Web browser. Or, users can
configure their browser so they may choose which programs to accept
and which to deny. It is important for users to understand how these
languages function and the risks involved, so that they make
educated decisions regarding their use. Security alerts concerning
active content languages are usually well publicized and should
receive prompt reviews by those utilizing the technology.
VI. Viruses
Because potentially malicious programs can be downloaded
directly onto a system from the Internet, virus protection measures
beyond the traditional boot scanning techniques may be necessary to
properly protect servers, systems, and workstations. Additional
protection might include anti-virus products that remain resident,
providing for scanning during downloads or the execution of any
program. It is also important to ensure that all system users are
educated in the risks posed to systems by viruses and other
malicious programs, as well as the proper procedures for accessing
information and avoiding such threats.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY
POLICY
5.4 Interdependencies
Policy is related to many of the topics covered in this handbook:
Program Management. Policy is used to establish an
organization's computer security program, and is therefore closely
tied to program management and administration. Both program and
system-specific policy may be established in any of the areas
covered in this handbook. For example, an organization may wish to
have a consistent approach to incident handling for all its systems
- and would issue appropriate program policy to do so. On the other
hand, it may decide that its applications are sufficiently
independent of each other that application managers should deal with
incidents on an individual basis.
Access Controls. System-specific policy is often
implemented through the use of access controls. For example, it may
be a policy decision that only two individuals in an organization
are authorized to run a check-printing program. Access controls are
used by the system to implement (or enforce) this policy.
Links to Broader Organizational Policies. This chapter has
focused on the types and components of computer security policy.
However, it is important to realize that computer security policies
are often extensions of an organization's information security
policies for handling information in other forms (e.g., paper
documents). For example, an organization's e-mail policy would
probably be tied to its broader policy on privacy. Computer security
policies may also be extensions of other policies, such as those
about appropriate use of equipment and facilities.