R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

August 14, 2022

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

Email hack costs Salinas Valley Memorial Health $340K in breach settlement - Salinas Valley Memorial Healthcare System in California has reached a $340,000 settlement with the 2,384 patients impacted by the hack of its email systems in mid-2020. https://www.scmagazine.com/analysis/email-security/email-hack-costs-salinas-valley-memorial-health-340k-in-breach-settlement

US financial firms face growing regulatory fines for poor security management - It’s not just upfront financial losses and reputational damage that U.S. banks and investment firms need to worry about when it comes to cyber risk. https://www.scmagazine.com/analysis/identity-and-access/us-financial-firms-face-growing-regulatory-fines-for-poor-security-management

Eight topics to cover when selecting cyber insurance - Cyberattacks continue to set new records, prompting chief information security officers (CISOs) and business leaders to focus intently on how best to defend their businesses. https://www.scmagazine.com/perspective/third-party-risk/eight-topics-to-cover-when-selecting-cyber-insurance

Single-Core CPU Cracked Post-Quantum Encryption Candidate Algorithm in Just an Hour - A late-stage candidate encryption algorithm that was meant to withstand decryption by powerful quantum computers in the future has been trivially cracked by using a computer running Intel Xeon CPU in an hour's time. https://thehackernews.com/2022/08/single-core-cpu-cracked-post-quantum.html

Why the health sector needs to secure IoT devices on their networks - A recent Department of Health and Human Services Cybersecurity Coordination analyst note urges healthcare entities to evaluate their current approach to securing Internet of Things (IoT) devices, since DDoS and man-in-the-middle attacks have increased given the rapid adoption of the devices. https://www.scmagazine.com/analysis/device-security/why-the-health-sector-needs-to-secure-iot-devices-on-their-networks

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Taiwan defense ministry hit by cyberattacks in Pelosi aftermath - The website of Taiwan’s Ministry of National Defense was hit with a cyberattack on Wednesday in the aftermath of the House Speaker's visit to the island. https://thehill.com/policy/international/3587859-taiwan-defense-ministry-hit-by-cyberattacks-in-pelosi-aftermath/

Cybersecurity agencies reveal last year’s top malware strains - The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a list of the topmost detected malware strains last year in a joint advisory with the Australian Cyber Security Centre (ACSC). https://www.bleepingcomputer.com/news/security/cybersecurity-agencies-reveal-last-year-s-top-malware-strains/

German Chambers of Industry and Commerce hit by 'massive' cyberattack - The Association of German Chambers of Industry and Commerce (DIHK) was forced to shut down all of its IT systems and switch off digital services, telephones, and email servers, in response to a cyberattack. https://www.bleepingcomputer.com/news/security/german-chambers-of-industry-and-commerce-hit-by-massive-cyberattack/

$3M settlement proposed for Dental Care Alliance healthcare breach lawsuit - A $3 million proposed settlement has been reached in a breach lawsuit filed against Dental Care Alliance after its December 2020 report of a monthslong system hack that led to the access of data tied to more than 1 million patients and employees. https://www.scmagazine.com/analysis/breach/3m-settlement-proposed-for-dental-care-alliance-healthcare-breach-lawsuit

Criminals steal $4 million from Solana as theft trend hits its crypto blockchain - Cryptocurrency exchanges and bridge sites have been suffering a spate of attacks aimed at stealing funds, personal credentials and account access. https://www.scmagazine.com/analysis/cybercrime/criminals-steal-4-million-from-solana-as-theft-trend-hits-its-crypto-blockchain

326K Aetna members involved in mailing vendor ransomware fallout - Connecticut-based Aetna ACE recently notified 326,278 plan members that their data was possibly accessed during a ransomware attack against their printing and mailing vendor OneTouchPoint. https://www.scmagazine.com/analysis/breach/326k-aetna-members-involved-in-mailing-vendor-ransomware-fallout

Cyberattack disrupts emergency services in UK, drives calls for healthcare continuity - The 111 emergency services of the U.K. National Health Services were disrupted over the weekend after a cyberattack against its managed service provider. https://www.scmagazine.com/analysis/business-continuity/cyberattack-disrupts-emergency-services-in-uk-drives-calls-for-healthcare-continuity


WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 2 of 4)

Risk Assessment

The board of directors and senior management are responsible for understanding the risks associated with outsourcing arrangements for technology services and ensuring that effective risk management practices are in place. As part of this responsibility, the board and management should assess how the outsourcing arrangement will support the institution’s objectives and strategic plans and how the service provider’s relationship will be managed. Without an effective risk assessment phase, outsourcing technology services may be inconsistent with the institution’s strategic plans, too costly, or introduce unforeseen risks.

Outsourcing of information and transaction processing and settlement activities involves risks that are similar to the risks that arise when these functions are performed internally. Risks include threats to security, availability and integrity of systems and resources, confidentiality of information, and regulatory compliance. In addition, the nature of the service provided, such as bill payment, funds transfer, or emerging electronic services, may result in entities performing transactions on behalf of the institution, such as collection or disbursement of funds, that can increase the levels of credit, liquidity, transaction, and reputation risks.

Management should consider additional risk management controls when services involve the use of the Internet. The broad geographic reach, ease of access, and anonymity of the Internet require close attention to maintaining secure systems, intrusion detection and reporting systems, and customer authentication, verification, and authorization. Institutions should also understand that the potential risks introduced are a function of a system’s structure, design and controls and not necessarily the volume of activity.

An outsourcing risk assessment should consider the following:

• Strategic goals, objectives, and business needs of the financial institution.
• Ability to evaluate and oversee outsourcing relationships.
• Importance and criticality of the services to the financial institution.
• Defined requirements for the outsourced activity.
• Necessary controls and reporting processes.
• Contractual obligations and requirements for the service provider.
• Contingency plans, including availability of alternative service providers, costs and resources required to switch service providers.
• Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic objectives and service provider performance.
• Regulatory requirements and guidance for the business lines affected and technologies used.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

PERSONNEL SECURITY

Security personnel allow legitimate users to have the system access necessary to perform their duties. Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data. Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons. Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems. Risk exposures from internal users include:

• Altering data,
• Deleting production and backup data,
• Crashing systems,
• Destroying systems,
• Misusing systems for personal gain or to damage the institution,
• Holding data hostage, and
• Stealing strategic or customer data for corporate espionage or fraud schemes.

BACKGROUND CHECKS AND SCREENING

Financial institutions should verify job application information on all new employees. The sensitivity of a particular job or access level may warrant additional criminal background and credit checks. Institutions should verify that contractors are subject to similar screening procedures. Typically, the minimum verification considerations include:

• Character references;
• Confirmation of prior experience, academic record, and professional qualifications; and
• Confirmation of identity from government-issued identification.

After employment, managers should remain alert to changes in employees' personal circumstances that could increase incentives for system misuse or fraud.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.1 Initiating the Risk Assessment

HGA has information systems that comprise and are intertwined with several different kinds of assets valuable enough to merit protection. HGA's systems play a key role in transferring U.S. Government funds to individuals in the form of paychecks; hence, financial resources are among the assets associated with HGA's systems. The system components owned and operated by HGA are also assets, as are personnel information, contracting and procurement documents, draft regulations, internal correspondence, and a variety of other day-to-day business documents, memos, and reports. HGA's assets include intangible elements as well, such as reputation of the agency and the confidence of its employees that personal information will be handled properly and that the wages will be paid on time.

A recent change in the directorship of HGA has brought in a new management team. Among the new Chief Information Officer's first actions was appointing a Computer Security Program Manager who immediately initiated a comprehensive risk analysis to assess the soundness of HGA's computer security program in protecting the agency's assets and its compliance with federal directives. This analysis drew upon prior risk assessments, threat studies, and applicable internal control reports. The Computer Security Program Manager also established a timetable for periodic reassessments.

Since the wide-area network and mainframe used by HGA are owned and operated by other organizations, they were not treated in the risk assessment as HGA's assets. And although HGA's personnel, buildings, and facilities are essential assets, the Computer Security Program Manager considered them to be outside the scope of the risk analysis.

After examining HGA's computer system, the risk assessment team identified specific threats to HGA's assets, reviewed HGA's and national safeguards against those threats, identified the vulnerabilities of those policies, and recommended specific actions for mitigating the remaining risks to HGA's computer security. The following sections provide highlights from the risk assessment. The assessment addressed many other issues at the programmatic and system levels. However, this chapter focuses on security issues related to the time and attendance application.


PLEASE NOTE:

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.