MISCELLANEOUS CYBERSECURITY NEWS:
Delta expects $380M revenue hit due to CrowdStrike outage -
The company said it canceled 7,000 flights in five days due
to the IT outage, according to a Thursday filing with the
Securities and Exchange Commission.
https://www.cybersecuritydive.com/news/delta-crowdstrike-microsoft-lawsuit/723837/
Consumer Reports study finds data removal services are often
ineffective - A new investigation of data removal services -
companies that say they will strip consumer information from
people-search data broker sites - found that they are for
the most part worthless.
https://therecord.media/data-removal-services-mostly-worthless-study
Insured loss impact could reach $1B following CrowdStrike
outage - The insured losses connected to a global IT outage
July 19, which a faulty CrowdStrike Falcon software update
triggered, are expected to range between $300 million and $1
billion.
https://www.cybersecuritydive.com/news/insured-losses-crowdstrike-1-billion/723315/
Microsoft Deputy CISO recounts responding to the CrowdStrike
outage - The industry’s collective response to the massive
outage underscored for Ms. Johnson its ability to come
together and put competitive interests aside.
https://www.cybersecuritydive.com/news/microsoft-ciso-recounts-crowdstrike-response/723954/
United Kingdom moves to tamper down cybersecurity row - The
idea of an international standard for “cyber deception” has
turned into a contentious subject, and recently the UK
government has taken up the challenge to settle the issue
for the rest of the world.
https://www.scmagazine.com/news/britain-moves-to-tamper-down-cybersecurity-row
Texas sues General Motors over collection, sale of driver
data - The Texas Attorney General's Office sued General
Motors, alleging the automaker is illegally collecting
customer driving data from 1.5 million Texans and selling
the information to insurance companies without the car
owners' consent.
https://www.scmagazine.com/news/texas-sues-general-motors-over-collection-sale-of-driver-data
Social engineering attacks continue to evolve – here’s how
to keep up - Ever since email first rose in popularity as a
business communication tool in the early 1990s,
cybercriminals have leveraged it as a vector for social
engineering attacks.
https://www.scmagazine.com/perspective/social-engineering-attacks-continue-to-evolve-heres-how-to-keep-up
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
LoanDepot reports net loss as cyber-related settlement hit
Q2 financial results - LoanDepot reported a net loss of
$65.9 million during the second quarter, as its financial
results were weighed down by the continuing impacts of a
January ransomware attack.
https://www.cybersecuritydive.com/news/loandepot-net-loss-cyber-settlement-q2/723838/
Implement MFA or Risk Non-Compliance With GDPR - The UK
Information Commissioner’s Office (ICO, the data protection
and information rights regulator) today announced its
intention to fine the Advanced Computer Software Group £6.09
million.
https://www.securityweek.com/implement-mfa-or-risk-non-compliance-with-gdpr/
MDM vendor Mobile Guardian attacked, leading to remote
wiping of 13,000 devices - UK-based mobile device management
vendor Mobile Guardian has admitted that on August 4 it
suffered a security incident that involved unauthorized
access to iOS and ChromeOS devices managed by its tools,
which are currently unavailable.
https://www.theregister.com/2024/08/06/mobile_guardian_mdm_attack/
McLaren Health Hit With Ransomware for Second Time in a Year
- Michigan-based McLaren Health Care is dealing with its
second cyberattack in less than a year, disrupting IT
systems and patient services at its 13 hospitals and other
medical facilities.
https://www.bankinfosecurity.com/mclaren-health-hit-ransomware-for-second-time-in-year-a-25988
Vulnerabilities Exposed Widely Used Solar Power Systems to
Hacking, Disruption - The researchers analyzed photovoltaic
system management platforms provided by companies that are
used to operate millions of solar installations worldwide,
generating 195 GW, or roughly 20% of the global solar power
production.
https://www.securityweek.com/vulnerabilities-exposed-widely-used-solar-power-systems-to-hacking-disruption/
Rhysida ransomware hits Sumter County Sheriff, threatens
data leak - The Sumter County Sheriff’s Office is the latest
victim claimed by the Rhysida ransomware group, which has
threatened to leak data including scans of IDs and
fingerprints.
https://www.scmagazine.com/news/rhysida-ransomware-hits-sumter-county-sheriff-in-latest-ci-attack
Paris Olympics deals with ransomware attack - A ransomware
attack against the Paris Grand Palais exhibition hall, where
Olympic events are being held, is being investigated.
https://www.scmagazine.com/news/paris-olympics-deals-with-ransomware-attack
Attacker steals personal data of 200K+ people with links to
Arizona tech school - An Arizona tech school will send
letters to 208,717 current and former students, staff, and
parents whose data was exposed during a January break-in
that allowed an attacker to steal nearly 50 types of
personal info.
https://www.theregister.com/2024/08/12/200k_with_links_to_arizona/
WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (6 of 12)
Best Practices - Going Beyond the Minimum
Each bank has the opportunity to go beyond the minimum
requirements and incorporate industry best practices into
its IRP. As each bank tailors its IRP to match its
administrative, technical, and organizational complexity, it
may find some of the following best practices relevant to
its operating environment. The practices addressed below are
not all inclusive, nor are they regulatory requirements.
Rather, they are representative of some of the more
effective practices and procedures some institutions have
implemented. For organizational purposes, the best practices
have been categorized into the various stages of incident
response: preparation, detection, containment, recovery, and
follow-up.
Preparation
Preparing for a potential security compromise of customer
information is a proactive risk management practice. The
overall effectiveness and efficiency of an organization's
response is related to how well it has organized and
prepared for potential incidents. Two of the more effective
practices noted in many IRPs are addressed below.
Establish an incident response team.
A key practice in preparing for a potential
incident is establishing a team that is specifically
responsible for responding to security incidents. Organizing
a team that includes individuals from various departments or
functions of the bank (such as operations, networking,
lending, human resources, accounting, marketing, and audit)
may better position the bank to respond to a given incident.
Once the team is established, members can be assigned roles
and responsibilities to ensure incident handling and
reporting is comprehensive and efficient. A common
responsibility that banks have assigned to the incident
response team is developing a notification or call list,
which includes contact information for employees, vendors,
service providers, law enforcement, bank regulators,
insurance companies, and other appropriate contacts. A
comprehensive notification list can serve as a valuable
resource when responding to an incident.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Stateful Inspection Firewalls
Stateful inspection firewalls are
packet filters that monitor the state of the TCP connection.
Each TCP session starts with an initial handshake
communicated through TCP flags in the header information.
When a connection is established the firewall adds the
connection information to a table. The firewall can then
compare future packets to the connection or state table.
This essentially verifies that inbound traffic is in
response to requests initiated from inside the firewall.
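The state-table idea described above, as an added illustration that is not code from the FFIEC booklet: a minimal packet filter that records connections opened from the inside and admits inbound packets only when they match a tracked connection. The inside prefix, addresses, ports and the packet trace are all constructed for the example; graceful FIN teardown and idle timeouts are left out.

```python
# Added illustration of stateful inspection; not code from the FFIEC booklet.
# Addresses, ports and the trace are constructed; the inside network is
# assumed to be 10.0.0.0/24.
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # assumption: hosts with this prefix are "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFirewall:
    """Packet filter that admits inbound TCP traffic only when it belongs to a
    connection that an inside host initiated (tracked in the state table)."""

    def __init__(self):
        # state table keyed by (inside_ip, inside_port, outside_ip, outside_port)
        self.table = {}

    @staticmethod
    def _inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    def filter(self, pkt):
        """Return "ALLOW" or "DROP" for pkt and update the state table."""
        outbound = self._inside(pkt.src) and not self._inside(pkt.dst)
        inbound = self._inside(pkt.dst) and not self._inside(pkt.src)
        if not (outbound or inbound):
            return "DROP"                        # same-side traffic is out of scope here
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        state = self.table.get(key)

        if "RST" in pkt.flags:
            # A reset tears the connection down; honour it only for a tracked one.
            if state is None:
                return "DROP"
            del self.table[key]
            return "ALLOW"

        if outbound:
            if pkt.flags == {"SYN"}:             # inside host opens a connection
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            if state == "SYN_RECEIVED" and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"  # third step of the handshake
                return "ALLOW"
            return "ALLOW" if state == "ESTABLISHED" else "DROP"

        # inbound: only packets matching a tracked connection get through
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"     # server's reply to our SYN
            return "ALLOW"
        if state == "SYN_RECEIVED" and pkt.flags == {"SYN", "ACK"}:
            return "ALLOW"                       # retransmitted SYN/ACK
        return "ALLOW" if state == "ESTABLISHED" else "DROP"


def run_trace():
    """Feed a constructed packet trace through the firewall and return the verdicts."""
    fw = StatefulFirewall()
    S, SA, A, R = (frozenset({"SYN"}), frozenset({"SYN", "ACK"}),
                   frozenset({"ACK"}), frozenset({"RST"}))
    trace = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, S),    # inside opens HTTPS
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, SA),   # server replies
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, A),    # handshake completes
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, A),    # server sends data
        Packet("198.51.100.7", 12345, "10.0.0.5", 22, S),     # unsolicited inbound SYN
        Packet("203.0.113.10", 443, "10.0.0.5", 40001, A),    # wrong inside port
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, R),    # inside resets
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, A),    # late packet, no state
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The trace shows the property the booklet describes: the unsolicited SYN to port 22 and the packet to a port with no state entry are dropped even though both come from "known" outside hosts, and once the inside host resets the connection, a late packet on the same 4-tuple is dropped too.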
Proxy Server Firewalls
Proxy servers act as an intermediary between internal and
external IP addresses and block direct access to the
internal network. Essentially, they rewrite packet headers
to substitute the IP of the proxy server for the IP of the
internal machine and forward packets to and from the
internal and external machines. Due to that limited
capability, proxy servers are commonly employed behind other
firewall devices. The primary firewall receives all traffic,
determines which application is being targeted, and hands
off the traffic to the appropriate proxy server. Common
proxy servers are the domain name server (DNS), Web server
(HTTP), and mail (SMTP) server. Proxy servers frequently
cache requests and responses, providing potential
performance benefits. Additionally, proxy servers provide
another layer of access control by segregating the flow of
Internet traffic to support additional authentication and
logging capability, as well as content filtering. Web and
e-mail proxy servers, for example, are capable of filtering
for potential malicious code and application-specific
commands.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.1.4 Employee Training and Awareness
Even after a candidate has been hired, the staffing process
cannot yet be considered complete -- employees still have to
be trained to do their job, which includes computer security
responsibilities and duties. Such security training can be
very cost-effective in promoting security.
Some computer security experts argue that employees must
receive initial computer security training before they are
granted any access to computer systems. Others argue that
this must be a risk-based decision, perhaps granting only
restricted access (or, perhaps, only access to their PC)
until the required training is completed. Both approaches
recognize that adequately trained employees are crucial to
the effective functioning of computer systems and
applications. Organizations may provide introductory
training prior to granting any access with follow-up more
extensive training. In addition, although training of new
users is critical, it is important to recognize that
security training and awareness activities should be ongoing
during the time an individual is a system user.
10.2 User Administration
Effective administration of users' computer access is
essential to maintaining system security. User account
management focuses on identification, authentication, and
access authorizations. This is augmented by the process of
auditing and otherwise periodically verifying the legitimacy
of current accounts and access authorizations. Finally,
there are considerations involved in the timely modification
or removal of access and associated issues for employees who
are reassigned, promoted, or terminated, or who retire.
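The periodic verification of accounts and the timely removal of access for people who leave or change roles, as an added example that is not code from the NIST Handbook: a review that reconciles a system's account export against an HR roster. The roster, the account records and the field names are constructed assumptions for the illustration.

```python
# Added illustration of a periodic account review; not code from NIST.
# The HR roster, the account export and the field names are constructed.
from datetime import date

# constructed HR roster: username -> employment status and current department
HR_ROSTER = {
    "alice": {"status": "active", "department": "operations"},
    "bob": {"status": "terminated", "department": "lending"},
    "carol": {"status": "active", "department": "marketing"},   # moved from lending
    "dave": {"status": "active", "department": "accounting"},
    "erin": {"status": "terminated", "department": "audit"},
}

# constructed account export: one record per system account
ACCOUNTS = [
    {"user": "alice", "enabled": True, "granted_for": "operations", "last_login": date(2024, 8, 10)},
    {"user": "bob", "enabled": True, "granted_for": "lending", "last_login": date(2024, 7, 1)},
    {"user": "carol", "enabled": True, "granted_for": "lending", "last_login": date(2024, 8, 12)},
    {"user": "svc-backup", "enabled": True, "granted_for": "operations", "last_login": date(2024, 8, 14)},
    {"user": "dave", "enabled": True, "granted_for": "accounting", "last_login": date(2024, 3, 1)},
    {"user": "erin", "enabled": False, "granted_for": "audit", "last_login": date(2024, 5, 20)},
]


def review_accounts(accounts, roster, today, dormant_days=90):
    """Return (user, finding) pairs for accounts that need action.

    TERMINATED_ACTIVE: owner has left but the account is still enabled.
    STALE_ENTITLEMENT: access was granted for a department the owner has left.
    ORPHANED: no HR record backs the account (service accounts need a named owner).
    DORMANT: enabled but unused for longer than dormant_days.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "ORPHANED"))
            continue
        if not acct["enabled"]:
            continue                                 # already removed; nothing to do
        if person["status"] == "terminated":
            findings.append((user, "TERMINATED_ACTIVE"))
        elif person["department"] != acct["granted_for"]:
            findings.append((user, "STALE_ENTITLEMENT"))
        if (today - acct["last_login"]).days > dormant_days:
            findings.append((user, "DORMANT"))
    return findings


def run_review(today_iso="2024-08-15", dormant_days=90):
    """Run the review over the constructed data as of the given date."""
    return review_accounts(ACCOUNTS, HR_ROSTER, date.fromisoformat(today_iso), dormant_days)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:12} {finding}")
```

Each finding maps to one of the Handbook's concerns: the terminated employee whose account is still enabled, the employee whose access reflects a former role, the account nobody in HR is accountable for, and the account that has gone unused long enough to question whether it is still needed. Running this on a schedule, with the findings routed to the account owners' managers, is what "periodically verifying the legitimacy of current accounts" looks like in practice.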