Does your financial institution need an affordable cybersecurity and Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The penetration test also addresses the resilience testing provisions of the FFIEC Cybersecurity Assessment Tool.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning. The audit is performed from a hacker's perspective, which helps you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
MISCELLANEOUS CYBERSECURITY NEWS:
NIST Expands Cybersecurity Framework with New Pillar - The US
National Institute of Standards and Technology (NIST) has released a
new draft version of its popular best practice security framework,
designed to expand its scope and provide more guidance on
implementation.
https://www.infosecurity-magazine.com/news/nist-expands-cybersecurity/
Shift in CISO duties include sales pitch support - Chief information
security officers (CISOs) are increasingly finding themselves pulled
into sales engagements to vouch for their company's product or
service cybersecurity.
https://www.scmagazine.com/news/shift-in-ciso-duties-include-sales-pitch-support
Gootloader SEO watering hole malware targets law firms - A search
engine optimization (SEO) watering hole technique called Gootloader has
been observed targeting legal-related search terms and has been
identified as a threat to law firms and people searching for
legal information online.
https://www.scmagazine.com/news/gootloader-seo-watering-hole-malware-targets-law-firms
New York Introduces First-Ever Statewide Cybersecurity Strategy -
Governor Kathy Hochul has introduced New York's first-ever statewide
cybersecurity strategy, reinforced by a $600m commitment.
https://www.infosecurity-magazine.com/news/new-york-first-cybersecurity/
Federal board investigating Microsoft email hacks by Chinese group -
Recent Chinese state-sponsored hacking of Microsoft email users,
including leading U.S. officials, will be the focus of a review by
the Department of Homeland Security’s Cyber Safety Review Board (CSRB).
https://www.scmagazine.com/news/federal-board-investigating-microsoft-email-hacks-by-chinese-group
Why detection and response technology won’t solve all ransomware
attacks - Ransomware has become prolific, with a new ransomware
attack striking on average every 10 seconds. That figure may shrink
to just two seconds by 2031.
https://www.scmagazine.com/perspective/why-detection-and-response-technology-wont-solve-all-ransomware-attacks
More hardcoded credentials than ever, and sloppy coding is to blame
- Access credentials, security keys and other "secrets" are all too
frequently found embedded in web and mobile apps, and poor security
practices are the reason why.
https://www.scmagazine.com/news/more-hardcoded-credentials-than-ever-and-sloppy-coding-is-to-blame
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
UK voter data within reach of miscreants who hacked Electoral
Commission - The IT infrastructure of the UK's Electoral Commission
was broken into by miscreants, who will have had access to names and
addresses of voters, as well as the election oversight body's email
and unspecified other systems.
https://www.theregister.com/2023/08/08/uk_electoral_commission_hacked_voter/
4M Coloradans notified their medical data was exposed in MOVEit
incident - The Colorado Department of Health Care Policy and
Financing (HCPF) on Friday notified more than four million people
that their personal healthcare data was exposed in a breach of
Progress Software's MOVEit Transfer application.
https://www.scmagazine.com/news/colorado-notifies-4-million-people-that-their-medical-data-was-exposed-in-third-party-moveit-incident
https://www.securityweek.com/colorado-health-agency-says-4-million-impacted-by-moveit-hack/
Southern African power generator targeted with DroxiDat malware -
Researchers have uncovered a suspected cyberattack targeting a power
generator in southern Africa with a new variant of the SystemBC
malware.
https://therecord.media/southern-africa-utility-targeted-cyberattack
Alberta dental firm pays ransomware gang after attack - Nearly 1.5
million Albertans' personal information was recently compromised in a
dental data breach, as Alberta Dental Service Corporation of Canada
announced that it was hacked on July 26, with the attacker
encrypting some of its IT systems and data, SiliconAngle reports.
https://www.scmagazine.com/brief/alberta-dental-firm-pays-ransomware-gang-after-attack
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk
Assessment Tools and Practices for Information System Security."
To ensure the security of information systems and data, financial
institutions should have a sound information security program that
identifies, measures, monitors, and manages potential risk exposure.
Fundamental to an effective information security program is ongoing
risk assessment of threats and vulnerabilities surrounding networked
and/or Internet systems. Institutions should consider the various
measures available to support and enhance information security
programs. The appendix to this paper describes certain vulnerability
assessment tools and intrusion detection methods that can be useful
in preventing and identifying attempted external break-ins or
internal misuse of information systems. Institutions should also
consider plans for responding to an information security incident.
FFIEC IT SECURITY -
Over the next few weeks, we will cover OCC Bulletin 2000-14,
Infrastructure Threats and Intrusion Risks.
This bulletin provides guidance to financial institutions on
how to prevent, detect, and respond to intrusions into bank computer
systems. Intrusions can originate either inside or outside of the
bank and can result in a range of damaging outcomes, including the
theft of confidential information, unauthorized transfer of funds,
and damage to an institution's reputation.
The prevalence and risk of computer intrusions are increasing
as information systems become more connected and interdependent and
as banks make greater use of Internet banking services and other
remote access devices. Recent e-mail-based computer viruses and the
distributed denial of service attacks earlier this year (the bulletin
was issued in 2000) revealed that the security of all
Internet-connected networks is increasingly intertwined. The number
of reported intrusion incidents nearly tripled from 1998 to 1999,
according to Carnegie Mellon University's CERT/CC.
Management can reduce a bank's risk exposure by adopting and
regularly reviewing its risk assessment plan, risk mitigation
controls, intrusion response policies and procedures, and testing
processes. This bulletin provides guidance in each of these critical
areas and also highlights information-sharing mechanisms banks can
use to keep abreast of current attack techniques and potential
vulnerabilities.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls, Chapter 5 - COMPUTER SECURITY POLICY
5.5 Cost Considerations
A number of potential costs are associated with developing and
implementing computer security policies. Overall, the major cost of
policy is the cost of implementing the policy and its impacts upon
the organization. For example, establishing a computer security
program, accomplished through policy, does not come at negligible
cost.
Other costs may be those incurred through the policy development
process. Numerous administrative and management activities may be
required for drafting, reviewing, coordinating, clearing,
disseminating, and publicizing policies. In many organizations,
successful policy implementation may require additional staffing and
training - and can take time. In general, the costs to an
organization for computer security policy development and
implementation will depend upon how extensive a change is needed to
achieve a level of risk acceptable to management.