MISCELLANEOUS CYBERSECURITY NEWS:
In the wake of the CrowdStrike outage, here’s a workable
four-step patching strategy - The recent CrowdStrike
incident in which an auto-update took down airports and
medical facilities around the world highlights one of the
huge risks companies face today relying on vendor-enabled
auto-updates.
https://www.scmagazine.com/perspective/in-the-wake-of-the-crowdstrike-outage-heres-a-workable-four-step-patching-strategy
Post-Quantum Cryptography Standards Officially Announced by
NIST - NIST has formally published three post-quantum
cryptography standards from the competition it held to
develop cryptography able to withstand the anticipated
quantum computing decryption of current asymmetric
encryption.
https://www.securityweek.com/post-quantum-cryptography-standards-officially-announced-by-nist-a-history-and-explanation/
White House details $11M plan to help secure open source -
The Department of Homeland Security plans to invest $11
million toward improving security in open source software, a
key area of focus under the administration’s national
cybersecurity strategy.
https://www.cybersecuritydive.com/news/white-house-11-million-secure-open-source/724223/
Five novel email phishing attacks - and what to do about
them - Email volume has surged, and so too have phishing
attacks. And it’s not just the volume or frequency of
attacks that’s a concern: it’s their evolving, AI-fueled
sophistication that’s so troubling.
https://www.scmagazine.com/perspective/five-novel-email-phishing-attacks-and-what-to-do-about-them
Social engineering attacks continue to evolve - here’s how
to keep up - Ever since email first rose in popularity as a
business communication tool in the early 1990s,
cybercriminals have leveraged it as a vector for social
engineering attacks.
https://www.scmagazine.com/perspective/social-engineering-attacks-continue-to-evolve-heres-how-to-keep-up
Insurance coverage drives cyber risk reduction for
companies, researchers say - Companies with cyber coverage
are better able to detect and respond to attacks, according
to a report.
https://www.cybersecuritydive.com/news/insurance-cyber-risk-reduction/724852/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Thousands of Oracle NetSuite sites said to be exposing
customer data - A misconfiguration in Oracle’s NetSuite
SuiteCommerce offering could put customer data at risk of
exposure.
https://www.scmagazine.com/news/thousands-of-oracle-netsuite-sites-said-to-be-exposing-customer-data
National Public Data Hacked: 2.9 Billion Users' Personal Data
Stolen - In one of the largest data breaches in history, the
personal information of nearly 3 billion individuals has
been stolen from National Public Data, a background check
and fraud prevention service provider.
https://cybersecuritynews.com/national-public-data-hacked/
Enzo Biochem ordered to cough up $4.5 million over lousy
security that led to ransomware disaster - Biotech biz Enzo
Biochem is being forced to pay three state attorneys general
a $4.5 million penalty following a 2023 ransomware attack
that compromised the data of more than 2.4 million people.
https://www.theregister.com/2024/08/14/enzo_biochem_ransomware_fine/
National Public Data tells officials 'only' 1.3M people
affected by intrusion - The data broker at the center of
what may become one of the more significant breaches of the
year is telling officials that just 1.3 million people were
affected.
https://www.theregister.com/2024/08/19/national_public_data_breach/
Columbus officials warn victims, witnesses after ransomware
leak of prosecutor files - City leaders in Columbus warned
victims and witnesses of crimes to stay alert about
potential threats after a ransomware gang published
information stolen from the local prosecutor's office on the
dark web.
https://therecord.media/columbus-ransomware-officials-warn-victims-after-data-leak
City of Flint Scrambling to Restore Services Following
Ransomware Attack - The City of Flint, Michigan, has been
struggling with network and online service disruptions after
being hit by ransomware last week.
https://www.securityweek.com/city-of-flint-scrambling-to-restore-services-following-ransomware-attack/
Oregon Zoo Ticketing Service Hack Impacts 118,000 - The
Oregon Zoo is notifying roughly 118,000 individuals that
their names and payment card information were stolen from its
online ticketing service.
https://www.securityweek.com/oregon-zoo-ticketing-service-hack-impacts-118000/
Carespring Data Breach Exposes Personal and Medical
Information of Nearly 77,000 Patients - Ohio nursing home
Carespring Healthcare Management is notifying approximately
77,000 individuals that their personal and medical
information was compromised in a data breach that dates back
to October 2023.
https://www.securityweek.com/carespring-data-breach-exposes-personal-and-medical-information-of-nearly-77000-patients/
WEB SITE COMPLIANCE - We continue the series on FDIC
Supervisory Insights regarding Incident Response Programs.
(7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program is
to define what
constitutes an incident. This step is important as it
sharpens the organization's focus and delineates the types
of events that would trigger the use of the IRP. Moreover,
identifying potential security incidents can also make the
possible threats seem more tangible, and thus better enable
organizations to design specific incident-handling
procedures for each identified threat.
Detection
The ability to detect that an incident is occurring or has
occurred is an important component of the incident response
process. This is considerably more important with respect to
technical threats, since these can be more difficult to
identify without the proper technical solutions in place. If
an institution is not positioned to quickly identify
incidents, the overall effectiveness of the IRP may be
affected. Following are two detection-related best practices
included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical
solution, such as an intrusion detection system or a
firewall, to assist in the identification of unauthorized
system access. Activity reports from these and other
technical solutions (such as network and application
security reports) serve as inputs for the monitoring process
and for the IRP in general. Identifying potential indicators
of unauthorized system access within these activity or
security reports can assist in the detection process.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Application-Level Firewalls
Application-level firewalls perform
application-level screening, typically including the
filtering capabilities of packet filter firewalls with
additional validation of the packet content based on the
application. Application-level firewalls capture and compare
packets to state information in the connection tables.
Unlike a packet filter firewall, an application-level
firewall continues to examine each packet after the initial
connection is established for specific applications or
services such as telnet, FTP, HTTP, SMTP, etc. The
application-level firewall can provide additional screening
of the packet payload for commands, protocols, packet
length, authorization, content, or invalid headers.
Application-level firewalls provide the strongest level of
security, but are slower and require greater expertise to
administer properly.
The primary disadvantages of application-level firewalls are:
- The time required to read and interpret each packet slows
network traffic. Traffic of certain types may have to be
split off before the application-level firewall and passed
through different access controls.
- Any particular firewall may provide only limited support
for new network applications and protocols, and may simply
allow traffic from those applications and protocols to pass
through the firewall.
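As an added example (not code from the FFIEC booklet), the following Python contrasts the two decisions described above: a packet-filter rule that consults only addresses and port, and application-level screening that keeps inspecting the payload of each SMTP command line after the connection has been allowed. The networks, the rule and the command policy are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Packet-filter rule (constructed): inbound SMTP from the partner network to
# the mail relay is allowed; the rule never looks past addresses and port.
ALLOW_RULE = (ipaddress.ip_network("198.51.100.0/24"), "192.0.2.25", 25)

# Application-level policy (constructed): the SMTP commands this relay will
# accept and the RFC 5321 command-line limit (512 octets including CRLF).
SMTP_ALLOWED_COMMANDS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA",
                         b"RSET", b"NOOP", b"QUIT"}
SMTP_MAX_LINE = 512


def packet_filter(pkt: Packet) -> bool:
    """Stateless packet-filter decision: source network, destination, port."""
    net, dst, port = ALLOW_RULE
    return (ipaddress.ip_address(pkt.src) in net
            and pkt.dst == dst and pkt.dport == port)


def smtp_screen(payload: bytes) -> tuple:
    """Screen one SMTP command line for length, framing and permitted command.
    Only the command phase is modelled; message body lines are out of scope."""
    if len(payload) > SMTP_MAX_LINE:
        return False, "line too long"
    if not payload.endswith(b"\r\n"):
        return False, "invalid line terminator"
    cmd = payload.rstrip(b"\r\n").split(b" ", 1)[0].upper()
    if cmd not in SMTP_ALLOWED_COMMANDS:
        return False, "command not permitted: " + cmd.decode(errors="replace")
    return True, "ok"


def application_firewall(pkt: Packet) -> tuple:
    """Packet-filter check first, then payload screening on every packet of
    the established connection, as the booklet describes."""
    if not packet_filter(pkt):
        return False, "blocked by packet filter"
    return smtp_screen(pkt.payload)
```

A packet filter alone would pass the third packet below, since it matches the rule on addresses and port; only the payload screen rejects it.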
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.2.1 User Account Management
User account management involves (1) the process of
requesting, establishing, issuing, and closing user
accounts; (2) tracking users and their respective access
authorizations; and (3) managing these functions.
User account management typically begins with a request
from the user's supervisor to the system manager for a
system account. If a user is to have access to a particular
application, this request may be sent through the
application manager to the system manager. This will ensure
that the systems office receives formal approval from the
"application manager" for the employee to be given access.
The request will normally state the level of access to be
granted, perhaps by function or by specifying a particular
user profile. (Often when more than one employee is doing
the same job, a "profile" of permitted authorizations is
created.)
Systems operations staff will normally then use the account
request to create an account for the new user. The access
levels of the account will be consistent with those
requested by the supervisor. This account will normally be
assigned selected access authorizations. These are sometimes
built directly into applications, and other times rely upon
the operating system. "Add-on" access applications are also
used. These access levels and authorizations are often tied
to specific access levels within an application.
Next, employees will be given their account information,
including the account identifier (e.g., user ID) and a means
of authentication (e.g., password or smart card/PIN). One
issue that may arise at this stage is whether the user ID is
to be tied to the particular position an employee holds
(e.g., ACC5 for an accountant) or the individual employee
(e.g., BSMITH for Brenda Smith). Tying user IDs to positions
may simplify administrative overhead in some cases; however,
it may make auditing more difficult as one tries to trace
the actions of a particular individual. It is normally more
advantageous to tie the user ID to the individual employee.
However, if the user ID is created and tied to a position,
procedures will have to be established to change them if
employees switch jobs or are otherwise reassigned.
When employees are given their account, it is often
convenient to provide initial or refresher training and
awareness on computer security issues. Users should be asked
to review a set of rules and regulations for system access.
To indicate their understanding of these rules, many
organizations require employees to sign an "acknowledgment
statement," which may also state causes for dismissal or
prosecution under the Computer Fraud and Abuse Act and other
applicable state and local laws.
When user accounts are no longer required, the supervisor
should inform the application manager and system management
office so accounts can be removed in a timely manner. One
useful secondary check is to work with the local
organization's personnel officer to establish a procedure
for routine notification of employee departures to the
systems office.
It is essential to realize that access and authorization
administration is a continuing process. New user accounts
are added while others are deleted. Permissions change:
sometimes permanently, sometimes temporarily. New
applications are added, upgraded, and removed. Tracking this
information to keep it up to date is not easy, but is
necessary to allow users access to only those functions
necessary to accomplish their assigned responsibilities --
thereby helping to maintain the principle of least
privilege. In managing these accounts, there is a need to
balance timeliness of service and record keeping. While
sound record keeping practices are necessary, delays in
processing requests (e.g., change requests) may lead to
requests for more access than is really necessary -- just to
avoid delays should such access ever be required.
Managing this process of user access is also one that,
particularly for larger systems, is often decentralized.
Regional offices may be granted the authority to create
accounts and change user access authorizations or to submit
forms requesting that the centralized access control
function make the necessary changes. Approval of these
changes is important -- it may require the approval of the
file owner and the supervisor of the employee whose access
is being changed.
Example of Access Levels Within an Application

  Level   Function
  1       Create Records
  2       Edit Group A records
  3       Edit Group B records
  4       Edit all records
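As an added example (not code from the NIST Handbook), the following Python models the account lifecycle described in this section: a supervisor's request, formal approval from the application manager, provisioning against a shared profile, least-privilege authorization checks against the access levels in the table above, and removal on a routine departure notice from the personnel officer. The profiles, user IDs and approver names are constructed.

```python
from dataclasses import dataclass, field

# Access levels from the handbook's example table.
LEVELS = {1: "Create Records", 2: "Edit Group A records",
          3: "Edit Group B records", 4: "Edit all records"}
# Profiles (constructed): one set of permitted authorizations per job,
# created once and shared by everyone doing that job.
PROFILES = {"clerk": {1}, "group_a_editor": {1, 2}, "records_manager": {1, 4}}


@dataclass
class Account:
    user_id: str        # tied to the individual (BSMITH), not the position
    profile: str
    approved_by: str


@dataclass
class AccountSystem:
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # every decision, per user ID

    def request(self, user_id, profile, supervisor, app_manager_approval):
        """Supervisor requests; the account exists only with formal
        approval from the application manager and a known profile."""
        if profile not in PROFILES:
            raise ValueError("unknown profile: " + profile)
        if not app_manager_approval:
            self.audit.append(("denied", user_id, supervisor))
            return None
        self.accounts[user_id] = Account(user_id, profile, app_manager_approval)
        self.audit.append(("created", user_id, supervisor))
        return self.accounts[user_id]

    def authorize(self, user_id, action, group=None):
        """Least privilege: allow only the functions in the user's profile."""
        acct = self.accounts.get(user_id)
        levels = PROFILES[acct.profile] if acct else set()
        if action == "create":
            ok = 1 in levels
        elif action == "edit":
            ok = (4 in levels or (group == "A" and 2 in levels)
                  or (group == "B" and 3 in levels))
        else:
            ok = False
        self.audit.append(("allowed" if ok else "refused", user_id, action))
        return ok

    def departure_notice(self, user_id):
        """Routine notice from the personnel officer removes the account."""
        if self.accounts.pop(user_id, None) is not None:
            self.audit.append(("closed", user_id, "departure"))
```

Because every audit entry carries the individual's user ID rather than a position code, the trail of one employee's actions can be reconstructed after the account is closed.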
Sample User Account and Password Acknowledgment Form:
"I hereby acknowledge personal receipt of the system
password(s) associated with the user IDs listed below. I
understand that I am responsible for protecting the
password(s), will comply with all applicable system security
standards, and will not divulge my password(s) to any
person. I further understand that I must report to the
Information Systems Security Officer any problem I encounter
in the use of the password(s) or when I have reason to
believe that the private nature of my password(s) has been
compromised."