MISCELLANEOUS CYBERSECURITY NEWS:
Federally Insured Credit Unions Required to Report Cyber Incidents Within 3 Days - The National Credit Union Administration (NCUA) is updating cyberattack reporting rules, requiring all federally insured credit unions to report incidents within 72 hours of discovery.
https://www.securityweek.com/federally-insured-credit-unions-required-to-report-cyber-incidents-within-3-days/
These 3 teams just hacked a US Air Force satellite in space ... and won big cash prizes - The issue of satellite cybersecurity has taken center stage in recent years. The U.S. Air Force has announced the winners of its first-of-its-kind satellite hacking contest.
https://www.space.com/satellite-hacking-hack-a-sat-competition-winners
CISA Releases Cyber Defense Plan to Reduce RMM Software Risks - The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday announced the release of a strategic plan to help critical infrastructure organizations reduce the risks associated with the use of remote monitoring and management (RMM) solutions.
https://www.securityweek.com/cisa-releases-cyber-defense-plan-to-reduce-rmm-software-risks/
White House Orders Federal Agencies to Bolster Cyber Safeguards - The White House has ordered federal agencies to get their cybersecurity safeguards up to date as they lag in their ability to implement President Biden's executive order, issued in 2021.
https://www.darkreading.com/attacks-breaches/white-house-orders-federal-agencies-to-bolster-cyber-safeguards
How third-party support can alleviate CISO concerns over security, compliance, and interoperability - Many business leaders are already familiar with the pitfalls of their vendor's software support.
https://www.scmagazine.com/perspective/three-reasons-why-third-party-support-can-alleviate-ciso-concerns-over-security-compliance-and-interoperability
Cybersecurity challenges in 2023: evolution, not revolution - COVID-19 not only changed the way we work, it also created what Mimecast co-founder and CEO Peter Bauer describes as the paradox of our rapidly growing reliance on the digital workspace.
https://www.scmagazine.com/feature/cybersecurity-challenges-in-2023-evolution-not-revolution
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
LinkedIn accounts hacked in widespread hijacking campaign - LinkedIn is being targeted in a wave of account hacks resulting in many accounts being locked out for security reasons or ultimately hijacked by attackers.
https://www.bleepingcomputer.com/news/security/linkedin-accounts-hacked-in-widespread-hijacking-campaign/
Malicious QR Codes Used in Phishing Attack Targeting US Energy Company - Aimed at harvesting the Microsoft account credentials of the targeted organizations' employees, the attacks rely on malicious QR codes embedded inside PNG images or PDF documents. The phishing links, Cofense explains, have been hidden in the QR codes.
https://www.securityweek.com/malicious-qr-codes-used-in-phishing-attack-targeting-us-energy-company/
Tesla says former employees leaked thousands of personal records to German news outlet - Two former Tesla employees have been blamed for leaking the personal data of tens of thousands of current and former employees to a German newspaper earlier this year.
https://www.scmagazine.com/news/tesla-says-former-employees-leaked-thousands-of-personal-records-to-german-news-outlet
Hotmail email delivery fails after Microsoft misconfigures DNS - Hotmail users worldwide have problems sending emails, with messages flagged as spam or not delivered after Microsoft misconfigured the domain's DNS SPF record.
https://www.bleepingcomputer.com/news/microsoft/hotmail-email-delivery-fails-after-microsoft-misconfigures-dns/
Energy One Investigates Cyberattack - Wholesale energy software provider Energy One reported on Friday a cyberattack had affected "certain corporate systems" in Australia and the UK.
https://www.darkreading.com/dr-global/energy-one-investigates-cyberattack
'Audacious' HiatusRAT campaign targets US military server - Researchers from Lumen's Black Lotus Labs believe an "audacious" HiatusRAT malware attack against a U.S. Department of Defense server may be aligned with other recent espionage-focused campaigns linked to China.
https://www.scmagazine.com/news/brazen-hiatusrat-campaign-targets-u-s-military-server
North Korean hackers transferred $40 million in stolen cryptocurrency funds in one day - Cryptocurrency companies should already be on guard against North Korean hackers.
https://www.scmagazine.com/news/fbi-north-korean-hackers-have-looted-40-million-in-cryptocurrency-over-the-past-24-hours
WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
INFORMATION SECURITY PROGRAM
A financial institution's board of directors and senior management should be aware of information security issues and be involved in developing an appropriate information security program. A comprehensive information security policy should outline a proactive and ongoing program incorporating three components:
1) Prevention
2) Detection
3) Response
Prevention measures include sound security policies, well-designed system architecture, properly configured firewalls, and strong authentication programs. This paper discusses two additional prevention measures: vulnerability assessment tools and penetration analyses. Vulnerability assessment tools generally involve running scans on a system to proactively detect known vulnerabilities such as security flaws and bugs in software and hardware. These tools can also detect holes allowing unauthorized access to a network, or insiders to misuse the system. Penetration analysis involves an independent party (internal or external) testing an institution's information system security to identify (and possibly exploit) vulnerabilities in the system and surrounding processes. Using vulnerability assessment tools and performing regular penetration analyses will assist an institution in determining what security weaknesses exist in its information systems.
Detection measures involve analyzing available information to determine if an information system has been compromised, misused, or accessed by unauthorized individuals. Detection measures may be enhanced by the use of intrusion detection systems (IDSs) that act as a burglar alarm, alerting the bank or service provider to potential external break-ins or internal misuse of the system(s) being monitored.
Another key area involves preparing a response program to handle suspected intrusions and system misuse once they are detected. Institutions should have an effective incident response program outlined in a security policy that prioritizes incidents, discusses appropriate responses to incidents, and establishes reporting requirements.
FFIEC IT SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review security strategies and plans.
Senior management and the board of directors are responsible for overseeing the development and implementation of their bank's security strategy and plan. Key elements to be included in those strategies and plans are an intrusion risk assessment plan, risk mitigation controls, intrusion response policies and procedures, and testing processes. These elements are needed for both internal and outsourced operations.
The first step in managing the risks of intrusions is to assess the effects that intrusions could have on the institution. Effects may include direct dollar loss, damaged reputation, improper disclosure, lawsuits, or regulatory sanctions. In assessing the risks, management should gather information from multiple sources, including (1) the value and sensitivity of the data and processes to be protected, (2) current and planned protection strategies, (3) potential threats, and (4) the vulnerabilities present in the network environment. Once information is collected, management should identify threats and the likelihood of those threats materializing, rank critical information assets and operations, and estimate potential damage.
The analysis should be used to develop an intrusion protection strategy and risk management plan. The intrusion protection strategy and risk management plan should be consistent with the bank's information security objectives. It also should balance the cost of implementing adequate security controls with the bank's risk tolerance and profile. The plan should be implemented within a reasonable time. Management should document this information, its analysis of the information, and decisions in forming the protection strategy and risk management plan. By documenting this information, management can better control the assessment process and facilitate future risk assessments.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
Computers and the information they process are critical to many organizations' ability to perform their mission and business functions. It therefore makes sense that executives view computer security as a management issue and seek to protect their organization's computer resources as they would any other valuable asset. Doing this effectively requires the development of a comprehensive management approach.
This chapter presents an organization-wide approach to computer security and discusses its important management function. Because organizations differ vastly in size, complexity, management styles, and culture, it is not possible to describe one ideal computer security program. However, this chapter does describe some of the features and issues common to many federal organizations.
6.1 Structure of a Computer Security Program
Many computer security programs that are distributed throughout the organization have different elements performing various functions. While this approach has benefits, the distribution of the computer security function in many organizations is haphazard, usually based upon history (i.e., who was available in the organization to do what when the need arose). Ideally, the distribution of computer security functions should result from a planned and integrated management philosophy.
Managing computer security at multiple levels brings many benefits. Each level contributes to the overall computer security program with different types of expertise, authority, and resources. In general, higher-level officials (such as those at the headquarters or unit levels in the agency described above) better understand the organization as a whole and have more authority. On the other hand, lower-level officials (at the computer facility and applications levels) are more familiar with the specific requirements, both technical and procedural, and problems of the systems and the users. The levels of computer security program management should be complementary; each can help the other be more effective.
Since many organizations have at least two levels of computer security management, this chapter divides computer security program management into two levels: the central level and the system level. (Each organization, though, may have its own unique structure.) The central computer security program can be used to address the overall management of computer security within an organization or a major component of an organization. The system-level computer security program addresses the management of computer security for a particular system.