MISCELLANEOUS CYBERSECURITY NEWS:
An experiment showed that the military must change its cybersecurity
approach - The Defense Department’s current “checklist” approach
can’t keep its networks safe. Two years ago, a pair of Navy
information leaders decided to attack their own networks—and not
just once or twice a year during scheduled exercises, but far more
frequently, and unannounced.
https://fcw.com/security/2022/08/experiment-showed-military-must-change-its-cybersecurity-approach/375947/
Can healthcare keep pace with new cyber insurance security
requirements? - In just the last two years, industries facing
an onslaught of cyberattacks, like healthcare, began facing another
problem: cyber insurance carriers were limiting coverage, increasing
premiums, and adding security requirements needed to obtain a policy.
https://www.scmagazine.com/feature/policy/can-healthcare-keep-pace-with-new-cyber-insurance-security-requirements
PC store told it can't claim full cyber-crime insurance after
social-engineering attack - Two different kinds of fraud, says judge
while throwing out lawsuit against insurer - A Minnesota computer
store suing its crime insurance provider has had its case dismissed,
with the courts saying it was a clear instance of social
engineering, a crime for which the insurer was only liable to cover
a fraction of total losses.
https://www.theregister.com/2022/08/16/social_engineering_cyber_crime_insurance/
Florida Orthopaedic reaches $4M settlement over 2020 health data
theft - Florida Orthopaedic Institute reached a $4 million
settlement with the 647,000 patients affected by a server hack and
subsequent ransomware attack in 2020.
https://www.scmagazine.com/analysis/ransomware/florida-orthopaedic-reaches-4m-settlement-over-2020-health-data-theft
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT &
LOSS:
LockBit ransomware group creates leak site after claiming June hack
of Entrust - The LockBit ransomware gang has apparently created a
leak site after claiming responsibility for a hack of Entrust in
June.
https://www.scmagazine.com/news/ransomware/lockbit-ransomware-group-creates-leak-site-after-claiming-june-hack-of-entrust
Hackers steal credentials by building phishing pages on AWS -
Researchers late last week found that hackers have been taking
advantage of their coding knowledge by building phishing pages on
Amazon Web Services.
https://www.scmagazine.com/news/cloud-security/hackers-steal-credentials-by-building-phishing-pages-on-aws
Hackers are using this sneaky exploit to bypass Microsoft's
multi-factor authentication - Attackers guessed the password of a
dormant account and were able to apply their own MFA to it -
providing access to the victim's network. Cyber criminals are
exploiting dormant Microsoft accounts to bypass multi-factor
authentication (MFA) and gain access to cloud services and networks,
researchers have warned.
https://www.zdnet.com/article/hackers-are-using-this-sneaky-trick-to-exploit-dormant-microsoft-cloud-accounts-and-bypass-multi-factor-authentication/
Greek natural gas operator suffers ransomware-related data breach -
Greece's largest natural gas distributor DESFA confirmed on Saturday
that they suffered a limited scope data breach and IT system outage
following a cyberattack.
https://www.bleepingcomputer.com/news/security/greek-natural-gas-operator-suffers-ransomware-related-data-breach/
Ransomware attack on billing vendor leads to data theft for 942K
patients - Practice Resources recently notified 942,138 patients
that their data was accessed or stolen ahead of a ransomware attack
deployed in April.
https://www.scmagazine.com/analysis/ransomware/ransomware-attack-on-billing-vendor-leads-to-data-theft-for-942k-patients
Cyberattack, network outage on French hospital renews patient safety
concerns - A cyberattack deployed on the French hospital Center
Hospitalier Sud Francilien (CHSF) on Sunday, Aug. 21 has grabbed
headlines, as the ransomware threat actors have issued a $10 million
demand to unlock the impacted servers.
https://www.scmagazine.com/analysis/ransomware/cyberattack-network-outage-on-french-hospital-renews-patient-safety-concerns
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services (Part 4 of 4)
Service Provider Oversight
Institutions should implement an oversight program to monitor
each service provider’s controls, condition, and performance.
Responsibility for the administration of the service provider
relationship should be assigned to personnel with appropriate
expertise to monitor and manage the relationship. The number of
personnel, functional responsibilities, and the amount of time
devoted to oversight activities will depend, in part, on the scope
and complexity of the services outsourced. Institutions should
document the administration of the service provider relationship.
Documenting the process is important for contract negotiations,
termination issues, and contingency planning.
Summary
The board of directors and management are responsible for
ensuring adequate risk mitigation practices are in place for
effective oversight and management of outsourcing relationships.
Financial institutions should incorporate an outsourcing risk
management process that includes a risk assessment to identify the
institution’s needs and requirements; proper due diligence to
identify and select a provider; written contracts that clearly
outline duties, obligations and responsibilities of the parties
involved; and ongoing oversight of outsourcing technology services.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
ELECTRONIC AND PAPER-BASED MEDIA HANDLING
Sensitive information is frequently contained on media such as
paper documents, output reports, back-up tapes, disks, cassettes,
optical storage, test data, and system documentation. Protection of
that data requires protection of the media. The theft, destruction,
or other loss of the media could result in the exposure of corporate
secrets, breaches in customer confidentiality,
alteration of data, and the disruption of business activities. The
policies and procedures necessary to protect media may need revision
as new data storage technologies are contemplated for use and new
methods of attack are developed. The sensitivity of the data (as
reflected in the data classification) dictates the extent of
procedures and controls required. Many institutions find it easier
to store and dispose of all media consistently without having to
segregate out the most sensitive information. This approach also can
help reduce the likelihood that someone could infer sensitive
information by aggregating a large amount of less sensitive
information. Management must address three components to secure
media properly: handling and storage, disposal, and transit.
HANDLING AND STORAGE
IT management should ensure secure storage of media from
unauthorized access. Controls could include physical and
environmental controls including fire and flood protection, limited
access (e.g., physical locks, keypad, passwords, biometrics),
labeling, and logged access. Management should establish access
controls to limit access to media, while ensuring each employee is
authorized to access only the minimum level of data required to
perform their responsibilities. More sensitive media like system
documentation, application source code, and production transaction
data should have more extensive controls to guard against alteration
(e.g., integrity checkers, cryptographic hashes). Furthermore,
policies should minimize the distribution of sensitive media,
including the printouts of sensitive information. Periodically, the
security staff, audit staff, and data owners should review
authorization levels and distribution lists to ensure they remain
appropriate and current.
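An added example (not from the FFIEC booklet) of the integrity control the paragraph mentions for source code, system documentation and production data: a SHA-256 manifest over a media directory, with an HMAC over the manifest so that whoever alters the media cannot also rewrite the manifest to match without the key. The directory layout, file contents and key are constructed for illustration.

```python
"""Manifest-based integrity check for stored media (added example; constructed data)."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backup images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _mac(files, key):
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Record a digest for every file under root and sign the record with the key."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            files[os.path.relpath(path, root).replace(os.sep, "/")] = sha256_file(path)
    return {"files": files, "mac": _mac(files, key)}


def verify_manifest(root, manifest, key):
    """Compare the media against the manifest and check the manifest's own MAC."""
    manifest_ok = hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"])
    current = build_manifest(root, key)["files"]
    recorded = manifest["files"]
    return {
        "manifest_ok": manifest_ok,
        "modified": sorted(n for n in recorded if n in current and current[n] != recorded[n]),
        "missing": sorted(n for n in recorded if n not in current),
        "added": sorted(n for n in current if n not in recorded),
    }


def demo():
    """Build a manifest, then tamper with the media and with the manifest itself."""
    key = b"hypothetical-manifest-key-stored-off-the-media"  # assumption; keep off the media
    sample = {  # constructed stand-ins for the media types the booklet lists
        "source/app.c": b"int main(void) { return 0; }\n",
        "docs/design.txt": b"System documentation\n",
        "data/tx-2022-08.csv": b"id,amount\n1,100\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in sample.items():
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        # Alteration, loss and an unexpected addition on the media.
        with open(os.path.join(root, "data/tx-2022-08.csv"), "ab") as f:
            f.write(b"2,999999\n")
        os.remove(os.path.join(root, "docs/design.txt"))
        with open(os.path.join(root, "source/backdoor.c"), "wb") as f:
            f.write(b"/* not in the manifest */\n")
        tampered = verify_manifest(root, manifest, key)

        # Someone with write access to the media edits the manifest to cover the
        # change but has no key, so the MAC no longer matches.
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["data/tx-2022-08.csv"] = sha256_file(os.path.join(root, "data/tx-2022-08.csv"))
        forged_check = verify_manifest(root, forged, key)
    return clean, tampered, forged_check


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Store the key and the manifest somewhere the people who handle the media cannot write to; a `manifest_ok` of False means the record itself was changed, which is a finding in its own right even if every listed digest still matches.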
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.2.1 System Architecture
Most of HGA's staff (a
mix of clerical, technical, and managerial staff) are provided with
personal computers (PCs) located in their offices. Each PC includes
hard-disk and floppy-disk drives.
The PCs are connected
to a local area network (LAN) so that users can exchange and share
information. The central component of the LAN is a LAN server,
a more powerful computer that acts as an intermediary between PCs on
the network and provides a large volume of disk storage for shared
information, including shared application programs. The server
provides logical access controls on potentially sharable information
via elementary access control lists. These access controls can be
used to limit user access to various files and programs stored on
the server. Some programs stored on the server can be retrieved via
the LAN and executed on a PC; others can only be executed on the
server.
To initiate a session
on the network or execute programs on the server, users at a PC must
log into the server and provide a user identifier and password known
to the server. Then they may use files to which they have access.
One of the applications
supported by the server is electronic mail (e-mail), which
can be used by all PC users. Other programs that run on the server
can only be executed by a limited set of PC users.
Several printers,
distributed throughout HGA's building complex, are connected to the
LAN. Users at PCs may direct printouts to whichever printer is most
convenient for their use.
Since HGA must
frequently communicate with industry, the LAN also provides a
connection to the Internet via a router. The router is a
network interface device that translates between the protocols and
addresses associated with the LAN and the Internet. The router also
performs network packet filtering, a form of network access
control, and has recently been configured to disallow non-e-mail
traffic (e.g., file transfer, remote log-in) between LAN and Internet
computers.
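An added example (not from the NIST Handbook) modelling the router's packet filtering described above: a first-match rule list with default deny that lets only SMTP pass between the LAN and the Internet, and rejects file transfer and remote log-in. The addresses, port numbers and rule set are assumptions for illustration; the filter is deliberately stateless, as routers of that description were.

```python
"""Stateless packet filter modelling the HGA router (added example; assumed addresses)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = "10.0.0.0/24"   # hypothetical HGA LAN address range
MAIL = "10.0.0.5/32"  # hypothetical address of the LAN server's e-mail service
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None
    ack: Optional[bool] = None   # None matches either flag state


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False


# Ordered rule list; the first matching rule decides. Anything unmatched is denied,
# which is what excludes FTP (21), telnet (23) and everything else.
RULES = [
    Rule("allow", "tcp", ANY, MAIL, dport=25),            # inbound mail to the server
    Rule("allow", "tcp", MAIL, ANY, sport=25, ack=True),  # server's replies to those clients
    Rule("allow", "tcp", LAN, ANY, dport=25),             # outbound mail from the LAN
    Rule("allow", "tcp", ANY, LAN, sport=25, ack=True),   # replies to LAN-initiated mail sessions
]


def matches(rule, pkt):
    """True when every field the rule constrains agrees with the packet."""
    if rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.ack is not None and rule.ack != pkt.ack:
        return False
    return True


def filter_packet(pkt, rules=RULES):
    """Return (action, index of the matching rule) or ("deny", None) for the default."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", "10.0.0.5", 40000, 25),          # inbound SMTP
        Packet("tcp", "10.0.0.23", "203.0.113.9", 51000, 25),          # outbound SMTP
        Packet("tcp", "198.51.100.7", "10.0.0.23", 40001, 21),         # inbound FTP
        Packet("tcp", "198.51.100.7", "10.0.0.5", 40002, 23),          # inbound telnet
    ]
    for p in samples:
        print(p, "->", filter_packet(p))
```

The last two rules show why this kind of filter needs the caveat the Handbook's later sections raise about access control: a stateless router cannot tell a genuine reply from a forged one, so any inbound segment with the ACK bit set and source port 25 is passed to LAN hosts whatever its destination port. A stateful filter keys replies to connections it saw leave instead of to the ACK flag.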
The LAN server also has
connections to several other devices.
- A modem pool is
provided so that HGA's employees on travel can "dial up" via
the public switched (telephone) network and read or send
e-mail. To initiate a dial-up session, a user must
successfully log in. During dial-up sessions, the LAN server
provides access only to e-mail facilities; no other
functions can be invoked.
- A special console is provided for the server
administrators who configure the server, establish and
delete user accounts, and have other special privileges
needed for administrative and maintenance functions. These
functions can only be invoked from the administrator
console; that is, they cannot be invoked from a PC on
the network or from a dial-up session.
- A connection to a
government agency X.25-based wide-area network (WAN) is
provided so that information can be transferred to or from
other agency systems. One of the other hosts on the WAN is a
large multiagency mainframe system. This mainframe is used
to collect and process information from a large number of
agencies while providing a range of access controls.