MISCELLANEOUS CYBERSECURITY NEWS:
Updated FFIEC IT Examination Handbook – Development,
Acquisition, and Maintenance Booklet - The booklet replaces
the Development and Acquisition booklet issued in April
2004.
Press Release:
www.fdic.gov/news/financial-institution-letters/2024/updated-ffiec-it-examination-handbook-development
Press Release:
www.ncua.gov/newsroom/press-release/2024/financial-regulators-update-examiner-guidance-financial-institutions-information-technology
Press Release:
https://www.occ.gov/news-issuances/bulletins/2024/bulletin-2024-25.html
CISA’s $524M headquarters slated for DHS campus in 2027 -
Construction for the agency’s centralized facility is
expected to break ground in the fall. CISA staffers are
currently spread out across five office rentals.
https://www.cybersecuritydive.com/news/cisa-heaquarters-dhs-campus/725103/
FAA proposes new cybersecurity rules for airplanes - The
Federal Aviation Administration unveiled a proposal this
week for new rules governing the cybersecurity of airplanes,
engines and propellers as they are increasingly designed to
be connected to both internal and external data networks
that could make them vulnerable to cyber threats.
https://therecord.media/faa-new-cybersecurity-rules-airplanes
Why the 80-20 rule no longer works for cybersecurity - We’ve
all heard about the Pareto Principle, the idea that
approximately 80% of consequences result from 20% of causes.
Organizations have long applied this "80-20 rule" to areas
such as productivity, sales, quality assurance, and project
management.
https://www.scmagazine.com/perspective/why-the-80-20-rule-no-longer-works-for-cybersecurity
FBI Fails to Secure Sensitive Storage Media Destined for
Destruction, Audit Reveals - The Federal Bureau of
Investigation fails to properly label, store, and secure
decommissioned electronic storage media containing sensitive
information, a new report from the Department of Justice’s
Office of the Inspector General (OIG) shows.
https://www.securityweek.com/fbi-exposing-sensitive-data-via-improper-handling-of-storage-devices-audit/
Dutch data privacy regulator fines Uber $324 million for
failing to adhere to GDPR - The Dutch Data Protection
Authority (DPA) announced Monday that it has fined Uber €290
million ($324 million) for gathering sensitive data from
European drivers and then transferring it to the U.S.
without appropriate safeguards.
https://therecord.media/uber-fined-324-million-netherlands-gdpr
State and local governments see decline in ransomware
attacks but face rising costs and encryption rates - The
latest annual report from Sophos on ransomware developments
for state and local government paints a mixed picture:
https://www.scmagazine.com/resource/state-and-local-governments-see-decline-in-ransomware-attacks-but-face-rising-costs-and-encryption-rates
Automakers meet growing data privacy challenges, experts say
- A Federal Trade Commission crackdown and lawsuit against
GM show automakers are navigating legal risks.
https://www.cybersecuritydive.com/news/ftc-data-privacy-connected-cars/725434/
Preparing for ransomware threats in 2025: What you need to
know - As ransomware continues to evolve, so must the
strategies used to combat it. This was the central theme in
a recent webcast discussion led by Dr. Dustin Sachs, Chief
Technologist at Cyber Risk Collaborative, which featured
cybersecurity experts Michael Farnum, Advisory CISO at
Trace3, and James Blake, Global Security Strategy and
Evangelist at Cohesity.
https://www.scmagazine.com/resource/preparing-for-ransomware-threats-in-2025-what-you-need-to-know
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Halliburton hit by cyberattack, certain systems impacted -
Federal officials said energy services have not been
affected, however the company is still working on
remediation.
https://www.cybersecuritydive.com/news/halliburton-cyberattack/725065/
Halliburton confirms cyberattack on its systems - After two
days of speculation, oil field services company Halliburton
on Aug. 23 confirmed it was the victim of a cyberattack on
its systems.
https://www.scmagazine.com/news/halliburton-confirms-cyberattack-on-its-systems
Several Port of Seattle systems down following ‘possible
cyberattack’ - IT systems at the port and Seattle-Tacoma
International Airport remain offline. The port first
reported system outages Saturday morning.
https://www.cybersecuritydive.com/news/port-seattle-system-outages-cyberattack/725248/
Arrest of Telegram CEO sparks cyberattacks against French
websites - The arrest of Telegram CEO Pavel Durov in France
over the weekend sparked a series of cyberattacks against
French websites by hacktivists protesting Durov’s detention.
https://www.scmagazine.com/news/arrest-of-telegram-ceo-sparks-cyberattacks-against-french-websites
Texas Dow Employees Credit Union notifies 500,000 of MOVEit
breach - The Texas Dow Employees Credit Union (TDECU) on
Aug. 23 sent letters to more than 500,000 people saying
their personal data was compromised during last year’s
MOVEit attacks carried out by the Clop ransomware gang.
https://www.scmagazine.com/news/texas-dow-employees-credit-union-notifies-500000-of-moveit-breach
Seattle airport confronts 4th day of cyberattack outages -
Most flights are departing and arriving as scheduled, but
the Port of Seattle’s websites, phone, email and Wi-Fi are
down. Manual processes at check-in counters are causing
delays.
https://www.cybersecuritydive.com/news/seattle-airport-cyberattack-widespread-outages/725342/
ARRL Confirms $1 Million Ransom Payment Following May Attack
- The American Radio Relay League (ARRL) recently confirmed
the payment of a $1 million ransom to restore its systems
following a ransomware attack that occurred in May.
https://securityonline.info/arrl-confirms-1-million-ransom-payment-following-may-attack/
Seattle-Tacoma Airport IT systems down due to a cyberattack
- The Seattle-Tacoma International Airport has confirmed
that a cyberattack is likely behind the ongoing IT systems
outage that disrupted reservation check-in systems and
delayed flights over the weekend.
https://www.bleepingcomputer.com/news/security/seattle-tacoma-airport-it-systems-down-due-to-a-cyberattack/
Hunters International ransomware gang threatens to leak US
Marshals data - The Hunters International ransomware group
is threatening to leak what it claims to be 386 GB of data
from the U.S. Marshals Service (USMS), more than a year
after the federal law enforcement agency suffered a major
ransomware attack.
https://www.scmagazine.com/news/hunters-international-ransomware-gang-threatens-to-leak-us-marshals-data
McLaren Health Care restores network weeks after ransomware
attack - Still, it may take several weeks to input patient
information manually collected during the outage into its
electronic health record, the Michigan-based health system
said.
https://www.cybersecuritydive.com/news/mclaren-ransomware-recovery/725562/
WEB SITE COMPLIANCE - We continue the series on the FDIC
Supervisory Insights article on Incident Response Programs.
(8 of 12)
Containment
During the containment phase, the institution should
generally implement its predefined procedures for responding
to the specific incident (note that containment procedures
are a required minimum component). Additional
containment-related procedures some banks have successfully
incorporated into their IRPs are discussed below.
Establish notification escalation procedures.
If senior management is not already part of the
incident response team, banks may want to consider
developing procedures for notifying these individuals when
the situation warrants. Providing the appropriate executive
staff and senior department managers with information about
how containment actions will affect business operations or
systems and including these individuals in the
decision-making process can help minimize undesirable
business disruptions. Institutions that have experienced
incidents have generally found that the management
escalation process (and resultant communication flow) was
not only beneficial during the containment phase, but also
proved valuable during the later phases of the incident
response process.
Document details, conversations, and actions.
Retaining documentation is an important component
of the incident response process. Documentation can come in
a variety of forms, including technical reports generated,
actions taken, costs incurred, notifications provided, and
conversations held. This information may be useful to
external consultants and law enforcement for investigative
and legal purposes, as well as to senior management for
filing potential insurance claims and for preparing an
executive summary of the events for the board of directors
or shareholders. In addition, documentation can assist
management in responding to questions from its primary
Federal regulator. It may be helpful during the incident
response process to centralize this documentation for
organizational purposes.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Services and Configuration
Firewalls may provide some additional services:
- Network address translation (NAT) - NAT readdresses
outbound packets to mask the internal IP addresses of the
network. Untrusted networks see a different host IP address
from the actual internal address. NAT allows an institution
to hide the topology and address schemes of its trusted
network from untrusted networks. NAT hides addresses, not
hosts; it complements the firewall's filtering rules and is
not a substitute for them.
- Dynamic host configuration protocol (DHCP) - DHCP assigns
IP addresses to machines that will be subject to the
security controls of the firewall.
- Virtual Private Network (VPN) gateways - A VPN gateway
provides an encrypted tunnel between a remote external
gateway and the internal network. Placing VPN capability on
the firewall and the remote gateway protects information
from disclosure between the gateways but not from the
gateway to the terminating machines. Placement on the
firewall, however, allows the firewall to inspect the
traffic and perform access control, logging, and malicious
code scanning.
One common firewall implementation in financial institutions
hosting Internet applications is a DMZ, a neutral,
Internet-accessible zone typically separated by two
firewalls. One firewall sits between the institution's
private network and the DMZ, and another between the DMZ and
the outside public network. The DMZ constitutes one logical
security domain, the outside public network is another, and
the institution's internal network may be composed of one or
more additional logical security domains. An adequate and
effectively managed firewall can ensure that an
institution's computer systems are not directly accessible
to anyone on the Internet.
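The two-firewall DMZ described above, modelled as an added example (this is not code from the FFIEC booklet): each firewall is a first-match rule list with default deny, and a flow is allowed only if every firewall between its source and destination security domain permits it. The address plan (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network, a web host, a database host and an administrators' subnet), the ports and the rules themselves are assumptions chosen for illustration.

```python
# Added example, not from the FFIEC booklet: a two-firewall DMZ modelled
# as two first-match rule sets, with sample flows evaluated across the
# firewalls they must traverse.  Addresses, hosts and ports are assumed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed address plan: three logical security domains.
ANY      = ip_network("0.0.0.0/0")
DMZ      = ip_network("192.0.2.0/24")   # public-facing zone (TEST-NET-1)
INTERNAL = ip_network("10.0.0.0/8")     # the institution's trusted network
WEB   = ip_network("192.0.2.10/32")     # Internet application host in the DMZ
DB    = ip_network("10.1.1.20/32")      # back-end database, internal only
ADMIN = ip_network("10.5.0.0/24")       # administrators' subnet

@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]   # None matches any TCP port
    allow: bool

# Outer firewall, between the public network and the DMZ.  Only the
# published web service is reachable from outside; nothing from outside
# may address the internal network at all.  Unmatched traffic is denied.
OUTER = [
    Rule(ANY, WEB, 443, True),
    Rule(DMZ, ANY, None, True),        # DMZ egress (replies handled statefully)
    Rule(ANY, INTERNAL, None, False),
    Rule(ANY, DMZ, None, False),
]
# Inner firewall, between the DMZ and the internal network.  Only the web
# host may reach the database, and only on its service port; administrators
# may manage DMZ hosts.  Unmatched traffic is denied.
INNER = [
    Rule(WEB, DB, 5432, True),
    Rule(DMZ, INTERNAL, None, False),
    Rule(ADMIN, DMZ, 22, True),
    Rule(INTERNAL, DMZ, None, False),
]

def decide(rules, src, dst, port):
    """First matching rule wins; no match means the firewall's default deny."""
    for r in rules:
        if src in r.src and dst in r.dst and r.port in (None, port):
            return r.allow
    return False

ZONES = ["internet", "dmz", "internal"]   # ordered from outside inward

def zone_of(addr):
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "internet"

def firewalls_on_path(src, dst):
    """Outer sits between internet and dmz, inner between dmz and internal;
    a flow crosses every firewall between its source and destination zones."""
    lo, hi = sorted((ZONES.index(zone_of(src)), ZONES.index(zone_of(dst))))
    crossed = []
    if lo <= 0 < hi:
        crossed.append(OUTER)
    if lo <= 1 < hi:
        crossed.append(INNER)
    return crossed

def permitted(src, dst, port):
    """A flow is permitted only if every firewall on its path allows it."""
    s, d = ip_address(src), ip_address(dst)
    return all(decide(fw, s, d, port) for fw in firewalls_on_path(s, d))

def review_policy():
    """Sample flows a reviewer would check; returns {description: decision}."""
    checks = {
        "internet -> web:443":      ("203.0.113.5", "192.0.2.10", 443),
        "internet -> web:22":       ("203.0.113.5", "192.0.2.10", 22),
        "internet -> db:5432":      ("203.0.113.5", "10.1.1.20", 5432),
        "web -> db:5432":           ("192.0.2.10", "10.1.1.20", 5432),
        "web -> db:22":             ("192.0.2.10", "10.1.1.20", 22),
        "admin -> web:22":          ("10.5.0.7", "192.0.2.10", 22),
        "other internal -> web:22": ("10.2.3.4", "192.0.2.10", 22),
        "web -> internet:80":       ("192.0.2.10", "198.51.100.1", 80),
    }
    return {name: permitted(*flow) for name, flow in checks.items()}

if __name__ == "__main__":
    for name, ok in review_policy().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
```

Running the script prints a decision for each sample flow. The Internet-to-database case is refused at the outer firewall before the inner firewall is ever consulted, which is exactly what placing the internal network in its own security domain buys; the web host can reach the database only on the one port it needs. Against a real deployment the same checks would be run over the exported rule base of the actual firewalls rather than a model, and state handling for return traffic would be part of the rule set.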
Financial institutions have a variety of firewall options
from which to choose depending on the extent of Internet
access and the complexity of their network. Considerations
include the ease of firewall administration, degree of
firewall monitoring support through automated logging and
log analysis, and the capability to provide alerts for
abnormal activity.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.2.2 Audit and Management Reviews
From time to time, it is necessary to review user account
management on a system. Within the area of user access
issues, such reviews may examine the levels of access each
individual has, conformity with the concept of least
privilege, whether all accounts are still active, whether
management authorizations are up-to-date, whether required
training has been completed, and so forth.
These reviews can be conducted on at least two levels:
(1) on an application-by-application basis or (2) on a
systemwide basis. Both kinds of reviews can be conducted by,
among others, in-house systems personnel (a self-audit), the
organization's internal audit staff, or external auditors.
For example, a good practice is for application managers
(and data owners, if different) to review all access levels
of all application users every month -- and sign a formal
access approval list, which will provide a written record of
the approvals. While it may initially appear that such
reviews should be conducted by systems personnel, they
usually are not fully effective. System personnel can verify
that users only have those accesses that their managers have
specified. However, because access requirements may change
over time, it is important to involve the application
manager, who is often the only individual in a position to
know current access requirements.
Outside audit organizations (e.g., the Inspector General [IG]
or the General Accounting Office) may also conduct audits.
For example, the IG may direct a more extensive review of
permissions. This may involve discussing the need for
particular access levels for specific individuals or the
number of users with sensitive access. For example, how many
employees should really have authorization to the
check-printing function? (Auditors will also examine
non-computer access by reviewing, for example, who should
have physical access to the check printer or blank-check
stock.)
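A monthly access review of the kind described above, as an added example that is not from the NIST Handbook: it reconciles the access an application actually grants against the list the application manager signed, and flags the conditions the text names, namely access nobody approved, accounts that are no longer active, and the number of users holding a sensitive function such as check printing. It also renders the formal approval list with a digest so the signed copy can be matched to the content that was reviewed. The account extract, the approved list, the 90-day dormancy threshold and the ceiling of two check-print holders are constructed assumptions.

```python
# Added example, not from the NIST Handbook: a periodic user-access review
# that reconciles what an application actually grants against the list the
# application manager (or data owner) has approved.  All data is constructed.
import hashlib
from datetime import date

REVIEW_DATE = date(2024, 9, 1)
DORMANT_AFTER_DAYS = 90            # assumed threshold for "no longer active"
SENSITIVE = {"check-print"}        # functions that need individual justification
MAX_SENSITIVE_HOLDERS = 2          # assumed ceiling agreed with the data owner

# Constructed extract of the application's access table:
# (user, function, last login as ISO date or None, account enabled?)
SYSTEM_ACCESS = [
    ("alice", "ap-entry",    "2024-08-29", True),
    ("alice", "check-print", "2024-08-29", True),
    ("bob",   "ap-entry",    "2024-05-02", True),   # no login for months
    ("carol", "check-print", "2024-08-30", True),
    ("dave",  "check-print", "2024-08-30", True),   # never approved
    ("erin",  "ap-approve",  None,         False),  # disabled but still provisioned
]

# Constructed list as signed by the application manager last month.
APPROVED = {
    "alice": {"ap-entry", "check-print"},
    "bob":   {"ap-entry"},
    "carol": {"check-print"},
    "erin":  set(),                 # left the team; all access should be gone
}

def review_access(system_access, approved, review_date=REVIEW_DATE):
    """Compare granted access with approved access and return the findings
    a reviewer must act on or explicitly accept."""
    findings = {"unapproved": [], "dormant": set(), "disabled_but_provisioned": [],
                "not_provisioned": [], "sensitive_holders": set()}
    granted = {}
    for user, func, last_login, enabled in system_access:
        granted.setdefault(user, set()).add(func)
        if func not in approved.get(user, set()):
            findings["unapproved"].append((user, func))
        if not enabled:
            findings["disabled_but_provisioned"].append((user, func))
        else:
            idle = (review_date - date.fromisoformat(last_login)).days if last_login else None
            if idle is None or idle > DORMANT_AFTER_DAYS:
                findings["dormant"].add(user)
            if func in SENSITIVE:
                findings["sensitive_holders"].add(user)
    # Approved access that is not actually granted is not an exposure, but it
    # shows the signed list has drifted from what the system enforces.
    for user, funcs in approved.items():
        for func in sorted(funcs - granted.get(user, set())):
            findings["not_provisioned"].append((user, func))
    findings["dormant"] = sorted(findings["dormant"])
    findings["sensitive_holders"] = sorted(findings["sensitive_holders"])
    findings["too_many_sensitive"] = len(findings["sensitive_holders"]) > MAX_SENSITIVE_HOLDERS
    return findings

def approval_record(approved, review_date=REVIEW_DATE):
    """Render the formal access approval list the manager signs.  The digest
    ties the signature to exactly this content, so a later question about
    what was approved can be answered from the record."""
    lines = [f"{user}: {', '.join(sorted(funcs))}" for user, funcs in sorted(approved.items())]
    body = f"Access approval list as of {review_date.isoformat()}\n" + "\n".join(lines) + "\n"
    return body + "sha256=" + hashlib.sha256(body.encode()).hexdigest() + "\n"

if __name__ == "__main__":
    for key, value in review_access(SYSTEM_ACCESS, APPROVED).items():
        print(f"{key}: {value}")
    print(approval_record(APPROVED))
```

The systems-personnel half of the review is the comparison itself (is every grant on the approved list?); the application-manager half is whether the approved list is still right, which is why the record also reports approved-but-not-provisioned entries and the count of sensitive-function holders against the agreed ceiling. Dormant and disabled-but-provisioned accounts are reported separately because the remediation differs: the former need a manager decision, the latter a deprovisioning ticket.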