MISCELLANEOUS CYBERSECURITY NEWS:
Federally Insured Credit Unions Required to Report Cyber Incidents
Within 3 Days - The National Credit Union Administration (NCUA) is
updating cyberattack reporting rules, requiring all federally
insured credit unions to report incidents within 72 hours of
discovery.
https://www.securityweek.com/federally-insured-credit-unions-required-to-report-cyber-incidents-within-3-days/
These 3 teams just hacked a US Air Force satellite in space ... and
won big cash prizes - The issue of satellite cybersecurity has taken
center stage in recent years. The U.S. Air Force has announced the
winners of its first-of-its-kind satellite hacking contest.
https://www.space.com/satellite-hacking-hack-a-sat-competition-winners
CISA Releases Cyber Defense Plan to Reduce RMM Software Risks - The
Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday
announced the release of a strategic plan to help critical
infrastructure organizations reduce the risks associated with the
use of remote monitoring and management (RMM) solutions.
https://www.securityweek.com/cisa-releases-cyber-defense-plan-to-reduce-rmm-software-risks/
White House Orders Federal Agencies to Bolster Cyber Safeguards -
The White House has ordered federal agencies to get their
cybersecurity safeguards up to date as they lag in their ability to
implement President Biden's executive order, issued in 2021.
https://www.darkreading.com/attacks-breaches/white-house-orders-federal-agencies-to-bolster-cyber-safeguards
How third-party support can alleviate CISO concerns over security,
compliance, and interoperability - Many business leaders are already
familiar with the pitfalls of their vendor’s software support.
https://www.scmagazine.com/perspective/three-reasons-why-third-party-support-can-alleviate-ciso-concerns-over-security-compliance-and-interoperability
Cybersecurity challenges in 2023: evolution, not revolution - COVID-19
not only changed the way we work, it also created what Mimecast
co-founder and CEO Peter Bauer describes as the paradox of our
rapidly growing reliance on the digital workspace.
https://www.scmagazine.com/feature/cybersecurity-challenges-in-2023-evolution-not-revolution
CYBERSECURITY ATTACKS, INTRUSIONS,
DATA THEFT & LOSS:
LinkedIn accounts hacked in widespread hijacking campaign - LinkedIn
is being targeted in a wave of account hacks resulting in many
accounts being locked out for security reasons or ultimately
hijacked by attackers.
https://www.bleepingcomputer.com/news/security/linkedin-accounts-hacked-in-widespread-hijacking-campaign/
Malicious QR Codes Used in Phishing Attack Targeting US Energy
Company - Aimed at harvesting the Microsoft account credentials of
the targeted organizations’ employees, the attacks rely on malicious
QR codes embedded inside PNG images or PDF documents. The phishing
links, Cofense explains, have been hidden in the QR codes.
https://www.securityweek.com/malicious-qr-codes-used-in-phishing-attack-targeting-us-energy-company/
Tesla says former employees leaked thousands of personal records to
German news outlet - Two former Tesla employees have been blamed for
leaking the personal data of tens of thousands of current and former
employees to a German newspaper earlier this year.
https://www.scmagazine.com/news/tesla-says-former-employees-leaked-thousands-of-personal-records-to-german-news-outlet
Hotmail email delivery fails after Microsoft misconfigures DNS -
Hotmail users worldwide have problems sending emails, with messages
flagged as spam or not delivered after Microsoft misconfigured the
domain's DNS SPF record.
https://www.bleepingcomputer.com/news/microsoft/hotmail-email-delivery-fails-after-microsoft-misconfigures-dns/
Energy One Investigates Cyberattack - Wholesale energy software
provider Energy One reported on Friday a cyberattack had affected
"certain corporate systems" in Australia and the UK.
https://www.darkreading.com/dr-global/energy-one-investigates-cyberattack
‘Audacious’ HiatusRAT campaign targets US military server -
Researchers from Lumen’s Black Lotus Labs believe an “audacious”
HiatusRAT malware attack against a U.S. Department of Defense server
may be aligned with other recent espionage-focused campaigns linked
to China.
https://www.scmagazine.com/news/brazen-hiatusrat-campaign-targets-u-s-military-server
North Korean hackers transferred $40 million in stolen
cryptocurrency funds in one day - Cryptocurrency companies should
already be on guard against North Korean hackers.
https://www.scmagazine.com/news/fbi-north-korean-hackers-have-looted-40-million-in-cryptocurrency-over-the-past-24-hours
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review
of the FDIC paper "Risk Assessment Tools and Practices or
Information System Security."
INFORMATION SECURITY PROGRAM
A financial institution's board of directors and senior
management should be aware of information security issues and be
involved in developing an appropriate information security program.
A comprehensive information security policy should outline a
proactive and ongoing program incorporating three components:
1) Prevention
2) Detection
3) Response
Prevention measures include sound security policies,
well-designed system architecture, properly configured firewalls,
and strong authentication programs. This paper discusses two
additional prevention measures: vulnerability assessment tools and
penetration analyses. Vulnerability assessment tools generally
involve running scans on a system to proactively detect known
vulnerabilities such as security flaws and bugs in software and
hardware. These tools can also detect holes allowing unauthorized
access to a network, or insiders to misuse the system. Penetration
analysis involves an independent party (internal or external)
testing an institution's information system security to identify
(and possibly exploit) vulnerabilities in the system and surrounding
processes. Using vulnerability assessment tools and performing
regular penetration analyses will assist an institution in
determining what security weaknesses exist in its information
systems.
Detection measures involve analyzing available information
to determine if an information system has been compromised, misused,
or accessed by unauthorized individuals. Detection measures may be
enhanced by the use of intrusion detection systems (IDSs) that act
as a burglar alarm, alerting the bank or service provider to
potential external break-ins or internal misuse of the system(s)
being monitored.
Another key area involves preparing a response program to
handle suspected intrusions and system misuse once they are
detected. Institutions should have an effective incident response
program outlined in a security policy that prioritizes incidents,
discusses appropriate responses to incidents, and establishes
reporting requirements.
Return to
the top of the newsletter
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
security strategies and plans.
Senior management and the board of directors are responsible for
overseeing the development and implementation of their bank's
security strategy and plan. Key elements to be included in those
strategies and plans are an intrusion risk assessment plan, risk
mitigation controls, intrusion response policies and procedures, and
testing processes. These elements are needed for both internal and
outsourced operations.
The first step in managing the risks of intrusions is to assess
the effects that intrusions could have on the institution. Effects
may include direct dollar loss, damaged reputation, improper
disclosure, lawsuits, or regulatory sanctions. In assessing the
risks, management should gather information from multiple sources,
including (1) the value and sensitivity of the data and processes to
be protected, (2) current and planned protection strategies, (3)
potential threats, and (4) the vulnerabilities present in the
network environment. Once information is collected, management
should identify threats and the likelihood of those threats
materializing, rank critical information assets and operations, and
estimate potential damage.
The analysis should be used to develop an intrusion protection
strategy and risk management plan. The intrusion protection strategy
and risk management plan should be consistent with the bank's
information security objectives. It also should balance the cost of
implementing adequate security controls with the bank's risk
tolerance and profile. The plan should be implemented within a
reasonable time. Management should document this information, its
analysis of the information, and decisions in forming the protection
strategy and risk management plan. By documenting this information,
management can better control the assessment process and facilitate
future risk assessments.
Return to the top of the newsletter
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
Computers and the information
they process are critical to many organizations' ability to perform
their mission and business functions. It therefore makes sense that
executives view computer security as a management issue and seek to
protect their organization's computer resources as they would any
other valuable asset. To do this effectively requires developing of
a comprehensive management approach.
This chapter presents an organization wide approach to computer
security and discusses its important management function. Because
organizations differ vastly in size, complexity, management styles,
and culture, it is not possible to describe one ideal computer
security program. However, this chapter does describe some of the
features and issues common to many federal organizations.
6.1 Structure of a Computer Security Program
Many computer security programs that are distributed throughout
the organization have different elements performing various
functions. While this approach has benefits, the distribution of the
computer security function in many organizations is haphazard,
usually based upon history (i.e., who was available in the
organization to do what when the need arose). Ideally, the
distribution of computer security functions should result from a
planned and integrated management philosophy.
Managing computer security at multiple levels brings many
benefits. Each level contributes to the overall computer security
program with different types of expertise, authority, and resources.
In general, higher-level officials (such as those at the
headquarters or unit levels in the agency described above) better
understand the organization as a whole and have more authority. On
the other hand, lower-level officials (at the computer facility and
applications levels) are more familiar with the specific
requirements, both technical and procedural, and problems of the
systems and the users. The levels of computer security program
management should be complementary; each can help the other be more
effective.
Since many organizations have at least two levels of computer
security management, this chapter divides computer security program
management into two levels: the central level and the system level.
(Each organization, though, may have its own unique structure.) The
central computer security program can be used to address the overall
management of computer security within an organization or a major
component of an organization. The system-level computer security
program addresses the management of computer security for a
particular system.
|