MISCELLANEOUS CYBERSECURITY NEWS:
FFIEC Information Technology Examination Handbook: New
Development, Acquisition, and Maintenance Booklet - The
Federal Financial Institutions Examination Council issued
the “Development, Acquisition, and Maintenance” booklet,
which is part of the FFIEC Information Technology
Examination Handbook.
www.occ.treas.gov/news-issuances/bulletins/2024/bulletin-2024-26.html
White House launches cybersecurity hiring sprint to help
fill 500,000 job openings - National Cyber Director Harry
Coker Jr. unveiled the program as part of an effort to fill
a continued gap in cyber, technology and AI positions.
https://www.cybersecuritydive.com/news/white-house-cybersecurity-500000-job/726162/
Schools, colleges faced record-breaking year of ransomware
attacks in 2023 - There were 121 incidents found last year
alone, according to an analysis, but researchers noted their
findings “only scratch the surface.”
https://www.cybersecuritydive.com/news/ransomware-schools-2023/725808/
CISA launches cyber incident reporting portal to streamline
breach disclosure - The secure portal is designed to
encourage faster and more robust information sharing about
malicious attacks and critical vulnerabilities.
https://www.cybersecuritydive.com/news/cisa-cyber-incident-portal/725770/
CISA officials credit Microsoft security log expansion for
improved threat visibility - CISA officials say they plan to
hold Microsoft accountable to ensure the company lives up to
its commitments.
https://www.cybersecuritydive.com/news/cisa-microsoft-security-log-expansion/725358/
FTC calls out security camera vendor Verkada over data
exposure - The U.S. Federal Trade Commission said it will
fine a security camera vendor nearly $3 million for exposing
customer data.
https://www.scmagazine.com/news/ftc-calls-out-security-camera-vendor-verkada-over-data-exposure
City of Columbus sues researcher for sharing leaked
ransomware data - The City of Columbus, Ohio, has taken
legal action against a security researcher who shared leaked
data from a ransomware attack against the city with members
of the news media.
https://www.scmagazine.com/news/city-of-columbus-sues-researcher-for-sharing-leaked-ransomware-data
Colorado tops list of cyberattacks per capita in the US -
Colorado is the most likely state to fall victim to
cyberattacks, according to a security provider that placed the
Centennial State atop its per capita victim losses tally
over the last three years.
https://www.scmagazine.com/news/colorado-tops-list-of-cyberattacks-per-capita-in-the-us
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Halliburton confirms data stolen in August cyberattack - The
company continues to incur expenses related to the attack,
but does not expect a material impact.
https://www.cybersecuritydive.com/news/halliburton-confirms-data-stolen-in-august-cyberattack/725886/
Texas Dow Employees Credit Union notifies 500,000 of MOVEit
breach - The Texas Dow Employees Credit Union (TDECU) on
Aug. 23 sent letters to more than 500,000 people saying
their personal data was compromised during last year’s
MOVEit attacks carried out by the Clop ransomware gang.
https://www.scmagazine.com/news/texas-dow-employees-credit-union-notifies-500000-of-moveit-breach
Seattle airport cyberattack outages persist heading into
Labor Day travel rush - Airport staff began turning on and
testing systems for international and low-volume carriers,
which are the most heavily impacted by the outage.
https://www.cybersecuritydive.com/news/seattle-airport-cyberattack-labor-day/725772/
Seattle airport confronts 4th day of cyberattack outages -
Most flights are departing and arriving as scheduled, but
the Port of Seattle’s websites, phone, email and Wi-Fi are
down. Manual processes at check-in counters are causing
delays.
https://www.cybersecuritydive.com/news/seattle-airport-cyberattack-widespread-outages/725342/
'Malfunction' at Dutch defense ministry datacenter causing
mass disruption - A currently unidentified “malfunction” at
a datacenter used by the Ministry of Defence (MoD) in the
Netherlands is causing widespread disruption across the
country.
https://therecord.media/netherlands-defense-ministry-data-center-malfunction-outages
Dick's Sporting Goods discloses cyberattack - Authorities
probing unwanted intrusion; hard questions ahead - Dick's
Sporting Goods, America's largest retail chain for outdoorsy
types, has admitted that it suffered a cyberattack last
week.
https://www.theregister.com/2024/08/28/dickssporting_goods_runs_into_problems/
Several Port of Seattle systems down following ‘possible
cyberattack’ - IT systems at the port and Seattle-Tacoma
International Airport remain offline. The port first
reported system outages Saturday morning.
https://www.cybersecuritydive.com/news/port-seattle-system-outages-cyberattack/725248/
WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (9 of 12)
Organize a public relations program.
Whether a bank is a
local, national, or global firm, negative publicity about a
security compromise is a distinct possibility. To address
potential reputation risks associated with a given incident,
some banks have organized public relations programs and
designated specific points of contact to oversee the
program. A well-defined public relations program can provide
a specific avenue for open communications with both the
media and the institution's customers.
Recovery
Recovering from an incident essentially involves restoring
systems to a known good state or returning processes and
procedures to a functional state. Some banks have
incorporated the following best practices related to the
recovery process in their IRPs.
Determine whether configurations or processes should be
changed.
If an institution is the subject of a security
compromise, the goals in the recovery process are to
eliminate the cause of the incident and ensure that the
possibility of a repeat event is minimized. A key component
of this process is determining whether system configurations
or other processes should be changed. In the case of
technical compromises, such as a successful network
intrusion, the IRP can prompt management to update or modify
system configurations to help prevent further incidents.
Part of this process may include implementing an effective,
ongoing patch management program, which can reduce exposure
to identified technical vulnerabilities. In terms of
non-technical compromises, the IRP can direct management to
review operational procedures or processes and implement
changes designed to prevent a repeat incident.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Policy (Part 1 of 3)
A firewall policy states management's
expectations for how the firewall should function and is a
component of the overall security policy. It should
establish rules for traffic coming into and going out of the
security domain and how the firewall will be managed and
updated. Therefore, it is a type of security policy for the
firewall, and forms the basis for the firewall rules. The
firewall selection and the firewall policy should stem from
the ongoing security risk assessment process. Accordingly,
management needs to update the firewall policy as the
institution's security needs and the risks change. At a
minimum, the policy should address:
! Firewall topology and architecture,
! Type of firewall(s) being utilized,
! Physical placement of the firewall components,
! Monitoring firewall traffic,
! Permissible traffic (generally based on the premise that all traffic not expressly allowed is denied, detailing which applications can traverse the firewall and under what exact circumstances such activities can take place),
! Firewall updating,
! Coordination with intrusion detection and response mechanisms,
! Responsibility for monitoring and enforcing the firewall policy,
! Protocols and applications permitted,
! Regular auditing of a firewall's configuration and testing of the firewall's effectiveness, and
! Contingency planning.
Financial institutions should also appropriately train and
manage their staffs to ensure the firewall policy is
implemented properly. Alternatively, institutions can
outsource the firewall management, while ensuring that the
outsourcer complies with the institution's specific firewall
policy.
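The booklet says the firewall policy forms the basis for the firewall rules, that permissible traffic rests on "all traffic not expressly allowed is denied", and that the configuration should be audited regularly. The following is an added example, not part of the booklet or the newsletter, of a small audit that compares a running rule set against a written policy; the policy contents, the Rule structure and the sample rules are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None means any port
    src: str               # source CIDR, or "any"
    dst: str               # destination CIDR, or "any"

# Constructed policy: the only applications expressly permitted to traverse
# the firewall (protocol, destination port). Anything else must be denied.
POLICY_PERMITTED = {("tcp", 443), ("tcp", 25), ("udp", 53)}

# Constructed running rule set, evaluated top to bottom.
RULES = [
    Rule("allow", "tcp", 443, "any", "10.0.1.0/24"),  # HTTPS to DMZ: permitted
    Rule("allow", "tcp", 23, "any", "10.0.1.5"),      # telnet: not in the policy
    Rule("allow", "any", None, "10.0.0.0/8", "any"),  # catch-all allow
    Rule("deny", "any", None, "any", "any"),          # explicit final deny
]

def audit_ruleset(rules, default_action, permitted):
    """Return a list of findings where the running rule set departs from the
    written policy. An empty list means the rule set is compliant."""
    findings = []
    # The policy premise: traffic not expressly allowed is denied.
    if default_action != "deny":
        findings.append("default action must be deny, not " + default_action)
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue                      # deny rules never widen exposure
        if r.proto == "any" or r.dport is None:
            findings.append(f"rule {i}: allow rule is not bound to a specific "
                            f"protocol and port ({r.src} -> {r.dst})")
        elif (r.proto, r.dport) not in permitted:
            findings.append(f"rule {i}: {r.proto}/{r.dport} is not in the "
                            "permitted applications list")
    return findings

if __name__ == "__main__":
    for finding in audit_ruleset(RULES, "allow", POLICY_PERMITTED):
        print(finding)
```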
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.2.3 Detecting Unauthorized/Illegal Activities
Several mechanisms are used besides auditing and analysis
of audit trails to detect unauthorized and illegal acts. For
example, fraudulent activities may require the regular
physical presence of the perpetrator(s). In such cases, the
fraud may be detected during the employee's absence.
Mandatory vacations for critical systems and applications
personnel can help detect such activity (however, this is
not a guarantee, for example, if problems are saved for the
employees to handle upon their return). It is useful to
avoid creating an excessive dependence upon any single
individual, since the system will have to function during
periods of absence. Particularly within the government,
periodic rescreening of personnel is used to identify
possible indications of illegal activity (e.g., living a
lifestyle in excess of known income level).
10.2.4 Temporary Assignments and In-house Transfers
One significant aspect of managing a system involves
keeping user access authorizations up to date. Access
authorizations are typically changed under two types of
circumstances: (1) change in job role, either temporarily
(e.g., while covering for an employee on sick leave) or
permanently (e.g., after an in-house transfer) and (2)
termination discussed in the following section.
Users often are required to perform duties outside their
normal scope during the absence of others. This requires
additional access authorizations. Although necessary, such
extra access authorizations should be granted sparingly and
monitored carefully, consistent with the need to maintain
separation of duties for internal control purposes. Also,
they should be removed promptly when no longer required.
Permanent changes are usually necessary when employees
change positions within an organization. In this case, the
process of granting account authorizations (described in
Section 10.2.1) will occur again. At this time, however, it
is also important that access authorizations of the prior
position be removed. Many instances of "authorization creep"
have occurred with employees continuing to maintain access
rights for previously held positions within an organization.
This practice is inconsistent with the principle of least
privilege.
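Section 10.2.4 says temporary grants should be removed promptly when no longer required and that authorizations of a prior position should be removed on transfer. As an added example (not from the NIST Handbook), the access review below compares what an account holds against what its current role and still-active temporary grants justify, and labels each surplus entitlement as authorization creep, an expired temporary grant, or simply unjustified. The role table and the sample account are constructed.

```python
from datetime import date

# Constructed sample data: the entitlements each position justifies.
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking:read", "cash_drawer"},
    "loan_officer": {"core_banking:read", "loan_system:write"},
    "sysadmin": {"core_banking:admin", "server_console"},
}

# Constructed sample account: transferred from teller to loan officer, and
# once covered for a sysadmin on sick leave under a time-boxed grant.
ALICE = {
    "user": "alice",
    "role": "loan_officer",
    "prior_roles": ["teller"],
    "temporary_grants": [
        {"entitlement": "server_console", "expires": date(2024, 8, 15)},
    ],
    "entitlements": {"core_banking:read", "loan_system:write",
                     "cash_drawer", "server_console"},
}

def review_access(account, today):
    """Return {entitlement: reason} for every entitlement the account holds
    that neither its current role nor an active temporary grant justifies.
    An empty dict means the account is consistent with least privilege."""
    justified = set(ROLE_ENTITLEMENTS[account["role"]])
    expired = {}
    for grant in account["temporary_grants"]:
        if grant["expires"] >= today:
            justified.add(grant["entitlement"])   # cover duty still active
        else:
            expired[grant["entitlement"]] = grant["expires"]
    # Entitlements that previous positions would have justified.
    prior = set().union(*(ROLE_ENTITLEMENTS[r] for r in account["prior_roles"]))
    findings = {}
    for ent in sorted(account["entitlements"] - justified):
        if ent in expired:
            findings[ent] = f"temporary grant expired {expired[ent].isoformat()}"
        elif ent in prior:
            findings[ent] = "authorization creep: held over from prior position"
        else:
            findings[ent] = "no current justification"
    return findings

if __name__ == "__main__":
    for ent, reason in review_access(ALICE, date(2024, 9, 1)).items():
        print(f"revoke {ent}: {reason}")
```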