MISCELLANEOUS CYBERSECURITY NEWS:
Let’s put an end to data leaks - As cyber threats evolve, businesses
have remained primarily focused on perimeter security, often
overlooking potential vulnerabilities within their web application
programming interfaces (APIs).
https://www.scmagazine.com/perspective/lets-put-an-end-to-data-leaks
Medical Device Makers Taking a New Approach to Cybersecurity - New
regulations, including those coming into effect in the U.S., are
pushing many medical device makers to radically reconsider how they
approach cybersecurity for their products, said Phil Englert of the
Health Information Sharing and Analysis Center.
https://www.govinfosecurity.com/medical-device-makers-taking-new-approach-to-cybersecurity-a-22859
Joint Commission Releases Guidance on Preserving Patient Safety
After Cyberattack - The healthcare accreditation organization urged
healthcare organizations to form a downtime planning committee and
take other actions to prioritize patient safety after a cyberattack.
https://healthitsecurity.com/news/joint-commission-releases-guidance-on-preserving-patient-safety-after-cyberattack
What businesses need to know to comply with SEC’s new cyber
disclosure rules - New rules for publicly traded companies went into
effect Sept. 5, with the Securities and Exchange Commission
requiring businesses to begin regularly reporting on their
cybersecurity risk management strategies, board-level cybersecurity
governance and oversight and, of course, reporting rules for
material cyber incidents.
https://www.scmagazine.com/news/what-businesses-need-to-know-to-comply-with-secs-new-cyber-disclosure-rules
FTC investigates OpenAI over data leak and ChatGPT’s inaccuracy -
The Federal Trade Commission has opened an expansive investigation
into OpenAI, probing whether the maker of the popular ChatGPT bot
has run afoul of consumer protection laws by putting personal
reputations and data at risk.
https://www.washingtonpost.com/technology/2023/07/13/ftc-openai-chatgpt-sam-altman-lina-khan/
Insurance Costs Rise, Coverage Shrinks, but Policies Remain
Essential - Companies need to reassess their cyber insurance
policies as significant breaches and growing payouts have led
insurers to demand higher premiums while granting less coverage,
leaving many organizations unprepared in the event of a breach or
security incident.
https://www.darkreading.com/risk/insurance-costs-rise-coverage-shrinks-but-policies-remain-essential
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Rhysida claims responsibility for ransomware attacks on Prospect
Medical Holdings - The ever-evolving Rhysida ransomware group has
reportedly claimed responsibility for the cyberattack on Prospect
Medical Holdings, which earlier this month experienced attacks at
hospitals and medical facilities in four states that forced the
company to take their systems down.
https://www.scmagazine.com/news/rhysida-claims-responsibility-for-ransomware-attacks-on-prospect-medical-holdings
Okta customers targeted in social engineering scam - Customers of
Okta’s identity and access management solution have been hit by a
social engineering campaign that abuses Okta “super administrator”
accounts to compromise target organizations.
https://www.scmagazine.com/news/okta-customers-targeted-in-social-engineering-scam
NYC Subway Disables Trip-History Feature Over Tap-and-Go Privacy
Concerns - The move by New York's Metropolitan Transit Authority
(MTA) follows a report that showed how easy it is for someone to
pull up another individual's seven-day ride history through the One
Metro New York (OMNY) website.
https://www.darkreading.com/risk/new-york-subway-disables-trip-history-feature-tap-and-go-privacy-concerns
Sourcegraph website breached using leaked admin access token -
AI-powered coding platform Sourcegraph revealed that its website was
breached this week using a site-admin access token accidentally
leaked online on July 14th.
https://www.bleepingcomputer.com/news/security/sourcegraph-website-breached-using-leaked-admin-access-token/
New Chaes malware variant targets banking and logistics industries -
A new variant of the Chaes malware identified as "Chae$4" was found
targeting the banking and logistics industries, as well as major
content management platforms.
https://www.scmagazine.com/news/new-chae-4-variant-of-chaes-malware-targets-banking-and-logistics-industries
University of Michigan shuts down network after cyberattack - The
University of Michigan has taken all of its systems and services
offline to deal with a cybersecurity incident, causing a widespread
impact on online services the night before classes started.
https://www.bleepingcomputer.com/news/security/university-of-michigan-shuts-down-network-after-cyberattack/
LockBit breaches fence company’s weakest link: a Windows 7 PC - The
LockBit ransomware gang stole 10GB of data from a security fencing
company by compromising a “rogue” Windows 7 PC connected to an
otherwise secure network.
https://www.scmagazine.com/news/lockbit-breaches-fence-companys-weakest-link-a-windows-7-pc
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Performing the Risk Assessment and Determining Vulnerabilities
Performing a sound risk assessment is critical to establishing
an effective information security program. The risk assessment
provides a framework for establishing policy guidelines and
identifying the risk assessment tools and practices that may be
appropriate for an institution. Banks still should have a written
information security policy, sound security policy guidelines, and
well-designed system architecture, as well as provide for physical
security, employee education, and testing, as part of an effective
program.
When institutions contract with third-party providers for
information system services, they should have a sound oversight
program. At a minimum, the security-related clauses of a written
contract should define the responsibilities of both parties with
respect to data confidentiality, system security, and notification
procedures in the event of data or system compromise. The
institution needs to conduct a sufficient analysis of the provider's
security program, including how the provider uses available risk
assessment tools and practices. Institutions also should obtain
copies of independent penetration tests run against the provider's
system.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review part
two of three regarding controls to prevent and detect intrusions.
4) Attack Profile. Frequently systems are installed with more
available components and services than are required for the
performance of necessary functions. Banks maintaining unused
features may unwittingly enable network penetration by increasing
the potential vulnerabilities. To reduce the risk of intrusion,
institutions should use the minimum number of system components and
services to perform the necessary functions.
5) Modem Sweep. While access to a system is typically directed
through a firewall, sometimes modems are attached to the system
directly, perhaps without the knowledge of personnel responsible for
security. Those modems can provide an uncontrolled and unmonitored
area for attack. Modems that present such vulnerabilities should be
identified and either eliminated, or monitored and controlled.
6) Intrusion Identification. Real-time identification of an
attack is essential to minimize damage. Therefore, management should
consider the use of real-time intrusion detection software.
Generally, this software inspects for patterns or "signatures" that
represent known intrusion techniques or unusual system activities.
It may not be effective against new attack methods or modified
attack patterns. The quality of the software and sophistication of
an attack also may reduce the software's effectiveness. To identify
intrusions that escape software detection, other practices may be
necessary. For example, banks can perform visual examinations and
observations of systems and logs for unexpected or unusual
activities and behaviors as well as manual examinations of hardware.
Since intrusion detection software itself is subject to compromise,
banks should take steps to ensure the integrity of the software
before it is used.
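The distinction item 6 draws between known-pattern signatures and checks for unusual activity, as an added example that is not part of the OCC bulletin or this newsletter: a minimal signature check over constructed log lines catches the known traversal pattern but misses a URL-encoded variant of it, while a behavioural check for repeated failed logins still flags the source. The log lines, the signature set and the threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the bulletin): one known pattern,
# one lightly modified (URL-encoded) variant of it, and a burst of failed
# logins from a single source.
SAMPLE_LOG = [
    "203.0.113.7 GET /cgi-bin/../../etc/passwd 404",
    "203.0.113.7 GET /cgi-bin/..%2f..%2fetc/passwd 404",  # encoded variant
    "198.51.100.9 login failed user=admin",
    "198.51.100.9 login failed user=admin",
    "198.51.100.9 login failed user=root",
    "198.51.100.9 login failed user=guest",
    "192.0.2.4 GET /index.html 200",
]

# Signature for a known intrusion technique, in the style the bulletin
# describes: an exact byte pattern. Constructed for this example.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
}

# Pattern for extracting the source of a failed login (constructed format).
FAILED_LOGIN = re.compile(r"^(?P<src>\S+) login failed")


def match_signatures(lines):
    """Return (line_index, signature_name) for every line a signature hits.
    The encoded variant on line 1 escapes this check, which is exactly the
    'modified attack pattern' limitation the bulletin warns about."""
    hits = []
    for i, line in enumerate(lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((i, name))
    return hits


def unusual_activity(lines, threshold=3):
    """Flag sources with at least `threshold` failed logins: a behavioural
    check that does not depend on knowing the attacker's exact pattern."""
    failures = Counter()
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            failures[m.group("src")] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print("signature hits:", match_signatures(SAMPLE_LOG))
    print("unusual activity:", unusual_activity(SAMPLE_LOG))
```

The signature check reports only line 0; the encoded variant on line 1 is missed, while the behavioural check flags 198.51.100.9 with four failures.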
7) Firewalls. Firewalls are an important component of network
security and can be effective in reducing the risk of a successful
attack. The effectiveness of a firewall, however, is dependent on
its design and implementation. Because misconfigurations, operating
flaws, and the means of attack may render firewalls ineffective,
management should consider additional security behind the firewall,
such as intrusion identification and encryption.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.2.2 Efficient, Economic Coordination of Information
A central computer security program helps to coordinate and manage
effective use of security-related resources throughout the
organization. The most important of these resources are normally
information and financial resources.
Sound and timely information is necessary for managers to
accomplish their tasks effectively. However, most organizations have
trouble collecting information from myriad sources and effectively
processing and distributing it within the organization. This section
discusses some of the sources and efficient uses of computer
security information.
Within the federal government, many organizations such as the
Office of Management and Budget, the General Services
Administration, the National Institute of Standards and Technology,
and the National Telecommunications and Information Administration,
provide information on computer, telecommunications, or information
resources. This information includes security-related policy,
regulations, standards, and guidance. A portion of the information
is channeled through the senior designated official for each agency.
Agencies are expected to have mechanisms in place to distribute the
information the senior designated official receives.
Computer security-related information is also available from
private and federal professional societies and groups. These groups
will often provide the information as a public service, although
some private groups charge a fee for it. However, even for
information that is free or inexpensive, the costs associated with
personnel gathering the information can be high.
Internal security-related information, such as which procedures
were effective, virus infections, security problems, and solutions,
need to be shared within an organization. Often this information is
specific to the operating environment and culture of the
organization.
A computer security program administered at the organization level
can provide a way to collect the internal security-related
information and distribute it as needed throughout the organization.
Sometimes an organization can also share this information with
external groups.
Another use of an effective conduit of information is to increase
the central computer security program's ability to influence
external and internal policy decisions. If the central computer
security program office can represent the entire organization, then
its advice is more likely to be heeded by upper management and
external organizations. However, to be effective, there should be
excellent communication between the system-level computer security
programs and the organization level. For example, if an organization
were considering consolidating its mainframes into one site (or
considering distributing the processing currently done at one site),
personnel at the central program could provide initial opinions
about the security implications. However, to speak authoritatively,
central program personnel would have to actually know the security
impacts of the proposed change -- information that would have to be
obtained from the system-level computer security program.
An organization's components may develop specialized expertise,
which can be shared among components. For example, one operating
unit may primarily use UNIX and have developed skills in UNIX
security. A second operating unit (with only one UNIX machine), may
concentrate on MVS security and rely on the first unit's knowledge
and skills for its UNIX machine.
Besides being able to help an organization use information more
cost effectively, a computer security program can also help an
organization better spend its scarce security dollars. Organizations
can develop expertise and then share it, reducing the need to
contract out repeatedly for similar services. The central computer
security program can help facilitate information sharing.
Personnel at the central computer security program level can also
develop their own areas of expertise. For example, they could
sharpen their skills in contingency planning and risk analysis
to help the entire organization perform these vital security
functions.
Some Principal Security Program Interactions
Besides allowing an organization to share expertise and, therefore,
save money, a central computer security program can use its position
to consolidate requirements so the organization can negotiate
discounts based on volume purchasing of security hardware and
software. It also facilitates such activities as strategic planning
and organization-wide incident handling and security trend analysis.