MISCELLANEOUS CYBERSECURITY NEWS:
The Comedy of Errors That Let China-Backed Hackers Steal Microsoft’s
Signing Key - After leaving many questions unanswered, Microsoft
explains in a new postmortem the series of slipups that allowed
attackers to steal and abuse a valuable cryptographic key.
https://www.wired.com/story/china-backed-hackers-steal-microsofts-signing-key-post-mortem/
Senators want a special government unit to help small businesses
with cyberattacks - There are precious few issues or topics capable
of garnering bipartisan support in Congress these days. Finding new
ways to help small businesses protect against cyberattacks and other
digital threats is one of them.
https://www.scmagazine.com/news/bipartisan-bill-would-create-special-government-unit-to-help-small-businesses-with-cyber-attacks
IRS lacks authority to monitor how contractors, other agencies
manage taxpayer data - The IRS lacks the authority to inspect
whether other federal agencies who receive taxpayer information are
protecting that data as required by law, according to a new
Government Accountability Office report.
https://www.scmagazine.com/news/irs-lacks-authority-visibility-to-monitor-how-contractors-and-other-agencies-manage-taxpayer-data
The International Criminal Court Will Now Prosecute Cyberwar Crimes
- For years, some cybersecurity defenders and advocates have called
for a kind of Geneva Convention for cyberwar, new international laws
that would create clear consequences for anyone hacking civilian
critical infrastructure, like power grids, banks, and hospitals.
https://www.wired.com/story/icc-cyberwar-crimes/
https://digitalfrontlines.io/2023/08/20/technology-will-not-exceed-our-humanity/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
German financial agency site disrupted by DDoS attack since Friday -
The German Federal Financial Supervisory Authority (BaFin) announced
today that an ongoing distributed denial-of-service (DDoS) attack
has been impacting its website since Friday.
https://www.bleepingcomputer.com/news/security/german-financial-agency-site-disrupted-by-ddos-attack-since-friday/
Thousands of dollars stolen from Texas ATMs using Raspberry Pi - A
Texas court has heard how last month a gang of men used a Raspberry
Pi device to steal thousands of dollars from ATMs.
https://www.tripwire.com/state-of-security/thousands-dollars-stolen-texas-atms-using-raspberry-pi
Hackers phish users of old AP Stylebook site for credit card info -
The Associated Press has informed users of an old AP Stylebook
website who received phishing emails that directed them to a fake
website that imitated the real AP Stylebook and was asking for
updated credit card information.
https://www.scmagazine.com/news/hackers-phish-users-of-old-ap-stylebook-site-luring-them-to-fake-location-for-credit-card-info
MGM Resorts shuts down IT systems after cyberattack - MGM Resorts
International disclosed today that it is dealing with a
cybersecurity issue that impacted some of its systems, including its
main website, online reservations, and in-casino services, like
ATMs, slot machines, and credit card machines.
https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/
Huge DDoS attack against US financial institution thwarted - Akamai
says it thwarted a major distributed denial-of-service (DDoS) attack
aimed at a US bank that peaked at 55.1 million packets per second
earlier this month.
https://www.theregister.com/2023/09/11/ddos_attack_against_us_bank/
Sri Lankan government loses months of data following ransomware
attack - Sri Lanka’s government email network was hit by a
ransomware attack that wiped months of data from thousands of email
accounts, including ones belonging to top government officials,
authorities confirmed on Monday.
https://therecord.media/sri-lanka-loses-months-of-government-data-in-ransomware-attack
Over the past few weeks, MGM and Caesars were both hacked by one of
the most ‘aggressive threat actors’ targeting the U.S. - MGM Resorts
International was hacked by the same group of attackers that
breached Caesars Entertainment weeks earlier, according to four
people familiar with the matter.
https://fortune.com/2023/09/13/mgm-caesars-hacked-ransomware/
Cyberattack causes MGM Resorts to shut down its systems - The ALPHV
ransomware group is allegedly responsible for MGM Resorts shutting
down some of its systems Monday at several major hotels in Las
Vegas, which apparently left some with faulty door locks, slot
machines and problems making reservations, among other issues.
https://www.scmagazine.com/news/cyberattack-attack-causes-mgm-resorts-to-shut-down-its-systems
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and
Practices for Information System Security."
When assessing information security products, management should
be aware that many products offer a combination of risk assessment
features, and can cover single or multiple operating systems.
Several organizations provide independent assessments and
certifications of the adequacy of computer security products (e.g.,
firewalls). While the underlying product may be certified, banks
should realize that the manner in which the products are configured
and ultimately used is an integral part of the products'
effectiveness. If relying on the certification, banks should
understand the certification process used by the organization
certifying the security product. Other examples of items to consider
in the risk assessment process include:
1) Identifying mission-critical information systems, and
determining the effectiveness of current information security
programs. For example, a vulnerability might involve critical
systems that are not reasonably isolated from the Internet and
external access via modem. Having up-to-date inventory listings of
hardware and software, as well as system topologies, is important in
this process.
2) Assessing the importance and sensitivity of information and
the likelihood of outside break-ins (e.g., by hackers) and insider
misuse of information. For example, if a large depositor list were
made public, that disclosure could expose the bank to reputational
risk and the potential loss of deposits. Further, the institution
could be harmed if human resource data (e.g., salaries and personnel
files) were made public. The assessment should identify systems that
allow the transfer of funds, other assets, or sensitive
data/confidential information, and review the appropriateness of
access controls and other security policy settings.
3) Assessing the risks posed by electronic connections with
business partners. The other entity may have poor access controls
that could potentially lead to an indirect compromise of the bank's
system. Another example involves vendors that may be allowed to
access the bank's system without proper security safeguards, such as
firewalls. This could result in open access to critical information
that the vendor may have "no need to know."
4) Determining legal implications and contingent liability
concerns associated with any of the above. For example, if hackers
successfully access a bank's system and use it to subsequently
attack others, the bank may be liable for damages incurred by the
party that is attacked.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review the
last of a three part series regarding controls to prevent and detect
intrusions.
8) Encryption. Encryption is a means of securing data. Data can
be encrypted when it is transmitted, and when it is stored. Because
networks are not impervious to penetration, management should
evaluate the need to secure their data as well as their network.
Management's use of encryption should be based on an internal risk
assessment and a classification of data. The strength of encryption
should be proportional to the risk and impact if the data were
revealed.
9) Employee and Contractor Background Checks. Management should
ensure that information technology staff, contractors, and others
who can make changes to information systems have passed background
checks. Management also should periodically revalidate access lists
and logon IDs.
10) Accurate and Complete Records of Uses and Activities.
Accurate and complete records of users and activities are essential
for analysis, recovery, and development of additional security
measures, as well as possible legal action. Information of primary
importance includes the methods used to gain access, the extent of
the intruder's access to systems and data, and the intruder's past
and current activities. To ensure that adequate records exist,
management should consider collecting information about users and
user activities, systems, networks, file systems, and applications.
Consideration should be given to protecting and securing this
information by locating it in a physical location separate from the
devices generating the records, writing the data to a tamperproof
device, and encrypting the information both in transit and in
storage. The OCC expects banks to limit the use of personally
identifiable information collected in this manner for security
purposes, and to otherwise comply with applicable law and
regulations regarding the privacy of personally identifiable
information.
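As an added illustration of item 10 (this is example code written for this review, not part of the OCC bulletin), the following Python sketch shows one way a log collector can make the activity records it receives tamper-evident: each record carries an HMAC that binds it to the previous record, so an edited or deleted entry breaks the chain at an identifiable position. It also shows the edge case a plain hash chain misses, silent removal of the newest records, which is caught only if the collector separately retains the current head tag. The key, the field names and the sample events are all constructed for this example; in practice the key and head tag would be held by the separate, write-protected collector the bulletin describes, not by the devices generating the records.

```python
import hashlib
import hmac
import json

# Constructed sample activity records of the kind item 10 asks management to
# collect: who did what, from where, and when. All values are made up.
SAMPLE_EVENTS = [
    {"ts": "2023-09-11T08:02:11Z", "user": "jdoe", "src": "10.20.1.7",
     "action": "login", "result": "ok"},
    {"ts": "2023-09-11T08:05:43Z", "user": "jdoe", "src": "10.20.1.7",
     "action": "read", "object": "/depositors/list.csv"},
    {"ts": "2023-09-11T08:09:02Z", "user": "svc_batch", "src": "10.20.9.3",
     "action": "wire_transfer", "amount": 12500},
]

# Hypothetical key held only by the log collector (an assumption of this example).
COLLECTOR_KEY = b"example-collector-key-rotate-in-production"
GENESIS_TAG = "0" * 64


def canonical(event: dict) -> bytes:
    """Serialize an event deterministically so identical records always hash identically."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list, event: dict, key: bytes = COLLECTOR_KEY) -> dict:
    """Append an event, binding it to the previous record's tag with an HMAC."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    event = dict(event)  # copy so later tampering in a demo cannot leak into the sample data
    tag = hmac.new(key, prev_tag.encode() + canonical(event), hashlib.sha256).hexdigest()
    record = {"seq": len(chain), "event": event, "prev": prev_tag, "tag": tag}
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes = COLLECTOR_KEY, expected_head: str = None) -> int:
    """Return the index of the first record that fails verification, or -1 if intact.

    If expected_head (the last tag the collector stored separately) is given,
    a chain whose tail was removed is reported as failing at len(chain).
    """
    prev_tag = GENESIS_TAG
    for i, record in enumerate(chain):
        expected = hmac.new(key, prev_tag.encode() + canonical(record["event"]),
                            hashlib.sha256).hexdigest()
        if (record["seq"] != i or record["prev"] != prev_tag
                or not hmac.compare_digest(record["tag"], expected)):
            return i
        prev_tag = record["tag"]
    if expected_head is not None and prev_tag != expected_head:
        return len(chain)  # records were truncated from the end
    return -1


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, ev)
    return chain


def tamper_demo() -> dict:
    """Show which manipulations are detected and at what position."""
    intact = build_sample_chain()
    head = intact[-1]["tag"]  # what the collector would keep off-device

    edited = build_sample_chain()
    edited[1]["event"]["object"] = "/public/brochure.pdf"  # hide what was actually read

    deleted = build_sample_chain()
    del deleted[1]  # remove a middle record

    truncated = build_sample_chain()
    del truncated[-1]  # remove the newest record (the wire transfer)

    return {
        "intact": verify_chain(intact),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_without_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, expected_head=head),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The `truncated_without_head` result is the caveat worth remembering: a hash or HMAC chain proves that nothing inside the retained span was altered, but it cannot by itself prove that the span is complete, which is why the collector must also record the latest tag (or a running count) somewhere the record-generating devices cannot write.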
11) Vendor Management. Banks rely on service providers, software
vendors, and consultants to manage networks and operations. In
outsourcing situations, management should ensure that contractual
agreements are comprehensive and clear with regard to the vendor's
responsibility for network security, including its monitoring and
reporting obligations. Management should monitor the vendor's
performance under the contract, as well as assess the vendor's
financial condition at least annually.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.2.3 Central Enforcement and Oversight
Besides helping an organization improve the economy and efficiency
of its computer security program, a centralized program can include
an independent evaluation or enforcement function to ensure that
organizational subunits are cost-effectively securing resources and
following applicable policy. While the Office of the Inspector
General (OIG) and external organizations, such as the General
Accounting Office (GAO), also perform a valuable evaluation role,
they operate outside the regular management channels.
There are several reasons for having an oversight function within
the regular management channel. First, computer security is an
important component in the management of organizational resources.
This is a responsibility that cannot be transferred or abandoned.
Second, maintaining an internal oversight function allows an
organization to find and correct problems without the potential
embarrassment of an IG or GAO audit or investigation. Third, the
organization may find different problems from those that an outside
organization may find. The organization understands its assets,
threats, systems, and procedures better than an external
organization; additionally, people may have a tendency to be more
candid with insiders.