MISCELLANEOUS CYBERSECURITY NEWS:
What security teams need to know about HIPAA compliance in
the cloud - The Health Insurance Portability and
Accountability Act (HIPAA) has become one of the healthcare
sector's most widely recognized compliance frameworks.
https://www.scmagazine.com/perspective/what-security-teams-need-to-know-about-hipaa-compliance-in-the-cloud
Europe’s privacy watchdog probes Google over data used for
AI training - Google is under investigation by Europe’s
privacy watchdog over its processing of personal data in the
development of one of its artificial intelligence models, as
regulators ramp up their scrutiny of Big Tech’s AI
ambitions.
https://arstechnica.com/tech-policy/2024/09/europes-privacy-watchdog-probes-google-over-data-used-for-ai-training/
UK Labels Data Centers as Critical National Infrastructure -
The U.K. government on Thursday designated data centers as
part of its critical national infrastructure in a move
intended to prevent the loss of sensitive user data during
disruptive cyberattacks.
https://www.govinfosecurity.com/uk-labels-data-centers-as-critical-national-infrastructure-a-26278
Cyber insurance keeps growing, as threats spur competition -
Concerns remain about aggregation risk as highlighted by the
July outage of Microsoft Windows devices, according to a
report from Moody’s Ratings.
https://www.cybersecuritydive.com/news/cyber-insurance-growing-threats-competition/726440/
Keeping data secure in the age of generative AI - Generative
AI has rapidly cemented itself as a cornerstone of modern
life.
https://www.cybersecuritydive.com/spons/keeping-data-secure-in-the-age-of-generative-ai/726494/
98% of organizations worldwide connected to breached
third-party vendors - A total of 98% of organizations
worldwide have integrations with at least one third-party
vendor that has been breached in the last two years.
https://www.cybersecuritydive.com/news/connected-breached-third-party/641857/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Electronic payment firm Slim CD notifies 1.7M customers of
data breach - Slim CD, a company that provides processing
services for electronic payments, has notified nearly 1.7
million credit card holders that their data may have been
stolen in a June breach.
https://www.scmagazine.com/news/electronic-payment-firm-slim-cd-notifies-17m-customers-of-data-breach
Fortinet admits miscreant got hold of customer data in the
cloud - Fortinet has admitted that bad actors accessed
cloud-hosted data about its customers, but insisted it was a
"limited number" of files. The question is: how limited is
"limited"?
https://www.theregister.com/2024/09/13/fortinet_data_loss/
Transport for London confirms 5,000 users' bank data
exposed, pulls large chunks of IT infra offline - Transport
for London's ongoing cyber incident has taken a dark turn as
the organization confirmed that some data, including bank
details, might have been accessed, and 30,000 employees'
passwords will need to be reset via in-person appointments.
https://www.theregister.com/2024/09/12/transport_for_londons_cyber_attack/
Highline Public Schools closes schools following cyberattack
- Highline Public Schools, a K-12 district in Washington
state, has shut down all schools and canceled school
activities after its technology systems were compromised in
a cyberattack.
https://www.bleepingcomputer.com/news/security/highline-public-schools-closes-schools-following-cyberattack/
MOVEit victims are still coming forward. This time it’s
Wisconsin Medicare. - The delayed notifications underscore
the difficulty organizations confront in discovering
breaches and attributing compromises to a root cause or
source.
https://www.cybersecuritydive.com/news/moveit-wisconsin-medicare/726441/
Port of Seattle officials pin attack, data theft to Rhysida
ransomware group - The port restored most of the systems
impacted by the ransomware attack as officials warn their
refusal to pay extortion demand could result in data leaks.
https://www.cybersecuritydive.com/news/seattle-port-ransomware-attack/727098/
Ransomware Group Leaks Data Allegedly Stolen From Kawasaki
Motors - The RansomHub ransomware group has released 487
gigabytes of data it allegedly stole from motorcycle
manufacturer Kawasaki Motors Europe (KME).
https://www.securityweek.com/ransomware-group-leaks-data-allegedly-stolen-from-kawasaki-motors/
Suffolk County ransomware attack linked to lack of planning,
ignored warnings - A special report blames county officials
for ignoring FBI warnings during the 2022 attack and an
overall failure of IT and security leadership.
https://www.cybersecuritydive.com/news/suffolk-county-ignored-threat-warnings/727352/
WEB SITE COMPLIANCE - We continue the series on the FDIC
Supervisory Insights article on Incident Response Programs.
(11 of 12)
Last week's best practices focused on the more common criteria
that have been noted in actual IRPs, but some banks have
developed other effective incident response practices.
Examples of these additional practices are listed below.
Organizations may want to review these practices and
determine if any would add value to their IRPs given their
operating environments.
Additional IRP Best Practices
1) Test the incident response plan (via walkthrough or
tabletop exercises) to assess thoroughness.
2) Implement notices on login screens for customer
information systems to establish a basis for disciplinary or
legal action.
3) Develop an incident grading system that quantifies the
severity of the incident, helps determine if the incident
response plan needs to be activated, and specifies the
extent of notification escalation.
4) Provide periodic staff awareness training on recognizing
potential indicators of unauthorized activity and reporting
the incident through proper channels. Some institutions have
established phone numbers and e-mail distribution lists for
reporting possible incidents.
5) Inform users about the status of any compromised system
they may be using.
6) Establish a list of possible consultants, in case the
bank does not have the expertise to handle or investigate
the specific incident (especially regarding technical
compromises).
7) Establish evidence-gathering and handling procedures
aimed at preserving evidence of the incident and aiding in
prosecution activities.
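Item 7 is the one practice on this list that rests on a technique rather than a policy, so the following is an added example for this newsletter (it is not from the FDIC article) of the minimum an evidence-handling procedure should do: hash each item at acquisition, confirm the preserved copy matches the original, record who collected it and when in a manifest, and re-verify the whole set later so that any alteration is detected. The case directory, the collector name and the sample auth.log line are constructed placeholders, and the sha256sum/shasum fallback is an assumption about the collection host.

```shell
# Added example for this newsletter (not from the FDIC article): a minimal
# evidence acquisition and verification routine. Every path, host name and
# collector name used with it is an assumed placeholder.

# sha256_of FILE: print the SHA-256 hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # BSD/macOS fallback
    fi
}

# collect_evidence SRC CASE_DIR COLLECTOR
# Hash the original, copy it into CASE_DIR preserving timestamps, make the
# copy read-only, hash the copy and refuse the acquisition if the two hashes
# differ. On success append one manifest line:
#   <sha256>  <file name>  <UTC time of acquisition>  <collector>
collect_evidence() {
    src=$1; case_dir=$2; who=$3
    name=$(basename "$src")
    h_src=$(sha256_of "$src")
    cp -p "$src" "$case_dir/$name"
    chmod a-w "$case_dir/$name"
    h_copy=$(sha256_of "$case_dir/$name")
    if [ "$h_copy" != "$h_src" ]; then
        echo "acquisition failed: $src hash changed during copy" >&2
        return 1
    fi
    printf '%s  %s  %s  %s\n' "$h_copy" "$name" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$who" >> "$case_dir/MANIFEST"
}

# verify_evidence CASE_DIR: re-hash every file named in the manifest.
# Returns 0 only if every digest still matches; reports each mismatch.
verify_evidence() {
    case_dir=$1
    status=0
    while read -r h name _acquired _who; do
        if [ ! -f "$case_dir/$name" ]; then
            echo "MISSING: $name" >&2
            status=1
        elif [ "$(sha256_of "$case_dir/$name")" != "$h" ]; then
            echo "MISMATCH: $name (manifest $h)" >&2
            status=1
        fi
    done < "$case_dir/MANIFEST"
    return $status
}

# evidence_demo: constructed sample run (a made-up auth.log line). Returns 0
# only if a clean set verifies AND a tampered copy is caught afterwards.
evidence_demo() {
    work=$(mktemp -d)
    printf 'Sep 13 10:02:11 host1 sshd[412]: Failed password for root from 203.0.113.7 port 51122 ssh2\n' \
        > "$work/auth.log"
    mkdir "$work/case"
    collect_evidence "$work/auth.log" "$work/case" "analyst-1" || return 1
    verify_evidence "$work/case" || return 1
    chmod u+w "$work/case/auth.log"
    printf 'Sep 13 10:02:12 host1 sshd[412]: Accepted password for root\n' >> "$work/case/auth.log"
    if verify_evidence "$work/case" 2>/dev/null; then
        return 1            # tampering went unnoticed: the demo fails
    fi
    rm -rf "$work"
    return 0
}
```

The manifest is the chain-of-custody record: the acquisition hash proves the preserved copy is what was collected, the timestamp and collector name say by whom and when, and verify_evidence is what an examiner or counsel runs before relying on the set. Analysis is done on further copies, never on the read-only originals.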
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Policy (Part 3 of 3)
Financial institutions can reduce their vulnerability to these
attacks somewhat through network configuration and design,
sound implementation of a firewall architecture that includes
multiple filter points, active firewall monitoring and
management, and integrated intrusion detection. In most cases,
access controls within the operating system or application
provide a further, independent layer of defense.
Given the importance of firewalls as a means of access control,
good practices include:
- Hardening the firewall by removing all unnecessary services
and appropriately patching, enhancing, and maintaining all
software on the firewall unit;
- Restricting network mapping capabilities through the
firewall, primarily by blocking inbound ICMP traffic;
- Using a ruleset that disallows all traffic that is not
specifically allowed;
- Using NAT and split DNS (domain name service) to hide
internal system names and addresses from external networks
(split DNS uses two domain name servers, one to communicate
outside the network, and the other to offer services inside
the network);
- Using proxy connections for outbound HTTP connections;
- Filtering malicious code;
- Backing up firewalls to internal media, and not backing up
the firewall to servers on protected networks;
- Logging activity, with daily administrator review;
- Using intrusion detection devices to monitor actions on the
firewall and to monitor communications allowed through the
firewall;
- Administering the firewall using encrypted communications
and strong authentication, only accessing the firewall from
secure devices, and monitoring all administrative access;
- Limiting administrative access to few individuals; and
- Making changes only through well-administered change
control procedures.
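Several of the practices above map directly onto a ruleset. The following is an added example written for this newsletter, not text or configuration from the FFIEC booklet: a shell function that writes an nftables ruleset with a drop policy on every filter chain (traffic not specifically allowed is discarded), no inbound ICMP echo or timestamp requests (the types that support network mapping) while still accepting the two ICMP types that path-MTU discovery needs, which a blanket ICMP block would break, NAT hiding internal addresses, outbound HTTP/HTTPS permitted only from the proxy, Internet DNS only from the external half of a split-DNS pair, SSH administration only from a management subnet, and rate-limited logging of what is dropped. The interface names, subnets, proxy, resolver and log-host addresses are assumed placeholders for a small perimeter. A second function checks that every filter chain is default-deny before the file is loaded with nft -f (syntax can be checked first with nft -c -f).

```shell
# Added example for this newsletter (not from the FFIEC booklet): generate a
# default-deny nftables ruleset that follows the practices listed above.
# All names and addresses below are assumed placeholders for a small
# perimeter: one Internet-facing interface, one protected LAN behind NAT,
# a management subnet, a web proxy and the external half of a split-DNS pair.
WAN_IF="eth0"
LAN_IF="eth1"
LAN_NET="10.10.0.0/16"
MGMT_NET="10.10.250.0/24"
PROXY_HOST="10.10.20.5"
EXT_DNS="10.10.20.53"
LOG_HOST="10.10.30.10"

# write_ruleset FILE: write the ruleset to FILE (load with: nft -f FILE;
# check syntax first with: nft -c -f FILE).
write_ruleset() {
    cat > "$1" <<EOF
flush ruleset

table inet perimeter {
    # The weak setting this replaces is "policy accept" on each chain, which
    # lets through anything not explicitly blocked. Every filter chain here
    # is "policy drop": traffic not specifically allowed is discarded.

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Administer the firewall only over SSH from the management subnet,
        # arriving on the inside interface; every admin session is logged.
        iifname "$LAN_IF" ip saddr $MGMT_NET tcp dport 22 log prefix "fw-admin " accept
        # Restrict network mapping: ICMP echo and timestamp requests are not
        # listed, so they fall to the drop policy. The two types below are
        # kept because path-MTU discovery breaks without them.
        icmp type { destination-unreachable, time-exceeded } accept
        limit rate 10/second log prefix "fw-input-drop "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Outbound HTTP/HTTPS only from the proxy; LAN hosts cannot reach
        # the Internet directly on these ports.
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $PROXY_HOST tcp dport { 80, 443 } accept
        # Only the external resolver of the split-DNS pair queries outside.
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $EXT_DNS udp dport 53 accept
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $EXT_DNS tcp dport 53 accept
        limit rate 10/second log prefix "fw-forward-drop "
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # The firewall itself only sends syslog and NTP to the internal log
        # and time host (assumed address). A patch mirror, if one is used,
        # needs its own explicit rule here rather than a wider policy.
        oifname "$LAN_IF" ip daddr $LOG_HOST udp dport { 123, 514 } accept
        limit rate 10/second log prefix "fw-output-drop "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide internal addresses behind the firewall's external address.
        oifname "$WAN_IF" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# ruleset_is_default_deny FILE: succeed only if every filter chain in FILE
# carries "policy drop" and no rule accepts ICMP echo requests.
ruleset_is_default_deny() {
    chains=$(grep -c 'type filter hook' "$1")
    dropping=$(grep -c 'type filter hook .*policy drop' "$1")
    [ "$chains" -gt 0 ] && [ "$chains" -eq "$dropping" ] &&
        ! grep -q 'echo-request.*accept' "$1"
}
```

The ICMP rules above match IPv4 only; a site that also routes IPv6 needs the equivalent icmpv6 types (packet-too-big, time-exceeded) accepted, since IPv6 does not fragment in transit and PMTUD is mandatory there. The log prefixes are what the daily administrator review and the intrusion detection sensors key on, so keep them distinct per chain.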
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.3 Contractor Access Considerations
Many federal agencies as well as private organizations use
contractors and consultants to assist with computer
processing. Contractors are often used for shorter periods
of time than regular employees. This factor may change the
cost-effectiveness of conducting screening. The often higher
turnover among contractor personnel generates additional
costs for security programs in terms of user administration.
10.4 Public Access Considerations
Many federal agencies have begun to design, develop, and
implement public access systems for electronic dissemination
of information to the public. Some systems provide
electronic interaction by allowing the public to send
information to the government (e.g., electronic tax filing)
as well as to receive it. When systems are made available
for access by the public (or a large or significant subset
thereof), additional security issues arise due to: (1)
increased threats against public access systems and (2) the
difficulty of security administration.
While many computer systems have been victims of hacker
attacks, public access systems are well known and have
published phone numbers and network access IDs. In addition,
a successful attack could result in a lot of publicity. For
these reasons, public access systems are subject to a
greater threat from hacker attacks on the confidentiality,
availability, and integrity of information processed by a
system. In general, it is safe to say that when a system is
made available for public access, the risk to the system
increases -- and often the constraints on its use are
tightened.
Besides increased risk of hackers, public access systems
can be subject to insider malice. For example, an
unscrupulous user, such as a disgruntled employee, may try
to introduce errors into data files intended for
distribution in order to embarrass or discredit the
organization. Attacks on public access systems could have a
substantial impact on the organization's reputation and the
level of public confidence due to the high visibility of
public access systems. Other security problems may arise
from unintentional actions by untrained users.
In systems without public access, there are procedures for
enrolling users that often involve some user training and
frequently require the signing of forms acknowledging user
responsibilities. In addition, user profiles can be created
and sophisticated audit mechanisms can be developed to
detect unusual activity by a user. In public access systems,
users are often anonymous. This can complicate system
security administration.
In most systems without public access, users are typically
a mix of known employees or contractors. In this case,
imperfectly implemented access control schemes may be
tolerated. However, when opening up a system to public
access, additional precautions may be necessary because of
the increased threats.