MISCELLANEOUS CYBERSECURITY NEWS:
Feds hit Penn State University with false claims lawsuit over cyber
compliance - The United States government is bringing legal action
against Penn State University under the False Claims Act, saying the
university lied or misled about its adherence to government
cybersecurity protocols when contracting with the federal
government.
https://www.scmagazine.com/news/feds-hit-penn-state-university-with-false-claims-lawsuit-over-cyber-compliance
Threat actors target remote endpoints to conduct BECs, steal
credentials and load malware - Today, companies spend a fortune
erecting walls around their core IT infrastructure, but they fail to
secure the stragglers in their midst.
https://www.scmagazine.com/research-article/threat-actors-target-remote-endpoints-to-conduct-becs-steal-credentials-and-load-malware
California legislature passes ‘Delete Act’ to protect consumer data
- On Wednesday, the California legislature passed the “Delete Act,”
a first-of-its-kind law that allows the state’s consumers to
universally remove their personal data from all data brokers based
in the state with a single request.
https://statescoop.com/california-legislature-passes-delete-act-to-protect-consumer-data/
CISA Publishes Plan to Enhance Open Source Security - A leading US
security agency has released a long-awaited plan detailing how it
will enhance open source security for both federal government and
across the entire ecosystem.
https://www.infosecurity-magazine.com/news/cisa-plan-enhance-open-source/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Microsoft worker accidentally exposes 38TB of sensitive data in
GitHub blunder - A Microsoft employee accidentally exposed 38
terabytes of private data while publishing a bucket of open-source
AI training data on GitHub, according to Wiz security researchers
who spotted the leaky account and reported it to the Windows giant.
https://www.theregister.com/2023/09/18/more_microsoft_token_trouble/
https://www.scmagazine.com/news/misconfigured-sas-token-by-microsofts-ai-team-exposes-38tb-of-github-data
Google Feature Blamed for Retool Breach That Led to Cryptocurrency
Firm Hacks - A recently introduced Google account sync feature has
been blamed by software development firm Retool after sophisticated
hackers gained access to its systems and targeted over two dozen of
its customers from the cryptocurrency sector.
https://www.securityweek.com/google-feature-blamed-for-retool-breach-that-led-to-cryptocurrency-firm-hacks/
US-Canada water org confirms 'cybersecurity incident' after
ransomware crew threatens leak - The International Joint Commission,
a body that manages water rights along the US-Canada border, has
confirmed its IT security was targeted, after a ransomware gang
claimed it stole 80GB of data from the organization.
https://www.theregister.com/2023/09/15/ijc_noescape_ransomware/
ORBCOMM ransomware attack causes trucking fleet management outage -
Trucking and fleet management solutions provider ORBCOMM has
confirmed that a ransomware attack is behind recent service outages
preventing trucking companies from managing their fleets.
https://www.bleepingcomputer.com/news/security/orbcomm-ransomware-attack-causes-trucking-fleet-management-outage/
Greater Manchester Police ransomware attack another classic demo of
supply chain challenges - The UK's Greater Manchester Police (GMP)
has admitted that crooks have got their mitts on some of its data
after a third-party supplier responsible for ID badges was attacked.
https://www.theregister.com/2023/09/15/greater_manchester_police_breach_demonstrates/
Caesars Confirms Ransomware Hack, Stolen Loyalty Program Database -
Caesars Entertainment, Inc., a well-known global hospitality brand,
has been hacked by a cybercrime gang that stole a vast chunk of
data, including the company’s loyalty program database.
https://www.securityweek.com/caesars-confirms-ransomware-hack-stolen-loyalty-program-database/
Auckland transport authority hit by suspected ransomware attack -
The Auckland Transport (AT) transportation authority in New Zealand
is dealing with a widespread outage caused by a cyber incident,
impacting a wide range of customer services.
https://www.bleepingcomputer.com/news/security/auckland-transport-authority-hit-by-suspected-ransomware-attack/
Multiple crypto raids net Lazarus Group $290M in 15 weeks - After a
quiet start to 2023 on the cryptocurrency front, North Korea’s
Lazarus Group appears to be making up for lost time, stealing over
$290 million from five crypto heists carried out in a little over
three months.
https://www.scmagazine.com/news/multiple-crypto-raids-net-lazarus-group-290m-in-15-weeks
Cyberattack causes MGM Resorts to shut down its systems - The ALPHV
ransomware group is allegedly responsible for MGM Resorts shutting
down some of its systems Monday at several major hotels in Las
Vegas, which apparently left some with faulty door locks, slot
machines and problems making reservations, among other issues.
https://www.scmagazine.com/news/cyberattack-attack-causes-mgm-resorts-to-shut-down-its-systems
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Potential Threats To Consider
Serious hackers, interested computer novices, dishonest vendors
or competitors, disgruntled current or former employees, organized
crime, or even agents of espionage pose a potential threat to an
institution's computer security. The Internet provides a wealth of
information to banks and hackers alike on known security flaws in
hardware and software. Using almost any search engine, average
Internet users can quickly find information describing how to break
into various systems by exploiting known security flaws and software
bugs. Hackers also may breach security by misusing vulnerability
assessment tools to probe network systems, then exploiting any
identified weaknesses to gain unauthorized access to a system.
Internal misuse of information systems remains an ever-present
security threat.
Many break-ins or insider misuses of information occur due to
poor security programs. Hackers often exploit well-known weaknesses
and security defects in operating systems that have not been
appropriately addressed by the institution. Inadequate maintenance
and improper system design may also allow hackers to exploit a
security system. New security risks arise from evolving attack
methods or newly detected holes and bugs in existing software and
hardware. Also, new risks may be introduced as systems are altered
or upgraded, or through the improper setup of available
security-related tools. An institution needs to stay abreast of new
security threats and vulnerabilities. It is equally important to
keep up to date on the latest security patches and version upgrades
that are available to fix security flaws and bugs. Information
security and relevant vendor Web sites contain much of this
information.
Systems can be vulnerable to a variety of threats, including the
misuse or theft of passwords. Hackers may use password cracking
programs to figure out poorly selected passwords. The passwords may
then be used to access other parts of the system. By monitoring
network traffic, unauthorized users can easily steal unencrypted
passwords. The theft of passwords is more difficult if they are
encrypted. Employees or hackers may also attempt to compromise
system administrator access (root access), tamper with critical
files, read confidential e-mail, or initiate unauthorized e-mails or
transactions.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
Intrusion Response Policies and Procedures.
Management should establish, document, and review the policies
and procedures that guide the bank's response to information system
intrusions. The review should take place at least annually, with
more frequent reviews if the risk exposure warrants them.
Policies and procedures should address the following:
1. The priority and sequence of actions to respond to an
intrusion. Actions should address the containment and elimination of
an intrusion and system restoration. Among other issues, containment
actions include a determination of which business processes must
remain operational, which systems may be disconnected as a
precaution, and how to address authentication compromises (e.g.,
revealed passwords) across multiple systems.
2. Gathering and retaining intrusion information, as discussed
below.
3. The employee's authority to act, whether by request or by
pre-approval, and the process for escalating the intrusion response
to progressively higher degrees of intensity and senior management
involvement.
4. Availability of necessary resources to respond to intrusions.
Management should ensure that contact information is available for
those that are responsible for responding to intrusions.
5. System restoration tools and techniques, including the
elimination of the intruder's means of entry and back doors, and the
restoration of data and systems to the pre-intrusion state.
6. Notification and reporting to operators of other affected
systems, users, regulators, incident response organizations, and law
enforcement. Guidelines for filing a Suspicious Activity Report for
suspected computer related crimes are discussed below, and in OCC
Advisory Letter 97-9, "Reporting Computer Related Crimes" (November
19, 1997).
7. Periodic testing, as discussed below.
8. Staff training resources and requirements.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.3 Elements of an Effective Central Computer Security Program
For a central computer security program to be effective, it should
be an established part of organization management. If system
managers and applications owners do not need to consistently
interact with the security program, then it can become an empty
token of upper management's "commitment to security."
Stable Program Management Function. A well-established
program will have a program manager recognized within the
organization as the central computer security program manager. In
addition, the program will be staffed with able personnel, and links
will be established between the program management function and
computer security personnel in other parts of the organization. A
computer security program is a complex function that needs a stable
base from which to direct the management of such security resources
as information and money. The benefits of an oversight function
cannot be achieved if the computer security program is not
recognized within an organization as having expertise and authority.
Stable Resource Base. A well-established program will have
a stable resource base in terms of personnel, funds, and other
support. Without a stable resource base, it is impossible to plan
and execute programs and projects effectively.
Existence of Policy. Policy provides the foundation for the
central computer security program and is the means for documenting
and promulgating important decisions about computer security. A
central computer security program should also publish standards,
regulations, and guidelines that implement and expand on policy.
Published Mission and Functions Statement. A published
mission statement grounds the central computer security program into
the unique operating environment of the organization. The statement
clearly establishes the function of the computer security program
and defines responsibilities for both the computer security program
and other related programs and entities. Without such a statement,
it is impossible to develop criteria for evaluating the
effectiveness of the program.
Long-Term Computer Security Strategy. A well-established
program explores and develops long-term strategies to incorporate
computer security into the next generation of information
technology. Since the computer and telecommunications field moves
rapidly, it is essential to plan for future operating environments.
Compliance Program. A central computer security program
needs to address compliance with national policies and requirements,
as well as organization-specific requirements. National requirements
include those prescribed under the Computer Security Act of 1987,
OMB Circular A-130, the FIRMR, and Federal Information Processing
Standards.
Intraorganizational Liaison. Many offices within an
organization can affect computer security. The Information Resources
Management organization and physical security office are two obvious
examples. However, computer security often overlaps with other
offices, such as safety, reliability and quality assurance, internal
control, or the Office of the Inspector General. An effective
program should have established relationships with these groups in
order to integrate computer security into the organization's
management. The relationships should encompass more than just the
sharing of information; the offices should influence each other.
Liaison with External Groups. There are many sources of
computer security information, such as NIST's Computer Security
Program Managers' Forum, computer security clearinghouse, and the
Forum of Incident Response and Security Teams (FIRST). An
established program will be knowledgeable of and will take advantage
of external sources of information. It will also be a provider of
information.