MISCELLANEOUS CYBERSECURITY NEWS:
Biggest Healthcare Data Breaches Reported This Year, So Far -
Healthcare data breaches are continuing to impact the healthcare
sector at alarming rates, even as more organizations adopt updated
security solutions in an attempt to keep pace with the influx of new
cyber threats.
https://healthitsecurity.com/features/biggest-healthcare-data-breaches-reported-this-year-so-far
Feds in search of better data as they look to replenish cyber
workforce - While the nation is facing a massive shortage of cyber
talent, there aren’t very good numbers or estimates around how much
the federal government will need to grow its workforce to keep pace
with needs and the current threat landscape.
https://www.scmagazine.com/analysis/careers/the-details-are-murky-for-how-the-feds-grow-a-bigger-cyber-workforce
The cyberattack with the most negative impact to patient care:
ransomware - A study released by Proofpoint in tandem with the
Ponemon Institute found that ransomware attacks are the most likely
kind of cyberattack to have a negative impact on patient care.
https://www.scmagazine.com/news/ransomware/the-cyberattack-with-the-most-negative-impact-to-patient-care-ransomware
CISA puts out the call for public feedback on new incident reporting
rules - The Cybersecurity and Infrastructure Security Agency is
seeking public input on how to set up a new incident reporting
regime for critical infrastructure.
https://www.scmagazine.com/analysis/incident-response/cisa-puts-out-the-call-for-public-feedback-on-new-incident-reporting-rules
The OCC’s Mark Morrison: Balancing security with the modern-day tech
environment - A conversation with Mark Morrison, chief security
officer for Options Clearing Corporation, or the OCC, the world’s
largest equity derivatives clearing organization.
https://www.scmagazine.com/news/security-awareness/mark-morrison-balancing-security-with-the-modern-day-tech-environment
Microsoft, Cloud Providers Move to Ban Basic Authentication -
Microsoft moves ahead with a plan to sunset basic authentication,
and other providers are moving - or have moved - to requiring more
secure authentication as well. Is your company ready?
https://www.darkreading.com/cloud/microsoft-cloud-providers-ban-basic-authentication
HC3 Details Healthcare Cybersecurity Implications of AI, 5G,
Emerging Tech - HC3 outlined the cybersecurity implications of
emerging technologies such as AI, 5G, and smart hospitals in its
latest brief.
https://healthitsecurity.com/news/hc3-details-healthcare-cybersecurity-implications-of-ai-5g-emerging-tech
FBI: Legacy medical devices pose risk of exploit, patient safety
impacts - Cyber threat actors are increasingly exploiting unpatched
medical devices operating on outdated software and those with a lack
of adequate security features, according to a new FBI private
industry notification.
https://www.scmagazine.com/analysis/device-security/fbi-legacy-medical-devices-pose-risk-of-exploit-patient-safety-impacts
Lawsuit after KeyBank breach heralds potential changes in cyber
liability - Just days after KeyBank publicly announced late last
Friday that an untold number of its mortgage customers had their
information stolen, the Cleveland-based financial institution was
slapped with a lawsuit that claims both the bank and a third-party
service provider were negligent in monitoring and controlling
potential IT security issues.
https://www.scmagazine.com/analysis/breach/lawsuit-after-keybank-breach-heralds-potential-changes-in-cyber-liability
Citizen Bank’s Holly Ridgeway: Respecting the security path taken -
Holly Ridgeway has not only cultivated a diverse and impressive
résumé of her own cybersecurity experience in the government, law
enforcement and consulting, as well as the financial industry, but
she has also put together an equally diverse IT security team at
Citizens Bank.
https://www.scmagazine.com/news/power-players/citizen-banks-holly-ridgeway-respecting-the-security-path-taken
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
KeyBank: Hackers of third-party provider stole customer data -
Hackers stole personal data including Social Security numbers,
addresses and account numbers of home mortgage holders at KeyBank,
the bank reports, in the breach of a third-party vendor that serves
multiple corporate clients.
https://apnews.com/article/technology-hacking-data-privacy-23b0d233ddaf6fee4831f69e7b113848
Los Angeles school district to remain open despite ransomware attack
- The Los Angeles Unified School District, the second largest school
district in the country, is reporting it has been victimized in a
ransomware attack.
https://www.scmagazine.com/analysis/ransomware/los-angeles-school-district-to-remain-open-despite-ransomware-attack
Cyberattack brings down InterContinental Hotels' booking systems -
The IT systems of InterContinental Hotels Group, the massive
hospitality organization that operates 17 hotel brands around the
world, have been compromised, causing ongoing disruption to the
corporation's online booking systems and other services.
https://www.theregister.com/2022/09/06/ihg_hotels_data_breach/
Law firm informs 255K of HIPAA data incident 10 months after hack -
Warner Norcross & Judge recently informed the Department of Health
and Human Services of a Health Insurance Portability and
Accountability Act data breach impacting 255,160 individuals.
https://www.scmagazine.com/analysis/ransomware/law-firm-informs-255k-of-hipaa-data-incident-10-months-after-hack
Samsung Has Been Hacked: What Data Has Been Stolen? - On September
2, Samsung published a security advisory confirming it had been
hacked. The breach would appear to have been of Samsung systems in
the U.S. and took place in 'late July' according to the advisory.
https://www.forbes.com/sites/daveywinder/2022/09/02/samsung-has-been-hacked-what-data-has-been-stolen/?sh=3f4f41739b92
Cisco maintains data leak from ransomware attack poses no risk -
Cisco on Sunday confirmed that the bad actors who had previously
leaked Cisco data files to the dark web posted the actual contents
of those files to the same location on the dark web.
https://www.scmagazine.com/news/ransomware/cisco-maintains-data-leak-from-ransomware-attack-poses-no-risk
Texas hospital facing communication issues, system rebuild amid
ransomware attack - A ransomware attack deployed against OakBend
Medical Center on Sept. 1 caused communication issues and IT
disruptions.
https://www.scmagazine.com/analysis/ransomware/texas-hospital-facing-communication-issues-system-rebuild-amid-ransomware-attack
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Operations and Controls
• Determine adequacy of the
service provider’s standards, policies and procedures relating
to internal controls, facilities management (e.g., access
requirements, sharing of facilities, etc.), security (e.g.,
systems, data, equipment, etc.), privacy protections,
maintenance of records, business resumption contingency
planning, systems development and maintenance, and employee
background checks.
• Determine if the service provider provides sufficient security
precautions, including, when appropriate, firewalls, encryption,
and customer identity authentication, to protect institution
resources as well as detect and respond to intrusions.
• Review audit reports of the service provider to determine
whether the audit scope, internal controls, and security
safeguards are adequate.
• Evaluate whether the institution will have complete and timely
access to its information maintained by the provider.
• Evaluate the service provider’s knowledge of regulations that
are relevant to the services they are providing (e.g.,
Regulation E, privacy and other consumer protection regulations,
Bank Secrecy Act, etc.).
• Assess the adequacy of the service provider’s insurance
coverage including fidelity, fire, liability, data losses from
errors and omissions, and protection of documents in transit.
Financial Condition
• Analyze the service provider’s
most recent audited financial statements and annual report as
well as other indicators (e.g., publicly traded bond ratings),
if available.
• Consider factors such as how long the service provider has
been in business and the service provider’s market share for a
given service and how it has fluctuated.
• Consider the significance of the institution’s proposed
contract on the service provider’s financial condition.
• Evaluate technological expenditures. Is the service provider’s
level of investment in technology consistent with supporting the
institution’s activities? Does the service provider have the
financial resources to invest in and support the required
technology?
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
LOGGING AND DATA COLLECTION (Part 2 of 2)
When evaluating whether and what data to log,
institutions should consider the importance of the related
system or information, the importance of monitoring the access
controls, the value of logged data in restoring a compromised
system, and the means to effectively analyze the data.
Generally, logs should capture source identification
information; session ID; terminal ID; and the date, time, and
the nature of the access attempt, service request, or process.
Many hardware and software products come with logging disabled
and may have inadequate log analysis and reporting capabilities.
Institutions may have to enable the logging capabilities and
then verify that logging remains enabled after rebooting. In
some cases, additional software will provide the only means to
analyze the log files effectively.
Many products such as firewall and intrusion detection
software can simplify the security monitoring by automating the
analysis of the logs and alerting the appropriate personnel of
suspicious activity. Log files are critical to the successful
investigation and prosecution of security incidents and can
potentially contain sensitive information. Intruders will often
attempt to conceal any unauthorized access by editing or
deleting log files. Therefore, institutions should strictly
control and monitor access to log files. Some considerations for
securing the integrity of log files include:
• Encrypting log files that contain sensitive data or that
are transmitted over the network,
• Ensuring adequate storage capacity to avoid gaps in data
gathering,
• Securing backup and disposal of log files,
• Logging the data to a separate, isolated computer,
• Logging the data to write-only media like a
write-once/read-many (WORM) disk or drive,
• Utilizing centralized logging, such as the UNIX "SYSLOG"
utility, and
• Setting logging parameters to disallow any modification to
previously written data.
The financial institution should have an effective means of
tracing a security event through their system. Synchronized time
stamps on network devices may be necessary to gather consistent
logs and a consistent audit trail. Additionally, logs should be
available, when needed, for incident detection, analysis and
response.
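An added example, not part of the FFIEC booklet or the original newsletter: a small Python audit that checks each record for the fields listed above and flags gaps in data gathering and out-of-order time stamps. The key=value record layout, the field key names, and the 30-minute gap threshold are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Fields the passage says a record should capture (key names are assumed).
REQUIRED = ("src", "session", "terminal", "ts", "event")

# Constructed sample records, not taken from any real system.
SAMPLE = [
    "ts=2022-09-12T08:00:01+00:00 src=10.0.0.5 session=a1 terminal=tty1 event=login_ok",
    "ts=2022-09-12T08:00:40+00:00 src=10.0.0.5 session=a1 event=file_read",
    "ts=2022-09-12T08:00:20+00:00 src=10.0.0.9 session=b7 terminal=tty3 event=login_fail",
    "ts=2022-09-12T09:30:00+00:00 src=10.0.0.9 session=b7 terminal=tty3 event=login_ok",
]

def parse(line):
    """Split a key=value record into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def audit(lines, max_gap=timedelta(minutes=30)):
    """Return (line_number, finding) tuples for records that need review."""
    findings, prev = [], None
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:
            findings.append((n, "missing:" + ",".join(missing)))
        try:
            ts = datetime.fromisoformat(rec.get("ts", ""))
            if ts.tzinfo is None:
                # Without a UTC offset, stamps from different devices cannot be compared.
                raise ValueError("no UTC offset")
        except ValueError:
            findings.append((n, "bad_timestamp"))
            continue
        if prev is not None:
            if ts < prev:
                # Clock drift between devices, or a record edited or inserted later.
                findings.append((n, "out_of_order"))
            elif ts - prev > max_gap:
                # Logging disabled, storage exhausted, or records deleted.
                findings.append((n, "gap"))
        # Track the latest time seen so one early record does not hide a later gap.
        prev = ts if prev is None else max(prev, ts)
    return findings

if __name__ == "__main__":
    for n, finding in audit(SAMPLE):
        print(f"line {n}: {finding}")
```

A finding is a prompt for review rather than proof of tampering: a quiet system also produces gaps, so the threshold should reflect the expected event rate of the source.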
When using logs to support personnel actions, management
should consult with counsel about whether the logs are
sufficiently reliable to support the action.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.3.3 Interruption of Operations
HGA's building
facilities and physical plant are several decades old and are
frequently under repair or renovation. As a result, power, air
conditioning, and LAN or WAN connectivity for the server are
typically interrupted several times a year for periods of up to one
work day. For example, on several occasions, construction workers
have inadvertently severed power or network cables. Fires, floods,
storms, and other natural disasters can also interrupt computer
operations, as can equipment malfunctions.
Another threat of small
likelihood, but significant potential impact, is that of a malicious
or disgruntled employee or outsider seeking to disrupt time-critical
processing (e.g., payroll) by deleting necessary inputs or system
accounts, misconfiguring access controls, planting computer viruses,
or stealing or sabotaging computers or related equipment. Such
interruptions, depending upon when they occur, can prevent time and
attendance data from getting processed and transferred to the
mainframe before the payroll processing deadline.
20.3.4 Disclosure or Brokerage of Information
Other kinds of threats
may be stimulated by the growing market for information about an
organization's employees or internal activities. Individuals who
have legitimate work-related reasons for access to the master
employee database may attempt to disclose such information to other
employees or contractors or to sell it to private investigators,
employment recruiters, the press, or other organizations. HGA
considers such threats to be moderately likely and of low to high
potential impact, depending on the type of information involved.