MISCELLANEOUS CYBERSECURITY NEWS:
MUST READ FOR IT AUDITORS
- GAO - Cybersecurity Program Audit Guide - Federal cybersecurity is
an urgent priority because it protects critical infrastructure,
federal operations, and individuals' personal data.
https://www.gao.gov/products/gao-23-104705
KEV Catalog Reaches 1000, What Does That Mean and What Have We
Learned - Every organization is confronted by a common cybersecurity
challenge: there are too many vulnerabilities in technology
products. This makes it difficult to prioritize limited resources –
with over 25,000 new vulnerabilities released in 2022 alone, where
should an organization begin?
https://www.cisa.gov/news-events/news/kev-catalog-reaches-1000-what-does-mean-and-what-have-we-learned
Time to navigate the legal and data governance implications of AI -
Ever since Big Tech began talking about generative AI in their
earnings reports, there has been a frenzy over its potential
benefits, from increased workplace productivity to breakthroughs in
medical research.
https://www.scmagazine.com/perspective/time-to-navigate-the-legal-and-data-governance-implications-of-ai
GAO - National Cybersecurity Strategy Needs to Address Information
Sharing Performance Measures and Methods - Federal agencies and
critical infrastructure owners and operators must share information
to tackle increasingly complex cyber threats. Long-standing
challenges, such as security concerns and timeliness, make this
harder.
https://www.gao.gov/products/gao-23-105468
DHS looks to harmonize cyber reporting for critical industry - In a
new report, the Department of Homeland Security assessed more than
50 existing and proposed federal cybersecurity incident reporting
requirements with an eye to ironing out duplicative, confusing and
overlapping rules.
https://www.nextgov.com/cybersecurity/2023/09/dhs-looks-harmonize-cyber-reporting-critical-industry/390574/
US, UK strike data transfer agreement - The United Kingdom and the
United States finalized an agreement Thursday allowing for the free
flow of online data between the two nations starting Oct. 12.
https://cyberscoop.com/us-uk-data-transfer-agreement/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Clorox Blames Damaging Cyberattack for Product Shortage - Cleaning
products manufacturer Clorox says the recent cyberattack has been
contained, but production is still not fully restored and some of
its consumer products are in short supply.
https://www.securityweek.com/clorox-blames-damaging-cyberattack-for-product-shortage/
Hackers breached International Criminal Court’s systems last week -
The International Criminal Court (ICC) disclosed a cyberattack on
Tuesday after discovering last week that its systems had been
breached.
https://www.bleepingcomputer.com/news/security/hackers-breached-international-criminal-courts-systems-last-week/
Nearly 900 colleges hit by MOVEit hack on National Student
Clearinghouse - The National Student Clearinghouse disclosed that
nearly 900 colleges and universities have been impacted by the
MOVEit hack.
https://www.scmagazine.com/news/nearly-900-colleges-hit-by-moveit-hack
Dallas says Royal ransomware breached its network using stolen
account - The City of Dallas, Texas, said this week that the Royal
ransomware attack that forced it to shut down all IT systems in May
started with a stolen account.
https://www.bleepingcomputer.com/news/security/dallas-says-royal-ransomware-breached-its-network-using-stolen-account/
900 US Schools Impacted by MOVEit Hack at National Student
Clearinghouse - A ransomware group gained access to information
belonging to thousands of organizations and millions of individuals
earlier this year by exploiting a zero-day vulnerability in the
MOVEit managed file transfer software.
https://www.securityweek.com/900-us-schools-impacted-by-moveit-hack-at-national-student-clearinghouse/
Fake Red Cross blood drive info lures phishing victims - A highly
skilled but previously unknown advanced persistent threat (APT)
group targeted victims using an American Red Cross blood drive
phishing lure and two novel trojan horse malware tools.
https://www.scmagazine.com/news/fake-red-cross-blood-drive-info-lures-phishing-victims
Misconfigured SAS token by Microsoft’s AI team exposes 38TB of
GitHub data - A data exposure incident found on Microsoft’s AI
GitHub repository, including more than 30,000 internal Microsoft
Teams messages - was caused by one misconfigured shared access
signature (SAS) token.
https://www.scmagazine.com/news/misconfigured-sas-token-by-microsofts-ai-team-exposes-38tb-of-github-data
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Hackers may use "social engineering," a scheme that uses social
techniques to obtain the technical information required to access a
system. A hacker may claim to be someone authorized to access the
system, such as an employee or a particular vendor or contractor. The
hacker may then attempt to get a real employee to reveal user names
or passwords, or even to set up new computer accounts. Another threat
involves the practice of "war-dialing," in which hackers use a
program that automatically dials telephone numbers and searches for
modem lines that bypass network firewalls and other security
measures. A few other common forms of system attack include:
Denial of service (system failure), which is any action that
prevents a system from operating as intended. It may be the
unauthorized destruction, modification, or delay of service. For
example, in a "SYN flood" attack, a system is flooded with requests
to establish a connection, leaving it with more half-open
connections than it can support. Legitimate users of the system
being attacked are then unable to connect until those half-open
connections time out or are otherwise closed.
Internet Protocol (IP) spoofing, which allows an intruder on the
Internet to impersonate a local system's IP address in an attempt to
gain access to that system. If other local systems perform session
authentication based on a connection's IP address, those systems may
misinterpret incoming connections from the intruder as originating
from a local trusted host and not require a password.
Trojan horses, which are programs that contain additional
(hidden) functions that usually allow malicious or unintended
activities. A Trojan horse program generally performs unintended
functions that may include replacing programs, or collecting,
falsifying, or destroying data. Trojan horses can be attached to
e-mails and may create a "back door" that allows unrestricted access
to a system. The programs may also suppress logging and other
information that would allow the intruder to be traced.
Viruses, which are computer programs that may be embedded
in other code and can self-replicate. Once active, they may take
unwanted and unexpected actions that can result in either
nondestructive or destructive outcomes in the host computer
programs. The virus program may also move into multiple platforms,
data files, or devices on a system and spread through multiple
systems in a network. Virus programs may be contained in an e-mail
attachment and become active when the attachment is opened.
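Two of the attacks in the FDIC list above lend themselves to a concrete check. The Python below is an added example written for this newsletter, not text or code from the FDIC paper. Part 1 flags a SYN flood from a connection-table snapshot: the sample snapshot is constructed in the column layout of the Linux `ss -tan` command, and the thresholds (`max_half_open`, `min_ratio`) are illustrative values, not recommendations. Part 2 shows why session authentication keyed on the peer's IP address is defeated by a spoofed header, and contrasts it with a challenge-response check keyed on a shared secret; the trusted-host list and the shared key are assumptions for the demonstration.

```python
"""Added example (not from the FDIC paper): checks for two of the attacks
listed above.  Part 1 flags a SYN flood from a connection-table snapshot;
Part 2 shows why session authentication keyed on the peer's IP address fails
under IP spoofing and contrasts it with a shared-secret challenge-response.
"""
import hashlib
import hmac
import os
from collections import Counter, defaultdict

# --- Part 1: half-open connections as a SYN flood indicator -----------------
# Constructed snapshot in the column layout of `ss -tan` on Linux.  A flood
# shows up as many SYN-RECV entries on one local port from many distinct peers.
SS_SNAPSHOT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:443         0.0.0.0:*
ESTAB     0      0      10.0.0.5:443        203.0.113.7:51022
ESTAB     0      0      10.0.0.5:22         203.0.113.9:60110
SYN-RECV  0      0      10.0.0.5:443        198.51.100.1:40001
SYN-RECV  0      0      10.0.0.5:443        198.51.100.2:40002
SYN-RECV  0      0      10.0.0.5:443        198.51.100.3:40003
SYN-RECV  0      0      10.0.0.5:443        198.51.100.4:40004
SYN-RECV  0      0      10.0.0.5:443        198.51.100.5:40005
SYN-RECV  0      0      10.0.0.5:22         203.0.113.9:60111
"""

def parse_ss(snapshot):
    """Yield (state, local_port, peer_ip) for each connection line."""
    for line in snapshot.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        yield state, int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]

def syn_flood_suspects(snapshot, max_half_open=4, min_ratio=2.0):
    """Return {port: (half_open, established, distinct_peers)} for local
    ports whose half-open count exceeds max_half_open AND exceeds
    min_ratio times the established count.  Thresholds are illustrative;
    tune them to the host's normal accept rate."""
    half_open, established = Counter(), Counter()
    peers = defaultdict(set)
    for state, port, peer in parse_ss(snapshot):
        if state == "SYN-RECV":
            half_open[port] += 1
            peers[port].add(peer)
        elif state == "ESTAB":
            established[port] += 1
    return {
        port: (n, established[port], len(peers[port]))
        for port, n in half_open.items()
        if n > max_half_open and n > min_ratio * max(established[port], 1)
    }

# --- Part 2: IP-based trust versus a keyed challenge-response ---------------
TRUSTED_HOSTS = {"10.0.0.20"}       # hosts.equiv-style trust list (assumed)

def ip_trust_authorizes(packet):
    """VULNERABLE: trusts the source address written in the packet header.
    Nothing in that header proves the sender actually holds the address."""
    return packet["src"] in TRUSTED_HOSTS

def make_response(key, nonce, src):
    """Client side: prove possession of the shared key for this challenge."""
    return hmac.new(key, nonce + src.encode(), hashlib.sha256).digest()

def keyed_authorizes(packet, nonce, key):
    """HARDENED: accept only if the peer answered our fresh nonce with a MAC
    under the shared key; a spoofed address alone cannot produce it."""
    expected = make_response(key, nonce, packet["src"])
    return hmac.compare_digest(packet.get("mac", b""), expected)

def demo():
    key = os.urandom(32)                 # provisioned out of band (assumed)
    nonce = os.urandom(16)               # server issues a fresh challenge
    spoofed = {"src": "10.0.0.20", "mac": b"\x00" * 32}  # attacker lacks key
    legit = {"src": "10.0.0.20", "mac": make_response(key, nonce, "10.0.0.20")}
    return (ip_trust_authorizes(spoofed),            # True  - spoof succeeds
            keyed_authorizes(spoofed, nonce, key),   # False - spoof rejected
            keyed_authorizes(legit, nonce, key))     # True  - real peer passes

if __name__ == "__main__":
    print(syn_flood_suspects(SS_SNAPSHOT))   # {443: (5, 1, 5)}
    print(demo())                            # (True, False, True)
```

On a live Linux host, Part 1 can be fed the real output of `ss -tan`; a large, rising SYN-RECV count from many distinct peers on one port is the pattern the FDIC text describes, and the usual host-side mitigation is enabling SYN cookies (`net.ipv4.tcp_syncookies = 1`), which lets the kernel answer SYNs without keeping per-connection state. Part 2 is the design lesson behind the IP-spoofing item: anything a remote party writes into a header is a claim, not proof, so session authentication needs a secret the spoofer does not hold.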
FFIEC IT SECURITY -
We continue our review
of the OCC Bulletin about Infrastructure Threats and Intrusion
Risks. This week we review Gathering and Retaining Intrusion
Information.
Particular care should be taken when gathering intrusion
information. The OCC expects management to clearly assess the
tradeoff between enabling an easier recovery by gathering
information about an intruder and the risk that an intruder will
inflict additional damage while that information is being gathered.
Management should establish and communicate procedures and
guidelines to employees through policies, procedures, and training.
Intrusion evidence should be maintained in a fashion that enables
recovery while facilitating subsequent actions by law enforcement.
Legal chain of custody requirements must be considered. In general,
legal chain of custody requirements address controlling and securing
evidence from the time of the intrusion until it is turned over to
law enforcement personnel. Chain of custody actions, and those
actions that should be guarded against, should be identified and
embodied in the bank's policies, procedures, and training.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.4 System-Level Computer Security Programs
While the central program addresses the entire spectrum of
computer security for an organization, system-level programs ensure
appropriate and cost-effective security for each system. This
includes influencing decisions about what controls to implement,
purchasing and installing technical controls, day-to-day computer
security administration, evaluating system vulnerabilities, and
responding to security problems. It encompasses all the areas
discussed in the handbook.
System-level computer security program personnel are the local
advocates for computer security. The system security manager/officer
raises the issue of security with the cognizant system manager and
helps develop solutions for security problems. For example, has the
application owner made clear the system's security requirements?
Will bringing a new function online affect security, and if so, how?
Is the system vulnerable to hackers and viruses? Has the contingency
plan been tested? Raising these kinds of questions will force system
managers and application owners to identify and address their
security requirements.