MISCELLANEOUS CYBERSECURITY NEWS:
Incident Response: 10 steps for an effective program - Incident
response (IR) is one of the key components of a strong cyber
security program, but it does not work well when fragmented and
disjointed.
https://www.scmagazine.com/resource/ransomware/incident-response-10-steps-for-an-effective-program
Financial firms increasingly held hostage by advanced ransomware
attacks - ity professionals, who have seen these attacks wreak havoc
on institutions big and small for more than half a dozen years.
https://www.scmagazine.com/analysis/ransomware/financial-firms-increasingly-held-hostage-by-advanced-ransomware-attacks
Cyber Insurers Clamp Down on Clients' Self-Attestation of Security
Controls - After one company suffered a breach that could have been
headed off by the MFA (Multi-factor Authentication) it claimed to
have, insurers are looking to confirm claimed cybersecurity
measures. A voided lawsuit from a cyber insurance carrier claiming
its customer misled it on its insurance application could
potentially pave the way to change how underwriters evaluate
self-attestation claims on insurance applications.
https://www.darkreading.com/edge/cyber-insurers-clamp-down-on-clients-self-attestation-of-security-controls
$35M fine for Morgan Stanley after unencrypted, unwiped hard drives
are auctioned - Morgan Stanley on Tuesday agreed to pay the
Securities and Exchange Commission (SEC) a $35 million penalty for
data security lapses that included unencrypted hard drives from
decommissioned data centers being resold on auction sites without
first being wiped.
https://arstechnica.com/information-technology/2022/09/morgan-stanley-pays-35m-penalty-for-extensive-failure-to-safeguard-customer-data/
NSA shares guidance to help secure OT/ICS critical infrastructure -
The National Security Agency (NSA) and CISA have issued guidance on
how to secure operational technology (OT) and industrial control
systems (ICS) that are part of U.S. critical infrastructure.
https://www.bleepingcomputer.com/news/security/nsa-shares-guidance-to-help-secure-ot-ics-critical-infrastructure/
National data privacy proposal may shape health data not covered by
HIPAA - Healthcare stakeholders have long warned of the need for
better privacy protection for health data that falls outside the
purview of the Health Insurance Portability and Accountability Act.
https://www.scmagazine.com/feature/privacy/national-data-privacy-proposal-may-shape-health-data-not-covered-by-hipaa
Senators propose open source software risk framework in new bill -
Lawmakers introduced a bill Thursday that would have the
Cybersecurity and Infrastructure Security Agency develop a risk
framework to strengthen the security of open-source software.
https://www.fedscoop.com/open-source-risk-framework-bill/
VPN Providers Flee India as a New Data Law Takes Hold - Many
companies have pulled physical servers from the country as a mandate
to collect customer data goes into effect. Ahead of the deadline to
comply with the Indian government's new data-collection rules, VPN
companies from across the globe have pulled their servers out of the
country in a bid to protect their users' privacy.
https://www.wired.com/story/vpn-firms-flee-india-data-collection-law/
Privacy, security concerns prompt GAO to call for more telehealth
oversight - The Department of Health and Human Services Office for
Civil Rights (OCR) is missing a tracking mechanism to understand the
extent to which providers are informing Medicaid patients of the
privacy and security risks brought on by telehealth platforms; those
risks led to 43 patient complaints to OCR during the COVID-19
pandemic.
https://www.scmagazine.com/analysis/privacy/privacy-security-concerns-prompts-gao-to-call-for-more-telehealth-oversight
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Vulnerability in Oracle Cloud Infrastructure could have allowed
unauthorized access - Researchers on Tuesday reported that #AttachMe,
a dangerous cloud isolation vulnerability in Oracle Cloud
Infrastructure (OCI), was of grave concern because it could have
been targeted by an attacker without authorization.
https://www.scmagazine.com/news/cloud-security/vulnerability-in-oracle-cloud-infrastructure-could-have-allowed-unauthorized-access
Hackers Paralyze 911 Operations in Suffolk County, NY - A Sept. 8
ransomware attack on Suffolk County government systems in New York
continues to wreak havoc on citizens of the area, driving
overwhelmed 911 operators working without the aid of computers to
call for backup.
https://www.darkreading.com/attacks-breaches/hackers-paralyze-911-operations-suffolk-county-ny
FBI: Iranian hackers lurked in Albania’s govt network for 14 months
- The Federal Bureau of Investigation (FBI) and CISA said that one
of the Iranian threat groups behind the destructive attack on the
Albanian government's network in July lurked inside its systems for
roughly 14 months.
https://www.bleepingcomputer.com/news/security/fbi-iranian-hackers-lurked-in-albania-s-govt-network-for-14-months/
Optus security breach compromises customers' passport details -
Australian operator says it is investigating "unauthorised access"
of personal data belonging to its current and former customers,
including dates of birth, phone numbers, and passport numbers.
https://www.zdnet.com/article/optus-security-breach-compromises-customers-passport-details/
American Airlines learned it was breached from phishing targets -
American Airlines says its Cyber Security Response Team found out
about a recently disclosed data breach from the targets of a
phishing campaign that was using an employee's hacked Microsoft 365
account.
https://www.bleepingcomputer.com/news/security/american-airlines-learned-it-was-breached-from-phishing-targets/
Health data theft at Physician’s Business Office impacts 197K
patients - Physician’s Business Office notified 196,573 patients
that their personal data and protected health information was likely
stolen during a hack of its network five months ago.
https://www.scmagazine.com/analysis/breach/health-data-theft-at-physicians-business-office-impacts-197k-patients
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Security and Confidentiality
The contract should address the service provider's responsibility
for the security and confidentiality of the institution's resources
(e.g., information, hardware). To protect against unauthorized use
(e.g., disclosure of information to the institution's competitors),
the agreement should prohibit the service provider and its agents
from using or disclosing the institution's information except as
necessary to, or consistent with, providing the contracted services.
If the service provider receives nonpublic personal information
regarding the institution's customers, the institution should notify
the service provider so that it can assess the applicability of the
privacy regulations. Institutions should require the service
provider to fully disclose security breaches resulting in
unauthorized intrusions into the service provider that may
materially affect the institution or its customers. The service
provider should report to the institution when material intrusions
occur, the effect on the institution, and the corrective action
taken to respond to the intrusion.
Controls
Consideration should be given to contract provisions addressing
control over operations such as:
• Internal controls to be maintained by the service provider.
• Compliance with applicable regulatory requirements.
• Records to be maintained by the service provider.
• Access to the records by the institution.
• Notification by the service provider to the institution, and the
institution's approval rights, regarding material changes to
services, systems, controls, key project personnel allocated to the
institution, and new service locations.
• Setting and monitoring of parameters relating to any financial
functions, such as payments processing and any extensions of credit
on behalf of the institution.
• Insurance coverage to be maintained by the service provider.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SERVICE PROVIDER OVERSIGHT - SAS 70 REPORTS
Frequently technology service providers (TSPs) or user groups will
contract with an accounting firm to report on security using
Statement on Auditing Standards 70 (SAS 70), an auditing standard
developed by the American Institute of Certified Public Accountants.
SAS 70 focuses on controls and control objectives. It allows for two
types of reports. A SAS 70 Type I report gives the service
provider's description of controls at a specific point in time, and
an auditor's report. The auditor's report provides an opinion on
whether the control description fairly presents the relevant aspects
of the controls, and whether the controls were suitably designed for
their purpose.
A SAS 70 Type II report expands upon a Type I report by
addressing whether the controls were functioning. It provides a
description of the auditor's tests of the controls. It also provides
an expanded auditor's report that addresses whether the controls
that were tested were operating with sufficient effectiveness to
provide reasonable, but not absolute, assurance that the control
objectives were achieved during the specified period.
Financial institutions should carefully evaluate the scope and
findings of any SAS 70 report. The report may be based on different
security requirements than those established by the institution. It
may not provide a thorough test of security controls unless the TSP
requested one or the engagement was augmented with additional
coverage. Additionally, the report may not address the effectiveness
of the security process in continually mitigating changing risks.
Therefore, financial institutions may require additional reports to
oversee the security program of the service provider.
Note that SAS 70 has since been superseded: service auditor reports
are now issued under SSAE 16 (from 2011) and later SSAE 18 as SOC 1
reports, with security-focused assurance more commonly sought in a
SOC 2 report. The Type I (design at a point in time) versus Type II
(operating effectiveness over a period) distinction, and the cautions
above about scope and coverage, carry over unchanged to those
reports.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)

20.3.6 Other Threats

HGA's systems also are exposed to several other threats that, for
reasons of space, cannot be fully enumerated here. Examples of
threats and HGA's assessment of their probabilities and impacts
include those listed in the table below.

Examples of Threats to HGA Systems

Potential Threat                                               Probability   Impact
Accidental Loss/Release of Disclosure-Sensitive Information    Medium        Low/Medium
Accidental Destruction of Information                          High          Medium
Loss of Information due to Virus Contamination                 Medium        Medium
Misuse of System Resources                                     Low           Low
Theft                                                          High          Medium
Unauthorized Access to Telecommunications Resources *          Medium        Medium
Natural Disaster                                               Low           High

* HGA operates a PBX system, which may be vulnerable to (1) hacker
disruptions of PBX availability and, consequently, agency
operations, (2) unauthorized access to outgoing phone lines for
long-distance services, (3) unauthorized access to stored voice-mail
messages, and (4) surreptitious access to otherwise private
conversations/data transmissions.

20.4 Current Security Measures

HGA has numerous policies and procedures for protecting its assets
against the above threats. These are articulated in HGA's Computer
Security Manual, which implements and synthesizes the requirements
of many federal directives, such as Appendix III to OMB Circular
A-130, the Computer Security Act of 1987, and the Privacy Act. The
manual also includes policies for automated financial systems, such
as those based on OMB Circulars A-123 and A-127, as well as the
Federal Managers' Financial Integrity Act.

Several examples of those policies follow, as they apply generally
to the use and administration of HGA's computer system and
specifically to security issues related to time and attendance,
payroll, and continuity of operations.