MISCELLANEOUS CYBERSECURITY NEWS:
NIST proposes barring some of the most nonsensical password
rules - The National Institute of Standards and Technology
(NIST), the federal body that sets technology standards for
governmental agencies, standards organizations, and private
companies, has proposed barring some of the most vexing and
nonsensical password requirements.
https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-most-nonsensical-password-rules/
4 ways AI is transforming audit, risk and compliance -
Fast-moving trends in cloud, SaaS and especially artificial
intelligence are creating a digital disruption within
businesses that audit leaders say represent major risks
today and more tomorrow.
https://www.scworld.com/feature/4-ways-ai-is-transforming-audit-risk-and-compliance
Customers are done with passwords. Do businesses have a
solution? - Research shows customers are frustrated with the
login experience, and the friction can cost businesses
customers.
https://www.cybersecuritydive.com/news/passwords-biometric-authentication/728401/
Cybersecurity experts praise veto of California’s AI safety
bill - A controversial artificial intelligence safety bill,
Senate Bill 1047, was vetoed by Gov. Gavin Newsom on Sunday
after passing through the California legislature in late
August.
https://www.scworld.com/news/cybersecurity-experts-praise-veto-of-californias-ai-safety-bill
Researchers hacked Kia cars armed with only license plate
numbers - A team of security researchers discovered a
vulnerability that allows for Kia cars to be remotely
compromised with nothing more than a license plate number.
https://www.scworld.com/news/researchers-hacked-kia-cars-armed-with-only-license-plate-numbers
New bill seeks to mandate healthcare cybersecurity standards
- The proposed legislation, which has the backing of the
Department of Health and Human Services, would require the
health agency to set and enforce cybersecurity standards for
healthcare providers, clearinghouses and other industry
players.
https://www.nextgov.com/cybersecurity/2024/09/new-bill-seeks-mandate-healthcare-cybersecurity-standards/399864/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
US Transportation and Logistics Firms Targeted With
Infostealers, Backdoors - Threat actors are compromising
email accounts at transportation and shipping organizations
in North America to deliver various malware families,
https://www.securityweek.com/us-transportation-and-logistics-firms-targeted-with-infostealers-backdoors/
Kansas Water Facility Switches to Manual Operations
Following Cyberattack - The incident, described by local
media as a cyberattack, was discovered on the morning of
September 22 and led to precautionary measures being taken
“to ensure plant operations remained secure”, the city
announced in an incident notice.
https://www.securityweek.com/kansas-water-facility-switches-to-manual-operations-following-cyberattack/
MoneyGram faces backlog after cyberattack - The
international wire transfer company has restarted some
services since the incident, but is battling to fulfill
transactions after taking its systems offline for much of
the week.
https://www.cybersecuritydive.com/news/moneygram-cyberattack-money-transfer/728318/
Louisiana accounting firm breach affects 127,000 customers -
A breach of a mid-sized accounting firm in Louisiana that
impacted 127,431 of its customers offers some insight into
how average businesses find reporting data breaches in a
timely manner very challenging.
https://www.scworld.com/news/louisiana-accounting-firm-breach-affects-127000-customers
FCC reaches $31.5M settlement with T-Mobile over rash of
data breaches - The company agreed to a major change in
board-level governance and will make a series of upgrades to
boost its cyber resilience.
https://www.cybersecuritydive.com/news/fcc-settlement-t-mobile-data-breaches/728543/
Crucial Texas hospital system turning ambulances away after
ransomware attack - One of the largest hospitals in West
Texas has been forced to divert ambulances after a
ransomware attack shut down many of its systems last
Thursday.
https://therecord.media/crucial-hospital-texas-ransomware-attackc
Kuwait Health Ministry restoring systems after cyberattack
takes down hospitals, healthcare app - Kuwait’s Health
Ministry is recovering from a cyberattack that took down
systems at several of the country’s hospitals, as well as
the country’s Sahel healthcare app.
https://therecord.media/kuwait-ministry-restoring-systems-cyberattack
Meta pays the price for storing hundreds of millions of
passwords in plaintext - Officials in Ireland have fined
Meta $101 million for storing hundreds of millions of user
passwords in plaintext and making them broadly available to
company employees.
https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/
North Korea Hackers Linked to Breach of German Missile
Manufacturer - A professional hacking team linked to the
North Korean government has broken into Diehl Defence, a
German company that manufactures Iris-T air defense systems,
using a clever phishing campaign with fake job offers and
advanced social engineering tactics, according to a report.
https://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/
Hacker charged for breaching 5 companies for insider trading
- The U.S. Securities and Exchange Commission (SEC) charged
a U.K. citizen with hacking into the computer systems of
five U.S. public companies to access confidential earnings
information and conduct insider trading.
https://www.bleepingcomputer.com/news/security/hacker-charged-for-breaching-5-companies-for-insider-trading/
Dallas suburb working with FBI to address attempted
ransomware attack - A large Dallas suburb is dealing with a
ransomware attack that has required help from the FBI to
resolve.
https://therecord.media/richardson-texas-cyberattack-city-government
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 1 of 5)
BACKGROUND
Web-site spoofing is a method of
creating fraudulent Web sites that look similar, if not
identical, to an actual site, such as that of a bank.
Customers are typically directed to these spoofed Web sites
through phishing schemes or pharming techniques. Once
at the spoofed Web site, the customers are enticed to enter
information such as their Internet banking username and
password, credit card information, or other information that
could enable a criminal to use the customers' accounts to
commit fraud or steal the customers' identities.
Spoofing exposes a bank to strategic, operational, and
reputational risks; jeopardizes the privacy of bank
customers; and exposes banks and their customers to the risk
of financial fraud.
PROCEDURES TO ADDRESS SPOOFING
Banks can mitigate the risks of
Web-site spoofing by implementing the identification and
response procedures discussed in this bulletin. A bank
also can help minimize the impact of a spoofing incident by
assigning certain bank employees responsibility for
responding to such incidents and training them in the steps
necessary to respond effectively. If a bank's Internet
activities are outsourced, the bank can address spoofing
risks by ensuring that its contracts with its technology
service providers stipulate appropriate procedures for
detecting and reporting spoofing incidents, and that the
service provider's process for responding to such incidents
is integrated with the bank's own internal procedures.
Banks can improve the effectiveness
of their response procedures by establishing contacts with
the Federal Bureau of Investigation (FBI) and local law
enforcement authorities in advance of any spoofing incident.
These contacts should involve the appropriate departments
and officials responsible for investigating computer
security incidents. Effective procedures should also
include appropriate time frames to seek law enforcement
involvement, taking note of the nature and type of
information and resources that may be available to the bank,
as well as the ability of law enforcement authorities to act
rapidly to protect the bank and its customers.
Additionally, banks can use customer
education programs to mitigate some of the risks associated
with spoofing attacks. Education efforts can include
statement stuffers and Web-site alerts explaining various
Internet-related scams, including the use of fraudulent
e-mails and Web-sites in phishing attacks. In
addition, because the attacks can exploit vulnerabilities in
Web browsers and/or operating systems, banks should consider
reminding their customers of the importance of safe
computing practices.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 2 of 2)
Additional operating system access
controls include the following actions:
- Ensure system administrators and security professionals have adequate expertise to securely configure and manage the operating system.
- Ensure effective authentication methods are used to restrict system access to both users and applications.
- Activate and utilize operating system security and logging capabilities and supplement with additional security software where supported by the risk assessment process.
- Restrict operating system access to specific terminals in physically secure and monitored locations.
- Lock or remove external drives from system consoles or terminals residing outside physically secure locations.
- Restrict and log access to system utilities, especially those with data altering capabilities.
- Restrict access to operating system parameters.
- Prohibit remote access to sensitive operating system functions, where feasible, and at a minimum require strong authentication and encrypted sessions before allowing remote support.
- Limit the number of employees with access to sensitive operating systems and grant only the minimum level of access required to perform routine responsibilities.
- Segregate operating system access, where possible, to limit full or root-level access to the system.
- Monitor operating system access by user, terminal, date, and time of access.
- Update operating systems with security patches, using appropriate change control mechanisms.
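Several of the controls above (restricting access to approved terminals, limiting root-level access, and monitoring access by user, terminal, date and time) can be checked against the host's own session logs. The following is an added illustration, not code from the FFIEC booklet: it parses a handful of constructed syslog-style session-open lines, builds the per-user access record the monitoring control calls for, and flags direct root logins, sessions from terminals outside an assumed approved set, and sessions outside an assumed working-hours window. The log line shape, the terminal allow-list and the hours are all assumptions to be adapted to the real sources.

```python
"""Audit operating-system session events against a terminal allow-list and a
working-hours window. Illustrative example added to this newsletter; the log
format, allow-list and time window are constructed assumptions, not FFIEC text.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a syslog-like shape (assumption: the monitored
# hosts emit this form; adjust LINE_RE for real login/sshd sources).
SAMPLE_LOG = """\
2024-09-30T08:02:11 host1 login: session opened for user alice on tty1 from console
2024-09-30T08:15:43 host1 sshd: session opened for user bob on pts/3 from 10.0.5.17
2024-09-30T23:47:02 host1 sshd: session opened for user root on pts/9 from 203.0.113.4
2024-09-30T09:30:00 host1 login: session opened for user carol on tty2 from console
2024-09-30T12:01:19 host1 sshd: malformed line that should be skipped
2024-10-01T03:12:55 host1 sshd: session opened for user alice on pts/4 from 10.0.5.22
"""

# Assumed policy: only these terminals sit in the physically secure, monitored
# location, and interactive sessions are expected only within these hours.
APPROVED_TERMINALS = {"tty1", "tty2"}
WORK_HOURS = (7, 19)  # 07:00 inclusive to 19:00 exclusive, local time

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): session opened for user "
    r"(?P<user>\S+) on (?P<tty>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Return one dict per well-formed session-open line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised lines are ignored rather than guessed at
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_violations(events, approved=APPROVED_TERMINALS, hours=WORK_HOURS):
    """Flag root sessions, unapproved terminals and off-hours sessions."""
    findings = []
    start, end = hours
    for ev in events:
        reasons = []
        if ev["user"] == "root":
            reasons.append("direct root login")
        if ev["tty"] not in approved:
            reasons.append(f"terminal {ev['tty']} not in approved set")
        if not (start <= ev["ts"].hour < end):
            reasons.append("outside working hours")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], ev["tty"], reasons))
    return findings


def access_summary(events):
    """Per-user session count and terminals used: the monitoring record itself."""
    summary = defaultdict(lambda: {"sessions": 0, "terminals": set()})
    for ev in events:
        summary[ev["user"]]["sessions"] += 1
        summary[ev["user"]]["terminals"].add(ev["tty"])
    return {u: {"sessions": d["sessions"], "terminals": sorted(d["terminals"])}
            for u, d in summary.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, d in sorted(access_summary(evs).items()):
        print(f"{user}: {d['sessions']} session(s) on {', '.join(d['terminals'])}")
    for ts, user, tty, reasons in find_violations(evs):
        print(f"ALERT {ts} {user}@{tty}: {'; '.join(reasons)}")
```

On the constructed sample the root session from pts/9 at 23:47 trips all three checks at once, which is the pattern the segregation and monitoring controls are meant to surface; the unmatched line is deliberately dropped rather than partially parsed, so a malformed record cannot masquerade as an approved session.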
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.6 Cost Considerations
There are many security costs under the category of user
issues. Among these are:
Screening -- Costs of initial background screening
and periodic updates, as appropriate.
Training and Awareness -- Costs of training needs
assessments, training materials, course fees, and so forth.
User Administration -- Costs of managing
identification and authentication, which, particularly for
large distributed systems, may be rather significant.
Access Administration -- Beyond the initial account set-up,
there are ongoing costs of keeping user access rights current
and complete.
Auditing -- Although such costs can be reduced
somewhat when using automated tools, consistent,
resource-intensive human review is still often necessary to
detect and resolve security anomalies.