MISCELLANEOUS CYBERSECURITY NEWS:
New SEC rules for reporting cybersecurity incidents serves
investors, not CISOs - The Securities and Exchange Commission (SEC)
on July 26 finally turned the controversial Proposed Rule for Public
Companies (PRPC) into an actual rule.
https://www.scmagazine.com/perspective/new-sec-rules-for-reporting-cybersecurity-incidents-serves-investors-not-cisos
Privacy watchdog recommends court approval for FBI searches of spy
data - The recommendations from the executive branch's privacy
watchdog to reform Section 702 puts the panel at odds with the White
House.
https://cyberscoop.com/pclob-section-702-court-approval/
Growth in cybersecurity spending sank by 65% in 2022-23, report
finds - Cybersecurity spending saw a 65% drop in growth during the
2022-23 budget cycle, according to a new report from IANS Research
and Artico Search.
https://www.scmagazine.com/news/cybersecurity-spending-increases-sank-by-65-in-2022-23-report-finds
CISOs push for baseline AI business rules - The responsibility for
artificial intelligence in the workplace has swiftly rolled uphill
to the chief information security officer’s inbox.
https://www.scmagazine.com/news/cisos-push-for-baseline-ai-business-rules
FBI Warns of Dual Ransomware Attacks and Data Destruction Trends -
The US Federal Bureau of Investigation (FBI) has issued a Private
Industry Notification highlighting two concerning trends in the
world of ransomware attacks.
https://www.infosecurity-magazine.com/news/fbi-warns-dual-ransomware-data/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Russian state hackers attempted to block Ukrainians from opening US
bank accounts - For a two-week period in March 2022, 95% of the
accounts that were opened at major U.S. banks were fraudulently
created - many by Russian state hackers who were carrying out a
denial-of-service attack of sorts in an attempt to block Ukrainian
war refugees from transferring their money to American financial
institutions.
https://www.scmagazine.com/news/russian-state-hackers-attempted-to-block-ukrainians-from-opening-us-bank-accounts
US State Department Says 60,000 Emails Taken in Alleged Chinese Hack
- The US State Department said Thursday that hackers took around
60,000 emails, although none of them classified, in an attack which
Microsoft has blamed on China.
https://www.securityweek.com/us-state-department-says-60000-emails-taken-in-alleged-chinese-hack/
Johnson Controls International Disrupted by Major Cyberattack -
Johnson Controls International (JCI) this week reported in a filing
with the US Securities and Exchange Commission (SEC) that it had
suffered a cyberattack that caused disruptions to its internal IT
infrastructure.
https://www.darkreading.com/ics-ot/johnson-controls-international-hit-with-massive-ransomware-attack
UK Logistics Firm Forced to Close After Ransomware Breach - One of
the UK’s largest privately owned logistics firms has entered
administration following major disruption to its business caused by
a ransomware attack earlier this year, according to reports.
https://www.infosecurity-magazine.com/news/uk-logistics-close-after/
MOVEit customers ‘happy’ with company’s response to hack - Progress
Software CEO Yogesh Gupta has downplayed the reputational impact of
the massive MOVEit Transfer attack, saying most customers were
“really happy” with the way the company responded.
https://www.scmagazine.com/news/ceo-moveit-customers-happy-with-companys-response-to-hack
LinkedIn Messaging used by APT to phish aerospace target and plant
novel malware - The North Korean-linked Lazarus threat group used an
undocumented remote access trojan (RAT) as part of a
LinkedIn-focused phishing attack on a Spanish aerospace company.
https://www.scmagazine.com/news/lazarus-uses-linkedin-to-phish-aerospace-targets-for-secrets-deploying-novel-rat
Johnson Controls Ransomware Attack Could Impact DHS - Sensitive
Department of Homeland Security (DHS) information might have been
compromised in a recent ransomware attack aimed at government
contractor Johnson Controls International.
https://www.securityweek.com/johnson-controls-ransomware-attack-could-impact-dhs/
European Telecommunications Standards Institute Discloses Data
Breach - Established in 1988, ETSI is an independent, not-for-profit
organization that supports the development and testing of technical
standards in the fields of information and communication, including
technologies such as GSM, 3G, 4G, 5G, and others.
https://www.securityweek.com/european-telecommunications-standards-institute-discloses-data-breach/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
VULNERABILITY ASSESSMENT TOOLS
Vulnerability assessment tools, also called security scanning
tools, assess the security of network or host systems and report
system vulnerabilities. These tools can scan networks, servers,
firewalls, routers, and applications for vulnerabilities. Generally,
the tools can detect known security flaws or bugs in software and
hardware, determine if the systems are susceptible to known attacks
and exploits, and search for system vulnerabilities such as settings
contrary to established security policies.
In evaluating a vulnerability assessment tool, management should
consider how frequently the tool is updated to include the detection
of any new weaknesses such as security flaws and bugs. If there is a
time delay before a system patch is made available to correct an
identified weakness, mitigating controls may be needed until the
system patch is issued.
Generally, vulnerability assessment tools are not run in
real-time, but they are commonly run on a periodic basis. When using
the tools, it is important to ensure that the results from the scan
are secure and only provided to authorized parties. The tools can
generate both technical and management reports, including text,
charts, and graphs. The vulnerability assessment reports can tell a
user what weaknesses exist and how to fix them. Some tools can
automatically fix vulnerabilities after detection.
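As an added illustration of the kind of check these tools perform (settings contrary to an established policy, reported with remediation advice, and results kept from unauthorized readers), the following is example code written for this newsletter, not a tool from the FDIC paper; the sshd_config sample and the policy baseline are constructed for the demonstration.

```python
import os
import tempfile

# Constructed sample sshd_config fragment with weak settings (not from the FDIC paper).
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes   # a trailing comment is ignored by the parser
MaxAuthTries 4
"""

# Hypothetical policy baseline: setting -> (required value, remediation text).
POLICY = {
    "PermitRootLogin": ("no", "Set 'PermitRootLogin no'; use sudo for privileged work."),
    "PasswordAuthentication": ("no", "Require public-key authentication instead."),
    "MaxAuthTries": ("4", "Limit authentication attempts per connection to 4."),
}

def parse_config(text):
    """Parse 'Key value' lines; comments and blanks are skipped, last value wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings

def assess(settings, policy):
    """Return findings as (setting, observed, required, remediation) tuples."""
    findings = []
    for key, (required, fix) in policy.items():
        observed = settings.get(key, "<unset>")
        if observed.lower() != required.lower():
            findings.append((key, observed, required, fix))
    return findings

def write_report(findings, path):
    """Write a management-readable report, created owner-only (mode 0600); returns the mode."""
    lines = [f"{len(findings)} finding(s) contrary to policy"]
    for key, observed, required, fix in findings:
        lines.append(f"- {key}: found '{observed}', policy requires '{required}'. Fix: {fix}")
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        f.write("\n".join(lines) + "\n")
    return os.stat(path).st_mode & 0o777

def run_demo():
    """Scan the constructed sample and write its report to a fresh temp dir."""
    path = os.path.join(tempfile.mkdtemp(), "scan-report.txt")
    findings = assess(parse_config(SAMPLE_SSHD_CONFIG), POLICY)
    return len(findings), write_report(findings, path)
```

A real scanner would refresh its policy and signature set on a schedule and run periodically, as the paper notes; this example covers only the compare-and-report step.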
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about Infrastructure Threats and
Intrusion Risks. This week we review Suspicious Activity Reporting.
National banks are required to report intrusions and other
computer crimes to the OCC and law enforcement by filing a
Suspicious Activity Report (SAR) form and submitting it to the
Financial Crimes Enforcement Network (FinCEN), in accordance with 12
USC 21.11. This reporting obligation exists regardless of whether
the institution has reported the intrusion to the
information-sharing organizations discussed below. For purposes of
the regulation and the SAR form instructions, an "intrusion" is
defined as gaining access to the computer system of a financial
institution to remove, steal, procure or otherwise affect
information or funds of the institution or customers. It also
includes actions that damage, disable, or otherwise affect critical
systems of the institution. For example, distributed denial of
service (DDoS) attacks should be reported on a SAR because
they may temporarily disable critical systems of financial
institutions.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.5 Elements of Effective System-Level Programs
Like the central computer security program, many factors influence
how successful a system-level computer security program is. Many of
these are similar to the central program. This section addresses
some additional considerations.
Security Plans. The Computer Security Act mandates that
agencies develop computer security and privacy plans for sensitive
systems. These plans ensure that each federal and federal interest
system has appropriate and cost-effective security. System-level
security personnel should be in a position to develop and implement
security plans. Chapter 8 discusses the plans in more detail.
System-Specific Security Policy. Many computer security
policy issues need to be addressed on a system-specific basis. The
issues can vary for each system, although access control and the
designation of personnel with security responsibility are likely to
be needed for all systems. A cohesive and comprehensive set of
security policies can be developed by using a process that derives
security rules from security goals, as discussed in Chapter 5.
Life Cycle Management. As discussed in Chapter 8, security must be
managed throughout a system's life cycle. This specifically includes
ensuring that changes to the system are made with attention to
security and that accreditation is accomplished.
Integration With System Operations. The system-level
computer security program should consist of people who understand
the system, its mission, its technology, and its operating
environment. Effective security management usually needs to be
integrated into the management of the system. Effective integration
will ensure that system managers and application owners consider
security in the planning and operation of the system. The system
security manager/officer should be able to participate in the
selection and implementation of appropriate technical controls and
security procedures and should understand system vulnerabilities.
Also, the system-level computer security program should be capable
of responding to security problems in a timely manner.
For large systems, such as a mainframe data center, the security
program will often include a manager and several staff positions in
such areas as access control, user administration, and contingency
and disaster planning. For small systems, such as an officewide
local-area-network (LAN), the LAN administrator may have adjunct
security responsibilities.
Separation From Operations. A natural tension often exists
between computer security and operational elements. In many
instances, operational components -- which tend to be far larger and
therefore more influential -- seek to resolve this tension by
embedding the computer security program in computer operations. The
typical result of this organizational strategy is a computer
security program that lacks independence, has minimal authority,
receives little management attention, and has few resources. As
early as 1978, GAO identified this organizational mode as one of the
principal basic weaknesses in federal agency computer security
programs. System-level programs face this problem most often.
This conflict between the need to be a part of system management
and the need for independence has several solutions. The basis of
many of the solutions is a link between the computer security
program and upper management, often through the central computer
security program. A key requirement of this setup is the existence
of a reporting structure that does not include system management.
Another possibility is for the computer security program to be
completely independent of system management and to report directly
to higher management. There are many hybrids and permutations, such
as co-location of computer security and systems management staff but
separate reporting (and supervisory) structures. Figure 6.4 presents
one example of placement of the computer security program within a
typical Federal agency.