MISCELLANEOUS CYBERSECURITY NEWS:
CISO hiring and compensation growth - A report shows the
pace of CISO hiring remained slow during the first half of
2024, but is beginning to ramp back up.
https://www.cybersecuritydive.com/news/economic-uncertainty-ciso-hiring/728951/
United Airlines leaned on real-time data to recover from the
CrowdStrike outage - The airline modernized its technology
foundations with better customer experiences in mind. Then,
a major software outage underscored the importance of live
data.
https://www.cybersecuritydive.com/news/united-airlines-crowdstrike-recovery/728832/
ICS/OT: US, Allies Release Guidance on Securing OT
Environments - New guidance from government agencies in the
US and allied countries provides organizations with details
on how to design, implement, and manage safe and secure
operational technology (OT) environments.
https://www.securityweek.com/us-allies-release-guidance-on-securing-ot-environments/
The three qualities modern CISOs must have today to succeed
- Chief information security officers (CISOs) have heard
loud and clear the message that they no longer have to
function as the chief officer of “no.” But at the same time,
boards and chief executive officers (CEOs) aren't looking
for “yes” women and men.
https://www.scworld.com/perspective/the-three-qualities-modern-cisos-must-have-today-to-succeed
Ryanair faces GDPR turbulence over customer ID checks -
Ireland's Data Protection Commission (DPC) has launched an
inquiry into Ryanair's Customer Verification Process for
travelers booking flights through third-party websites or
online travel agents (OTA).
https://www.theregister.com/2024/10/05/irish_dpc_ryanair_probe/
What security pros can learn from the bad information spread
during this year’s election cycle - Cybersecurity leaders
across all levels of government face new challenges as this
year’s election approaches – hurdles that are substantially
different than the ones they dealt with four years ago when
the last presidential ballots were cast.
https://www.scworld.com/perspective/what-security-pros-can-learn-from-the-bad-information-spread-during-this-years-election-cycle
FTC settles yearslong investigation into Marriott’s
‘security failures’ - The settlement caps a pattern of major
data breaches at Marriott and its subsidiary Starwood Hotels
and Resorts Worldwide over the last decade.
https://www.cybersecuritydive.com/news/ftc-settles-marriott-starwood-data-breaches/729464/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
T-Mobile US to cough up $31.5M after that long string of
security SNAFUs - At least seven intrusions in five years?
Yeah, those promises of improvement more than 'long
overdue'.
https://www.theregister.com/2024/09/30/tmobile_data_breaches_settlement/
Sellafield ordered to pay nearly £400,000 over cybersecurity
failings - Nuclear waste dump in Cumbria pleaded guilty to
leaving data that could threaten national security exposed
for four years, says regulator.
https://www.theguardian.com/business/2024/oct/02/sellafield-ordered-to-pay-nearly-400000-over-cybersecurity-failings
American Water shuts down customer portal amid cybersecurity
incident - American Water Company, the largest regulated
water and wastewater utility company in the United States,
said it was the victim of a “cybersecurity incident” last
week, leading it to take its MyWater customer portal
offline.
https://www.scworld.com/news/american-water-shuts-down-customer-portal-amid-cybersecurity-incident
ADT employee account data stolen in cyberattack - The alarm
system company said an attacker accessed its network with
compromised credentials obtained from an unnamed third
party.
https://www.cybersecuritydive.com/news/adt-data-theft-cyberattack/729218/
China’s Salt Typhoon Hacked AT&T, Verizon - The China-linked
threat group known as Salt Typhoon has hacked into the
networks of several major broadband providers in the United
States, potentially compromising wiretap systems, according
to The Wall Street Journal.
https://www.securityweek.com/chinas-salt-typhoon-hacked-att-verizon-report/
Michigan’s largest county suffers cyberattack - Wayne
County, Michigan, the largest county in the state with more
than 1.75 million residents, is dealing with a cyberattack
that shut down all its websites and limited the operations
of several functions, including financial transactions, case
management and estate sales.
https://statescoop.com/wayne-county-michigan-cyberattack-2024/
Comcast and Truist Bank customers caught up in FBCS data
breach - Comcast Cable Communications and Truist Bank have
disclosed they were impacted by a data breach at FBCS, and
are now informing their respective customers that their data
has been compromised.
https://www.bleepingcomputer.com/news/security/comcast-and-truist-bank-customers-caught-up-in-fbcs-data-breach/
Okta Tells Users to Check for Potential Exploitation of
Newly Patched Vulnerability - Identity and access management
solutions provider Okta has resolved a vulnerability that
could have allowed attackers to bypass sign-on policies and
gain access to applications.
https://www.securityweek.com/okta-tells-users-to-check-for-potential-exploitation-of-newly-patched-vulnerability/
Record-Breaking DDoS Attack Peaked at 3.8 Tbps, 2.14 Billion
Pps - Web performance and security firm Cloudflare recently
mitigated another record-breaking DDoS attack.
https://www.securityweek.com/record-breaking-ddos-attack-peaked-at-3-8-tbps-2-14-billion-pps/
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web
Sites - Risk Mitigation and Response Guidance for Web Site
Spoofing Incidents (Part 2 of 5)
PROCEDURES TO ADDRESS SPOOFING - Detection
Banks can improve their ability to
detect spoofing by monitoring appropriate information
available inside the bank and by searching the Internet for
illegal or unauthorized use of bank names and trademarks.
The following is a list of possible indicators of Web-site
spoofing:
* E-mail messages returned to
bank mail servers that were not originally sent by the bank.
In some cases, these e-mails may contain links to spoofed
Web sites;
* Reviews of Web-server logs
can reveal links to suspect Web addresses indicating that
the bank's Web site is being copied or that other malicious
activity is taking place;
* An increase in customer
calls to call centers or other bank personnel, or direct
communications from consumers reporting spoofing activity.
Banks can also detect spoofing by
searching the Internet for identifiers associated with the
bank such as the name of a company or bank. Banks can
use available search engines and other tools to monitor Web
sites, bulletin boards, news reports, chat rooms,
newsgroups, and other forums to identify usage of a specific
company or bank name. The searches may uncover recent
registrations of domain names similar to the bank's domain
name before they are used to spoof the bank's Web site.
Banks can conduct this monitoring in-house or can contract
with third parties who provide monitoring services.
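One way to run the Web-server log review and the similar-domain
check described above, shown as an added example that is not part
of the OCC guidance. The domain examplebank.com, the log lines and
the function names are constructed for illustration; the combined
log format is assumed.

```python
import re
from urllib.parse import urlsplit

BANK_DOMAIN = "examplebank.com"  # assumption: placeholder for the bank's real domain
STATIC_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".ico")
# Apache/nginx "combined" log format: capture the request path and the Referer.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Constructed sample lines (documentation IP ranges, made-up hosts).
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Oct/2024:10:00:01 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "https://www.examplebank.com/login" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Oct/2024:10:02:13 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "http://examp1ebank.com/login.html" "Mozilla/5.0"',
    '198.51.100.8 - - [07/Oct/2024:10:02:40 +0000] "GET /css/site.css?v=3 HTTP/1.1" 200 900 "http://examplebank-secure.example.net/index.html" "Mozilla/5.0"',
    '192.0.2.44 - - [07/Oct/2024:10:03:02 +0000] "GET / HTTP/1.1" 200 7000 "https://search.example.org/?q=bank" "Mozilla/5.0"',
    '192.0.2.50 - - [07/Oct/2024:10:03:09 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "-" "curl/8.0"',
]

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host, bank=BANK_DOMAIN, max_dist=2):
    """True if host embeds the bank's name or is within a few typos of its domain."""
    host = host.removeprefix("www.")
    return bank.split(".")[0] in host or edit_distance(host, bank) <= max_dist

def suspect_referrers(lines, bank=BANK_DOMAIN):
    """Map each external referring host to the reasons it deserves review."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, referer = m.groups()
        host = urlsplit(referer).hostname  # None for "-" or an empty Referer
        if not host or host == bank or host.endswith("." + bank):
            continue  # no referrer, or the bank's own site
        reasons = findings.setdefault(host, set())
        if path.split("?")[0].lower().endswith(STATIC_EXT):
            reasons.add("asset-hotlink")  # another site's page loads the bank's images/CSS
        if is_lookalike(host, bank):
            reasons.add("lookalike-domain")
    return {h: sorted(r) for h, r in findings.items() if r}
```

A flagged host is a lead for manual review, not proof of spoofing;
legitimate partners and aggregators can also appear as referrers.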
Banks can encourage customers and
consumers to assist in the identification process by
providing prominent links on their Web pages or telephone
contact numbers through which customers and consumers can
report phishing or other fraudulent activities.
Banks can also train
customer-service personnel to identify and report customer
calls that may stem from potential Web-site attacks.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS
(Part 1 of 2)
Sensitive or mission-critical
applications should incorporate appropriate access controls
that restrict which application functions are available to
users and other applications. The most commonly referenced
applications from an examination perspective support the
information processing needs of the various business lines.
These computer applications allow authorized users or other
applications to interface with the related database.
Effective application access control can enforce both
segregation of duties and dual control. Access rights to
sensitive or critical applications and their database should
ensure that employees or applications have the minimum level
of access required to perform their business functions.
Effective application access control involves a partnership
between the security administrators, the application
programmers (including TSPs and vendors), and the business
owners.
Some security software programs will integrate access
control for the operating system and some applications. That
software is useful when applications do not have their own
access controls, and when the institution wants to rely on
the security software instead of the application's access
controls. Examples of such security software products for
mainframe computers include RACF, CA-ACF2, and
CA-TopSecret. Institutions should understand the functionality
and vulnerabilities of their application access control
solutions and consider those issues in their risk assessment
process.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
A computer security contingency is an event with the
potential to disrupt computer operations, thereby disrupting
critical mission and business functions. Such an event could
be a power outage, hardware failure, fire, or storm. If the
event is very destructive, it is often called a disaster.
To avert potential contingencies and disasters or minimize
the damage they cause, organizations can take steps early to
control the event. Generally called contingency planning,
this activity is closely related to incident handling, which
primarily addresses malicious technical threats such as
hackers and viruses.
Contingency planning involves more than planning for a move
offsite after a disaster destroys a data center. It also
addresses how to keep an organization's critical functions
operating in the event of disruptions, both large and small.
This broader perspective on contingency planning is based on
the distribution of computer support throughout an
organization.
This chapter presents the contingency planning process in
six steps:
1) Identifying the mission- or business-critical
functions.
2) Identifying the resources that support the
critical functions.
3) Anticipating potential contingencies or disasters.
4) Selecting contingency planning strategies.
5) Implementing the contingency strategies.
6) Testing and revising the strategy.
Contingency planning directly supports an organization's
goal of continued operations. Organizations practice
contingency planning because it makes good business sense.