MISCELLANEOUS CYBERSECURITY NEWS:
Microsoft shares the latest in its crawl toward a world without
passwords - Let’s be real: We all hate them. And most of us are not
terribly good at creating them.
https://www.scmagazine.com/news/security-awareness/watch-microsoft-shares-the-latest-in-its-crawl-toward-a-world-without-passwords
The downside of cybersecurity overconfidence - A recent IDG survey
found that many IT managers believe their existing network security
equaled or surpassed their competitors', with 48% reporting their
overall network security was “ahead of the curve.”
https://www.scmagazine.com/perspective/cybercrime/the-downside-of-cybersecurity-overconfidence
How to face the new challenges in an ever-expanding – and risky –
internet environment - Two decades ago, we kept everything
relatively simple by containing our organization’s technology
footprint within the closed fortress that was the corporate network.
https://www.scmagazine.com/perspective/network-security/how-to-face-the-new-challenges-in-an-ever-expanding-and-risky-internet-environment
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Feds ink $26 million contract for deception platform for defense
agencies - The federal government has awarded a contract to
CounterCraft for a new deception platform that will be deployed
throughout the Department of Defense.
https://www.scmagazine.com/analysis/network-security/feds-ink-26-million-contract-for-deception-platform-for-defense-agencies
Cyber-snoops broke into US military contractor, stole data, hid for
months - Spies for months hid inside a US military contractor's
enterprise network and stole sensitive data, according to a joint
alert from the US government's Cybersecurity and Infrastructure
Security Agency (CISA), the FBI, and NSA.
https://www.theregister.com/2022/10/05/military_contractor_hack/
Australia moots changes to privacy laws after Optus data breach -
Government is revising regulations to allow telcos to temporarily
share some of their customers' personal information, such as
driver's licence and passport numbers, with financial services
institutions to facilitate monitoring and remediation in the event
of a data breach.
https://www.zdnet.com/article/australia-moots-changes-to-privacy-laws-after-optus-data-breach/
Australian Federal Police arrest man suspected of exploiting Optus
cyberattack - Aussie police have cuffed a 19-year-old Sydney
resident accused of trying to extort money from victims of the
recent cyberattack and digital burglary at national
telecommunications provider Optus.
https://www.theregister.com/2022/10/06/optus_blackmail_arrest/
Former Uber CSO convicted for covering up massive 2016 data theft -
Uber's former chief security officer has been found guilty of
illegally covering up the theft of Uber drivers' and customers'
personal information.
https://www.theregister.com/2022/10/06/uber_cso_sullivan_guilty/
CommonSpirit cyberattack spurs IT outages at CHI Memorial, hospitals
across US - A cyberattack deployed against CommonSpirit has led to
IT outages at hospitals across the U.S., including multiple CHI
Memorial hospitals in Chattanooga, Tennessee. Local media outlets
report the incident has also caused disruptions at hospitals run by
Virginia Mason Franciscan Health (VMFH) in Seattle.
https://www.scmagazine.com/analysis/ransomware/commonspirit-cyberattack-spurs-it-outages-at-chi-memorial-hospitals-across-us
Airports regain website service after Killnet DDoS attacks, but
experts warn of more severe attacks - By mid-afternoon Monday, many
of the airport websites that were taken down by the Russian hacking
group Killnet earlier in the day were up and running.
https://www.scmagazine.com/analysis/network-security/airports-regain-website-service-after-killnet-ddos-attacks-but-experts-warn-of-more-severe-attacks
Fortinet says critical auth bypass bug is exploited in attacks -
Fortinet has confirmed today that a critical authentication bypass
security vulnerability patched last week is being exploited in the
wild.
https://www.bleepingcomputer.com/news/security/fortinet-says-critical-auth-bypass-bug-is-exploited-in-attacks/
Lloyd's of London cuts off network after dodgy activity detected -
Lloyd's of London has cut off its IT systems and is probing a
possible cyberattack against it after detecting worrisome network
behavior this week.
https://www.theregister.com/2022/10/07/lloyds_london_security_incident/
Cancer Testing Lab Reports 2nd Major Breach Within 6 Months - A data
breach at a Georgia cancer testing laboratory affecting the
information of nearly 245,000 individuals is the second time within
six months the lab reported to federal regulators a hacking breach
affecting hundreds of thousands of individuals.
https://www.govinfosecurity.com/cancer-testing-lab-reports-2nd-major-breach-within-6-months-a-20230
Intel Alder Lake BIOS code leak may contain vital secrets - Source
code for the BIOS used with Intel's 12th-gen Core processors has
been leaked online, possibly including details of undocumented
model-specific registers (MSRs) and even the private signing key for
Intel's Boot Guard security technology.
https://www.theregister.com/2022/10/10/alder_lake_bios_code_leaked/
Family Medical informs 234K patients of possible data compromise -
Family Medical Center Services recently informed 233,948 patients
that their data was potentially compromised after a “network data
security incident” on July 26. FMC is a network of 75 primary care
clinics in Amarillo and Canyon, Texas.
https://www.scmagazine.com/analysis/ransomware/family-medical-reports-informs-234k-patients-of-possible-data-compromise
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Business Resumption and Contingency Plans
The contract should address the service provider’s responsibility
for backup and record protection, including equipment, program and
data files, and maintenance of disaster recovery and contingency
plans. Responsibilities should include testing of the plans and
providing results to the institution. The institution should
consider interdependencies among service providers when determining
business resumption testing requirements. The service provider
should provide the institution with operating procedures the service
provider and institution are to implement in the event business
resumption contingency plans are implemented. Contracts should
include specific provisions for business recovery timeframes that
meet the institution’s business requirements. The institution should
ensure that the contract does not contain any provisions that would
excuse the service provider from implementing its contingency plans.
Sub-contracting and Multiple Service Provider Relationships
Some service providers may contract with third parties in
providing services to the financial institution. To provide
accountability, it may be beneficial for the financial institution
to seek an agreement with and designate a primary contracting
service provider. The institution may want to consider including a
provision specifying that the contracting service provider is
responsible for the service provided to the institution regardless
of which entity is actually conducting the operations. The
institution may also want to consider including notification and
approval requirements regarding changes to the service provider’s
significant subcontractors.
Cost
The contract should fully describe fees and calculations for base
services, including any development, conversion, and recurring
services, as well as any charges based upon volume of activity and
for special requests. Cost and responsibility for purchase and
maintenance of hardware and software may also need to be addressed.
Any conditions under which the cost structure may be changed should
be addressed in detail including limits on any cost increases.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 1 of 4)
Automated intrusion detection systems (IDS) use one of two
methodologies, signature and heuristics. An IDS can target either
network traffic or a host. The signature-based methodology is
generally used on network traffic. An IDS that uses a
signature-based methodology reads network packets and compares the
content of the packets against signatures, or unique
characteristics, of known attacks and known anomalous network
traffic. When a match is recognized between current readings and a
signature, the IDS generates an alert.
A general weakness in the signature-based detection method is
that a signature must exist for an alert to be generated. Attacks
that generate different signatures from what the institution
includes in its IDS will not be detected. This problem can be
particularly acute if the institution does not continually update
its signatures to reflect lessons learned from attacks on itself and
others, as well as developments in attack tool technologies. It can
also pose problems when the signatures only address known attacks,
rather than both known attacks and anomalous traffic. Another
general weakness is in the capacity of the IDS to read traffic. If
the IDS falls behind in reading network traffic, traffic may be
allowed to bypass the IDS. That traffic may contain attacks that
would otherwise cause the IDS to issue an alert.
Proper placement of network IDS is a strategic decision
determined by the information the institution is trying to obtain.
Placement outside the firewall will deliver IDS alarms related to
all attacks, even those that are blocked by the firewall. With this
information, an institution can develop a picture of potential
adversaries and their expertise based on the probes they issue
against the network.
Because the placement is meant to gain intelligence on attackers
rather than to alert on attacks, tuning generally makes the IDS less
sensitive than if it is placed inside the firewall. An IDS outside
the firewall will generally alert on the greatest number of
unsuccessful attacks. IDS monitoring behind the firewall is meant to
detect and alert on hostile intrusions. Multiple IDS units can be
used, with placement determined by the expected attack paths to
sensitive data. Generally speaking, the closer the IDS is to
sensitive data, the more important the tuning, monitoring, and
response to IDS alerts. The National Institute of Standards and
Technology (NIST) recommends network intrusion detection systems "at
any location where network traffic from external entities is allowed
to enter controlled or private networks."
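The two signature-based weaknesses described above, a missing signature and a sensor that falls behind, shown in a toy IDS. This is an added illustration, not code from the FFIEC booklet; the signatures and packets are constructed and do not correspond to real attacks.

```python
"""Toy signature-based network IDS; signatures and packets are constructed."""


class SignatureIDS:
    def __init__(self, signatures, capacity):
        self.signatures = dict(signatures)  # alert name -> known-attack pattern
        self.capacity = capacity            # packets the sensor can read per interval
        self.bypassed = 0                   # packets that passed uninspected

    def inspect(self, payload):
        """Compare one packet against every signature; None means no match."""
        for name, pattern in self.signatures.items():
            if pattern in payload:
                return name
        return None

    def process_interval(self, packets):
        """Read at most `capacity` packets; the overflow bypasses the IDS,
        so an attack carried in those packets raises no alert."""
        inspected = packets[: self.capacity]
        self.bypassed += len(packets) - len(inspected)
        return [hit for hit in map(self.inspect, inspected) if hit]


# Constructed signatures and traffic for the demonstration (not real attacks).
SIGNATURES = {"probe-v1": b"EVIL-PROBE/1.0", "exploit-a": b"KNOWN-EXPLOIT-A"}
PACKETS = [
    b"GET /index.html HTTP/1.1",   # benign
    b"EVIL-PROBE/1.0 scan",        # covered by a signature
    b"EVIL-PROBE/2.0 scan",        # variant with no signature yet: missed
    b"KNOWN-EXPLOIT-A payload",    # covered by a signature
]


def run(capacity, extra_signatures=None):
    """Return (alerts fired, packets bypassed) for one interval of traffic."""
    ids = SignatureIDS({**SIGNATURES, **(extra_signatures or {})}, capacity)
    alerts = ids.process_interval(PACKETS)
    return alerts, ids.bypassed


if __name__ == "__main__":
    print(run(10))                                   # v2 variant goes unnoticed
    print(run(2))                                    # exploit-a bypasses: capacity
    print(run(10, {"probe-v2": b"EVIL-PROBE/2.0"}))  # after the signature update
```

The third run shows the remedy the booklet calls for: once the signature set is updated with the lesson learned, the variant alerts like the original.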
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.4.2 Protection Against Payroll Fraud and Errors: Time and Attendance
Application (1 of 2)
The time and attendance application plays a major role in protecting
against payroll fraud
and errors. Since the time and attendance application is a component
of a larger automated payroll process, many of its functional and
security requirements have been derived from both governmentwide and
HGA-specific policies related to payroll and leave. For example, HGA
must protect personal information in accordance with the Privacy
Act. Depending on the specific type of information, it should
normally be viewable only by the individual concerned, the
individual's supervisors, and personnel and payroll department
employees. Such information should also be timely and accurate.
Each week, employees must sign and submit a time sheet that identifies
the number of
hours they have worked and the amount of leave they have taken. The
Time and Attendance Clerk enters the data for a given group of
employees and runs an application on the LAN server to verify the
data's validity and to ensure that only authorized users with access
to the Time and Attendance Clerk's functions can enter time and
attendance data. The application performs these security checks by
using the LAN server's access control and identification and
authentication (I&A) mechanisms. The application compares the data
with a limited database of employee information to detect incorrect
employee identifiers, implausible numbers of hours worked, and so
forth. After correcting any detected errors, the clerk runs another
application that formats the time and attendance data into a report,
flagging exception/out-of-bound conditions (e.g., negative leave
balances).
Department supervisors are responsible for reviewing the correctness
of the time sheets of
the employees under their supervision and indicating their approval
by initialing the time sheets. If they detect significant
irregularities and indications of fraud in such data, they must
report their findings to the Payroll Office before submitting the
time sheets for processing. In keeping with the principle of
separation of duty, all data on time sheets and corrections on the
sheets that may affect pay, leave, retirement, or other benefits of
an individual must be reviewed for validity by at least two
authorized individuals (other than the affected individual).
Protection Against Unauthorized Execution
Only users with access to Time and Attendance Supervisor functions
may approve and submit
time and attendance data -- or subsequent corrections thereof -- to
the mainframe. Supervisors may not approve their own time and
attendance data.
Only the System Administrator has been granted access to assign a
special access
control privilege to server programs. As a result, the server's
operating system is designed to prevent a bogus time and attendance
application created by any other user from communicating with the
WAN and, hence, with the mainframe.
The time and attendance application is supposed to be configured so
that the clerk and
supervisor functions can only be carried out from specific PCs
attached to the LAN and only during normal working hours.
Administrators are not authorized to exercise functions of the time
and attendance application apart from those concerned with
configuring the accounts, passwords, and access permissions for
clerks and supervisors. Administrators are expressly prohibited by
policy from entering, modifying, or submitting time and attendance
data via the time and attendance application or other mechanisms.
Protection against unauthorized execution of the time and attendance
application
depends on I&A and access controls. While the time and attendance
application is accessible from any PC, unlike most programs run by
PC users, it does not execute directly on the PC's processor.
Instead, it executes on the server, while the PC behaves as a
terminal, relaying the user's keystrokes to the server and
displaying text and graphics sent from the server. The reason for
this approach is that common PC systems do not provide I&A and
access controls and, therefore, cannot protect against unauthorized
time and attendance program execution. Any individual who has
access to the PC could run any program stored there.
Another possible approach is for the time and attendance program to
perform I&A and
access control on its own by requesting and validating a password
before beginning each time and attendance session. This approach,
however, can be defeated easily by a moderately skilled programming
attack, and was judged inadequate by HGA during the application's
early design phase.
Recall that the server is a more powerful computer equipped with a
multiuser operating
system that includes password-based I&A and access controls.
Designing the time and attendance application program so that it
executes on the server under the control of the server's operating
system provides a more effective safeguard against unauthorized
execution than executing it on the user's PC.
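The clerk-side validity checks, the role restrictions on entry and approval, and the two-reviewer separation-of-duty rule described in this section, modelled as server-side checks. This is an added example, not code from the NIST Handbook; the role table, employee database and time sheets are constructed stand-ins for the server's I&A data.

```python
"""HGA time and attendance rules modelled in code; roles and data are constructed."""
from dataclasses import dataclass, field

# Constructed lookups standing in for the server's I&A data and the
# application's limited employee database (id -> leave balance in hours).
ROLES = {"clerk1": "clerk", "sup1": "supervisor", "sup2": "supervisor",
         "admin1": "administrator", "E100": "employee"}
EMPLOYEES = {"E100": 0.0, "E101": 16.0, "sup1": 40.0}


@dataclass
class TimeSheet:
    employee: str
    hours_worked: float
    leave_taken: float
    approvals: list = field(default_factory=list)


def validate(sheet):
    """Clerk-side checks: bad identifiers, implausible hours, negative leave."""
    errors = []
    if sheet.employee not in EMPLOYEES:
        return ["unknown employee identifier"]
    if not 0 <= sheet.hours_worked <= 80:
        errors.append("implausible hours worked")
    if EMPLOYEES[sheet.employee] - sheet.leave_taken < 0:
        errors.append("negative leave balance")
    return errors


def enter(user, sheet):
    """Only the clerk role enters data; administrators configure accounts but
    are prohibited by policy from entering or modifying time sheets."""
    if ROLES.get(user) != "clerk":
        raise PermissionError(f"{user} may not enter time and attendance data")
    return validate(sheet)


def approve(user, sheet):
    """Supervisor-only approval, never of one's own sheet; returns True once
    two distinct supervisors other than the employee have approved."""
    if ROLES.get(user) != "supervisor":
        raise PermissionError(f"{user} may not approve time sheets")
    if user == sheet.employee:
        raise PermissionError("supervisors may not approve their own data")
    if user not in sheet.approvals:
        sheet.approvals.append(user)
    return len(sheet.approvals) >= 2
```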