MISCELLANEOUS CYBERSECURITY NEWS:
Pentagon shares new cybersecurity rules for government
contractors - The U.S. Department of Defense introduced new
cybersecurity requirements for companies that contract with
the federal government.
https://www.scworld.com/news/pentagon-shares-new-cybersecurity-rules-for-government-contractors
FBI, CISA seek input on software security, configuration
changes - Authorities are seeking public comment on steps
the software industry can take to make their products more
resistant to malicious threat activity.
https://www.cybersecuritydive.com/news/fbi-cisa-software-security/730174/
Microsoft: BYOD, QR Codes Lead Rampant Education Attacks -
The average higher education institution is getting hit once
a week now, and as one Oregon State University attack shows,
the sector often lacks the resources to keep pace.
https://www.darkreading.com/threat-intelligence/byod-qr-codes-education-attacks
CISA official: AI tools ‘need to have a human in the loop’ -
Lisa Einstein, the cyber agency’s chief AI officer, made the
case at two D.C. events for “strong human processes” when
using the technology.
https://fedscoop.com/cisa-chief-ai-officer-lisa-einstein-cyber-ai-policy/
Introduction of landmark Cyber Security Legislation Package
- The Australian Government is committed to enhancing the
security and resilience of Australia’s cyber environment and
critical infrastructure.
https://www.homeaffairs.gov.au/news-media/archive/article
Marriott settles with FTC, to pay $52 million over data
breaches - Marriott International and its subsidiary
Starwood Hotels will pay $52 million and create a
comprehensive information security program as part of
settlements for data breaches that impacted over 344 million
customers.
https://www.bleepingcomputer.com/news/legal/marriott-settles-with-ftc-to-pay-52-million-over-data-breaches/
CISOs, C-suite remain at odds over corporate cyber
resilience - Security and IT executives, more than a year
after a SEC vote on incident disclosure, still face an
uphill battle to articulate risk strategy.
https://www.cybersecuritydive.com/news/cisos-c-suite-cyber-resilience/729079/
Experts say MFA is no longer enough for enterprises - The
UK’s cyber watchdog says that companies need to be more
mindful with how they handle their multi-factor
authentication.
https://www.scworld.com/news/experts-say-mfa-is-no-longer-enough-for-enterprises
Where organizations invest after a data breach - Asking
customers to foot the bill for data breach remediation will
not prevent future data breaches or address the issues that
cause costs to increase.
https://www.cybersecuritydive.com/news/data-breach-recovery-investments/728825/
SEC cyber disclosure rules put CISO liability under the
spotlight - Security executives find themselves in the eye
of the needle as governance and incident response come into
focus.
https://www.cybersecuritydive.com/news/sec-cyber-disclosure-rules-ciso-liability/692696/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
American Water shuts down customer portal amid cybersecurity
incident - American Water Company, the largest regulated
water and wastewater utility company in the United States,
said it was the victim of a “cybersecurity incident” last
week, leading it to take its MyWater customer portal
offline.
https://www.scworld.com/news/american-water-shuts-down-customer-portal-amid-cybersecurity-incident
Ivanti warns critical flaws in Endpoint Manager exploited in
the wild - Ivanti is advising administrators to get up to
date on their patches following a new spell of exploits
against Endpoint Manager (EPM).
https://www.scworld.com/news/ivanti-warns-critical-flaws-in-endpoint-manager-exploited-in-the-wild
Fidelity Investments confirms August breach affected 77K
customers - Fidelity Investments sent out letters to its
customers on Oct. 9 explaining it experienced a data breach
in which a “third-party” stole unspecified personal
information from a small subset of its customers. The
incident did not involve access to Fidelity accounts.
https://www.scworld.com/news/fidelity-investments-confirms-august-breach-affected-77k-customers
American Water Works reconnecting systems a week after
cyberattack - The water utility said there is no evidence of
damage to its facilities, but law enforcement and forensic
experts are still investigating.
https://www.cybersecuritydive.com/news/american-water-reconnecting-cyberattack/729565/
Fidelity Investments says data breach affects over 77,000
people - Fidelity Investments, a Boston-based multinational
financial services company, disclosed that the personal
information of over 77,000 customers was exposed after its
systems were breached in August.
https://www.bleepingcomputer.com/news/security/fidelity-investments-says-data-breach-affects-over-77-000-people/
Internet Archive user info stolen in cyberattack, succumbs
to DDoS - 31M folks' usernames, email addresses,
salted-encrypted passwords now out there - The Internet
Archive had a bad day on the infosec front, after being
DDoSed and having had its user account data stolen in a
security breach.
https://www.theregister.com/2024/10/10/internet_archive_ddos_data_theft/
American Water Works investigates unauthorized cyber
intrusion - American Water Works said it learned of an
unauthorized cyber incident Thursday that gained access to
its computer networks, according to a Monday securities
filing.
https://www.cybersecuritydive.com/news/american-water-works-cyber-intrusion/729153/
ADT employee account data stolen in cyberattack - The alarm
system company said an attacker accessed its network with
compromised credentials obtained from an unnamed third
party.
https://www.cybersecuritydive.com/news/adt-data-theft-cyberattack/729218/
MoneyGram attack exposed a trove of sensitive customer data
- The attack led to a days-long outage in September. The
money transfer firm hasn’t described the nature of the
incident or said how many people are impacted.
https://www.cybersecuritydive.com/news/moneygram-cyberattack-sensitive-data/729342/
Dutch government will replace hackable traffic lights to
avoid movie-like carnage - The Dutch government will replace
thousands of road traffic lights after a researcher found a
serious vulnerability that could be easily exploited by
threat actors.
https://cybernews.com/news/dutch-government-will-replace-hackable-traffic-lights/
Massachusetts shuts down payroll system after successful
phishing campaign - Massachusetts disabled its payroll
system this week after a successful phishing campaign
compromised employee login credentials.
https://statescoop.com/massachusetts-payroll-system-phishing-2024/
Cyberattack targets healthcare nonprofit overseeing 13
Colorado facilities - A prominent hospital system in
Colorado said a cyberattack is affecting the portal patients
use to communicate with providers.
https://therecord.media/cyberattack-targets-healthcare-nonprofit-colorado
Gryphon Healthcare, Tri-City Medical Center Disclose
Significant Data Breaches - Gryphon Healthcare and Tri-City
Medical Center last week disclosed separate data breaches in
which the personal information of more than 500,000
individuals was stolen.
https://www.securityweek.com/gryphon-healthcare-tri-city-medical-center-disclose-significant-data-breaches/
Marriott faces $52 million FTC fine and reprimand over data
breaches - Marriott and Starwood have been fined and told to
implement a comprehensive security program following three
large data breaches.
https://www.scworld.com/news/marriott-faces-52-million-ftc-fine-and-reprimand-over-data-breaches
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 3 of 5)
PROCEDURES TO ADDRESS SPOOFING - Information Gathering
After a bank has determined that it
is the target of a spoofing incident, it should collect
available information about the attack to enable an
appropriate response. The information that is
collected will help the bank identify and shut down the
fraudulent Web site, determine whether customer information
has been obtained, and assist law enforcement authorities
with any investigation. Below is a list of useful
information that a bank can collect. In some cases,
banks will require the assistance of information technology
specialists or their service providers to obtain this
information.
* The means by which the bank
became aware that it was the target of a spoofing incident
(e.g., report received through Website, fax, telephone,
etc.);
* Copies of any e-mails or
documentation regarding other forms of communication (e.g.,
telephone calls, faxes, etc.) that were used to direct
customers to the spoofed Web sites;
* Internet Protocol (IP)
addresses for the spoofed Web sites along with
identification of the companies associated with the IP
addresses;
* Web-site addresses
(universal resource locator) and the registration of the
associated domain names for the spoofed site; and
* The geographic locations of the IP address (city,
state, and country).
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS (Part 2 of 2)
Institution management should
consider a number of issues regarding application-access
control. Many of these issues could also apply to oversight
of operating system access:
* Implementing a robust
authentication method consistent with the criticality and
sensitivity of the application. Historically, the majority
of applications have relied solely on user IDs and
passwords, but increasingly applications are using other
forms of authentication. Multi-factor authentication, such
as token and PKI-based systems coupled with a robust
enrollment process, can reduce the potential for
unauthorized access.
* Maintaining consistent processes
for assigning new user access, changing existing user
access, and promptly removing access to departing employees.
* Communicating and enforcing the
responsibilities of programmers (including TSPs and
vendors), security administrators, and business line owners
for maintaining effective application-access control.
Business line managers are responsible for the security and
privacy of the information within their units. They are in
the best position to judge the legitimate access needs of
their area and should be held accountable for doing so.
However, they require support in the form of adequate
security capabilities provided by the programmers or vendor
and adequate direction and support from security
administrators.
* Monitoring existing access rights
to applications to help ensure that users have the minimum
access required for the current business need. Typically,
business application owners must assume responsibility for
determining the access rights assigned to their staff within
the bounds of the AUP. Regardless of the process for
assigning access, business application owners should
periodically review and approve the application access
assigned to their staff.
* Setting time-of-day or terminal
limitations for some applications or for the more sensitive
functions within an application. The nature of some
applications requires limiting the location and number of
workstations with access. These restrictions can support the
implementation of tighter physical access controls.
* Logging access and events.
* Easing the administrative burden
of managing access rights by utilizing software that
supports group profiles. Some financial institutions manage
access rights individually and it often leads to
inappropriate access levels. By grouping employees with
similar access requirements under a common
access profile (e.g., tellers, loan operations, etc.),
business application owners and security administrators can
better assign and oversee access rights. For example, a
teller performing a two-week rotation as a proof operator
does not need year-round access to perform both jobs. With
group profiles, security administrators can quickly reassign
the employee from a teller profile to a proof operator
profile. Note that group profiles are used only to manage
access rights; accountability for system use is maintained
through individuals being assigned their own unique
identifiers and authenticators.
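As an added illustration, not part of the FFIEC booklet or this newsletter, the following model shows the group-profile approach described above: rights are attached to a profile, accountability stays with the individual's unique user ID in the log, a sensitive function carries a time-of-day limit, and reassigning a rotating teller is a single profile change. The profile names, function names and time window are assumed for the example.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed group profiles: rights belong to the profile, never to a
# person. Profile and function names are assumed for this example.
PROFILES = {
    "teller": {"post_deposit", "cash_check"},
    "proof_operator": {"balance_batch", "correct_item"},
}

# Time-of-day limit on a more sensitive function (assumed window).
TIME_LIMITS = {"correct_item": (time(8, 0), time(18, 0))}


@dataclass
class AppAccess:
    assignments: dict = field(default_factory=dict)  # user_id -> profile
    log: list = field(default_factory=list)          # access/event log

    def assign(self, user_id, profile):
        """Place a user on a profile; a rotation is one reassignment."""
        if profile not in PROFILES:
            raise ValueError(f"unknown profile {profile!r}")
        self.assignments[user_id] = profile

    def revoke(self, user_id):
        """Prompt removal of access for a departing employee."""
        self.assignments.pop(user_id, None)

    def check(self, user_id, function, now):
        """Decide and log one access attempt; the log names the individual."""
        profile = self.assignments.get(user_id)
        allowed = profile is not None and function in PROFILES[profile]
        if allowed and function in TIME_LIMITS:
            start, end = TIME_LIMITS[function]
            allowed = start <= now <= end
        self.log.append((user_id, profile, function,
                         now.strftime("%H:%M"), allowed))
        return allowed

    def review(self):
        """Input for the business owner's periodic review of access."""
        return {u: sorted(PROFILES[p]) for u, p in self.assignments.items()}
```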
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.1 Step 1: Identifying the Mission- or Business-Critical Function
Protecting the continuity of an organization's mission or
business is very difficult if it is not clearly identified.
Managers need to understand the organization from a point of
view that usually extends beyond the area they control. The
definition of an organization's critical mission or business
functions is often called a business plan.
Since the development of a business plan will be used to
support contingency planning, it is necessary not only to
identify critical missions and businesses, but also to set
priorities for them. A fully redundant capability for each
function is prohibitively expensive for most organizations.
In the event of a disaster, certain functions will not be
performed. If appropriate priorities have been set (and
approved by senior management), it could mean the difference
in the organization's ability to survive a disaster.
11.2 Step 2: Identifying the Resources That Support Critical Functions
After identifying critical missions and business functions,
it is necessary to identify the supporting resources, the
time frames in which each resource is used (e.g., is the
resource needed constantly or only at the end of the
month?), and the effect on the mission or business of the
unavailability of the resource. In identifying resources, a
traditional problem has been that different managers oversee
different resources. They may not realize how resources
interact to support the organization's mission or business.
Many of these resources are not computer resources.
Contingency planning should address all the resources needed
to perform a function, regardless of whether they directly
relate to a computer.
The analysis of needed resources should be conducted by
those who understand how the function is performed and the
dependencies of various resources on other resources and
other critical relationships. This will allow an
organization to assign priorities to resources since not all
elements of all resources are crucial to the critical
functions.