MISCELLANEOUS CYBERSECURITY NEWS:
How to run a cybersecurity company during the current crisis in the
Middle East - The world woke up on October 7th to the unthinkable.
Yet another war broke out in the Middle East, bringing with it more
senseless devastation, trauma, and loss of life.
https://www.scmagazine.com/perspective/how-to-run-a-cybersecurity-company-during-the-current-crisis-in-the-middle-east
Google Cloud, AWS, and Cloudflare report largest DDoS attacks ever -
Distributed Denial of Service (DDoS) attacks may be one of the least
sophisticated types of cyberattacks but they can do real damage. Now
Google and other top cloud companies are reporting new records for
the largest DDoS attacks ever.
https://www.zdnet.com/article/google-cloud-aws-and-cloudflare-report-largest-ddos-attacks-ever/
EPA Withdraws Water Sector Cybersecurity Rules Due to Lawsuits - The
US Environmental Protection Agency (EPA) has withdrawn cybersecurity
rules for public water systems due to lawsuits filed by states and
non-profit water associations.
https://www.securityweek.com/epa-withdraws-water-sector-cybersecurity-rules-due-to-lawsuits/
CISA shares vulnerabilities, misconfigs used by ransomware gangs -
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has
unveiled additional details regarding misconfigurations and security
vulnerabilities exploited by ransomware gangs, aiming to help
critical infrastructure organizations thwart their attacks.
https://www.bleepingcomputer.com/news/security/cisa-shares-vulnerabilities-misconfigs-used-by-ransomware-gangs/
How Ransomware has disrupted the Cyber Insurance market, And what
you can do about it! - The cost of cyber insurance is skyrocketing.
In response to a string of high-profile attacks, record-setting
ransomware numbers and government regulations, insurers are being
forced to significantly increase premiums for cyber coverage.
https://www.scmagazine.com/cybercast/how-ransomware-has-disrupted-the-cyber-insurance-market-and-what-you-can-do-about-it
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Simpson Manufacturing shuts down IT systems after cyberattack -
Simpson Manufacturing disclosed via an SEC 8-K filing a cybersecurity
incident that has caused disruptions in its operations, which are
expected to continue.
https://www.bleepingcomputer.com/news/security/simpson-manufacturing-shuts-down-it-systems-after-cyberattack/
CD-indexing cue files are the core of a serious Linux remote code
exploit - It has been a very long time since the average computer
user thought about .cue files, or cue sheets, the metadata bits that
describe the tracks of an optical disc, like a CD or DVD.
https://arstechnica.com/information-technology/2023/10/one-click-remote-code-exploit-in-cd-cue-files-affects-most-gnome-based-linux-distros/
We're not in e-Kansas anymore: State courts reel from 'unauthorized
incursion' - An unspecified security incident is forcing many state
courts across Kansas to rely on paper filings, and it may have to
continue to do so for weeks, a state judge has warned.
https://www.theregister.com/2023/10/16/kansas_courts_security_incident/
Skype message threads hijacked to spread DarkGate malware - Threat
actors were observed abusing Skype to distribute DarkGate malware as
the sophisticated loader continues its recent resurgence in
popularity.
https://www.scmagazine.com/news/skype-message-threads-hijacked-to-spread-darkgate-malware
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 1 of 2)
After the initial risk assessment is completed, management may
determine that a penetration analysis (test) should be conducted.
For the purpose of this paper, "penetration analysis" is broadly
defined. Bank management should determine the scope and objectives
of the analysis. The scope can range from a specific test of a
particular information system's security to a review of multiple
information security processes in an institution.
A penetration analysis usually involves a team of experts who
identify an information system's vulnerability to a series of
attacks. The evaluators may attempt to circumvent the security
features of a system by exploiting the identified vulnerabilities.
Similar to running vulnerability scanning tools, the objective of a
penetration analysis is to locate system vulnerabilities so that
appropriate corrective steps can be taken.
The analysis can apply to any institution with a network, but
becomes more important if system access is allowed via an external
connection such as the Internet. The analysis should be independent
and may be conducted by a trusted third party, qualified internal
audit team, or a combination of both. The information security
policy should address the frequency and scope of the analysis. In
determining the scope of the analysis, items to consider include
internal vs. external threats, systems to include in the test,
testing methods, and system architectures.
A penetration analysis is a snapshot of the security at a point
in time and does not provide a complete guarantee that the system(s)
being tested are secure. It can test the effectiveness of security
controls and preparedness measures. Depending on the scope of the
analysis, the evaluators may work under the same constraints applied
to ordinary internal or external users. Conversely, the evaluators
may use all system design and implementation documentation. It is
common for the evaluators to be given just the IP address of the
institution and any other public information, such as a listing of
officers that is normally available to outside hackers. The
evaluators may use vulnerability assessment tools, and employ some
of the attack methods discussed in this paper such as social
engineering and war dialing. After completing the agreed-upon
analysis, the evaluators should provide the institution a detailed
written report. The report should identify vulnerabilities,
prioritize weaknesses, and provide recommendations for corrective
action.
FYI - Please remember that
we perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
examiner@yennik.com for
more information.
FFIEC IT SECURITY -
This completes our
review of the OCC Bulletin about Infrastructure Threats and
Intrusion Risks. This week we review Information Sharing.
Information sharing among reliable and reputable experts can help
institutions reduce the risk of information system intrusions. The
OCC encourages management to participate in information-sharing
mechanisms as part of an effort to detect and respond to intrusions
and vulnerabilities. Mechanisms for information sharing are being
developed by many different organizations, each with a different
mission and operation. In addition, many vendors offer information
sharing and analysis services. Three organizations that are
primarily involved with the federal government's national
information security initiatives are the Financial Services
Information Sharing and Analysis Center (FS/ISAC), the Federal
Bureau of Investigation (FBI), and Carnegie Mellon University's
CERT/CC.
The FS/ISAC was formed in response to Presidential Decision
Directive 63: Critical Infrastructure Protection (May 22, 1998),
which encourages the banking, finance, and other industries to
establish information-sharing efforts in conjunction with the
federal government. The FS/ISAC allows financial services entities
to report incidents anonymously. In turn, the FS/ISAC rapidly
distributes information about attacks to the FS/ISAC members. Banks
can contact FS/ISAC by telephone at (888) 660-0134, e-mail at
admin@fsisac.com or their Web site at http://www.fsisac.com.
The FBI operates the National Information Protection Center
InfraGard outreach effort. Since InfraGard supports law
enforcement efforts, InfraGard members submit two versions of an
incident report. One complete version is used by law enforcement and
contains information that identifies the reporting member. The other
version does not contain that identifying information, and is
distributed to other InfraGard members. Banks can contact the FBI
by contacting local FBI field offices or via e-mail at
nipc@fbi.gov.
CERT/CC is part of a federally funded research and development
center at Carnegie Mellon University that helps organizations
identify vulnerabilities and recover from intrusions. It provides
up-to-date information on specific attacks (including viruses and
denial of service) and collates and shares information with other
organizations. CERT/CC does not require membership to report
problems. Banks can contact CERT/CC by phone at (412) 268-7090 or
e-mail at cert@cert.org.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
A computer security contingency is an event with the potential to
disrupt computer operations, thereby disrupting critical mission and
business functions. Such an event could be a power outage, hardware
failure, fire, or storm. If the event is very destructive, it is
often called a disaster.
To avert potential contingencies and disasters or minimize the
damage they cause, organizations can take steps early to control the
event. Generally called contingency planning, this activity is
closely related to incident handling, which primarily addresses
malicious technical threats such as hackers and viruses.
Contingency planning involves more than planning for a move
offsite after a disaster destroys a data center. It also addresses
how to keep an organization's critical functions operating in the
event of disruptions, both large and small. This broader perspective
on contingency planning is based on the distribution of computer
support throughout an organization.
This chapter presents the contingency planning process in six
steps:
1) Identifying the mission- or business-critical functions.
2) Identifying the resources that support the critical functions.
3) Anticipating potential contingencies or disasters.
4) Selecting contingency planning strategies.
5) Implementing the contingency strategies.
6) Testing and revising the strategy.
Contingency planning directly supports an organization's goal of
continued operations. Organizations practice contingency planning
because it makes good business sense.