MISCELLANEOUS CYBERSECURITY NEWS:
Role of CISOs misunderstood by executive leadership, IT pros say -
FTI Consulting on Thursday reported that 85% of CISOs say that the
prominence of cybersecurity on the board’s agenda has increased over
the last 12 months, with 79% feeling heightened scrutiny from top
leadership.
https://www.scmagazine.com/news/leadership/role-of-cisos-misunderstood-by-executive-leadership-it-pros-say
Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity
Grows - Concerns over a critical authentication bypass vulnerability
in certain Fortinet appliances heightened this week with the release
of proof-of-concept (PoC) exploit code and a big uptick in
vulnerability scans for the flaw.
https://www.darkreading.com/attacks-breaches/concerns-fortinet-flaw-poc-increased-exploit-activity
Doctor Pleads Guilty to HIPAA Violation, Wrongful Disclosure of PHI
- A former physician pleaded guilty to a HIPAA violation and
admitted to conspiring to wrongfully disclose patient PHI to a
pharmaceutical sales representative.
https://healthitsecurity.com/news/doctor-pleads-guilty-hipaa-violation-wrongful-disclosure-of-phi
5 challenges to public cloud security - Nothing sends a chill down a
CISO’s spine like news of a data breach that originated from public
cloud vulnerabilities.
https://www.scmagazine.com/resource/cloud-security/5-challenges-to-public-cloud-security
Cloud security expected to drive 11.3% growth in security spending
in 2023 - Gartner last week estimated that spending on information
security and risk management products and services will grow 11.3%
in 2023, reaching more than $188.3 billion.
https://www.scmagazine.com/news/cloud-security/cloud-security-expected-to-drive-11-3-growth-in-security-spending-in-2023
Cyberattacks accelerating in Europe, Moody’s says - The number of
cyberattacks in Europe has grown significantly this year,
highlighting the urgent need for organizations to develop security
strategies to protect operations and financial profile, according to
a new report from Moody's Investors Service.
https://www.scmagazine.com/analysis/vulnerability-management/cyberattacks-accelerating-in-europe-moodys-says
The company’s cloud environment was hacked. Now what? - Top cloud
providers go to great lengths to protect customer privacy and
prevent unauthorized users from gaining access to restricted
accounts using real-time monitoring and end-to-end encryption.
https://www.scmagazine.com/perspective/cloud-security/the-companys-cloud-environment-was-hacked-now-what%ef%bf%bc
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Securing the complex federal software supply chain - SolarWinds
demonstrated in a pretty painful way just how catastrophic a
software supply chain attack can be to both public and private
sector entities.
https://www.scmagazine.com/news/security-awareness/securing-the-complex-federal-software-supply-chain
Hospital giant's IT still poorly a week after suspected ransomware
infection - Computer systems are still down at CommonSpirit Health -
America's second-largest nonprofit hospital network - more than a
week after it was hit by a somewhat mystery cyberattack.
https://www.theregister.com/2022/10/12/hospital_outages_ransomware/
Medibank restores services as experts warn of backlash - Consumers
will vote with their feet and ditch companies that fail to
adequately deal with cybercrime, experts say, after Australia’s
biggest health insurer Medibank joined telco giant Optus in
revealing it had been targeted.
https://www.afr.com/companies/financial-services/medibank-restores-services-as-experts-warn-of-backlash-20221013-p5bpog
Ransomware attack impacted some CommonSpirit sites, but few details
released - Now into its third week of care disruptions, a new update
from CommonSpirit Health confirms that only a portion of its 700
care sites and 142 hospitals in 21 states have been impacted by the
ransomware attack and subsequent IT and network outages.
https://www.scmagazine.com/analysis/ransomware/ransomware-attack-impacted-some-commonspirit-sites-but-few-details-released
LockBit 3.0 malware forced NHS tech supplier to shut down hosted
sites - Advanced, a managed software provider to the UK National
Health Service, has confirmed that customer data was indeed lifted
as part of the attack by cyber baddies that has disrupted operations
for months.
https://www.theregister.com/2022/10/14/nhs_software_hosting_provider_advanced_ransomware_lockbit/
Ransomware attack halts circulation of some German newspapers -
German newspaper ‘Heilbronn Stimme’ published today’s 28-page issue
in e-paper form after a Friday ransomware attack crippled its
printing systems.
https://www.bleepingcomputer.com/news/security/ransomware-attack-halts-circulation-of-some-german-newspapers/
New York fines EyeMed $4.5 million for 2020 email hack, data breach
- The state of New York has slapped EyeMed Vision Care with yet
another fine over its massive 2020 email hack and healthcare data
breach. This time the vision benefits company will pay a $4.5
million penalty for multiple security violations that “contributed
to” the data exposure.
https://www.scmagazine.com/analysis/privacy/new-york-fines-eyemed-4-5-million-for-2020-email-hack-data-breach
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Ownership and License
The contract should address ownership and allowable use by the
service provider of the institution’s data, equipment/hardware,
system documentation, system and application software, and other
intellectual property rights. Other intellectual property rights may
include the institution’s name and logo; its trademark or
copyrighted material; domain names; web site designs; and other
work products developed by the service provider for the institution.
The contract should not contain unnecessary limitations on the
return of items owned by the institution. Institutions that purchase
software should consider establishing escrow agreements. These
escrow agreements may provide for the following: institution access
to source programs under certain conditions (e.g., insolvency of the
vendor), documentation of programming and systems, and verification
of updated source code.
Duration
Institutions should consider the type of technology and current
state of the industry when negotiating the appropriate length of the
contract and its renewal periods. While there can be benefits to
long-term technology contracts, certain technologies may be subject
to rapid change and a shorter-term contract may prove beneficial.
Similarly, institutions should consider the appropriate length of
time required to notify the service provider of the institutions’
intent not to renew the contract prior to expiration. Institutions
should consider coordinating the expiration dates of contracts for
inter-related services (e.g., web site, telecommunications,
programming, network support) so that they coincide, where
practical. Such coordination can minimize the risk of terminating a
contract early and incurring penalties as a result of necessary
termination of another related service contract.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 2 of 4)
"Tuning" refers to the creation of signatures that
can distinguish between normal network traffic and potentially
malicious traffic. Proper tuning of these IDS units is essential to
reliable detection of both known attacks and newly developed
attacks. Tuning of some signature-based units for any particular
network may take an extended period of time, and involve extensive
analysis of expected traffic. If an IDS is not properly tuned, the
volume of alerts it generates may degrade the intrusion
identification and response capability.
Signatures may take several forms. The simplest form is the URL
submitted to a Web server, where certain references, such as
cmd.exe, are indicators of an attack. The nature of traffic to and
from a server can also serve as a signature. An example is the
length of a session and amount of traffic passed. A signature method
meant to focus on sophisticated attackers is protocol analysis, when
the contents of a packet or session are analyzed for activity that
violates standards or expected behavior. That method can catch, for
instance, indicators that servers are being attacked using Internet
control message protocol (ICMP).
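The three signature forms just described (a content signature on the
submitted URL, a profile of session length and volume, and protocol
analysis of ICMP) can be shown in a small detection routine. The code
below is an added illustration, not part of the FFIEC booklet; the log
lines, session records and ICMP packets are constructed sample data, and
the thresholds and the set of "expected" ICMP types are assumptions
chosen for the example, not values the booklet gives.

```python
"""Toy IDS showing three signature forms: URL content, session profile,
and ICMP protocol analysis. All sample data below is constructed."""
import re
from urllib.parse import unquote

# --- 1. Content signature on the submitted URL -----------------------------
# Matched against the *decoded* path, so percent-encoding such as
# "cmd%2Eexe" does not slip past the signature.
URL_SIGNATURES = {
    "cmd.exe reference": re.compile(r"cmd\.exe", re.IGNORECASE),
    "directory traversal": re.compile(r"(?:\.\./|\.\.\\)"),
}

# Common-log-format line: src ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

def _normalize(path, rounds=3):
    """Percent-decode repeatedly (bounded) so double encoding is also undone."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def match_url_signatures(line):
    """Return the names of URL signatures that fire on one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []            # unparsable line: nothing to match (assumption)
    path = _normalize(m.group("path"))
    return [name for name, rx in URL_SIGNATURES.items() if rx.search(path)]

# --- 2. Session-profile signature ------------------------------------------
def session_alerts(sessions, max_seconds=3600, max_bytes=50_000_000):
    """Flag sessions whose duration or volume exceeds the assumed profile."""
    alerts = []
    for s in sessions:
        reasons = []
        if s["seconds"] > max_seconds:
            reasons.append("long session")
        if s["bytes"] > max_bytes:
            reasons.append("high volume")
        if reasons:
            alerts.append((s["src"], reasons))
    return alerts

# --- 3. Protocol analysis of ICMP -------------------------------------------
# ICMP types this example expects to see on the monitored segment (assumption).
EXPECTED_ICMP_TYPES = {0, 3, 8, 11}

def icmp_alerts(packets, max_echo_payload=1024):
    """Flag ICMP that violates the expected behaviour: unexpected types,
    oversized echo payloads, and echo replies with no matching request."""
    alerts = []
    pending = set()          # (src, dst, id) of echo requests awaiting a reply
    for p in packets:
        if p["type"] not in EXPECTED_ICMP_TYPES:
            alerts.append(("unexpected ICMP type", p["src"]))
        if p["type"] == 8:   # echo request
            pending.add((p["src"], p["dst"], p["id"]))
            if p["payload_len"] > max_echo_payload:
                alerts.append(("oversized echo payload", p["src"]))
        elif p["type"] == 0:  # echo reply
            key = (p["dst"], p["src"], p["id"])
            if key in pending:
                pending.discard(key)
            else:
                alerts.append(("unsolicited echo reply", p["src"]))
    return alerts

# Constructed sample input (not real traffic).
WEB_LOG = [
    '10.0.0.5 - - [12/Oct/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.7 - - [12/Oct/2022:10:01:09 +0000] "GET /cgi-bin/cmd%2Eexe?/c+dir HTTP/1.0" 404 312',
    '10.0.0.9 - - [12/Oct/2022:10:01:15 +0000] "GET /static/../../config.ini HTTP/1.1" 403 221',
]
SESSIONS = [
    {"src": "10.0.0.5", "seconds": 40, "bytes": 120_000},
    {"src": "10.0.0.8", "seconds": 9_000, "bytes": 900_000_000},
]
ICMP = [
    {"type": 8, "code": 0, "src": "10.0.0.5", "dst": "10.0.0.1", "id": 1, "payload_len": 56},
    {"type": 0, "code": 0, "src": "10.0.0.1", "dst": "10.0.0.5", "id": 1, "payload_len": 56},
    {"type": 8, "code": 0, "src": "10.0.0.9", "dst": "10.0.0.1", "id": 2, "payload_len": 60_000},
    {"type": 0, "code": 0, "src": "10.0.0.3", "dst": "10.0.0.5", "id": 7, "payload_len": 56},
    {"type": 1, "code": 0, "src": "10.0.0.4", "dst": "10.0.0.1", "id": 0, "payload_len": 0},
]

if __name__ == "__main__":
    for line in WEB_LOG:
        print(match_url_signatures(line))
    print(session_alerts(SESSIONS))
    print(icmp_alerts(ICMP))
```

The decode loop in the URL matcher is the part worth copying: a signature
compared against the raw request line is defeated by the simplest
encoding, which is one reason the booklet warns that tuning takes
extended analysis of expected traffic.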
Switched networks pose a problem for network IDS. Switches
ordinarily do not broadcast traffic to all ports, and a network IDS
may need to see all traffic to be effective. When switches do not
have a port that receives all traffic, the financial institution may
have to alter their network to include a hub or other device to
allow the IDS to monitor traffic.
Encrypted network traffic will drastically reduce the
effectiveness of a network IDS. Since a network IDS only reads
traffic and does not decrypt the traffic, encrypted traffic will
avoid detection.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.4.2 Protection Against Payroll Fraud and Errors: Time and Attendance
Application (2 of 2)
Protection Against Payroll Errors
The frequency of data
entry errors is reduced by having Time and Attendance clerks enter
each time sheet into the time and attendance application twice. If
the two copies are identical, both are considered error free, and
the record is accepted for subsequent review and approval by a
supervisor. If the copies are not identical, the discrepancies are
displayed, and for each discrepancy, the clerk determines which copy
is correct. The clerk then incorporates the corrections into one of
the copies, which is then accepted for further processing. If the
clerk makes the same data-entry error twice, then the two copies
will match, and one will be accepted as correct, even though it is
erroneous. To reduce this risk, the time and attendance application
could be configured to require that the two copies be entered by
different clerks.
In addition, each
department has one or more Time and Attendance Supervisors who are
authorized to review these reports for accuracy and to approve them
by running another server program that is part of the time and
attendance application. The data are then subjected to a collection
of "sanity checks" to detect entries whose values are outside
expected ranges. Potential anomalies are displayed to the supervisor
prior to allowing approval; if errors are identified, the data are
returned to a clerk for additional examination and corrections.
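The two controls above, double keying with discrepancy resolution and the
supervisor's range-based sanity checks, fit together as layered defences:
the first catches keying slips, the second catches an error keyed the same
way twice. The code below is an added example, not from the NIST
Handbook; the time-sheet fields, the rule that the second copy must come
from a different clerk, and the expected ranges are assumptions made for
the illustration.

```python
"""Double keying of time sheets plus supervisor sanity checks (added
example; field names, ranges and the different-clerks rule are assumed)."""
from dataclasses import dataclass, fields, replace

@dataclass(frozen=True)
class TimeSheet:
    employee_id: str
    pay_period: str
    regular_hours: float
    overtime_hours: float
    leave_hours: float

# Assumed expected ranges for one two-week pay period.
EXPECTED_RANGES = {
    "regular_hours": (0.0, 80.0),
    "overtime_hours": (0.0, 40.0),
    "leave_hours": (0.0, 80.0),
}

def discrepancies(copy_a, copy_b):
    """Field-by-field differences between the two keyed copies."""
    return {
        f.name: (getattr(copy_a, f.name), getattr(copy_b, f.name))
        for f in fields(TimeSheet)
        if getattr(copy_a, f.name) != getattr(copy_b, f.name)
    }

def double_entry(copy_a, clerk_a, copy_b, clerk_b, choices=None):
    """Accept a time sheet that was keyed twice.

    choices maps each differing field to "a" or "b", the copy the clerk
    judged correct. Identical copies are accepted as error-free; differing
    copies are accepted only once every discrepancy has a choice.
    """
    if clerk_a == clerk_b:
        # Assumed configuration: the two copies must come from different clerks.
        raise ValueError("second copy must be keyed by a different clerk")
    diffs = discrepancies(copy_a, copy_b)
    if not diffs:
        return copy_a
    corrections = {}
    for name, (val_a, val_b) in diffs.items():
        choice = (choices or {}).get(name)
        if choice not in ("a", "b"):
            raise ValueError(f"unresolved discrepancy in {name}: {val_a!r} vs {val_b!r}")
        corrections[name] = val_a if choice == "a" else val_b
    return replace(copy_a, **corrections)

def sanity_check(sheet):
    """Return descriptions of values outside the expected ranges."""
    anomalies = []
    for name, (lo, hi) in EXPECTED_RANGES.items():
        value = getattr(sheet, name)
        if not lo <= value <= hi:
            anomalies.append(f"{name}={value} outside [{lo}, {hi}]")
    if sheet.regular_hours + sheet.leave_hours > 80.0:
        anomalies.append("regular plus leave hours exceed the pay period")
    return anomalies

def supervisor_review(sheet):
    """Approve only when no anomaly remains; otherwise return it to a clerk."""
    anomalies = sanity_check(sheet)
    if anomalies:
        return ("returned_to_clerk", anomalies)
    return ("approved", [])

if __name__ == "__main__":
    # Constructed sample: the second copy has 4.0 overtime hours keyed as 40.0.
    first = TimeSheet("E100", "2022-10A", 80.0, 4.0, 0.0)
    second = replace(first, overtime_hours=40.0)
    print(discrepancies(first, second))
    accepted = double_entry(first, "clerk1", second, "clerk2", {"overtime_hours": "a"})
    print(supervisor_review(accepted))
    # The same error keyed twice passes double entry but is caught by the
    # supervisor's range check.
    twice_wrong = replace(first, regular_hours=800.0)
    print(supervisor_review(double_entry(twice_wrong, "clerk1", twice_wrong, "clerk2")))
```

The point of the second scenario in the usage block is the one the
Handbook makes: matching copies prove only that the two keyings agree,
so the supervisor's sanity check is not redundant with double entry.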
When a supervisor
approves the time and attendance data, this application logs into
the interagency mainframe via the WAN and transfers the data to a
payroll database on the mainframe. The mainframe later prints
paychecks or, using a pool of modems that can send data over phone
lines, it may transfer the funds electronically into
employee-designated bank accounts. Withheld taxes and contributions
are also transferred electronically in this manner.
The Director of
Personnel is responsible for ensuring that forms describing
significant payroll-related personnel actions are provided to the
Payroll Office at least one week before the payroll processing date
for the first affected pay period. These actions include hiring,
terminations, transfers, leaves of absences and returns from such,
and pay raises.
The Manager of the
Payroll Office is responsible for establishing and maintaining
controls adequate to ensure that the amounts of pay, leave, and
other benefits reported on pay stubs and recorded in permanent
records and those distributed electronically are accurate and
consistent with time and attendance data and with other information
provided by the Personnel Department. In particular, paychecks must
never be provided to anyone who is not a bona fide, active-status
employee of HGA. Moreover, the pay of any employee who terminates
employment, who transfers, or who goes on leave without pay must be
suspended as of the effective date of such action; that is, extra
paychecks or excess pay must not be disbursed.
Protection Against Accidental Corruption or Loss of Payroll Data
The same mechanisms
used to protect against fraudulent modification are used to protect
against accidental corruption of time and attendance data -- namely,
the access-control features of the server and mainframe operating
systems.
COG's (Computer
Operations Group) nightly backups of the server's disks protect
against loss of time and attendance data. To a limited extent, HGA
also relies on mainframe administrative personnel to back up time
and attendance data stored on the mainframe, even though HGA has no
direct control over these individuals. As additional protection
against loss of data at the mainframe, HGA retains copies of all
time and attendance data on line on the server for at least one
year, at which time the data are archived and kept for three years.
The server's access controls for the on-line files are automatically
set to read-only access by the time and attendance application at
the time of submission to the mainframe. The integrity of time and
attendance data will be protected by digital signatures as they are
implemented.
The WAN's
communications protocols also protect against loss of data during
transmission from the server to the mainframe (e.g., error
checking). In addition, the mainframe payroll application includes a
program that is automatically run 24 hours before paychecks and pay
stubs are printed. This program produces a report identifying
agencies from whom time and attendance data for the current pay
period were expected but not received. Payroll department staff are
responsible for reviewing the reports and immediately notifying
agencies that need to submit or resubmit time and attendance data.
If time and attendance input or other related information is not
available on a timely basis, pay, leave, and other benefits are
temporarily calculated based on information estimated from prior pay
periods.