MISCELLANEOUS CYBERSECURITY NEWS:
Organizations admit employee use of AI is a risk they aren’t
prepared for - A majority of risk and compliance pros say employee
use of generative artificial intelligence (AI) opens the door to
business risk, adding that less than 10% of companies are prepared
to mitigate internal threats associated with the emerging tech.
https://www.scmagazine.com/news/organizations-recognize-the-risk-generative-ai-poses-but-few-prepared
CISA - SHIFTING THE BALANCE OF CYBERSECURITY RISK - Technology is
integrated into nearly every facet of daily life, as internet-facing
systems increasingly connect us to critical systems that directly
impact our economic prosperity, livelihoods, and even health,
ranging from personal identity management to medical care.
https://www.cisa.gov/sites/default/files/2023-10/Shifting-the-Balance-of-Cybersecurity-Risk-Principles-and-Approaches-for-Secure-by-Design-Software.pdf
Exploring the second quantum revolution - Quantum computing and
quantum technologies are knocking on law enforcement’s door with new
opportunities, as well as new threats, that authorities need to
anticipate. Europol published today the first-of-its-kind report,
“The Second Quantum Revolution: The impact of quantum computing and
quantum technologies on law enforcement”.
https://www.europol.europa.eu/media-press/newsroom/news/exploring-second-quantum-revolution-new-report
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Attackers target Okta and abuse stolen credential to access backend
system - Okta reported that on October 20 an attacker leveraged a
stolen credential to access its backend support case management
system.
https://www.scmagazine.com/news/attackers-leverage-stolen-credential-to-access-oktas-support-case-management-system
https://arstechnica.com/security/2023/10/okta-says-hackers-breached-its-support-system-and-viewed-customer-files/
US energy firm shares how Akira ransomware hacked its systems - In a
rare display of transparency, US energy services firm BHI Energy
details how the Akira ransomware operation breached their networks
and stole the data during the attack.
https://www.bleepingcomputer.com/news/security/us-energy-firm-shares-how-akira-ransomware-hacked-its-systems/
American Family Insurance confirms cyberattack is behind IT outages
- Insurance giant American Family Insurance has confirmed it
suffered a cyberattack and shut down portions of its IT systems
after customers reported website outages all week.
https://www.bleepingcomputer.com/news/security/american-family-insurance-confirms-cyberattack-is-behind-it-outages/
ICC: September Breach Was Espionage Raid - The International
Criminal Court (ICC) has revealed that a September cyber-attack on
its IT systems was a highly targeted espionage attempt, although
attribution thus far remains elusive.
https://www.infosecurity-magazine.com/news/icc-september-breach-was-espionage/
Cyberattack On NY Hospitals Forces Ambulance Diversions - Two New
York hospitals and one residential care center were impacted by a
cyberattack that resulted in temporary ambulance diversions and IT
outages.
https://healthitsecurity.com/news/cyberattack-on-ny-hospitals-forces-ambulance-diversions
DC Board of Elections Says Full Voter Roll Compromised in Data
Breach - The District of Columbia Board of Elections (DCBOE) on
Friday announced that its full voter roll might have been accessed
in a recent data breach at a third-party services provider.
https://www.securityweek.com/dc-board-of-elections-says-full-voter-roll-compromised-in-data-breach/
BeyondTrust, Cloudflare and 1Password targeted after recent Okta
breach - The breach of Okta’s case management system first reported
late last week has evolved into a new phase as Cloudflare, 1Password,
and BeyondTrust confirmed that hackers targeted their systems as a
result of the breach.
https://www.scmagazine.com/news/beyond-trust-cloudflare-and-1password-are-all-targets-of-recent-okta-breach
Hackers target US Facebook biz accounts with potent malware cocktail
- A cybercrime group based in Vietnam is targeting English-language
Facebook business accounts in a malicious campaign targeting digital
marketing firms based in the U.S., UK and India, warned a Friday
report.
https://www.scmagazine.com/news/hackers-target-u-s-facebook-biz-accounts-with-potent-malware-cocktail
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 2 of 2)
A penetration analysis itself can introduce new risks to an
institution; therefore, several items should be considered before
having an analysis completed, including the following:
1) If using outside testers, the reputation of the firm or
consultants hired. The evaluators will assess the weaknesses in the
bank's information security system. As such, the confidentiality of
results and bank data is crucial. Just like screening potential
employees prior to their hire, banks should carefully screen firms,
consultants, and subcontractors who are entrusted with access to
sensitive data. A bank may want to require security clearance checks
on the evaluators. An institution should ask if the evaluators have
liability insurance in case something goes wrong during the test.
The bank should enter into a written contract with the evaluators,
which at a minimum should address the above items.
2) If using internal testers, the independence of the testers
from system administrators.
3) The secrecy of the test. Some senior executives may order an
analysis without the knowledge of information systems personnel.
This can create unwanted results, including the notification of law
enforcement personnel and wasted resources responding to an attack.
To prevent excessive responses to the attacks, bank management may
consider informing certain individuals in the organization of the
penetration analysis.
4) The importance of the systems to be tested. Some systems may
be too critical to be exposed to some of the methods used by the
evaluators such as a critical database that could be damaged during
the test.
FYI - Please remember that we perform vulnerability-penetration
studies and would be happy to e-mail your company a proposal.
E-mail Kinney Williams at examiner@yennik.com for more information.
FFIEC IT SECURITY -
We begin our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most importantly,
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
the e-newsletter.
SECURITY OBJECTIVES
Information security enables a financial institution to meet its
business objectives by implementing business systems with due
consideration of information technology (IT)-related risks to the
organization, business and trading partners, technology service
providers, and customers. Organizations meet this goal by striving
to accomplish the following objectives.
1) Availability - The ongoing availability of systems addresses
the processes, policies, and controls used to ensure authorized
users have prompt access to information. This objective protects
against intentional or accidental attempts to deny legitimate users
access to information and/or systems.
2) Integrity of Data or Systems - System and data integrity
relate to the processes, policies, and controls used to ensure
information has not been altered in an unauthorized manner and that
systems are free from unauthorized manipulation that will compromise
accuracy, completeness, and reliability.
3) Confidentiality of Data or Systems - Confidentiality covers
the processes, policies, and controls employed to protect
information of customers and the institution against unauthorized
access or use.
4) Accountability - Clear accountability involves the processes,
policies, and controls necessary to trace actions to their source.
Accountability directly supports non-repudiation, deterrence,
intrusion prevention, intrusion detection, recovery, and legal
admissibility of records.
5) Assurance - Assurance addresses the processes, policies, and
controls used to develop confidence that technical and operational
security measures work as intended. Assurance levels are part of the
system design and include availability, integrity, confidentiality,
and accountability. Assurance highlights the notion that secure
systems provide the intended functionality while preventing
undesired actions.
Appropriate security controls are necessary for financial
institutions to challenge potential customer or user claims that
they did not initiate a transaction. Financial institutions can
accomplish this by achieving both integrity and accountability to
produce what is known as non-repudiation. Non-repudiation occurs
when the financial institution demonstrates that the originators who
initiated the transaction are who they say they are, the recipient
is the intended counter party, and no changes occurred in transit or
storage. Non-repudiation can reduce fraud and promote the legal
enforceability of electronic agreements and transactions. While
non-repudiation is a goal and is conceptually clear, the manner in
which non-repudiation can be achieved for electronic systems in a
practical, legal sense may have to wait for further judicial
clarification.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.1 Step 1: Identifying the Mission- or Business-Critical Function
Protecting the continuity of an organization's mission or business
is very difficult if it is not clearly identified. Managers need to
understand the organization from a point of view that usually
extends beyond the area they control. The definition of an
organization's critical mission or business functions is often
called a business plan.
Since the development of a business plan will be used to support
contingency planning, it is necessary not only to identify critical
missions and businesses, but also to set priorities for them. A
fully redundant capability for each function is prohibitively
expensive for most organizations. In the event of a disaster,
certain functions will not be performed. If appropriate priorities
have been set (and approved by senior management), it could mean the
difference in the organization's ability to survive a disaster.
11.2 Step 2: Identifying the Resources That Support Critical Functions
After identifying critical missions and business functions, it is
necessary to identify the supporting resources, the time frames in
which each resource is used (e.g., is the resource needed constantly
or only at the end of the month?), and the effect on the mission or
business of the unavailability of the resource. In identifying
resources, a traditional problem has been that different managers
oversee different resources. They may not realize how resources
interact to support the organization's mission or business. Many of
these resources are not computer resources. Contingency planning
should address all the resources needed to perform a function,
regardless of whether they directly relate to a computer.
The analysis of needed resources should be conducted by those who
understand how the function is performed and the dependencies of
various resources on other resources and other critical
relationships. This will allow an organization to assign priorities
to resources since not all elements of all resources are crucial to
the critical functions.