MISCELLANEOUS CYBERSECURITY NEWS:
Third-party vendors drive 45% of breaches in US energy
sector - A joint study by SecurityScorecard and KPMG found
that 90% of companies in the energy sector that sustained
multiple breaches had security issues caused by third-party
vendors.
https://www.scworld.com/news/third-party-vendors-drive-45-of-breaches-in-us-energy-sector
What does your CEO need to know about cybersecurity? - CEOs
can no longer skim over their cybersecurity plans. When big
incidents occur, they risk shareholder lawsuits, regulatory
charges or even job loss.
https://www.cybersecuritydive.com/news/ceo-cyber-security-strategy-CISO/721102/
The Global Surveillance Free-for-All in Mobile Ad Data -
place of worship was considered a dangerous power that
should remain only within the purview of nation states.
https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/
Tech firms to pay millions in SEC penalties for misleading
SolarWinds disclosures - Four high-profile tech companies
reached an agreement with the Securities and Exchange
Commission to pay millions of dollars in penalties for
misleading investors about their exposure to the 2020
SolarWinds hack.
https://www.theregister.com/2024/10/22/sec_fines_four_tech_firms/
LinkedIn hit with $335 million fine for using member data
for ad targeting without consent - Ireland’s top privacy
regulator on Thursday fined social media platform LinkedIn
€310 million ($335 million) for allegedly using its members'
data for advertising purposes without obtaining their
consent.
https://therecord.media/linkedin-hit-with-335-million-fine-gdpr-ireland
Basic cyber hygiene still offers the best defense against
ransomware - The recent FBI takedown of the Dispossessor
ransomware gang serves as a powerful reminder that
fundamental cybersecurity practices are crucial in
preventing devastating attacks.
https://www.scworld.com/perspective/basic-cyber-hygiene-still-offers-the-best-defense-against-ransomware
Cloud vs. datacenter: Decoding the security trade-offs - One
of the first concepts that every student of economics learns
about is trade-offs – if an IT department allocates more of
its budget to cybersecurity, it may have less to spend on
software development or hardware upgrades.
https://www.scworld.com/perspective/cloud-vs-datacenter-decoding-the-security-trade-offs
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Change Healthcare data breach officially affects 100M people
- The massive Change Healthcare cyberattack could have
compromised data from 100 million people - the largest
healthcare data breach ever reported to federal regulators.
https://www.cybersecuritydive.com/news/change-healthcare-data-breach-exposure/731009/
Landmark, an administrator for insurance firms, says 800,000
affected by data breach - One of the biggest third-party
administrators for several large insurance firms said a
cyberattack in May exposed the sensitive information of more
than 800,000 people.
https://therecord.media/landmark-admin-data-breach-insurance-industry
Fortinet zero-day attack spree hits at least 50 customers -
Active exploits of a critical vulnerability in FortiManager
began in late June, Mandiant said. Firewall credentials and
configuration data have been stolen.
https://www.cybersecuritydive.com/news/fortinet-zero-day-attack-spree/730894/
Hospitals adopt error-prone AI transcription tools despite
warnings - On Saturday, an Associated Press investigation
revealed that OpenAI's Whisper transcription tool creates
fabricated text in medical and business settings despite
warnings against such use.
https://arstechnica.com/ai/2024/10/hospitals-adopt-error-prone-ai-transcription-tools-despite-warnings/
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 5 of 5)
Next week we will begin our series on the Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes.
PROCEDURES TO ADDRESS SPOOFING - Contact the OCC and Law Enforcement Authorities
If a bank is the target of a
spoofing incident, it should promptly notify its OCC
supervisory office and report the incident to the FBI and
appropriate state and local law enforcement authorities.
Banks can also file complaints with the Internet Fraud
Complaint Center (see http://www.ic3.gov),
a partnership of the FBI and the National White Collar Crime
Center.
In order for law enforcement
authorities to respond effectively to spoofing attacks, they
must be provided with information necessary to identify and
shut down the fraudulent Web site and to investigate and
apprehend the persons responsible for the attack. The data
discussed under the "Information Gathering" section should
meet this need.
In addition to reporting to the
bank's supervisory office and law enforcement authorities,
there are other less formal mechanisms that a bank can use
to report these incidents and help combat fraudulent
activities. For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/),
which is a joint initiative of industry and law enforcement
designed to support apprehension of perpetrators of
phishing-related crimes, including spoofing. Members of
Digital Phishnet include ISPs, online auction services,
financial institutions, and financial service providers.
The members work closely with the FBI, Secret Service, U.S.
Postal Inspection Service, Federal Trade Commission (FTC),
and several electronic crimes task forces around the country
to assist in identifying persons involved in phishing-type
crimes.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - PHYSICAL SECURITY
The confidentiality, integrity, and
availability of information can be impaired through physical
access and damage or destruction to physical components.
Conceptually, those physical security risks are mitigated
through zone-oriented implementations. Zones are physical
areas with differing physical security requirements. The
security requirements of each zone are a function of the
sensitivity of the data contained or accessible through the
zone and the information technology components in the zone.
For instance, data centers may be in the highest security
zone, and branches may be in a much lower security zone.
Different security zones can exist within the same
structure. Routers and servers in a branch, for instance,
may be protected to a greater degree than customer service
terminals. Computers and telecommunications equipment within
an operations center will be in a higher security zone than
I/O operations, and the media used in that equipment will be
stored in a higher zone still.
The requirements for each zone
should be determined through the risk assessment. The risk
assessment should include, but is not limited to, the
following threats:
- Aircraft crashes
- Chemical effects
- Dust
- Electrical supply interference
- Electromagnetic radiation
- Explosives
- Fire
- Smoke
- Theft/Destruction
- Vibration/Earthquake
- Water
- Wireless emissions
- Any other threats applicable based on the entity's unique geographical location, building configuration, neighboring entities, etc.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.2 Step 2: Identifying the Resources That Support Critical Functions
11.2.3 Automated Applications and Data
Computer systems run applications that process data.
Without current electronic versions of both applications and
data, computerized processing may not be possible. If the
processing is being performed on alternate hardware, the
applications must be compatible with the alternate hardware,
operating systems and other software (including version and
configuration), and numerous other technical factors.
Because of the complexity, it is normally necessary to
periodically verify compatibility.
11.2.4 Computer-Based Services
An organization uses many different kinds of computer-based
services to perform its functions. The two most important
are normally communications services and information
services. Communications can be further categorized as data
and voice communications; however, in many organizations
these are managed by the same service. Information services
include any source of information outside of the
organization. Many of these sources are becoming automated,
including on-line government and private databases, news
services, and bulletin boards.
11.2.5 Physical Infrastructure
For people to work effectively, they need a safe working
environment and appropriate equipment and utilities. This
can include office space, heating, cooling, venting, power,
water, sewage, other utilities, desks, telephones, fax
machines, personal computers, terminals, courier services,
file cabinets, and many other items. In addition, computers
also need space and utilities, such as electricity.
Electronic and paper media used to store applications and
data also have physical requirements.
11.2.6 Documents and Papers
Many functions rely on vital records and various documents,
papers, or forms. These records could be important because
of a legal need (such as being able to produce a signed copy
of a loan) or because they are the only record of the
information. Records can be maintained on paper, microfiche,
microfilm, magnetic media, or optical disk.