MISCELLANEOUS CYBERSECURITY NEWS:
CISA, HHS Collaborate on Healthcare Cybersecurity
Toolkit - The healthcare cybersecurity toolkit compiles resources
such as CISA’s cyber hygiene services and HHS’s HICP publication to
help the healthcare sector manage risk.
https://healthitsecurity.com/news/cisa-hhs-collaborate-on-healthcare-cybersecurity-toolkit
Ransomware boom hits all-time high - Incidents of reported
ransomware attacks hit an all-time high in September with more
threat actors joining the criminal fray in a double-extortion blitz
against a mix of organizations.
https://www.scmagazine.com/news/ransomware-boom-hits-all-time-high
UK Parliament Probes Critical Infrastructure Cybersecurity - The
U.K. Parliament is calling on experts to provide information on
improving critical infrastructure cybersecurity amid mounting
concerns that internet-connected systems underpinning functions such
as power delivery and healthcare are vulnerable to hackers.
https://www.govinfosecurity.com/uk-parliament-probes-critical-infrastructure-cybersecurity-a-23400
Google launches AI bug bounty program as organizations plan to study
risks - There’s been any number of news releases around artificial
intelligence (AI) this week, as the industry and government look to
chart a path forward with these new technologies.
https://www.scmagazine.com/news/google-launches-ai-bug-bounty-program-as-organizations-plan-to-study-risks
Cybersecurity Awareness Month: Four actions to improve security
hygiene - Started in 2004, Cybersecurity Awareness Month is a
campaign designed to raise awareness and promote healthy
cybersecurity practices among individuals and organizations. This
year's theme is "Secure Our World."
https://www.scmagazine.com/resource/cybersecurity-awareness-month-four-key-actions-that-improve-security-hygiene
White House executive order on AI seeks to address security risks -
Long-awaited EO attempts to toe the line between harnessing
artificial intelligence’s vast capabilities and protecting
“Americans from the potential risks of AI systems.”
https://cyberscoop.com/white-house-ai-executive-order-cybersecurity/
FTC orders non-bank financial firms to report breaches in 30 days -
The U.S. Federal Trade Commission (FTC) has amended the Safeguards
Rules, mandating that all non-banking financial institutions report
data breach incidents within 30 days.
https://www.bleepingcomputer.com/news/security/ftc-orders-non-bank-financial-firms-to-report-breaches-in-30-days/
SEC charges SolarWinds, CISO with fraud in 2020 supply chain attacks
- SolarWinds and the company’s chief information security officer
(CISO), Tim Brown, were charged with fraud following the U.S.
Securities and Exchange Commission (SEC) investigation into the
devastating 2020 Orion Sunburst supply chain attacks.
https://www.scmagazine.com/news/sec-charges-solarwinds-ciso-with-fraud-in-2020-supply-chain-attacks
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Irish cops data debacle exposes half a million motorist records - A
third-party contractor running a database without password
protection exposed more than 500,000 records related to vehicle
seizures by the Irish National Police.
https://www.theregister.com/2023/10/24/irish_national_police_leak/
Cyberattack on health services provider impacts 5 Canadian hospitals
- A cyberattack on shared service provider TransForm has impacted
operations in five hospitals in Ontario, Canada, impacting patient
care and causing appointments to be rescheduled.
https://www.bleepingcomputer.com/news/security/cyberattack-on-health-services-provider-impacts-5-canadian-hospitals/
Philadelphia cyberattack compromised health data of city employees -
Philadelphia on Friday disclosed it had been hit by a cyberattack in
May and that the malicious actors may have accessed the personal and
health data of city employees through their email accounts.
https://statescoop.com/philadelphia-city-health-data-cyberattack-orange-county/
Chilean telecom giant GTD hit by the Rorschach ransomware gang -
Chile's Grupo GTD warns that a cyberattack has impacted its
Infrastructure as a Service (IaaS) platform, disrupting online
services.
https://www.bleepingcomputer.com/news/security/chilean-telecom-giant-gtd-hit-by-the-rorschach-ransomware-gang/
BeyondTrust, Cloudflare and 1Password targeted after recent Okta
breach - The breach of Okta’s case management system first reported
late last week has evolved into a new phase as Cloudflare, 1Password,
and BeyondTrust confirmed that hackers targeted their systems as a
result of the breach.
https://www.scmagazine.com/news/beyond-trust-cloudflare-and-1password-are-all-targets-of-recent-okta-breach
Stanford schooled in cybersecurity after Akira claims ransomware
attack - Stanford University has confirmed it is "investigating a
cybersecurity incident" after an attack last week by the Akira
ransomware group.
https://www.theregister.com/2023/10/30/stanford_university_confirms_investigation_into/
Toronto Public Library services down following weekend cyberattack -
The Toronto Public Library (TPL) is warning that many of its online
services are offline after suffering a cyberattack over the weekend,
on Saturday, October 28.
https://www.bleepingcomputer.com/news/security/toronto-public-library-services-down-following-weekend-cyberattack/
Hackers email stolen student data to parents of Nevada school
district - The Clark County School District (CCSD) in Nevada is
dealing with a potentially massive data breach, as hackers email
parents their children's data that was allegedly stolen during a
recent cyberattack.
https://www.bleepingcomputer.com/news/security/hackers-email-stolen-student-data-to-parents-of-nevada-school-district/
‘One of the most dangerous financial criminal groups’ responsible
for MGM cyberattack - Scattered Spider, the threat gang responsible
for recent attacks against MGM International and Caesars
Entertainment, amongst others, has been described by Microsoft as
“one of the most dangerous financial criminal groups."
https://www.scmagazine.com/news/one-of-the-most-dangerous-financial-criminal-groups-responsible-for-mgm-cyberattack
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
INTRUSION DETECTION SYSTEMS
Vulnerability assessments and penetration analyses help ensure
that appropriate security precautions have been implemented and that
system security configurations are appropriate. The next step is to
monitor the system for intrusions and unusual activities. Intrusion
detection systems (IDS) may be useful because they act as a burglar
alarm, reporting potential intrusions to appropriate personnel. By
analyzing the information generated by the systems being guarded,
IDS help determine if necessary safeguards are in place and are
protecting the system as intended. In addition, they can be
configured to automatically respond to intrusions.
Computer system components or applications can generate
detailed, lengthy logs or audit trails that system administrators
can manually review for unusual events. IDS automate the review of
logs and audit data, which increases the reviews' overall efficiency
by reducing costs and the time and level of skill necessary to
review the logs.
Typically, there are three components to an IDS. First is an
agent, which is the component that actually collects the
information. Second is a manager, which processes the information
collected by the agents. Third is a console, which allows authorized
information systems personnel to remotely install and upgrade
agents, define intrusion detection scenarios across agents, and
track intrusions as they occur. Depending on the complexity of the
IDS, there can be multiple agent and manager components.
Generally, IDS products use three different methods to detect
intrusions. First, they can look for identified attack signatures,
which are streams or patterns of data previously identified as an
attack. Second, they can look for system misuse such as unauthorized
attempts to access files or disallowed traffic inside the firewall.
Third, they can look for activities that are different from the
user's or system's normal pattern. These "anomaly-based" products
(which use artificial intelligence) are designed to detect subtle
changes or new attack patterns, and then notify appropriate
personnel that an intrusion may be occurring. Some anomaly-based
products are created to update normal use patterns on a regular
basis. Poorly designed anomaly-based products can trigger frequent
false-positive responses.
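As an added illustration (not from the FDIC paper or any product), the three detection methods above applied to a few constructed audit-trail lines: a signature match, misuse rules for disallowed file access and traffic, and a per-user anomaly check whose threshold shows how a poorly tuned baseline produces the false positives the text warns about. The log format, rules and baseline profile are all assumptions.

```python
import re
from collections import Counter

# Constructed sample audit-trail lines (not from the FDIC paper):
# "time user src dst action target". The last 40 lines model a burst from one user.
SAMPLE_LOG = "\n".join(
    ["09:00:01 alice 10.0.1.5 10.0.2.10 GET /index.html",
     "09:00:02 bob 10.0.1.6 10.0.2.10 GET /reports/q3.pdf",
     "09:00:03 alice 10.0.1.5 10.0.2.10 GET /static/../../etc/passwd",
     "09:00:04 carol 10.0.1.7 10.0.2.10 READ /etc/shadow",
     "09:00:05 dave 10.0.1.9 10.0.2.11 TELNET :23"]
    + [f"09:01:{i:02d} eve 10.0.1.8 10.0.2.10 GET /page{i}" for i in range(40)])

# Method 1: attack signatures, i.e. data patterns previously identified as attacks.
SIGNATURES = {"directory traversal": re.compile(r"(\.\./)+")}

# Method 2: misuse rules, i.e. file access or traffic the institution disallows.
SENSITIVE_FILES = {"/etc/shadow"}
DISALLOWED_PROTOCOLS = {"TELNET"}

# Method 3: anomaly detection against a profile of normal activity (constructed
# baseline: each user's usual requests per minute, as learned over prior weeks).
BASELINE = {"alice": 2.0, "bob": 1.0, "carol": 1.0, "dave": 1.0, "eve": 3.0}

def parse(line):
    return dict(zip(("time", "user", "src", "dst", "action", "target"), line.split(maxsplit=5)))

def signature_alerts(events):
    return [(name, e["user"], e["target"]) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["target"])]

def misuse_alerts(events):
    alerts = []
    for e in events:
        if e["action"] == "READ" and e["target"] in SENSITIVE_FILES:
            alerts.append(("sensitive file access", e["user"], e["target"]))
        if e["action"] in DISALLOWED_PROTOCOLS:
            alerts.append(("disallowed protocol", e["user"], e["action"]))
    return alerts

def anomaly_alerts(events, factor):
    # Flag users whose request count exceeds `factor` times their baseline. A low
    # factor models the poorly tuned product the text warns about: normal users fire too.
    counts = Counter(e["user"] for e in events)
    return [(u, n) for u, n in sorted(counts.items()) if n > factor * BASELINE.get(u, 1.0)]

def run_ids(log, factor=3.0):
    events = [parse(l) for l in log.splitlines() if l.strip()]
    return {"signature": signature_alerts(events), "misuse": misuse_alerts(events),
            "anomaly": anomaly_alerts(events, factor)}
```

With the default factor only the burst from "eve" is flagged as anomalous; lowering the factor to 0.5 flags every user in the sample, which is the false-positive behaviour of an over-sensitive baseline.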
Although IDS may be an integral part of an institution's overall
system security, they will not protect a system from previously
unknown threats or vulnerabilities. They are not self-sufficient and
do not compensate for weak authentication procedures (e.g., when an
intruder already knows a password to access the system). Also, IDS
often have overlapping features with other security products, such
as firewalls. IDS provide additional protections by helping to
determine if the firewall programs are working properly and by
helping to detect internal abuses. Both firewalls and IDS need to be
properly configured and updated to combat new types of attacks. In
addition, management should be aware that the state of these
products is highly dynamic and IDS capabilities are evolving.
IDS tools can generate both technical and management reports,
including text, charts, and graphs. The IDS reports can provide
background information on the type of attack and recommend courses
of action. When an intrusion is detected, the IDS can automatically
begin to collect additional information on the attacker, which may
be needed later for documentation purposes.
FYI - Please remember that
we perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
examiner@yennik.com for
more information.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet. This booklet is required reading for anyone
involved in information systems security, such as the Network
Administrator, Information Security Officer, members of the IS
Steering Committee, and most importantly your outsourced network
security consultants. Your outsourced network security
consultants can receive the "Internet Banking News" by completing
the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
the e-newsletter.
SECURITY PROCESS
Action Summary - Financial institutions should implement an
ongoing security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
employees.
OVERVIEW
The security process is the method an organization uses to
implement and achieve its security objectives. The process is
designed to identify, measure, manage and control the risks to
system and data availability, integrity, and confidentiality, and
ensure accountability for system actions. The process includes five
areas that serve as the framework for this booklet:
1) Information Security Risk Assessment - A process to identify
threats, vulnerabilities, attacks, probabilities of occurrence, and
outcomes.
2) Information Security Strategy - A plan to mitigate risk that
integrates technology, policies, procedures and training. The plan
should be reviewed and approved by the board of directors.
3) Security Controls Implementation - The acquisition and
operation of technology, the specific assignment of duties and
responsibilities to managers and staff, the deployment of
risk-appropriate controls, and assurance that management and staff
understand their responsibilities and have the knowledge, skills,
and motivation necessary to fulfill their duties.
4) Security Testing - The use of various methodologies to gain
assurance that risks are appropriately assessed and mitigated. These
testing methodologies should verify that significant controls are
effective and performing as intended.
5) Monitoring and Updating - The process of continuously
gathering and analyzing information regarding new threats and
vulnerabilities, actual attacks on the institution or others
combined with the effectiveness of the existing security controls.
This information is used to update the risk assessment, strategy,
and controls. Monitoring and updating makes the process continuous
instead of a one-time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution's defensive
posture. All of these variables change constantly. Therefore, an
institution's management of the risks requires an ongoing process.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.3 Step 3: Anticipating Potential Contingencies or Disasters
Although it is impossible to think of all the things that can go
wrong, the next step is to identify a likely range of problems. The
development of scenarios will help an organization develop a plan to
address the wide range of things that can go wrong.
Scenarios should include small and large contingencies. While some
general classes of contingency scenarios are obvious, imagination
and creativity, as well as research, can point to other possible,
but less obvious, contingencies. The contingency scenarios should
address each of the resources described above. The following are
examples of some of the types of questions that contingency
scenarios may address:
Human Resources: Can people get to work? Are key personnel
willing to cross a picket line? Are there critical skills and
knowledge possessed by one person? Can people easily get to an
alternative site?
Processing Capability: Are the computers harmed? What
happens if some of the computers are inoperable, but not all?
Automated Applications and Data: Has data integrity been
affected? Is an application sabotaged? Can an application run on a
different processing platform?
Computer-Based Services: Can the computers communicate? To
where? Can people communicate? Are information services down? For
how long?
Infrastructure: Do people have a place to sit? Do they have
equipment to do their jobs? Can they occupy the building?
Documents/Paper: Can needed records be found? Are they
readable?
Examples of Some Less Obvious Contingencies
1. A computer center in the basement of a building had a minor
problem with rats. Exterminators killed the rats, but the bodies
were not retrieved because they were hidden under the raised
flooring and in the pipe conduits. Employees could only enter the
data center with gas masks because of the decomposing rats.
2. After the World Trade Center explosion when people reentered
the building, they turned on their computer systems to check for
problems. Dust and smoke damaged many systems when they were turned
on. If the systems had been cleaned first, there would not have been
significant damage.