MISCELLANEOUS CYBERSECURITY NEWS:
DHS rolls out new cyber performance goals for private sector - The
Department of Homeland Security released new cybersecurity
performance goals and metrics that are designed to help drive
cybersecurity best practices and improvements across different
industrial sectors of the economy.
https://www.scmagazine.com/analysis/compliance/dhs-rolls-out-new-cyber-performance-goals-for-private-sector
Healthcare’s email security problem is a compliance and forensics
nightmare - Email hacks against the healthcare sector are common -
and problematic from a compliance perspective in terms of reporting
requirements. While the consensus is that email is merely a pivot
point for other nefarious activities, the stat doesn’t hold as much
water in highly regulated industries.
https://www.scmagazine.com/feature/security-awareness/healthcares-email-security-problem-is-a-compliance-and-forensics-nightmare
HIPAA requires ‘timely response’ for security incidents, says alert
to health sector - Health Insurance Portability and Accountability
Act requires covered entities to implement policies to address
incidents, according to the cyber bulletin from the U.S. Department
of Health and Human Services' Office for Civil Rights.
https://www.scmagazine.com/analysis/security-awareness/hipaa-requires-timely-response-for-security-incidents-says-alert-to-health-sector
FBI and CISA: Here's what you need to know about DDoS attacks - The
Cybersecurity and Infrastructure Security Agency (CISA) and the
Federal Bureau of Investigation (FBI) are warning organizations to
take proactive steps to reduce the impact of distributed
denial-of-service (DDoS) attacks.
https://www.zdnet.com/article/fbi-and-cisa-heres-what-you-need-to-know-about-ddos-attacks/
Snack giant settles with insurer over $100 million claim tied to
2017 NotPetya attacks - Mondelez International and Zurich American
Insurance settled a multi-year legal battle over the snack giant’s
$100 million claim regarding losses from the NotPetya cyberattack in
2017.
https://www.scmagazine.com/analysis/policy/snack-giant-settles-with-insurer-over-100-million-claim-tied-to-2017-notpetya-attacks
Government workers face more phishing attacks on mobile devices -
Lookout on Wednesday reported that 50% of the phishing attacks aimed
at the mobile devices of federal, state and local government workers
in 2021 sought to steal credentials - up from 30% a year ago.
https://www.scmagazine.com/news/device-security/government-workers-face-more-phishing-attacks-on-mobile-devices
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Medibank now says hackers accessed all its customers’ personal data
- Australian insurance firm Medibank has confirmed that hackers
accessed all of its customers' personal data and a large amount of
health claims data during a recent ransomware attack.
https://www.bleepingcomputer.com/news/security/medibank-now-says-hackers-accessed-all-its-customers-personal-data/
Incidents expose weak cybersecurity programs at news media
organizations - Two cyber incidents involving news media companies
underscored the need for these businesses to take a closer look at
their security operations.
https://www.scmagazine.com/analysis/insider-threat/incidents-expose-weak-cybersecurity-programs-at-news-media-organizations
Ransomware attack on Ascension St. Vincent’s legacy EMR spurs breach
notice - A “security event” deployed against several legacy systems,
including an electronic medical record (EMR), at Ascension St.
Vincent’s Coastal Cardiology in Georgia has led to the possible
compromise of personal and health information tied to an undisclosed
number of patients.
https://www.scmagazine.com/analysis/ransomware/ransomware-attack-on-ascension-st-vincents-legacy-emr-spurs-breach-notice
Zscaler's Cloud-Based Cybersecurity Outages Showcase Redundancy
Problem - While fewer cloud providers are suffering outages,
customers should prepare for the uncommon event, especially when
relying on cloud services for security.
https://www.darkreading.com/cloud/zscaler-cloud-based-cybersecurity-outages-redundancy
FTC Brings Action Against Ed Tech Provider Chegg for Careless
Security that Exposed Personal Data of Millions of Customers - FTC
order against Chegg will require company to shore up its security
against data breaches, and delete unnecessary data.
https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-brings-action-against-ed-tech-provider-chegg-careless-security-exposed-personal-data-millions
Slovak, Polish Parliaments Hit by Cyberattacks - Cyberattacks hit
the Slovak and Polish parliaments on Thursday, bringing down the
voting system in Slovakia's legislature, parliamentary authorities
said.
https://www.securityweek.com/slovak-polish-parliaments-hit-cyberattacks
Dropbox incident raises questions about how much security pros can
depend on MFA - Reports on Tuesday that Dropbox was the target of a
phishing campaign that successfully accessed some of the code it
stores in GitHub raised eyebrows in security circles because the
attackers were able to bypass multi-factor authentication (MFA).
https://www.scmagazine.com/news/cloud-security/dropbox-incident-raises-questions-about-how-much-security-pros-can-depend-on-mfa
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Termination
The extent and flexibility of termination rights sought can vary
depending upon the service. Contracts for technologies subject to
rapid change, for example, may benefit from greater flexibility in
termination rights. Termination rights may be sought for a variety
of conditions including change in control (e.g., acquisitions and
mergers), convenience, substantial increase in cost, repeated
failure to meet service levels, failure to provide critical
services, bankruptcy, company closure, and insolvency.
Institution management should consider whether or not the
contract permits the institution to terminate the contract in a
timely manner and without prohibitive expense (e.g., reasonableness
of cost or penalty provisions). The contract should state
termination and notification requirements with time frames to allow
the orderly conversion to another provider. The contract must
provide for return of the institution’s data, as well as other
institution resources, in a timely manner and in machine readable
format. Any costs associated with transition assistance should be
clearly stated.
Assignment
The institution should consider contract provisions that
prohibit assignment of the contract to a third party without the
institution’s consent, including changes to subcontractors.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 4 of 4)
Some host-based IDS units address the difficulty
of performing intrusion detection on encrypted traffic. Those units
position their sensors between the decryption of the IP packet and
the execution of any commands by the host. This host-based intrusion
detection method is particularly appropriate for Internet banking
servers and other servers that communicate over an encrypted
channel. Loadable kernel modules (LKMs), however, can defeat these
host-based IDS units, because a malicious module can intercept or alter
what the sensor sees before it reaches the host's own processing.
Host-based intrusion detection systems are recommended by NIST for
all mission-critical systems, even those that should not allow
external access.
The heuristic, or behavior, method creates a statistical profile
of normal activity on the host or network. Boundaries for activity
are established based on that profile. When current activity exceeds
the boundaries, an alert is generated. Weaknesses in this system
involve the ability of the system to accurately model activity, the
relationship between valid activity in the period being modeled and
valid activity in future periods, and the potential for malicious
activity to take place while the modeling is performed. This method
is best employed in environments with predictable, stable activity.
Both signature-based and heuristic detection methods result in
false positives (alerts where no attack exists), and false negatives
(no alert when an attack does take place). While false negatives are
obviously a concern, false positives can also hinder detection. When
security personnel are overwhelmed with the number of false
positives, they may look at the IDS reports with less vigor,
allowing real attacks to be reported by the IDS but not researched
or acted upon. Additionally, they may tune the IDS to reduce the
number of false positives, which may increase the number of false
negatives. Risk-based testing is necessary to ensure the detection
capability is adequate.
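The heuristic method and the false-positive/false-negative trade-off described above, as an added illustration that is not part of the FFIEC booklet: a statistical profile (mean and standard deviation) is built from a constructed baseline of hourly failed-login counts, a boundary of mean + k * stddev is applied to a constructed day of current activity, and alerts are scored against constructed ground truth; raising k removes a benign spike's false positive but also hides a low-volume attack hour, and a baseline that already contains attack traffic inflates the profile so the boundary no longer catches moderate activity.

```python
"""Behavior-based (heuristic) intrusion detection over a statistical baseline.
Added example; data below is constructed, not from any real system."""
from statistics import mean, pstdev

# Constructed baseline: 24 quiet hours of failed-login counts on one server.
BASELINE = [3, 5, 4, 6, 2, 5, 4, 3, 7, 5, 4, 6,
            3, 5, 4, 5, 6, 4, 3, 5, 4, 6, 5, 4]
# Constructed current period: 12 hours to score. Hour 4 is a loud attack (41),
# hour 7 is a benign batch job (9), hour 9 is a low-and-slow attack (7).
CURRENT = [4, 5, 3, 6, 41, 5, 4, 9, 5, 7, 6, 3]
# Constructed ground truth for CURRENT: which hours really held an attack.
TRUTH = [False, False, False, False, True, False,
         False, False, False, True, False, False]


def build_profile(baseline):
    """Statistical profile of normal activity: (mean, population std-dev)."""
    return mean(baseline), pstdev(baseline)


def detect(current, profile, k):
    """Alert on each interval whose count exceeds mean + k * stddev."""
    mu, sigma = profile
    boundary = mu + k * sigma
    return [count > boundary for count in current]


def evaluate(alerts, truth):
    """Return (false positives, false negatives) against known ground truth."""
    fp = sum(1 for a, t in zip(alerts, truth) if a and not t)
    fn = sum(1 for a, t in zip(alerts, truth) if t and not a)
    return fp, fn


if __name__ == "__main__":
    clean = build_profile(BASELINE)
    for k in (2, 3, 4):
        fp, fn = evaluate(detect(CURRENT, clean, k), TRUTH)
        print(f"k={k}: false positives={fp}, false negatives={fn}")
    # Weakness from the text: an attack present during modeling widens the
    # profile, so the same k then misses the low-and-slow hour entirely.
    poisoned = build_profile(BASELINE + [41])
    print("poisoned baseline, k=3:", evaluate(detect(CURRENT, poisoned, 3), TRUTH))
```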
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.4.3 Protection Against Interruption of Operations (2 of 2)
Division Contingency Planning
HGA's divisions also must develop and maintain their own contingency
plans. The plans
must identify critical business functions, the system resources and
applications on which they depend, and the maximum acceptable
periods of interruption that these functions can tolerate without
significant reduction in HGA's ability to fulfill its mission. The
head of each division is responsible for ensuring that the
division's contingency plan and associated support activities are
adequate.
For each major application used by multiple divisions, a chief of a
single division
must be designated as the application owner. The designated
official (supported by his or her staff) is responsible for
addressing that application in the contingency plan and for
coordinating with other divisions that use the application.
If a division relies exclusively on computer resources maintained by
COG (Computer
Operations Group) (e.g., the LAN), it need not duplicate COG's
contingency plan, but is responsible for reviewing the adequacy of
that plan. If COG's plan does not adequately address the division's
needs, the division must communicate its concerns to the COG
Director. In either situation, the division must make known the
criticality of its applications to the COG. If the division relies
on computer resources or services that are not provided by
COG, the division is responsible for (1) developing its own
contingency plan or (2) ensuring that the contingency plans of other
organizations (e.g., the WAN service provider) provide adequate
protection against service disruptions.