MISCELLANEOUS CYBERSECURITY NEWS:
Warner calls for cybersecurity workforce development, incentives for
health sector - Sen. Mark Warner, D-Va., released a healthcare
cybersecurity white paper with policy options.
https://www.scmagazine.com/analysis/careers/warner-calls-for-cybersecurity-workforce-development-incentives-for-health-sector
White paper -
https://www.warner.senate.gov/public/index.cfm/pressreleases
Ritz cracker giant settles bust-up with insurer over $100m NotPetya
cleanup - Mondelez International has settled its lawsuit against
Zurich American Insurance Company, which it brought because the
insurer refused to cover the snack giant's $100-million-plus cleanup
bill following the 2017 NotPetya outbreak.
https://www.theregister.com/2022/11/02/mondelez_zurich_notpetya_settlement/
NCSC Implements Vulnerability Scanning Program Across UK - The
National Cyber Security Centre has announced a new program that
intends to scan every Internet-connected system hosted in the UK for
vulnerabilities in what it touts as an effort to both remediate
threats and monitor the nation's exposure.
https://www.darkreading.com/risk/ncsc-implements-vulnerability-scanning-program-across-uk
Red Cross Eyes Digital Emblem for Cyberspace Protection - When Red
Cross staff work in conflict zones, their recognizable red-on-white
emblems signal that they and those they are helping should not be
targeted.
https://www.securityweek.com/red-cross-seeks-digital-emblem-protect-against-hacking
US Treasury says financial ransomware losses topped $1.2 billion
last year - US financial institutions processed roughly $1.2 billion
in ransomware-related payments last year, a nearly 200 percent
increase compared to 2020, according to the Treasury Department.
https://www.scmagazine.com/analysis/policy/us-treasury-says-financial-ransomware-losses-topped-1-2-billion-last-year
Attacks on critical infrastructure doubled in the past year,
Microsoft says - In the Microsoft Digital Defense Report 2022, the
software maker said cyberattacks targeting critical infrastructure
around the world jumped from 20% of all nation-state attacks
Microsoft detected to 40%.
https://www.scmagazine.com/news/critical-infrastructure/attacks-on-critical-infrastructure-doubled-in-the-past-year-microsoft-says
Managing software risk in the automotive software supply chain -
Most software components used in automobiles are not developed
directly by car manufacturers themselves or even their top-tier
suppliers.
https://www.scmagazine.com/perspective/critical-infrastructure/managing-software-risk-in-the-automotive-software-supply-chain
NIST on tap to improve cybersecurity of water systems - The National
Institute of Standards and Technology (NIST) hopes a new project
will create a set of best practices to help the nation’s complex
water and wastewater systems bolster their cybersecurity posture.
https://fcw.com/security/2022/11/nist-tap-improve-cybersecurity-water-systems/379390/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Over 250 US News Websites Deliver Malware via Supply Chain Attack -
Hundreds of regional and national news websites in the United States
are delivering malware as a result of a supply chain attack
involving one of their service providers.
https://www.securityweek.com/over-250-us-news-websites-deliver-malware-supply-chain-attack
Dropbox discloses breach after hacker stole 130 GitHub repositories
- Dropbox disclosed a security breach after threat actors stole 130
code repositories after gaining access to one of its GitHub accounts
using employee credentials stolen in a phishing attack.
https://www.bleepingcomputer.com/news/security/dropbox-discloses-breach-after-hacker-stole-130-github-repositories/
Hacker Charged With Extorting Online Psychotherapy Service - A
25-year-old Finnish man has been charged with extorting a once
popular and now-bankrupt online psychotherapy company and its
patients.
https://krebsonsecurity.com/2022/11/hacker-charged-with-extorting-online-psychotherapy-service/
ALMA Observatory shuts down operations due to a cyberattack - The
Atacama Large Millimeter Array (ALMA) Observatory in Chile has
suspended all astronomical observation operations and taken its
public website offline following a cyberattack on Saturday, October
29, 2022.
https://www.bleepingcomputer.com/news/security/alma-observatory-shuts-down-operations-due-to-a-cyberattack/
Massachusetts AG finds failed security measures led to Georgia
provider’s breach - Aveanna Healthcare in Georgia agreed to pay
Massachusetts $425,000 after that state's attorney general
investigation into the home health and hospice provider found that
the company’s failure to implement proper security measures led to
its phishing-related data breach in 2019.
https://www.scmagazine.com/analysis/breach/massachusetts-ag-finds-failed-security-measures-led-to-georgia-providers-breach
Medibank refuses to pay ransom for hacked data affecting 9.7 million
customers - Medibank, Australia’s largest health insurer, announced
Monday that it will not pay a ransom to the hacker behind the recent
data theft affecting 9.7 million customers.
https://www.scmagazine.com/analysis/ransomware/medibank-refuses-to-pay-ransom-for-hacked-data-affecting-9-7-million-customers
Breached health insurer won't pay ransom to protect customers, warns
of more attacks - Australian health insurer Medibank – which spent
October discovering a security incident was worse than it first
thought – has announced it will not pay a ransom to attackers that
made off with personal info describing nearly ten million customers.
https://www.theregister.com/2022/11/07/medibank_breach_n0_ransom_payment/
SolarWinds Agrees to Pay $26 Million to Settle Shareholder Lawsuit
Over Data Breach - Texas-based IT management solutions provider
SolarWinds has agreed to pay $26 million to settle a shareholder
lawsuit over the data breach disclosed by the company in 2020.
https://www.securityweek.com/solarwinds-agrees-pay-26-million-settle-shareholder-lawsuit-over-data-breach
Boeing Subsidiary Jeppesen’s Services Hit By Cyberattack - Boeing
Co. unit Jeppesen has been hit by a cyberattack that’s affecting
access to its flight planning software, which is used by airlines
globally.
https://www.bloomberg.com/news/articles/2022-11-04/boeing-subsidiary-jeppesen-s-services-hit-by-cyberattack
Experian, T-Mobile reach settlements with 40 states over past data
breaches - A coalition of 40 U.S. state attorneys general has
reached separate settlements with Experian and T-Mobile totaling
over $16 million following data breaches in 2012 and 2015 that
compromised the personal information of millions of consumers
nationwide.
https://www.scmagazine.com/analysis/breach/experian-t-mobile-reach-settlements-with-40-states-over-past-data-breaches
Killnet DDoS attacks against former Eastern Block government sites
fail - Former Eastern Bloc countries Bulgaria, Estonia, Moldova,
Poland, and Romania had their intelligence agency websites targeted
by failed distributed denial-of-service attacks launched by Russian
hacktivist group Killnet over the weekend, reports The Record, a
news site by cybersecurity firm Recorded Future.
https://www.scmagazine.com/brief/threat-intelligence/killnet-ddos-attacks-against-former-eastern-block-government-sites-fail
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology
Services
Due Diligence in Selecting a Service Provider - Oversight of Service
Provider
Some of the oversight activities management should consider in
administering the service provider relationship are categorized and
listed below. The degree of oversight activities will vary depending
upon the nature of the services outsourced. Institutions should
consider the extent to which the service provider conducts similar
oversight activities for any of its significant supporting agents
(i.e., subcontractors, support vendors, and other parties) and the
extent to which the institution may need to perform oversight
activities on the service provider’s significant supporting agents.
Monitor Financial Condition and Operations
• Evaluate the service
provider’s financial condition periodically.
• Ensure that the service provider’s financial obligations to
subcontractors are being met in a timely manner.
• Review audit reports (e.g., SAS 70 reviews, security reviews)
as well as regulatory examination reports if available, and
evaluate the adequacy of the service provider's systems and
controls, including resource availability, security, integrity,
and confidentiality.
• Follow up on any deficiencies noted in the audits and reviews
of the service provider.
• Periodically review the service provider's policies relating
to internal controls, security, systems development and
maintenance, and backup and contingency planning to ensure they
meet the institution's minimum guidelines and contract
requirements, and are consistent with the current market and
technological environment.
• Review access control reports for suspicious activity.
• Monitor changes in key service provider project personnel
allocated to the institution.
• Review and monitor the service provider’s insurance policies
for effective coverage.
• Perform on-site inspections in conjunction with some of the
reviews performed above, where practicable and necessary.
• Sponsor coordinated audits and reviews with other client
institutions.
Some services provided to insured
depository institutions by service providers are examined by the
FFIEC member agencies. Regulatory examination reports, which are
only available to clients/customers of the service provider, may
contain information regarding a service provider’s operations.
However, regulatory reports are not a substitute for a financial
institution’s due diligence in oversight of the service provider.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Honeypots
A honeypot is a network device that the institution uses to
attract attackers to a harmless and monitored area of the network.
Honeypots have three key advantages over network and host IDS
systems. Since the honeypot's only function is to be attacked, any
network traffic to or from the honeypot potentially signals an
intrusion. Monitoring that traffic is simpler than monitoring all
traffic passing a network IDS. Honeypots also collect very little
data, and all of that data is highly relevant. Network IDS systems
gather vast amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack. Finally,
unlike IDS, a honeypot does not pass packets without inspection when
under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective unless
they are attacked. Consequently, organizations that use honeypots
for detection usually make the honeypot look attractive to an
attacker. Attractiveness may be in the name of the device, its
apparent capabilities, or in its connectivity. Since honeypots are
ineffective unless they are attacked, they are typically used to
supplement other intrusion detection capabilities.
Honeypots also introduce the risk of being compromised without
triggering an alarm, then becoming staging grounds for attacks on
other devices. The level of risk is dependent on the degree of
monitoring, capabilities of the honeypot, and its connectivity. For
instance, a honeypot that is not rigorously monitored, that has
excellent connectivity to the rest of the institution's network, and
that has varied and easy-to-compromise services presents a high
risk to the confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a honeypot that
is rigorously monitored and whose sole capability is to log
connections and issue bogus responses to the attacker, while
signaling outside the system to the administrator, demonstrates much
lower risk.
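As an added illustration of the first advantage above (any traffic to
or from a honeypot is a potential intrusion signal) and of the
compromise risk described in the last paragraph, the following example
code is not part of the FFIEC booklet: it scans constructed flow-log
lines, with an assumed honeypot address of 10.0.9.10, and raises an
alert for every flow that touches the honeypot, separating inbound
probes from outbound connections the honeypot itself initiated, which
is the symptom of a honeypot that has become a staging ground.

```python
import ipaddress
from dataclasses import dataclass

# Constructed flow records (not from the page): "timestamp src:port -> dst:port proto".
SAMPLE_FLOWS = """\
2022-11-07T09:00:01Z 10.0.5.23:51234 -> 10.0.9.10:22 tcp
2022-11-07T09:00:02Z 10.0.5.23:51235 -> 10.0.9.10:445 tcp
2022-11-07T09:00:05Z 10.0.1.7:40022 -> 10.0.2.15:443 tcp
2022-11-07T09:01:10Z 10.0.9.10:38000 -> 10.0.2.15:445 tcp
"""

# Assumed honeypot address; a real deployment would load this from inventory.
HONEYPOTS = {ipaddress.ip_address("10.0.9.10")}


@dataclass(frozen=True)
class Alert:
    when: str
    honeypot: str
    peer: str
    port: int        # honeypot-side port for inbound, remote port for outbound
    direction: str   # "inbound": someone probed the honeypot; "outbound": honeypot reached out


def parse_flow(line):
    """Split one flow-log line into its timestamp, endpoints and protocol."""
    when, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (when, ipaddress.ip_address(src_ip), int(src_port),
            ipaddress.ip_address(dst_ip), int(dst_port), proto)


def honeypot_alerts(flow_text, honeypots=HONEYPOTS):
    """Every flow touching a honeypot is an alert; nothing legitimate should talk to it."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        when, src, sport, dst, dport, proto = parse_flow(line)
        if dst in honeypots:
            alerts.append(Alert(when, str(dst), str(src), dport, "inbound"))
        elif src in honeypots:
            # The honeypot should never initiate traffic: treat this as possible compromise.
            alerts.append(Alert(when, str(src), str(dst), dport, "outbound"))
    return alerts


def outbound_alerts(alerts):
    """The subset that signals the honeypot may be staging attacks on other devices."""
    return [a for a in alerts if a.direction == "outbound"]
```

Because the alert list is built from flow logs rather than from the
honeypot itself, the check still fires when the honeypot has been
compromised and its own logging silenced.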
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.4.4 Protection Against Disclosure or Brokerage of Information
HGA's protection
against information disclosure is based on a need-to-know policy and
on personnel hiring and screening practices. The need-to-know policy
states that time and attendance information should be made
accessible only to HGA employees and contractors whose assigned
professional responsibilities require it. Such information must be
protected against access from all other individuals, including other
HGA employees. Appropriate hiring and screening practices can lessen
the risk that an untrustworthy individual will be assigned such
responsibilities.
The need-to-know policy
is supported by a collection of physical, procedural, and automated
safeguards, including the following:
- Time and attendance paper documents must be stored securely when
not in use, particularly during evenings and on weekends. Approved
storage containers include locked file cabinets and desk
drawers to which only the owner has the keys. While
storage in a container is preferable, it is also permissible
to leave time and attendance documents on top of a desk or
other exposed surface in a locked office (with the
realization that the guard force has keys to the office).
(This is a judgment left to local discretion.) Similar rules
apply to disclosure-sensitive information stored on floppy
disks and other removable magnetic media.
- Every HGA PC is equipped
with a key lock that, when locked, disables the PC. When
information is stored on a PC's local hard disk, the user to
whom that PC was assigned is expected to (1) lock the PC at
the conclusion of each workday and (2) lock the office in
which the PC is located.
- The LAN server operating
system's access controls provide extensive features for
controlling access to files. These include group-oriented
controls that allow teams of users to be assigned to named
groups by the System Administrator. Group members are then
allowed access to sensitive files not accessible to
nonmembers. Each user can be assigned to several groups
according to need to know. (The reliable functioning of
these controls is assumed, perhaps incorrectly, by HGA.)
- All PC users undergo
security awareness training when first provided accounts on
the LAN server. Among other things, the training stresses
the necessity of protecting passwords. It also instructs
users to log off the server before going home at night or
before leaving the PC unattended for periods exceeding an
hour.