MISCELLANEOUS CYBERSECURITY NEWS:
DDoS attack on ChatGPT sparks concerns over coding, productivity
disruptions - Security researchers expressed broad concern over news
late in the day Nov. 8 that OpenAI confirmed it was “dealing with
periodic outages” because of distributed-denial-of-service (DDoS)
attacks on its ChatGPT services.
https://www.scmagazine.com/news/ddos-attack-on-chatgpt-sparks-concerns-over-coding-productivity-disruptions
SolarWinds says SEC sucks: Watchdog 'lacks competence' to regulate
cybersecurity - SolarWinds has come out guns blazing to defend
itself following the US Securities and Exchange Commission's
announcement that it will be suing both the IT software maker and
its CISO over the 2020 SUNBURST cyberattack.
https://www.theregister.com/2023/11/09/solarwinds_sec_filing/
NIST releases revised cyber requirements for controlled unclassified
information - The proposed revisions will ideally serve as a
“balanced, strong starting point” for agencies and contractors that
deal with sensitive information, a NIST official said.
https://www.nextgov.com/cybersecurity/2023/11/nist-releases-revised-cyber-requirements-controlled-unclassified-information/391904/
How to combat ransomware in the face of tight security staffing -
Ransomware remains a threat for which all organizations must be
prepared. But with much of today’s cybersecurity guidance geared
toward larger companies, smaller organizations with tighter staffing
are often left hanging. The advice in this article is for them.
https://www.scmagazine.com/resource/ransomware-how-small-security-teams-can-mount-a-better-defense
Hackers breach healthcare orgs via ScreenConnect remote access -
Security researchers are warning that hackers are targeting multiple
healthcare organizations in the U.S. by abusing the ScreenConnect
remote access tool.
https://www.bleepingcomputer.com/news/security/hackers-breach-healthcare-orgs-via-screenconnect-remote-access/
CISA's New SBOM Guidance Faces Implementation Challenges - Many
organizations will struggle to implement new software security
guidance from the U.S. Cybersecurity and Infrastructure Security
Agency, industry experts say, citing a lack of specific components
required to effectively develop and scale a consumption process for
software bills of materials.
https://www.govinfosecurity.com/cisas-new-sbom-guidance-faces-implementation-challenges-a-23579
FBI takes heat from industry for not making arrests in MGM-Caesars
cases - The FBI has faced criticism before following a major cyber
incident, but a new report Tuesday by Reuters calls out law
enforcement for not making arrests for the September attacks on MGM
Resorts International and Caesars Entertainment.
https://www.scmagazine.com/news/fbi-takes-heat-from-industry-for-not-making-arrests-in-mgm-caesars-cases
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Sandworm Hackers Caused Another Blackout in Ukraine During a
Missile Strike - Russia's most notorious military hackers
successfully sabotaged Ukraine's power grid for the third time last
year. And in this case, the blackout coincided with a physical
attack.
https://www.wired.com/story/sandworm-ukraine-third-blackout-cyberattack/
Medical Company Fined $450,000 by New York AG Over Data Breach - The
attorney general of the state of New York announced on Wednesday
that a medical company has been fined $450,000 over a data breach
resulting from a ransomware attack.
https://www.securityweek.com/medical-company-fined-450000-by-new-york-ag-over-data-breach/
AHA Sues Feds Over Privacy Warning About Web Tracker Use - The
American Hospital Association, along with three other organizations,
has filed a federal lawsuit seeking to have the U.S. Department of
Health and Human Services withdraw guidance issued last year warning
that the use of online trackers by hospitals potentially violates
HIPAA.
https://www.govinfosecurity.com/aha-sues-feds-over-privacy-warning-about-web-tracker-use-a-23544
LockBit takes credit for ransomware attack on US subsidiary of
Chinese bank - Security pros on Friday were “very concerned” that
this week’s ransomware attack on the U.S. subsidiary of the
Industrial & Commercial Bank of China (ICBC) was engineered by
Russia-linked LockBit, a notorious ransomware-as-a-service (RaaS)
gang that took credit for disrupting ICBC’s trading system.
https://www.scmagazine.com/news/lockbit-takes-credit-for-ransomware-attack-on-us-subsidiary-of-chinese-bank
Inside Denmark’s hell week as critical infrastructure orgs faced
cyberattacks - Danish critical infrastructure faced the biggest
online attack in the country's history in May, according to
SektorCERT, Denmark's specialist organization for the cybersecurity
of critical kit.
https://www.theregister.com/2023/11/13/inside_denmarks_hell_week_as/
DP World cyberattack blocks thousands of containers in ports - A
cyberattack on international logistics firm DP World Australia has
severely disrupted the regular freight movement in multiple large
Australian ports.
https://www.bleepingcomputer.com/news/security/dp-world-cyberattack-blocks-thousands-of-containers-in-ports/
State of Maine Becomes Latest MOVEit Victim to Surface -
Cybercriminals exploited the now-infamous vulnerability in the
MOVEit file-transfer tool to gain access to files belonging to
the State of Maine between May 28 and 29.
https://www.darkreading.com/attacks-breaches/state-maine-latest-moveit-victim
2.2 Million Impacted by Data Breach at McLaren Health Care -
Michigan healthcare delivery system McLaren Health Care has started
notifying roughly 2.2 million individuals that their personal
information was compromised in a data breach earlier this year.
https://www.securityweek.com/2-2-million-impacted-by-data-breach-at-mclaren-health-care/
Ransomware attack on Ohio city impacts multiple services - A
ransomware attack on Huber Heights, Ohio, is causing significant
problems for several city systems. The community of nearly 45,000
residents outside of Dayton released a notice on Sunday warning that
its systems were hit with ransomware at around 8 a.m.
https://therecord.media/huber-heights-ohio-ransomware-attack
China's top bank ICBC hit by ransomware, derailing global trades -
China's largest bank, ICBC, was hit by ransomware that resulted in
disruption of financial services (FS) systems on Thursday Beijing
time, according to a notice on its website.
https://www.theregister.com/2023/11/10/icbc_ransomware/
Hacker group files SEC complaint against its own victim - A
notorious ransomware gang has filed a “failure to report” complaint
against its own victim to the U.S. Securities and Exchange
Commission (SEC) after an alleged breach last week.
https://www.scmagazine.com/news/hacker-group-files-sec-complaint-against-its-own-victim
WEB SITE COMPLIANCE -
Over the next few weeks, we will cover some of the issues discussed
in the "Risk Management Principles for Electronic Banking" published
by the Basel Committee on Bank Supervision.
Executive Summary
Continuing technological innovation and competition among
existing banking organizations and new entrants have allowed for a
much wider array of banking products and services to become
accessible and delivered to retail and wholesale customers through
an electronic distribution channel collectively referred to as
e-banking. However, the rapid development of e-banking capabilities
carries risks as well as benefits.
The Basel Committee on Banking Supervision expects such risks to
be recognized, addressed and managed by banking institutions in a
prudent manner according to the fundamental characteristics and
challenges of e-banking services. These characteristics include the
unprecedented speed of change related to technological and customer
service innovation, the ubiquitous and global nature of open
electronic networks, the integration of e-banking applications with
legacy computer systems and the increasing dependence of banks on
third parties that provide the necessary information technology.
While not creating inherently new risks, the Committee noted that
these characteristics increased and modified some of the traditional
risks associated with banking activities, in particular strategic,
operational, legal and reputational risks, thereby influencing the
overall risk profile of banking.
Based on these conclusions, the Committee considers that while
existing risk management principles remain applicable to e-banking
activities, such principles must be tailored, adapted and, in some
cases, expanded to address the specific risk management challenges
created by the characteristics of e-banking activities. To this end,
the Committee believes that it is incumbent upon the Boards of
Directors and banks' senior management to take steps to ensure that
their institutions have reviewed and modified where necessary their
existing risk management policies and processes to cover their
current or planned e-banking activities. The Committee also believes
that the integration of e-banking applications with legacy systems
implies an integrated risk management approach for all banking
activities of a banking institution.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet. This booklet is required reading for anyone
involved in information systems security, such as the Network
Administrator, Information Security Officer, members of the IS
Steering Committee, and, most importantly, your outsourced network
security consultants. Your outsourced network security consultants
can receive the "Internet Banking News" by completing the
subscription form at https://yennik.com/newletter_page.htm. There
is no charge for the e-newsletter.
ROLES AND RESPONSIBILITIES (2 of 2)
Senior management should enforce its security program by clearly
communicating responsibilities and holding appropriate individuals
accountable for complying with these requirements. A central
authority should be responsible for establishing and monitoring the
security program. Security management responsibilities, however, may
be distributed throughout the institution from the IT department to
various lines of business depending on the institution's size,
complexity, culture, nature of operations, and other factors. The
distribution of duties should ensure an appropriate segregation of
duties between individuals or organizational groups.
Senior management also has the responsibility to ensure
integration of security controls throughout the organization. To
support integration, senior management should
1) Ensure the security process is governed by organizational
policies and practices that are consistently applied,
2) Require that data with similar criticality and sensitivity
characteristics be protected consistently regardless of where in the
organization it resides,
3) Enforce compliance with the security program in a balanced
and consistent manner across the organization, and
4) Coordinate information security with physical security.
Senior management should make decisions regarding the acceptance
of security risks and the performance of risk mitigation activities
using guidance approved by the board of directors.
Employees should know, understand, and be held accountable for
fulfilling their security responsibilities. Institutions should
define these responsibilities in their security policy. Job
descriptions or contracts should specify any additional security
responsibilities beyond the general policies. Financial institutions
can achieve effective employee awareness and understanding through
security training, employee certifications of compliance,
self-assessments, audits, and monitoring.
Management also should consider the roles and responsibilities
of external parties. Technology service providers (TSPs),
contractors, customers, and others who have access to the
institution's systems and data should have their security
responsibilities clearly delineated and documented in contracts.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.2 Step 2: Identifying the Resources That Support Critical
Functions
11.2.3 Automated Applications and Data
Computer systems run applications that process data. Without
current electronic versions of both applications and data,
computerized processing may not be possible. If the processing is
being performed on alternate hardware, the applications must be
compatible with the alternate hardware, operating systems and other
software (including version and configuration), and numerous other
technical factors. Because of the complexity, it is normally
necessary to periodically verify compatibility.
11.2.4 Computer-Based Services
An organization uses many different kinds of computer-based
services to perform its functions. The two most important are
normally communications services and information services.
Communications can be further categorized as data and voice
communications; however, in many organizations these are managed by
the same service. Information services include any source of
information outside of the organization. Many of these sources are
becoming automated, including on-line government and private
databases, news services, and bulletin boards.
11.2.5 Physical Infrastructure
For people to work effectively, they need a safe working
environment and appropriate equipment and utilities. This can
include office space, heating, cooling, venting, power, water,
sewage, other utilities, desks, telephones, fax machines, personal
computers, terminals, courier services, file cabinets, and many
other items. In addition, computers also need space and utilities,
such as electricity. Electronic and paper media used to store
applications and data also have physical requirements.
11.2.6 Documents and Papers
Many functions rely on vital records and various documents,
papers, or forms. These records could be important because of a
legal need (such as being able to produce a signed copy of a loan)
or because they are the only record of the information. Records can
be maintained on paper, microfiche, microfilm, magnetic media, or
optical disk.