MISCELLANEOUS CYBERSECURITY NEWS:
NIST Official Warns Against Device-only Approach to Securing IoT -
Federal agencies’ implementation of NIST’s guidelines on the issue -
under direction from Congress - is coinciding with industry
resistance to the comprehensive approach stakeholders agree is
necessary.
https://www.nextgov.com/cybersecurity/2022/11/nist-official-warns-against-device-only-approach-securing-iot/379595/
CISA Issues Vulnerability-Management Tools Dependent on Industry
Action - Federal agencies are under a binding operational directive
to address exploitable security vulnerabilities in their software,
but the success of CISA’s effort relies on the cooperation of
software vendors.
https://www.nextgov.com/cybersecurity/2022/11/cisa-issues-vulnerability-management-tools-dependent-industry-action/379632/
GitHub launches channel to ease vulnerability disclosure process for
open source software - GitHub, the largest open source software
development community in the world, launched a communication channel
on the platform to make it more straightforward for security
researchers to report vulnerabilities to projects’ maintainers.
https://www.scmagazine.com/analysis/application-security/github-launches-channel-to-ease-vulnerability-disclosure-process-for-open-source-software
Nearly 80% of companies in new survey have had to use their cyber
insurance - Delinea on Thursday reported that nearly 80% of
companies surveyed have had to use their cyber insurance - and more
than half have used it multiple times.
https://www.scmagazine.com/news/business-continuity/nearly-80-of-companies-in-new-survey-have-had-to-use-their-cyber-insurance
World Cup apps pose a data security and privacy nightmare - With
mandated spyware downloads to tens of thousands of surveillance
cameras equipped with facial-recognition technology, the World Cup
in Qatar next month is looking more like a data security and privacy
nightmare than a celebration of the beautiful game.
https://www.theregister.com/2022/11/11/world_cup_security/
Many financial institutions say their own IT staffs pose the biggest
risk to cloud security - On Tuesday a report stated 44% of
financial institutions responding to its cloud security survey say
their own IT staffs pose the biggest risk to data security in the
cloud.
https://www.scmagazine.com/news/cloud-security/many-financial-institutions-say-their-own-it-staffs-pose-the-biggest-risk-to-cloud-security
Why passwordless can’t eliminate passwords, but giving
administrators the ability to manage passwords better can - Gather
identity and security leaders in a room, douse with workforce
passwordless as the topic, and enjoy the fireworks.
https://www.scmagazine.com/perspective/identity-and-access/why-passwordless-cant-eliminate-passwords-but-giving-administrators-the-ability-to-manage-passwords-can
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Children’s hospital required to improve security in breach
settlement - A settlement has been reached in the lawsuit filed
against Ann & Robert H. Lurie Children’s Hospital of Chicago, filed
by parents of patients affected by two data breaches caused by
employee wrongdoing.
https://www.scmagazine.com/analysis/insider-threat/childrens-hospital-required-to-improve-security-in-breach-settlement
Canadian Supermarket Chain Sobeys Hit by Ransomware Attack -
Canadian supermarket and pharmacy chain Sobeys is recovering from a
cyberattack that might have involved the Black Basta ransomware.
https://www.securityweek.com/canadian-supermarket-chain-sobeys-hit-ransomware-attack
K-12 schools lack resources, remaining top target for cyberattacks -
The K-12 sector remains a top target for cyberattacks despite its
security capabilities improving over time, according to a new report
published Monday by the Center for Internet Security.
https://www.scmagazine.com/analysis/ransomware/k-12-schools-lack-resources-remaining-top-target-for-cyberattacks
Russia-based Pushwoosh tricks US Army and others into running its
code - for a while - US government agencies including the Army and
Centers for Disease Control and Prevention pulled apps running
Pushwoosh code after learning the software company - which presents
itself as American - is actually Russian, according to Reuters.
https://www.theregister.com/2022/11/15/russia_pushwoosh_us_army/
Thales refutes ransomware attack following LockBit data leak -
SecurityWeek reports that French aerospace, security, and defense
company Thales denied having its systems hacked but confirmed that
data has been stolen from a user account of a partner on a
collaboration portal following the LockBit ransomware gang's leak of
a 9.5GB archive file claimed to have Thales data.
https://www.scmagazine.com/brief/data-security/thales-refutes-ransomware-attack-following-lockbit-data-leak
Black Basta ransomware hits Canadian supermarket chain - Canadian
supermarket chain Sobeys had its grocery stores and pharmacies
experiencing IT system issues following a Black Basta ransomware
attack, reports BleepingComputer.
https://www.scmagazine.com/brief/ransomware/black-basta-ransomware-hits-canadian-supermarket-chain
Ukrainian organizations hit by Russian Somnia ransomware attacks -
BleepingComputer reports that numerous organizations in Ukraine are
having their systems encrypted with the novel Somnia ransomware,
which has been attributed by the Computer Emergency Response Team of
Ukraine to Russian hacktivist operation From Russia with Love, also
known as Z-Team and UAC-0118.
https://www.scmagazine.com/brief/ransomware/ukrainian-organizations-hit-by-russian-somnia-ransomware-attacks
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of Service Provider
Assess Quality of Service and Support
• Regularly review reports
documenting the service provider’s performance. Determine if the
reports are accurate and allow for a meaningful assessment of
the service provider’s performance.
• Document and follow up on any problem in service in a timely
manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change
controls are in effect, and ensure authorization is established
for significant system changes.
• Evaluate the provider’s ability to support and enhance the
institution’s strategic direction including anticipated business
development goals and objectives, service delivery requirements,
and technology initiatives.
• Determine adequacy of training provided to financial
institution employees.
• Review customer complaints on the products and services
provided by the service provider.
• Periodically meet with contract parties to discuss performance
and operational issues.
• Participate in user groups and other forums.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Operational Anomalies
Operational anomalies may be evidence of a broad number of
issues, one of which is potential intrusion. Anomalies that act
as intrusion-warning indicators fall into two categories, those
apparent in system processing, and those apparent outside the
system.
System processing anomalies are evident in system logs and
system behavior. Good identification involves pre-establishing
which system processing data streams will be monitored for
anomalies, defining which anomalies constitute an indicator of
an intrusion, and the frequency of the monitoring. For example,
remote access logs can be reviewed daily for access during
unusual times. Other logs can be reviewed on other regular
cycles for other unusual behaviors. System behavior covers a
broad range of issues, from CPU utilization to network traffic
protocols, quantity and destinations. One example of a
processing anomaly is CPU utilization approaching 100% when the
scheduled jobs typically require much less. Anomalous behavior,
however, may not signal an intrusion.
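The two system-processing examples the booklet gives, remote access at unusual times and CPU utilization far above what the scheduled jobs need, can be turned into a routine review script. The following is an added example written for this newsletter, not text or code from the FFIEC booklet; the log line format, the 07:00-19:59 "usual hours" window, the median-times-two baseline rule and every sample log line and CPU reading are constructed assumptions.

```python
"""Added example, not from the FFIEC booklet: flag two of the operational
anomalies the text describes, remote access at unusual times and CPU
utilization far above what scheduled jobs normally need.  The log format,
the usual-hours window, the baseline rule and all sample data are
constructed assumptions for this example."""
import re
import statistics
from collections import Counter
from datetime import datetime

# Assumed log format: "<ISO timestamp> <user> <source address> <result>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
REVIEW_HOURS = range(7, 20)   # 07:00-19:59 counts as "usual"; an assumption

# Constructed remote-access log; one deliberately malformed line is included.
REMOTE_ACCESS_LOG = """\
2022-11-14T08:55:12 jdoe 203.0.113.10 success
2022-11-14T12:03:44 asmith 203.0.113.22 success
2022-11-14T02:17:09 jdoe 198.51.100.7 success
2022-11-14T03:05:51 jdoe 198.51.100.7 success
2022-11-14T17:42:30 asmith 203.0.113.22 success
garbage line that should be skipped
2022-11-15T23:48:02 svc_backup 192.0.2.5 success
"""

# Constructed CPU readings: what the scheduled jobs usually need, then one night's samples.
TYPICAL_CPU = [12.0, 15.0, 11.0, 14.0, 13.0, 12.5]
CPU_SAMPLES = [("2022-11-14T01:00", 12.0), ("2022-11-14T02:00", 97.0),
               ("2022-11-14T03:00", 99.0), ("2022-11-14T04:00", 14.0)]


def parse_remote_access(text):
    """Parse log lines; malformed lines are skipped so one bad record cannot stop the review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"ts": when, "user": user, "src": src, "result": result})
    return events


def unusual_time_access(events, usual_hours=REVIEW_HOURS):
    """The daily review item from the text: remote access outside usual hours."""
    return [e for e in events if e["ts"].hour not in usual_hours]


def by_user(events):
    """Count events per user so the reviewer sees who, not just how many."""
    return dict(Counter(e["user"] for e in events))


def cpu_anomalies(samples, typical, factor=2.0):
    """Flag samples far above the baseline; the median resists a few spikes in the history."""
    threshold = statistics.median(typical) * factor
    return [(ts, pct) for ts, pct in samples if pct > threshold]


def review_report(log_text=REMOTE_ACCESS_LOG, samples=CPU_SAMPLES, typical=TYPICAL_CPU):
    """Candidates for an analyst to look at.  The booklet is explicit that an
    anomaly is not by itself evidence of an intrusion, so nothing here is a verdict."""
    odd_access = unusual_time_access(parse_remote_access(log_text))
    return {
        "off_hours_access_by_user": by_user(odd_access),
        "cpu_spikes": cpu_anomalies(samples, typical),
    }


if __name__ == "__main__":
    for item, value in review_report().items():
        print(item, value)
```

The report groups off-hours logins by user and lists CPU samples above twice the typical median; both are handed to a reviewer as candidates, which matches the booklet's point that anomalous behavior may not signal an intrusion.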
Outside the system, detection is typically based on system
output, such as unusual Automated Clearing House transactions or
bill payment transactions. Those unusual transactions may be
flagged as a part of ordinary transaction reviews, or customers
and other system users may report them. Customers and other
users should be advised as to where and how to report anomalies.
The anomalous output, however, may not signal an intrusion.
Central reporting and analysis of all IDS output, honeypot
monitoring, and anomalous system behavior assists in the
intrusion identification process. Any intrusion reporting should
use out-of-band communications mechanisms to protect the alert
from being intercepted or compromised by an intruder.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)
20.4.5 Protection Against Network-Related Threats
HGA's current set of external network safeguards has only been in place for a few months.
The basic approach is to tightly restrict the kinds of external
network interactions that can occur by funneling all traffic to and
from external networks through two interfaces that filter out
unauthorized kinds of interactions. As indicated in Figure 20.1, the
two interfaces are the network router and the LAN server. The only
kinds of interactions that these interfaces allow are (1) e-mail and
(2) data transfers from the server to the mainframe controlled by a
few special applications (e.g., the time and attendance
application).
Figure 20.1 shows that the network router is the only direct interface between the LAN and
the Internet. The router is a dedicated special-purpose computer
that translates between the protocols and addresses associated with
the LAN and the Internet. Internet protocols, unlike those used on
the WAN, specify that packets of information coming from or going to
the Internet must carry an indicator of the kind of service that is
being requested or used to process the information. This makes it
possible for the router to distinguish e-mail packets from other
kinds of packets - for example, those associated with a remote login
request. The router has been configured by COG to discard all
packets coming from or going to the Internet, except those
associated with e-mail. COG personnel believe that the router
effectively eliminates Internet-based attacks on HGA user accounts
because it disallows all remote log-in sessions, even those
accompanied by a legitimate password.
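The router policy described above is a default-deny packet filter keyed on the service indicator each packet carries. The following is an added example, not code from the NIST Handbook or from HGA; it models that policy in a few dozen lines so the allow/deny decisions can be checked against sample traffic. Treating the TCP port number as the "kind of service" indicator, using port 25 (SMTP) as the sole e-mail service, the interface names, the address ranges and every sample packet are assumptions made for this example.

```python
"""Added example, not from the NIST Handbook: a toy model of the HGA router's
policy, which discards every packet to or from the Internet except e-mail.
TCP port numbers as the "kind of service" indicator, SMTP as the only e-mail
service, the interface names and the sample packets are all assumptions."""
from collections import Counter
from dataclasses import dataclass, field

EMAIL_PORTS = {25}          # assumed: SMTP is the only permitted service
INTERNET_IF = "internet"    # assumed interface names on the router
LAN_IF = "lan"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int   # the destination port is the service being requested
    in_if: str   # interface the packet arrived on


@dataclass
class RouterFilter:
    """Default-deny filter: only e-mail may cross between LAN and Internet.
    Matching is stateless, so a session's reply leg is recognised by the
    service port appearing as its source port; that is this toy's assumption."""
    denied: list = field(default_factory=list)

    def allows(self, pkt: Packet) -> bool:
        if pkt.in_if not in (INTERNET_IF, LAN_IF):
            return self._deny(pkt, "unknown interface")
        if pkt.proto != "tcp":
            return self._deny(pkt, f"{pkt.proto} is not an e-mail protocol")
        if pkt.dport in EMAIL_PORTS or pkt.sport in EMAIL_PORTS:
            return True
        return self._deny(pkt, f"tcp/{pkt.dport} is not e-mail")

    def _deny(self, pkt: Packet, reason: str) -> bool:
        self.denied.append((pkt, reason))   # discarded packets are kept for review
        return False

    def denial_summary(self):
        """Counts per reason, the kind of record a periodic log review would read."""
        return dict(Counter(reason for _, reason in self.denied))


# Constructed sample traffic: 203.0.113.0/24 stands in for the Internet,
# 10.0.0.0/24 for the HGA LAN, and 10.0.0.2 is the assumed LAN mail host.
SAMPLE_PACKETS = [
    Packet("203.0.113.9", "10.0.0.2", "tcp", 40001, 25, INTERNET_IF),  # inbound mail
    Packet("203.0.113.9", "10.0.0.7", "tcp", 40002, 23, INTERNET_IF),  # remote login (telnet)
    Packet("10.0.0.2", "203.0.113.50", "tcp", 40003, 25, LAN_IF),      # outbound mail
    Packet("203.0.113.9", "10.0.0.7", "udp", 40004, 53, INTERNET_IF),  # DNS query
    Packet("10.0.0.7", "203.0.113.9", "tcp", 40005, 22, LAN_IF),       # outbound ssh
]


def evaluate(packets, flt=None):
    """Return (packet, allowed) pairs; pass your own RouterFilter to read its denial log."""
    if flt is None:
        flt = RouterFilter()
    return [(p, flt.allows(p)) for p in packets]


if __name__ == "__main__":
    flt = RouterFilter()
    for pkt, ok in evaluate(SAMPLE_PACKETS, flt):
        print("ALLOW" if ok else "DROP ", pkt.in_if, pkt.src, "->", pkt.dst,
              f"{pkt.proto}/{pkt.dport}")
    print(flt.denial_summary())
```

Only the two mail packets pass; the remote login request the text mentions is dropped regardless of what credentials it might carry, because the decision is made on the service indicator before any login exchange can happen. Keeping the denied packets with a reason gives the periodic log review described in the intrusion detection section something concrete to read.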
The LAN server enforces a similar type of restriction for dial-in access via the
public-switched network. The access controls provided by the
server's operating system have been configured so that during
dial-in sessions, only the e-mail utility can be executed. (HGA
policy, enforced by periodic checks, prohibits installation of
modems on PCs, so that access must be through the LAN server.) In
addition, the server's access controls have been configured so that
its WAN interface device is accessible only to programs that possess
a special access-control privilege. Only the System Administrator
can assign this privilege to server programs, and only a handful of
special-purpose applications, like the time and attendance
application, have been assigned this privilege.