MISCELLANEOUS CYBERSECURITY NEWS:
5 Former Methodist Hospital Employees Indicted Over HIPAA Violations
- The five former Tennessee hospital employees allegedly committed
HIPAA violations by disclosing the personal information of patients
involved in car accidents.
https://healthitsecurity.com/news/5-former-methodist-hospital-employees-indicted-over-hipaa-violations
Over a third of vulnerabilities reviewed by ethical hackers did not
have a CVE - On Thursday it was reported that 35% of the
vulnerabilities reviewed by one vendor's private network of ethical
hackers did not have a CVE assigned.
https://www.scmagazine.com/news/vulnerability-management/over-a-third-of-vulnerabilities-reviewed-by-ethical-hackers-did-not-have-a-cve
How to determine if your IT environment is ready for SASE -
Migrating your organization's networking and security functions to a
secure access service edge (SASE) framework offers cloud-based
scalability, flexibility and cost savings that would be hard to
match with a traditional perimeter- and data-center-based
implementation.
https://www.scmagazine.com/resource/network-security/how-to-determine-if-your-it-environment-is-ready-for-sase
GAO: Feds Should Do More to Stop Ransomware at SLTT, Ed Level - The
Government Accountability Office (GAO) said in a Nov. 16 report that
Federal agencies need to up their ransomware assistance for state,
local, Tribal, and territorial (SLTT) government organizations –
including schools – by improving interagency collaboration,
awareness, outreach, communication, and coordination with schools.
https://www.meritalk.com/articles/gao-feds-should-do-more-to-stop-ransomware-at-sltt-ed-level/
IT pros struggle to hire, train staff to implement multi-cloud
architecture - On Monday it was reported that 64% of those surveyed
are struggling to hire or train staff with the necessary skills to
properly design and implement an effective multi-cloud network
architecture.
https://www.scmagazine.com/news/cloud-security/it-pros-struggle-to-hire-train-staff-to-implement-multi-cloud-architecture
Why are CISOs resigning? - Another day, another CISO resignation, at
least it feels that way sometimes. My LinkedIn and other news feeds
offer a steady stream of announcements of security professionals
stepping down from their roles or considering a career change.
https://www.scmagazine.com/perspective/careers/why-are-cisos-resigning
US offshore oil and gas installation at 'increasing' risk of
cyberattack - The US Government Accountability Office (GAO) has
warned that the time to act on securing the US's offshore oil and
natural gas installations is now because they are under "increasing"
and "significant risk" of cyberattack.
https://www.theregister.com/2022/11/21/us_oil_gas_cyber_threats/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
U.S. Federal Network Hacked - APT Hackers Gained Access to the Domain
Controller - The U.S. Cybersecurity and Infrastructure Security
Agency (CISA) uncovered a cyber attack on a U.S. federal network in
which attackers compromised the organization's domain controller
(DC) and possibly deployed a cryptominer and a credential harvester.
https://cybersecuritynews-com.cdn.ampproject.org/c/s/cybersecuritynews.com/u-s-federal-network-hacked/?amp
Not patched Log4j yet? Assume attackers are in your network, say
CISA and FBI - Almost a year on from Log4j's disclosure, a joint
alert by CISA and the FBI warns organizations that if they haven't
protected their systems against it yet, they really need to now.
https://www.zdnet.com/article/cybersecurity-warning-if-youve-not-patched-log4j-yet-assume-attackers-are-in-your-network/
DOD Must Enhance Cyber Incident Reporting and Sharing, Watchdog Says
- The Government Accountability Office found that the Pentagon
“lacks an accountable organization and consistent guidance” for
documenting and sharing details about reported cyber incidents.
https://www.nextgov.com/cybersecurity/2022/11/dod-must-enhance-cyber-incident-reporting-and-sharing-watchdog-says/379776/
Additional 15K added to Eye Care Leaders’ already record-setting
breach tally - Another 15,000 patients have been added to the breach
tally of the Eye Care Leaders ransomware attack from nearly one year
ago.
https://www.scmagazine.com/analysis/ransomware/additional-15k-added-to-eye-care-leaders-already-record-setting-breach-tally
Forefront Dermatology settles lawsuit from 2021 breach for $3.75
million - Forefront Dermatology reached a $3.75 million settlement
with the 2.41 million patients and employees whose data was accessed
and stolen by the Cuba hacking group during an IT systems hack in
May and June of 2021.
https://www.scmagazine.com/analysis/ransomware/forefront-dermatology-settles-lawsuit-from-2021-breach-for-3-75-million
Government of Moldova shaken by big hack-and-leak operation - A
newly registered website called Moldova Leaks has been releasing
damaging private exchanges of at least two prominent political
figures in this small Eastern European country. The leaked Telegram
conversations have caused a major political scandal.
https://cybernews.com/news/government-moldova-hack-leak-operation/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology
Services
Due Diligence in Selecting a Service Provider - Oversight of Service
Provider
Monitor Contract Compliance and Revision Needs
• Review invoices to assure proper charges for services rendered,
the appropriateness of rate changes and new service charges.
• Periodically, review the service provider's performance relative
to service level agreements, determine whether other contractual
terms and conditions are being met, and whether any revisions to
service level expectations or other terms are needed given changes
in the institution's needs and technological developments.
• Maintain documents and records regarding contract compliance,
revision and dispute resolution.
Maintain Business Resumption Contingency Plans
• Review the service provider's business resumption contingency
plans to ensure that any services considered mission critical for
the institution can be restored within an acceptable timeframe.
• Review the service provider's program for contingency plan
testing. For many critical services, annual or more frequent tests
of the contingency plan are typical.
• Ensure service provider interdependencies are considered for
mission critical services and applications.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 1 of 2)
Intrusion detection by itself does not mitigate risks of an
intrusion. Risk mitigation only occurs through an effective and
timely response. The goal of the response is to minimize damage to
the institution and its customers through containment of the
intrusion, and restoration of systems.
The response primarily involves people rather than technologies.
The quality of intrusion response is a function of the institution's
culture, policies and procedures, and training.
Preparation determines the success of any intrusion response.
Preparation involves defining the policies and procedures that guide
the response, assigning responsibilities to individuals and
providing appropriate training, formalizing information flows, and
selecting, installing, and understanding the tools used in the
response effort. Key considerations that directly affect the
institution's policies and procedures include the following:
• How to balance concerns regarding availability, confidentiality,
and integrity, for devices and data of different sensitivities. This
consideration is a key driver for a containment strategy and may
involve legal and liability considerations. An institution may
decide that some systems must be disconnected or shut down at the
first sign of intrusion, while others must be left on line.
• When and under what circumstances to invoke the intrusion response
activities, and how to ensure the proper personnel are available and
notified.
• How to control the frequently powerful intrusion identification
and response tools.
• When to involve outside experts and how to ensure the proper
expertise will be available when needed. This consideration
addresses both the containment and the restoration strategy.
• When and under what circumstances to involve regulators,
customers, and law enforcement. This consideration drives certain
monitoring decisions, decisions regarding evidence-gathering and
preservation, and communications considerations.
• Which personnel have authority to perform what actions in
containment of the intrusion and restoration of the systems. This
consideration affects the internal communications strategy, the
commitment of personnel, and procedures that escalate involvement
and decisions within the organization.
• How and what to communicate outside the organization, whether to
law enforcement, customers, service providers, potential victims,
and others. This consideration drives the communication strategy,
and is a key component in mitigating reputation risk.
• How to document and maintain the evidence, decisions, and actions
taken.
• What criteria must be met before compromised services, equipment
and software are returned to the network.
• How to learn from the intrusion and use those lessons to improve
the institution's security.
• How and when to prepare and file a Suspicious Activity Report
(SAR).
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.4.6 Protection Against Risks from Non-HGA Computer Systems
HGA relies on systems
and components that it cannot control directly because they are
owned by other organizations. HGA has developed a policy to avoid
undue risk in such situations. The policy states that system
components controlled and operated by organizations other than HGA
may not be used to process, store, or transmit HGA information
without obtaining explicit permission from the application owner and
the COG Manager. Permission to use such system components may not be
granted without written commitment from the controlling organization
that HGA's information will be safeguarded commensurate with its
value, as designated by HGA. This policy is somewhat mitigated by
the fact that HGA has developed an issue-specific policy on the use
of the Internet, which allows for its use for e-mail with outside
organizations and access to other resources (but not for
transmission of HGA's proprietary data).
20.5 Vulnerabilities Reported by the Risk Assessment Team
The risk assessment
team found that many of the risks to which HGA is exposed stem from
(1) the failure of individuals to comply with established policies
and procedures or (2) the use of automated mechanisms whose
assurance is questionable because of the ways they have been
developed, tested, implemented, used, or maintained. The team also
identified specific vulnerabilities in HGA's policies and procedures
for protecting against payroll fraud and errors, interruption of
operations, disclosure and brokering of confidential information,
and unauthorized access to data by outsiders.