MISCELLANEOUS CYBERSECURITY NEWS:
Veterans are the key to the cybersecurity talent shortage - As
organizations search for cybersecurity talent, some are tapping
ex-military personnel. From technical aptitude to experience and
work ethic, veterans bring compelling skills to cybersecurity and
are a welcome addition to many resource-strapped IT teams.
https://www.scmagazine.com/perspective/veterans-are-the-key-to-the-cybersecurity-talent-shortage
Post-Thanksgiving ecommerce indigestion: Web app security issues
beckon - With the holiday online shopping blitz just days away, a
study examining how online merchants handle customer personal and
financial data suggests shoppers need to add a dollop of caution to
their shopping list.
https://www.scmagazine.com/news/pii-of-consumers-at-risk-as-black-friday-and-cyber-monday-beckons
Why Banks Need to Build a Mobile Wallet Strategy to Defend Against
Apple - According to Liminal, the global mobile payment market will
be valued at $553 billion in 2023 and is projected to reach $1.2
trillion by 2027, growing at a CAGR of 20.7% from 2021 to 2026.
https://liminal.co/articles/why-banks-need-to-build-a-mobile-wallet-strategy-to-defend-against-apple/
Google cloud environment flaw lets attackers access critical data,
systems - Attackers who gain privileges in a Google Cloud Platform
(GCP) environment can potentially access critical data and systems
by abusing a design flaw in domain-wide delegation (DWD), a feature
that lets applications access user data across Google Workspace
(GWS) apps such as Gmail, Google Calendar, and Google Drive.
https://www.scmagazine.com/news/google-cloud-environment-flaw-lets-attackers-access-critical-data-systems
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
LockBit may have stolen 24 years of data on Canadian government
employees - A data breach affecting Canadian government, military
and police employees may involve 24 years’ worth of personal and
financial information, officials announced Friday.
https://www.scmagazine.com/news/lockbit-may-have-stolen-24-years-of-data-on-canadian-government-employees
Trio of major holes in ownCloud expose admin passwords, allow
unauthenticated file mods - ownCloud has disclosed three critical
vulnerabilities, the most serious of which leads to sensitive data
exposure and carries a maximum severity score.
https://www.theregister.com/2023/11/27/three_major_vulnerabilities_in_owncloud/
Hacktivists breach U.S. nuclear research lab, steal employee data -
The Idaho National Laboratory (INL) confirms they suffered a
cyberattack after 'SiegedSec' hacktivists leaked stolen human
resources data online.
https://www.bleepingcomputer.com/news/security/hacktivists-breach-us-nuclear-research-lab-steal-employee-data/
Cyberattack on IT provider CTS impacts dozens of UK law firms - A
cyberattack on CTS, a leading managed service provider (MSP) for law
firms and other organizations in the UK legal sector, is behind a
major outage impacting numerous law firms and home buyers in the
country since Wednesday.
https://www.bleepingcomputer.com/news/security/cyberattack-on-it-provider-cts-impacts-dozens-of-uk-law-firms/
Former infosec COO pleads guilty to attacking hospitals to drum up
business - An Atlanta tech company's former COO has pleaded guilty
to a 2018 incident in which he deliberately launched online attacks
on two hospitals, later citing the incidents in sales pitches.
https://www.theregister.com/2023/11/20/former_infosec_coo_pleads_guilty/
Kansas courts confirm data theft, ransom demand after cyberattack -
The Kansas Judicial Branch has published an update on a
cybersecurity incident it suffered last month, confirming that
hackers stole sensitive files containing confidential information
from its systems.
https://www.bleepingcomputer.com/news/security/kansas-courts-confirm-data-theft-ransom-demand-after-cyberattack/
Fidelity National Financial Takes Down Systems Following Cyberattack
- The incident, FNF said in a Form 8-K filing with the Securities
and Exchange Commission (SEC) just before Thanksgiving, has impacted
“title insurance, escrow and other title-related services, mortgage
transaction services, and technology to the real estate and mortgage
industries”.
https://www.securityweek.com/fidelity-national-financial-takes-down-systems-following-cyberattack/
Hackers Hijack Industrial Control System at US Water Utility - The
company provides water and sewer services to more than 6,600
customers in Aliquippa and portions of Hopewell, Raccoon and Potter
Townships.
https://www.securityweek.com/hackers-hijack-industrial-control-system-at-us-water-utility/
Google Drive users angry over losing months of stored data - Google
Drive users are reporting that recent files stored in the cloud have
suddenly disappeared, with the cloud service reverting to a storage
snapshot as it was around April-May 2023.
https://www.bleepingcomputer.com/news/google/google-drive-users-angry-over-losing-months-of-stored-data/
All Okta customer support users exposed in October breach, company
discloses - It turns out security industry experts were right: the
Okta breach on its customer support system first disclosed in
October was much more severe than originally portrayed by the major
identity provider, sparking some criticism from the industry.
https://www.scmagazine.com/news/all-okta-customer-support-users-exposed-in-october-breach-company-discloses
Thanksgiving week ransomware attack hits Ardent Health hospitals in
6 states - A ransomware attack on Ardent Health Services impacted 30
hospitals in six states over the Thanksgiving weekend.
https://www.scmagazine.com/news/thanksgiving-week-ransomware-attack-hits-ardent-health-hospitals-in-6-states
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Security Controls
While the Board of Directors has the responsibility for ensuring
that appropriate security control processes are in place for
e-banking, the substance of these processes needs special management
attention because of the enhanced security challenges posed by
e-banking. This should include establishing appropriate
authorization privileges and authentication measures, logical and
physical access controls, adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities and data integrity of transactions,
records and information. In addition, the existence of clear audit
trails for all e-banking transactions should be ensured and measures
to preserve confidentiality of key e-banking information should be
appropriate with the sensitivity of such information.
Although customer protection and privacy regulations vary from
jurisdiction to jurisdiction, banks generally have a clear
responsibility to provide their customers with a level of comfort
regarding information disclosures, protection of customer data and
business availability that approaches the level they can expect when
using traditional banking distribution channels. To minimize legal
and reputational risk associated with e-banking activities conducted
both domestically and cross-border, banks should make adequate
disclosure of information on their web sites and take appropriate
measures to ensure adherence to customer privacy requirements
applicable in the jurisdictions to which the bank is providing
e-banking services.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT OVERVIEW
The quality of security controls can significantly influence
all categories of risk. Traditionally, examiners and bankers
recognize the direct impact on operational/transaction risk from
incidents related to fraud, theft, or accidental damage. Many
security weaknesses, however, can directly increase exposure in
other risk areas. For example, the GLBA introduced additional
legal/compliance risk due to the potential for regulatory
noncompliance in safeguarding customer information. The potential
for legal liability related to customer privacy breaches may present
additional risk in the future. Effective application access controls
can reduce credit and market risk by imposing risk limits on loan
officers or traders. If a trader were to exceed the intended trade
authority, the institution may unknowingly assume additional market
risk exposure.
A strong security program reduces levels of reputation and
strategic risk by limiting the institution's vulnerability to
intrusion attempts and maintaining customer confidence and trust in
the institution. Security concerns can quickly erode customer
confidence and potentially decrease the adoption rate and rate of
return on investment for strategically important products or
services. Examiners and risk managers should incorporate security
issues into their risk assessment process for each risk category.
Financial institutions should ensure that security risk assessments
adequately consider potential risk in all business lines and risk
categories.
Information security risk assessment is the process used to
identify and understand risks to the confidentiality, integrity, and
availability of information and information systems. An adequate
assessment identifies the value and sensitivity of information and
system components and then balances that knowledge with the exposure
from threats and vulnerabilities. A risk assessment is a necessary
pre-requisite to the formation of strategies that guide the
institution as it develops, implements, tests, and maintains its
information systems security posture. An initial risk assessment may
involve a significant one-time effort, but the risk assessment
process should be an ongoing part of the information security
program.
Risk assessments for most industries focus only on the risk to
the business entity. Financial institutions should also consider the
risk to their customers' information. For example, section 501(b) of
the GLBA requires financial institutions to "protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer."
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4 Step 4: Selecting Contingency Planning Strategies
The next step is to plan how to recover needed resources. In
evaluating alternatives, it is necessary to consider what controls
are in place to prevent and minimize contingencies. Since no set of
controls can cost-effectively prevent all contingencies, it is
necessary to coordinate prevention and recovery efforts.
A contingency planning strategy normally consists of three parts:
emergency response, recovery, and resumption. Emergency response
encompasses the initial actions taken to protect lives and limit
damage. Recovery refers to the steps that are taken to continue
support for critical functions. Resumption is the return to normal
operations. The relationship between recovery and resumption is
important. The longer it takes to resume normal operations, the
longer the organization will have to operate in the recovery mode.
The selection of a strategy needs to be based on practical
considerations, including feasibility and cost. The different
categories of resources should each be considered. Risk assessment
can be used to help estimate the cost of options to decide on an
optimal strategy. For example, is it more expensive to purchase and
maintain a generator or to move processing to an alternate site,
considering the likelihood of losing electrical power for various
lengths of time? Are the consequences of a loss of computer-related
resources sufficiently high to warrant the cost of various recovery
strategies? The risk assessment should focus on areas where it is
not clear which strategy is the best.
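As an added illustration of the cost comparison the paragraph describes (this is not code from the NIST Handbook or from this newsletter), the following Python sketch computes the expected annual cost of a generator, an alternate site, and simply accepting the risk across a constructed set of power-outage scenarios; every dollar figure, duration and probability is invented for the example.

```python
"""Expected annual cost of contingency strategies (constructed figures only)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class OutageScenario:
    hours: float               # length of a power loss
    annual_probability: float  # assumed chance of this outage in a year

@dataclass(frozen=True)
class Strategy:
    name: str
    annual_fixed_cost: float   # amortized purchase, contract and upkeep
    switchover_hours: float    # downtime before the fallback is usable
    hourly_cost_active: float  # cost per hour while running on the fallback

def expected_annual_cost(strategy, scenarios, downtime_cost_per_hour):
    """Fixed cost plus probability-weighted loss: hours before switchover are
    lost at the full downtime cost, hours after it cost the fallback's rate."""
    total = strategy.annual_fixed_cost
    for s in scenarios:
        unprotected = min(s.hours, strategy.switchover_hours)
        covered = max(0.0, s.hours - strategy.switchover_hours)
        loss = (unprotected * downtime_cost_per_hour
                + covered * strategy.hourly_cost_active)
        total += s.annual_probability * loss
    return total

def cheapest(strategies, scenarios, downtime_cost_per_hour):
    """Return the strategy with the lowest expected annual cost."""
    return min(strategies, key=lambda st: expected_annual_cost(
        st, scenarios, downtime_cost_per_hour))

# Constructed inputs: a short, a medium and a rare multi-day outage.
SCENARIOS = [OutageScenario(1, 0.50), OutageScenario(8, 0.10),
             OutageScenario(72, 0.01)]
DOWNTIME_COST_PER_HOUR = 25_000.0   # assumed cost of lost processing per hour
GENERATOR = Strategy("generator", 40_000.0, 0.0, 200.0)
ALTERNATE_SITE = Strategy("alternate site", 15_000.0, 4.0, 1_000.0)
ACCEPT_RISK = Strategy("accept the risk", 0.0, float("inf"), 0.0)
STRATEGIES = [GENERATOR, ALTERNATE_SITE, ACCEPT_RISK]

if __name__ == "__main__":
    for st in STRATEGIES:
        cost = expected_annual_cost(st, SCENARIOS, DOWNTIME_COST_PER_HOUR)
        print(f"{st.name:16s} {cost:>10,.0f}")
    print("cheapest:", cheapest(STRATEGIES, SCENARIOS, DOWNTIME_COST_PER_HOUR).name)
```

Changing the probability of the 72-hour scenario or the hourly downtime cost is enough to flip the answer, which is the point the Handbook makes about focusing the risk assessment where the best strategy is not obvious.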
In developing contingency planning strategies, there are many
factors to consider in addressing each of the resources that support
critical functions. Some examples are:
Example 1: If the system administrator for a LAN has to be out of
the office for a long time (due to illness or an accident),
arrangements are made for the system administrator of another LAN to
perform the duties. Anticipating this, the absent administrator
should have taken steps beforehand to keep documentation current.
This strategy is inexpensive, but service will probably be
significantly reduced on both LANs, which may prompt the manager of
the loaned administrator to partially renege on the agreement.
Example 2: An organization depends on an on-line information
service provided by a commercial vendor. The organization is no
longer able to obtain the information manually (e.g., from a
reference book) within acceptable time limits and there are no other
comparable services. In this case, the organization relies on the
contingency plan of the service provider. The organization pays a
premium to obtain priority service in case the service provider has
to operate at reduced capacity.
Example 3: A large mainframe data center has a contract with a hot
site vendor, has a contract with the telecommunications carrier to
reroute communications to the hot site, has plans to move people,
and stores up-to-date copies of data, applications and needed paper
records off-site. The contingency plan is expensive, but management
has decided that the expense is fully justified.
Example 4: An organization distributes its processing between two
major sites, each of which includes small to medium processors
(personal computers and minicomputers). If one site is lost, the
other can carry the critical load until more equipment is purchased.
Routing of data and voice communications can be performed
transparently to redirect traffic. Backup copies are stored at the
other site. This plan requires tight control over the architectures
used and types of applications that are developed to ensure
compatibility. In addition, personnel at both sites must be
cross-trained to perform all functions.