R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

December 4, 2022

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

US prohibits Chinese tech equipment sales over security risk - Threats to national security have prompted the U.S. Federal Communications Commission to ban sales or imports of equipment from Chinese telecommunications firms Huawei Technologies, ZTE, and Hytera Communications, as well as Chinese surveillance manufacturers Dahua Technology and Hangzhou Hikvision Digital Technology, according to Reuters. https://www.scmagazine.com/brief/device-security/us-prohibits-chinese-tech-equipment-sales-over-security-risk

Security leaders need to look beyond ‘retention’ - Security teams continue to face shortages, and that leads to headlines suggesting companies need to focus on retaining the talent they have. https://www.scmagazine.com/perspective/leadership/security-leaders-need-to-look-beyond-retention

Telltale signs of a network compromise: A step-by-step analysis - If organizations are ever going to effectively manage cybersecurity risks, especially from modern APT-style attacks, security managers and analysts must be able to spot attackers lurking within the blind spots created by today's complex multi-cloud environments. https://www.scmagazine.com/resource/network-security/telltale-signs-of-a-network-compromise-a-step-by-step-analysis

US Defense Department Releases Zero Trust Strategy and Roadmap - Our adversaries are in our networks, exfiltrating our data, and exploiting the Department’s users. The rapid growth of these offensive threats emphasizes the need for the Department of Defense (DoD) to adapt and significantly improve our deterrence strategies and cybersecurity implementations.
https://www.defense.gov/News/Releases/Release/Article/3225919/department-of-defense-releases-zero-trust-strategy-and-roadmap/
https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf

Security, ESG are the top two risks for corporate audit professionals - The tax professional services reported on Tuesday that while cybersecurity continues as the No. 1 risk among audit professionals, environmental, social and governance (ESG) jumped up to No. 2 on the list of emerging risks. https://www.scmagazine.com/news/privacy/security-esg-are-the-top-two-risks-for-corporate-audit-professionals

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Massive Twitter data breach affects over 5.4 million accounts - A Twitter data breach reported earlier this year that affected more than five million users is worse than initially thought. https://www.scmagazine.com/analysis/cybercrime/massive-twitter-data-breach-affects-over-5-4-million-accounts

Pixel fallout expands: Community Health informs 1.5M of unauthorized disclosure - Community Health Network recently informed 1.5 million of its patients that its use of the Meta Pixel tracking tool led to the unauthorized disclosure of their health information to the social media giant. https://www.scmagazine.com/analysis/breach/pixel-fallout-expands-community-health-informs-1-5m-of-unauthorized-disclosure

European Parliament Putin things back together after cyber attack - DDoS started not long after Russia was declared a state sponsor of terrorism - The European Parliament has experienced a cyber attack that started not long after it declared Russia to be a state sponsor of terrorism. https://www.theregister.com/2022/11/24/european_parliament_russia_ddos/

Belgian Police Under Fire After Major Ransomware Leak - A notorious ransomware group has begun leaking highly sensitive data it stole from Belgian police, in what is being described as one of the biggest breaches of its kind in the country. https://www.infosecurity-magazine.com/news/belgian-police-under-fire-major/

Password app LastPass hit by cybersecurity breach but says data remains safe - Password manager LastPass has told customers that some of their information has been accessed in a cybersecurity breach, but says passwords remain safe.
https://www.techspot.com/news/96820-lastpass-customer-data-exposed-data-breach.html
https://www.theguardian.com/technology/2022/dec/01/password-app-lastpass-hit-by-cybersecurity-breach-but-says-data-remains-safe


WEB SITE COMPLIANCE -
We begin this week reviewing the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 1 of 10)

A. RISK DISCUSSION

Introduction


A significant number of financial institutions regulated by the financial institution regulatory agencies (Agencies) maintain sites on the World Wide Web. Many of these websites contain weblinks to other sites not under direct control of the financial institution. The use of weblinks can create certain risks to the financial institution. Management should be aware of these risks and take appropriate steps to address them. The purpose of this guidance is to discuss the most significant risks of weblinking and how financial institutions can mitigate these risks.

When financial institutions use weblinks to connect to third-party websites, the resulting association is called a "weblinking relationship." Financial institutions with weblinking relationships are exposed to several risks associated with the use of this technology. The most significant risks are reputation risk and compliance risk.

Generally, reputation risk arises when a linked third party adversely affects the financial institution's customer and, in turn, the financial institution, because the customer blames the financial institution for problems experienced. The customer may be under a misimpression that the institution is providing the product or service, or that the institution recommends or endorses the third-party provider. More specifically, reputation risk could arise in any of the following ways:

  • customer confusion in distinguishing whether the financial institution or the linked third party is offering products and services;
  • customer dissatisfaction with the quality of products or services obtained from a third party; and
  • customer confusion as to whether certain regulatory protections apply to third-party products or services.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

INTRUSION RESPONSE
(Part 2 of 2)

Successful implementation of any response policy and procedure requires the assignment of responsibilities and training. Some organizations formalize the response organization with the creation of a computer security incident response team (CSIRT). The CSIRT is typically tasked with performing, coordinating, and supporting responses to security incidents. Due to the wide range of non-technical issues that are posed by an intrusion, typical CSIRT membership includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution. Those areas include management, legal, public relations, as well as information technology. Other organizations may outsource some of the CSIRT functions, such as forensic examinations. When CSIRT functions are outsourced, institutions should ensure that the institution's policies are followed by the service provider and that the confidentiality of data and systems is maintained.

Institutions can best assess the adequacy of their preparations through testing.

While containment strategies between institutions can vary, they typically contain the following broad elements:

  • Isolation of compromised systems, or enhanced monitoring of intruder activities;
  • Search for additional compromised systems;
  • Collection and preservation of evidence; and
  • Communication with affected parties, the primary regulator, and law enforcement.

Restoration strategies should address the following:

  • Elimination of an intruder's means of access;
  • Restoration of systems, programs and data to a known good state;
  • Filing of a Suspicious Activity Report (guidelines for filing are included in individual agency guidance); and
  • Communication with affected parties.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.5.1 Vulnerabilities Related to Payroll Fraud

Falsified Time Sheets

The primary safeguards against falsified time sheets are review and approval by supervisory personnel, who are not permitted to approve their own time and attendance data. The risk assessment has concluded that, while imperfect, these safeguards are adequate. The related requirement that a clerk and a supervisor must cooperate closely in creating time and attendance data and submitting the data to the mainframe also safeguards against other kinds of illicit manipulation of time and attendance data by clerks or supervisors acting independently.

Unauthorized Access

When a PC user enters a password to the server during I&A, the password is sent to the server by broadcasting it over the LAN "in the clear." This allows the password to be intercepted easily by any other PC connected to the LAN. In fact, so-called "password sniffer" programs that capture passwords in this way are widely available. Similarly, a malicious program planted on a PC could also intercept passwords before transmitting them to the server. An unauthorized individual who obtained the captured passwords could then run the time and attendance application in place of a clerk or supervisor. Users might also store passwords in a log-on script file.

Bogus Time and Attendance Applications

The server's access controls are probably adequate for protection against bogus time and attendance applications that run on the server. However, the server's operating system and access controls have only been in widespread use for a few years and contain a number of security-related bugs. Moreover, the server's access controls are ineffective if not properly configured, and the administration of the server's security features has in the past been notably lax.

Unauthorized Modification of Time and Attendance Data

Protection against unauthorized modification of time and attendance data requires a variety of safeguards because each system component on which the data are stored or transmitted is a potential source of vulnerabilities.

First, the time and attendance data are entered on the server by a clerk. On occasion, the clerk may begin data entry late in the afternoon, and complete it the following morning, storing it in a temporary file between the two sessions. One way to avoid unauthorized modification is to store the data on a diskette and lock it up overnight. After being entered, the data will be stored in another temporary file until reviewed and approved by a supervisor. These files, now stored on the system, must be protected against tampering. As before, the server's access controls, if reliable and properly configured, can provide such protection (as can digital signatures, as discussed later) in conjunction with proper auditing.

Second, when the supervisor approves a batch of time and attendance data, the time and attendance application sends the data over the WAN to the mainframe. The WAN is a collection of communications equipment and special-purpose computers called "switches" that act as relays, routing information through the network from source to destination. Each switch is a potential site at which the time and attendance data may be fraudulently modified. For example, an HGA PC user might be able to intercept time and attendance data and modify the data en route to the payroll application on the mainframe. Opportunities include tampering with incomplete time and attendance input files while stored on the server, interception and tampering during WAN transit, or tampering on arrival at the mainframe prior to processing by the payroll application.

Third, on arrival at the mainframe, the time and attendance data are held in a temporary file on the mainframe until the payroll application is run. Consequently, the mainframe's I&A and access controls must provide a critical element of protection against unauthorized modification of the data.
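As an added example (not part of the NIST Handbook or this newsletter), the following Python sketch shows how a clerk seal plus a supervisor countersignature lets the payroll side detect a change made at any of the three points above: the server temp file, a WAN switch, or the mainframe holding file. It uses HMAC-SHA256 with constructed per-role keys in place of the digital signatures the Handbook mentions, since the standard library has no asymmetric signing primitive; the function names, keys and sample batch are assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-role keys for this example only; in practice each clerk and
# supervisor would hold their own key and the mainframe only a way to verify.
CLERK_KEY = b"constructed-clerk-key"
SUPERVISOR_KEY = b"constructed-supervisor-key"

def canonical(batch: dict) -> bytes:
    """Deterministic encoding so the tag covers the data, not its layout."""
    return json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()

def tag(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def clerk_submit(batch: dict) -> dict:
    """Clerk seals the finished batch; the seal sits beside it in the temp file."""
    return {"batch": batch, "clerk_tag": tag(CLERK_KEY, canonical(batch))}

def supervisor_approve(sealed: dict) -> dict:
    """Supervisor checks the clerk's seal, then countersigns data plus seal."""
    expected = tag(CLERK_KEY, canonical(sealed["batch"]))
    if not hmac.compare_digest(sealed["clerk_tag"], expected):
        raise ValueError("batch changed after clerk entry; refusing to approve")
    msg = canonical(sealed["batch"]) + sealed["clerk_tag"].encode()
    return {**sealed, "supervisor_tag": tag(SUPERVISOR_KEY, msg)}

def mainframe_verify(approved: dict) -> bool:
    """Payroll side: both seals must check out before the batch is processed,
    so a change on the server, at a WAN switch, or in the holding file fails."""
    clerk_ok = hmac.compare_digest(
        approved["clerk_tag"], tag(CLERK_KEY, canonical(approved["batch"])))
    msg = canonical(approved["batch"]) + approved["clerk_tag"].encode()
    sup_ok = hmac.compare_digest(approved["supervisor_tag"], tag(SUPERVISOR_KEY, msg))
    return clerk_ok and sup_ok

def transit_check(approved: dict, modified: dict) -> tuple:
    """Return (intact_verifies, modified_verifies) for a genuine and altered copy."""
    return mainframe_verify(approved), mainframe_verify(modified)

if __name__ == "__main__":
    # Constructed sample batch for one pay period
    batch = {"period": "2022-11", "entries": [{"emp": "E100", "hours": 80}]}
    approved = supervisor_approve(clerk_submit(batch))
    altered = json.loads(json.dumps(approved))
    altered["batch"]["entries"][0]["hours"] = 800   # modified in transit
    print(transit_check(approved, altered))  # (True, False)
```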

According to the risk assessment, the server's access controls, with prior caveats, probably provide acceptable protection against unauthorized modification of data stored on the server. The assessment concluded that a WAN-based attack involving collusion between an employee of HGA and an employee of the WAN service provider, although unlikely, should not be dismissed entirely, especially since HGA has only cursory information about the service provider's personnel security practices and no contractual authority over how it operates the WAN.

The greatest source of vulnerabilities, however, is the mainframe. Although its operating system's access controls are mature and powerful, it uses password-based I&A. This is of particular concern, because it serves a large number of federal agencies via WAN connections. A number of these agencies are known to have poor security programs. As a result, one such agency's systems could be penetrated (e.g., from the Internet) and then used in attacks on the mainframe via the WAN. In fact, time and attendance data awaiting processing on the mainframe would probably not be as attractive a target to an attacker as other kinds of data or, indeed, disabling the system, rendering it unavailable. For example, an attacker might be able to modify the employee database so that it disbursed paychecks or pension checks to fictitious employees. Disclosure-sensitive law enforcement databases might also be attractive targets.

The access control on the mainframe is strong and provides good protection against intruders breaking into a second application after they have broken into a first. However, previous audits have shown that the difficulties of system administration may present some opportunities for intruders to defeat access controls.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.