MISCELLANEOUS CYBERSECURITY NEWS:
Fewer cybersecurity professionals losing their jobs in breach
‘blame’ game - Cybersecurity job loss after a major incident is
becoming less likely as organizations drop the “blame” game for more
practical approaches to breach prevention, a survey of 500 CISOs
shows.
https://www.scmagazine.com/news/fewer-cybersecurity-professionals-losing-their-jobs-in-breach-blame-game
Europol shutters ransomware operation with kingpin arrests -
International law enforcement investigators have made a number of
high-profile arrests after tracking a major cybercrime group for
more than four years.
https://www.theregister.com/2023/11/28/europol_shutters_ransomware_operation/
GAO - Federal Agencies Made Progress, but Need to Fully Implement
Incident Response Requirements.
https://www.gao.gov/products/gao-24-105658
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Okta Breach Impacted All Customer Support Users - Not 1 Percent -
Okta upped its original estimate of customer support users affected
by a recent breach from 1 percent to 100 percent, citing a
“discrepancy.” In late October, the identity management platform
Okta began notifying its users of a breach of its customer support
system.
https://www.wired.com/story/okta-breach-disclosure-all-customer-support-users/
Japanese Space Agency JAXA hacked in summer cyberattack - The Japan
Aerospace Exploration Agency (JAXA) was hacked in a cyberattack over
the summer, which may have put sensitive space-related technology
and data at risk.
https://www.bleepingcomputer.com/news/security/japanese-space-agency-jaxa-hacked-in-summer-cyberattack/
Thanksgiving Day Healthcare Cyberattack Impacts Hospitals Across
Multiple States - Ardent Health Services, which owns 30 hospitals
and 200 sites of care across six states, confirmed a healthcare
cyberattack that occurred on the morning of November 23.
https://healthitsecurity.com/news/thanksgiving-day-healthcare-cyberattack-impacts-hospitals-across-multiple-states
Slovenia's largest power provider HSE hit by ransomware attack -
Slovenian power company Holding Slovenske Elektrarne (HSE) has
suffered a ransomware attack that compromised its systems and
encrypted files, yet the company says the incident did not disrupt
electric power production.
https://www.bleepingcomputer.com/news/security/slovenias-largest-power-provider-hse-hit-by-ransomware-attack/
Fidelity National Financial back to ‘normal business operations’
after cyberattack - After more than a week of disruption that left
its real estate industry customers wondering how they could execute
transactions, Fidelity National Financial (FNF) insists that the
cybersecurity attack it disclosed on Nov. 19 has been contained and
it’s moving forward with normal business operations.
https://www.scmagazine.com/news/fidelity-national-financial-back-to-normal-business-operations-after-cyberattack
23andMe confirms nearly 7 million customers affected in data leak -
Nearly 7 million 23andMe customers had their profile data leaked in
a cybersecurity incident in October, a company spokesperson
confirmed to SC Media on Monday.
https://www.scmagazine.com/news/23andme-confirms-nearly-7-million-customers-affected-in-data-leak
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Legal and Reputational Risk Management
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with high customer expectations for constant and
rapid availability and potentially high transaction demand. The bank
must have the ability to deliver e-banking services to all end-users
and be able to maintain such availability in all circumstances.
Effective incident response mechanisms are also critical to minimize
operational, legal and reputational risks arising from unexpected
events, including internal and external attacks, that may affect the
provision of e-banking systems and services. To meet customers'
expectations, banks should therefore have effective capacity,
business continuity and contingency planning. Banks should also
develop appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
services.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY STEPS
Common elements of risk assessment approaches involve three
phases: information gathering, analysis, and prioritizing responses.
Vendor concerns add additional elements to the process.
INFORMATION GATHERING
Identifying and understanding risk requires the analysis of
a wide range of information relevant to the particular institution's
risk environment. Once gathered, the information can be catalogued
to facilitate later analysis. Information gathering generally
includes the following actions:
1) Obtaining listings of information system assets (e.g., data,
software, and hardware). Inventories on a device-by-device basis
can be helpful in risk assessment as well as risk mitigation.
Inventories should consider whether data resides in house or at a
TSP.
2) Determining threats to those assets, resulting from people
with malicious intent, employees and others who accidentally cause
damage, and environmental problems that are outside the control of
the organization (e.g., natural disasters, failures of
interdependent infrastructures such as power, telecommunications,
etc.).
3) Identifying organizational vulnerabilities (e.g., weak
senior management support, ineffective training, inadequate
expertise or resource allocation, and inadequate policies,
standards, or procedures).
4) Identifying technical vulnerabilities (e.g., vulnerabilities
in hardware and software, configurations of hosts, networks,
workstations, and remote access).
5) Documenting current controls and security processes,
including both information technology and physical security.
6) Identifying security requirements and considerations (e.g.,
GLBA).
7) Maintaining the risk assessment process requires
institutions to review and update their risk assessment at least
once a year, or more frequently in response to material changes in
any of the six actions above.
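The seven actions above read as one procedure: catalogue assets, threats, vulnerabilities, controls and requirements, rank the responses, and re-run the review at least yearly or on material change. As an added illustration that is not part of the FFIEC booklet, the following Python sketch carries a constructed catalogue through that procedure; the scoring rule, the field names and the sample data are all assumptions made here for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Risk:
    asset: str           # from the asset inventory (action 1)
    location: str        # "in-house" or "TSP" (third-party service provider)
    threat: str          # malicious, accidental or environmental (action 2)
    vulnerability: str   # organizational or technical weakness (actions 3-4)
    likelihood: int      # 1 (rare) .. 5 (expected)
    impact: int          # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)      # action 5
    requirements: list = field(default_factory=list)  # action 6, e.g. "GLBA"

@dataclass
class Assessment:
    risks: list
    last_review: date
    material_changes: list = field(default_factory=list)  # (date, category)

def score(r: Risk) -> int:
    # Assumed residual rating: likelihood x impact, reduced per documented control
    return max(1, r.likelihood * r.impact - 3 * len(r.controls))

def prioritize(a: Assessment) -> list:
    """Third phase: order responses by residual risk, highest first."""
    return sorted(a.risks, key=score, reverse=True)

def review_due(a: Assessment, today: date) -> bool:
    """Action 7: an update is due after a year, or after any material
    change recorded since the last review."""
    if today - a.last_review > timedelta(days=365):
        return True
    return any(changed > a.last_review for changed, _ in a.material_changes)

def sample_assessment() -> Assessment:
    # Constructed sample data for illustration; not from any real institution
    risks = [
        Risk("core-banking-db", "TSP", "external attacker",
             "unpatched database host", 4, 5, ["vendor patch SLA"], ["GLBA"]),
        Risk("teller-workstations", "in-house", "accidental staff error",
             "ineffective training", 3, 2),
        Risk("core-banking-db", "TSP", "regional power failure",
             "single data-centre dependency", 2, 5,
             ["generator", "TSP failover site"]),
    ]
    return Assessment(risks, last_review=date(2023, 1, 15),
                      material_changes=[(date(2023, 6, 1), "hardware")])
```

Running `review_due(sample_assessment(), date(2023, 11, 28))` returns True even though the review is under a year old, because a material hardware change was logged after it.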
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4.1 Human Resources
To ensure an organization has access to workers with the right
skills and knowledge, training and documentation of knowledge are
needed. During a major contingency, people will be under significant
stress and may panic. If the contingency is a regional disaster,
their first concerns will probably be their family and property. In
addition, many people will be either unwilling or unable to come to
work. Additional hiring or temporary services can be used. The use
of additional personnel may introduce security vulnerabilities.
Contingency planning, especially for emergency response, normally
places the highest emphasis on the protection of human life.
11.4.2 Processing Capability
Strategies for processing capability are normally grouped into
five categories: hot site; cold site; redundancy; reciprocal
agreements; and hybrids. These terms originated with recovery
strategies for data centers but can be applied to other platforms.
1. Hot site -- A building already equipped with processing
capability and other services.
2. Cold site -- A building for housing processors that can be
easily adapted for use.
3. Redundant site -- A site equipped and configured exactly like
the primary site. (Some organizations plan on having reduced
processing capability after a disaster and use partial redundancy.
The stocking of spare personal computers or LAN servers also
provides some redundancy.)
4. Reciprocal agreement -- An agreement that allows two
organizations to back each other up. (While this approach often
sounds desirable, contingency planning experts note that this
alternative has the greatest chance of failure due to problems
keeping agreements and plans up-to-date as systems and personnel
change.)
5. Hybrids -- Any combination of the above, such as having a
hot site as a backup in case a redundant or reciprocal agreement
site is damaged by a separate contingency.
Recovery may include several stages, perhaps marked by increasing
availability of processing capability. Resumption planning may
include contracts or the ability to place contracts to replace
equipment.