MISCELLANEOUS CYBERSECURITY NEWS:
HHS warning to providers: Use of pixel tracking tech without BAA
violates HIPAA - The Office for Civil Rights is warning covered
entities that they might be sharing protected health information
with third-party tracking vendors like Facebook and Google through
their use of pixel tech, in a manner that violates the Health
Insurance Portability and Accountability Act.
https://www.scmagazine.com/analysis/privacy/hhs-warning-to-providers-use-of-pixel-tracking-tech-without-baa-violates-hipaa
Most US defense contractors fail basic cybersecurity requirements -
Nearly nine out of ten US defense contractors fail to meet basic
cybersecurity minimums, according to research commissioned by
CyberSheath.
https://www.scmagazine.com/analysis/third-party-risk/most-us-defense-contractors-fail-basic-cybersecurity-requirements
TSA Plans Cyber Risk Regulation for Pipeline and Rail Sector - More
regulation is likely in the future for the U.S. oil pipeline and
rail transport industry now that federal regulators say those
sectors need comprehensive cybersecurity risk management.
https://www.govinfosecurity.com/tsa-plans-cyber-risk-regulation-for-pipeline-rail-sector-a-20576
Five reasons why we can expect a major cyberattack on a healthcare
organization in 2023 - The upcoming year will see the most
catastrophic attack against a healthcare delivery organization (HDO)
to date - and that isn’t all that bold of a prediction.
https://www.scmagazine.com/perspective/critical-infrastructure/five-reasons-why-we-can-expect-a-major-cyberattack-on-a-healthcare-organization-in-2023
Here’s how breach disclosures could impact company credit ratings -
Cybersecurity disclosure and regulations could either spur a
positive credit environment or cause unintended consequences if not
well managed.
https://www.scmagazine.com/analysis/compliance/breach-disclosures-improve-transparency-but-regulations-add-to-costs
US Agencies Told to Assess IoT/OT Security Risks to Boost Critical
Infrastructure Protection - The US Government Accountability Office
(GAO) has urged several federal agencies to conduct
cybersecurity-related assessments in an effort to improve the
protection of certain critical infrastructure sectors.
https://www.securityweek.com/us-agencies-told-assess-iotot-security-risks-boost-critical-infrastructure-protection
Maryland bars state employees from using Kaspersky, TikTok, Huawei -
Outgoing Republican Gov. Larry Hogan banned Maryland state employees
from using a range of Chinese and Russian equipment and software,
citing national security and the potential for such technologies to
be leveraged for hacking and foreign espionage.
https://www.scmagazine.com/analysis/asset-management/maryland-bars-state-employees-from-using-kaspersky-tiktok-huawei
Insurance turmoil widening the gap between ‘cyber haves and
have-nots’ in healthcare - This year will have one of the highest
percentages of U.S. hospitals at or approaching bankruptcy, further
compounding the financial constraints long facing the healthcare
sector and widening the gap between the “cyber haves and have-nots.”
https://www.scmagazine.com/analysis/business-continuity/insurance-turmoil-widening-the-gap-between-cyber-haves-and-have-nots-in-healthcare
Bad software cost US businesses $2.41 trillion in 2022 - Poor
software quality may have cost the U.S. at least $2.41 trillion this
year, nearly double that of the country's budget deficit.
https://www.scmagazine.com/analysis/application-security/bad-software-cost-u-s-businesses-2-41-trillion-in-2022
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Brooklyn Hospitals Decried for Silence on Cyber Incident - Patients
and neighboring physicians are frustrated over a lack of
transparency from a trio of Brooklyn safety-net hospitals involved
in an ongoing cyber incident affecting electronic health records,
patient portals and other systems.
https://www.govinfosecurity.com/brooklyn-hospitals-decried-for-silence-on-cyber-incident-a-20591
Vanuatu officials turn to phone books and typewriters, one month
after cyber attack - One month after a cyber-attack brought down
government servers and websites in Vanuatu, frustrated officials
were still using private Gmail accounts, personal laptops, pen and
paper, and typewriters to run the government of the prime minister,
Ishmael Kalsakau, who came into office just a few days after the
crash.
https://www.theguardian.com/world/2022/nov/29/vanuatu-officials-turn-to-phone-books-and-typewriters-one-month-after-cyber-attack
LastPass cloud breach involves ‘certain elements’ of customer
information - LastPass on Wednesday reported that it detected
“unusual activity” within a third-party cloud service that’s shared
by LastPass and its GoTo affiliate - an event that was the company’s
second reported breach in three months.
https://www.scmagazine.com/news/identity-and-access/lastpass-cloud-breach-involves-certain-elements-of-customer-information
‘Black Proxies’ use 187,000-plus IP addresses to launch credential
stuffing attacks - Researchers on Thursday reported on advances in
cybercriminal proxy services that feature “unblocked” IP addresses -
used in a series of credential stuffing attacks in one week against
U.S. companies in which more than 187,000 IP addresses were used to
try and defraud organizations and their clients.
https://www.scmagazine.com/news/cybercrime/black-proxies-use-187000-plus-ip-addresses-to-launch-credential-stuffing-attacks
Rackspace: Ongoing Exchange outage caused by security incident -
American cloud computing services provider Rackspace says an ongoing
outage affecting its hosted Microsoft Exchange environments and
likely thousands of customers was caused by a security incident.
https://www.bleepingcomputer.com/news/technology/rackspace-ongoing-exchange-outage-caused-by-security-incident/
French Hospital Cancels Operations After Cyberattack - A hospital
complex in Versailles, near Paris, had to cancel operations and
transfer some patients after being hit by a cyberattack over the
weekend, France's health ministry said.
https://www.securityweek.com/french-hospital-cancels-operations-after-cyberattack
Rackspace confirms email outage was from a ransomware attack -
Multicloud MSP company Rackspace on Tuesday confirmed that the
suspicious activity in its Hosted Exchange environment was a
ransomware incident.
https://www.scmagazine.com/news/cloud-security/rackspace-confirms-email-outage-was-from-a-ransomware-attack
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on
"Weblinking: Identifying Risks and Risk Management Techniques."
(Part 2 of 10)
A. RISK DISCUSSION
Introduction
Compliance risk arises when the linked third party acts in a
manner that does not conform to regulatory requirements. For
example, compliance risk could arise from the inappropriate release
or use of shared customer information by the linked third party.
Compliance risk also arises when the link to a third party creates
or affects compliance obligations of the financial institution.
Financial institutions with weblinking relationships are also
exposed to other risks associated with the use of technology, as
well as certain risks specific to the products and services provided
by the linked third parties. The amount of risk exposure depends on
several factors, including the nature of the link.
Any link to a third-party website creates some risk exposure for
an institution. This guidance applies to links to affiliated, as
well as non-affiliated, third parties. A link to a third-party
website that provides a customer only with information usually does
not create a significant risk exposure if the information being
provided is relatively innocuous, for example, weather reports.
Alternatively, if the linked third party is providing information or
advice related to financial planning, investments, or other more
substantial topics, the risks may be greater. Links to websites that
enable the customer to interact with the third party, either by
eliciting confidential information from the user or allowing the
user to purchase a product or service, may expose the insured
financial institution to more risk than those that do not have such
features.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
BUSINESS CONTINUITY CONSIDERATIONS
Events that trigger the implementation of a business continuity
plan may have significant security considerations. Depending on the
event, some or all of the elements of the security environment may
change. Different people may be involved in operations, at a
different physical location, using similar but different machines
and software which may communicate over different communications
lines. Depending on the event, different tradeoffs may exist between
availability, integrity, confidentiality, and accountability, with a
different appetite for risk on the part of management.
Business continuity plans should be reviewed as an integral part
of the security process. Risk assessments should consider the
changing risks that appear in business continuity scenarios and the
different security posture that may be established. Strategies
should consider the different risk environment and the degree of
risk mitigation necessary to protect the institution in the event
the continuity plans must be implemented. The implementation should
consider the training of appropriate personnel in their security
roles, and the implementation and updating of technologies and plans
for backup sites and communications networks. Testing these
security considerations should be integrated with the testing of
business continuity plan implementations.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.5.2 Vulnerabilities Related to Payroll Errors
HGA's management has
established procedures for ensuring the timely submission and
interagency coordination of paperwork associated with personnel
status changes. However, an unacceptably large number of troublesome
payroll errors during the past several years has been traced to the
late submission of personnel paperwork. The risk assessment
documented the adequacy of HGA's safeguards, but criticized the
managers for not providing sufficient incentives for compliance.
20.5.3 Vulnerabilities Related to Continuity of Operations
COG Contingency Planning
The risk assessment
commended HGA for many aspects of COG's contingency plan, but
pointed out that many COG personnel were completely unaware of the
responsibilities the plan assigned to them. The assessment also
noted that although HGA's policies require annual testing of
contingency plans, the capability to resume HGA's
computer-processing activities at another cooperating agency has
never been verified and may turn out to be illusory.
Division Contingency Planning
The risk assessment
reviewed a number of the application-oriented contingency plans
developed by HGA's divisions (including plans related to time and
attendance). Most of the plans were cursory and attempted to
delegate nearly all contingency planning responsibility to COG. The
assessment criticized several of these plans for failing to address
potential disruptions caused by lack of access to (1) computer
resources not managed by COG and (2) nonsystem resources, such as
buildings, phones, and other facilities. In particular, the
contingency plan encompassing the time and attendance application
was criticized for not addressing disruptions caused by WAN and
mainframe outages.
Virus Prevention
The risk assessment
found HGA's virus-prevention policy and procedures to be sound, but
noted that there was little evidence that they were being followed.
In particular, no COG personnel interviewed had ever run a virus
scanner on a PC on a routine basis, though several had run them
during publicized virus scares. The assessment cited this as a
significant risk item.
Accidental Corruption and Loss of Data
The risk assessment
concluded that HGA's safeguards against accidental corruption and
loss of time and attendance data were adequate, but that safeguards
for some other kinds of data were not. The assessment included an
informal audit of a dozen randomly chosen PCs and PC users in the
agency. It concluded that many PC users store significant data on
their PC's hard disks, but do not back them up. Based on anecdotes,
the assessment's authors stated that there appear to have been many
past incidents of loss of information stored on PC hard disks and
predicted that such losses would continue.