MISCELLANEOUS CYBERSECURITY NEWS:
HHS proposes new cybersecurity requirements for hospitals through
HIPAA, Medicaid and Medicare - The United States Department of
Health and Human Services (HHS) said it is planning to take a range
of actions in an effort to better address cyberattacks on hospitals,
which have caused dozens of outages across the country in recent
months.
https://therecord.media/hhs-proposes-cyber-requirements-for-hospitals
How the FBI plans to handle 4-day breach disclosure exemption
requests - A week before contentious new breach-disclosure
regulations take effect, authorities have outlined the process U.S.
public companies will need to follow if they want to delay reporting
a particular attack.
https://www.scmagazine.com/news/how-the-fbi-plans-to-handle-4-day-breach-disclosure-exemption-requests
Feds Levy First-Ever HIPAA Fine for a Phishing Breach - Weeks after
the Department of Health and Human Services announced its first
HIPAA enforcement action in a ransomware breach, federal regulators
have reached another milestone: a $480,000 settlement in a HIPAA
case centered for the first time ever on a phishing attack.
https://www.govinfosecurity.com/feds-levy-first-ever-hipaa-fine-for-phishing-breach-a-23812
Feds Warn Health Sector to Watch for Open-Source Threats -
Open-source software is pervasive in healthcare. It is used in
critical systems such as electronic health records and components
contained in medical devices. Federal regulators are urging
healthcare sector firms to be vigilant in managing risks and threats
involving open-source software.
https://www.govinfosecurity.com/feds-warn-health-sector-to-watch-for-open-source-threats-a-23821
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Apple-backed data breach report says 2.6 billion records leaked in 2
years - An Apple-commissioned data breach report found 2.6 billion
records were stolen by hackers between 2021 and 2022.
https://www.scmagazine.com/news/apple-backed-data-breach-report-says-2-6-billion-records-leaked-in-2-years
Medical Imaging Patients Exposed in Cyber Incident - Right before
Thanksgiving, East River Medical Imaging (ERMI) began sending
letters to impacted individuals concerning a data security incident
that it experienced.
https://www.darkreading.com/cyberattacks-data-breaches/healthcare-facility-informs-patients-of-cyber-incident
Navy contractor Austal USA confirms cyberattack after data leak -
Austal USA, a shipbuilding company and a contractor for the U.S.
Department of Defense (DoD) and the Department of Homeland Security
(DHS) confirmed that it suffered a cyberattack and is currently
investigating the impact of the incident.
https://www.bleepingcomputer.com/news/security/navy-contractor-austal-usa-confirms-cyberattack-after-data-leak/
Six of the most popular Android password managers are leaking data -
Several mobile password managers are leaking user credentials due to
a vulnerability discovered in the autofill functionality of Android
apps.
https://www.zdnet.com/article/six-of-the-most-popular-android-password-managers-are-leaking-data/
Cold storage giant Americold discloses data breach after April
malware attack - Cold storage and logistics giant Americold has
confirmed that over 129,000 employees and their dependents had their
personal information stolen in an April attack, later claimed by
Cactus ransomware.
https://www.bleepingcomputer.com/news/security/cold-storage-giant-americold-discloses-data-breach-after-april-malware-attack/
Norton Healthcare Ransomware Hack: 2.5 Million Personal Records
Stolen - The incident was identified on May 9, 2023, and involved
unauthorized access to certain network storage systems for two days,
the company said.
https://www.securityweek.com/norton-healthcare-ransomware-hack-2-5-million-personal-records-stolen/
Cyberattack on Irish Utility Cuts Off Water Supply for Two Days -
Hackers launched a cyberattack on an Irish water utility, causing
disruption and leaving people without water for two days. The
cyberattack was reported by a local newspaper, Western People, and
technical details are murky.
https://www.securityweek.com/cyberattack-on-irish-utility-cuts-off-water-supply-for-two-days/
K-12 student geolocation data, names exposed via API flaws: 6M kids
impacted - Application programming interface (API) bugs in the
Edulog Parent Portal platform allowed bad actors to access names and
geolocation data of six million K-12 riders, according to
researchers.
https://www.scmagazine.com/news/edulog-school-bus-tracking-api-exposed-data-of-children-and-parents
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Introduction
Banking organizations have been delivering electronic services
to consumers and businesses remotely for years. Electronic funds
transfer, including small payments and corporate cash management
systems, as well as publicly accessible automated machines for
currency withdrawal and retail account management, are global
fixtures. However, the increased world-wide acceptance of the
Internet as a delivery channel for banking products and services
provides new business opportunities for banks as well as service
benefits for their customers.
Continuing technological innovation and competition among
existing banking organizations and new market entrants has allowed
for a much wider array of electronic banking products and services
for retail and wholesale banking customers. These include
traditional activities such as accessing financial information,
obtaining loans and opening deposit accounts, as well as relatively
new products and services such as electronic bill payment services,
personalized financial "portals," account aggregation and
business-to-business market places and exchanges.
Notwithstanding the significant benefits of technological
innovation, the rapid development of e-banking capabilities carries
risks as well as benefits and it is important that these risks are
recognized and managed by banking institutions in a prudent manner.
These developments led the Basel Committee on Banking Supervision to
conduct a preliminary study of the risk management implications of
e-banking and e-money in 1998. This early study demonstrated a clear
need for more work in the area of e-banking risk management and that
mission was entrusted to a working group comprised of bank
supervisors and central banks, the Electronic Banking Group (EBG),
which was formed in November 1999.
The Basel Committee released the EBG's Report on risk management
and supervisory issues arising from e-banking developments in
October 2000. This Report inventoried and assessed the major risks
associated with e-banking, namely strategic risk, reputational risk,
operational risk (including security and legal risks), and credit,
market, and liquidity risks. The EBG concluded that e-banking
activities did not raise risks that were not already identified by
the previous work of the Basel Committee. However, it noted that
e-banking increases and modifies some of these traditional risks,
thereby influencing the overall risk profile of banking. In
particular, strategic risk, operational risk, and reputational risk
are certainly heightened by the rapid introduction and underlying
technological complexity of e-banking activities.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (1 of 2)
The information gathered is used to characterize the system,
to identify and measure threats to the system and the data it
contains and transmits, and to estimate the likelihood that a threat
will take action against the system or data.
System characterization articulates the understanding of the
system, including the boundaries of the system being assessed, the
system's hardware and software, and the information that is stored,
processed, and transmitted. Since operational systems may have
changed since they were last documented, a current review of the
system should be performed. Developmental systems, on the other
hand, should be analyzed to determine their key security rules and
attributes. Those rules and attributes should be documented as part
of the systems development lifecycle process. System
characterization also requires the cross-referencing of
vulnerabilities to current controls to identify those that mitigate
specific threats, and to assist in highlighting the control areas
that should be improved.
A key part of system characterization is the ranking of data and
system components according to their sensitivity and importance to
the institution's operations. Additionally, consistent with the GLBA,
the ranking should consider the potential harm to customers of
unauthorized access and disclosure of customer non-public personal
information. Ranking allows for a reasoned and measured analysis of
the relative outcome of various attacks, and the limiting of the
analysis to sensitive information or information and systems that
may materially affect the institution's condition and operations.
Threats are identified and measured through the creation and
analysis of threat scenarios. Threat scenarios should be
comprehensive in their scope (e.g., they should consider reasonably
foreseeable threats and possible attacks against information and
systems that may affect the institution's condition and operations
or may cause data disclosures that could result in substantial harm
or inconvenience to customers). They should consider the potential
effect and likelihood for failure within the control environment due
to non-malicious or malicious events. They should also be
coordinated with business continuity planning to include attacks
performed when those plans are implemented. Non-malicious scenarios
typically involve accidents related to inadequate access controls
and natural disasters. Malicious scenarios, either general or
specific, typically involve a motivated attacker (i.e., the threat)
exploiting a vulnerability to gain access to an asset to create an
outcome that has an impact.
An example of a general malicious threat scenario is an
unskilled attacker using a program script to exploit a vulnerable
Internet-accessible Web server to extract customer information from
the institution's database. Assuming the attacker's motivation is to
seek recognition from others, the attacker publishes the
information, causing the financial institution to suffer damage to
its reputation. Ultimately, customers are likely to be victims of
identity theft.
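The analysis step described above (rank assets by sensitivity, build threat scenarios, and cross-reference each exploited vulnerability against the controls that currently mitigate it) can be carried out mechanically once the inventory exists. The following is an added worked example, not part of the FFIEC booklet: the asset, control and scenario inventory in build_example() is constructed for illustration and is modelled on the booklet's web-server scenario, and the effectiveness values and the 1-5 likelihood scale are assumptions chosen to show the arithmetic.

```python
"""FFIEC-style risk analysis: rank assets by sensitivity, cross-reference
vulnerabilities against current controls, and score threat scenarios.
Added example; the inventory in build_example() is constructed."""
from dataclasses import dataclass

# Sensitivity ranking; "customer_npi" is GLBA non-public personal information.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "customer_npi": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    vulnerabilities: frozenset


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: frozenset   # vulnerability identifiers this control addresses
    effectiveness: float   # 0.0 = no effect, 1.0 = fully mitigates (assumed scale)


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    asset: str
    exploits: str          # vulnerability the scenario relies on
    likelihood: int        # 1 (rare) .. 5 (expected) before controls (assumed scale)
    malicious: bool = True


def coverage(vuln, controls):
    """Combined effectiveness of every control addressing `vuln`. Controls are
    treated as independent layers: the exposure that survives them is the
    product of what each one misses."""
    residual = 1.0
    for c in controls:
        if vuln in c.mitigates:
            residual *= 1.0 - c.effectiveness
    return 1.0 - residual


def analyze(assets, controls, scenarios):
    """Score = impact (asset sensitivity) x residual likelihood
    (inherent likelihood reduced by control coverage); highest first."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for s in scenarios:
        asset = by_name[s.asset]
        if s.exploits not in asset.vulnerabilities:
            raise ValueError(f"{s.name}: {s.exploits} is not a vulnerability of {s.asset}")
        impact = SENSITIVITY[asset.classification]
        residual_likelihood = s.likelihood * (1.0 - coverage(s.exploits, controls))
        ranked.append({
            "scenario": s.name, "asset": s.asset, "malicious": s.malicious,
            "impact": impact,
            "residual_likelihood": round(residual_likelihood, 2),
            "score": round(impact * residual_likelihood, 2),
        })
    ranked.sort(key=lambda r: (-r["score"], r["scenario"]))
    return ranked


def control_gaps(assets, controls, min_classification="confidential"):
    """Vulnerabilities on sensitive assets that no current control addresses:
    the control areas that should be improved."""
    floor = SENSITIVITY[min_classification]
    gaps = []
    for a in assets:
        if SENSITIVITY[a.classification] < floor:
            continue
        for v in sorted(a.vulnerabilities):
            if coverage(v, controls) == 0.0:
                gaps.append((a.name, v))
    return gaps


def build_example():
    """Constructed inventory modelled on the booklet's web-server scenario."""
    assets = [
        Asset("internet_web_server", "internal", frozenset({"unpatched_web_app"})),
        Asset("customer_db", "customer_npi", frozenset({
            "sql_injection_in_web_app", "backup_media_unencrypted", "shared_admin_account"})),
    ]
    controls = [
        Control("monthly_patching", frozenset({"unpatched_web_app"}), 0.7),
        Control("web_app_firewall", frozenset({"sql_injection_in_web_app"}), 0.5),
        Control("input_validation", frozenset({"sql_injection_in_web_app"}), 0.4),
    ]
    scenarios = [
        ThreatScenario("script kiddie dumps customer table via web app",
                       "customer_db", "sql_injection_in_web_app", likelihood=5),
        ThreatScenario("insider walks out with backup tape",
                       "customer_db", "backup_media_unencrypted", likelihood=2),
        ThreatScenario("operator drops production volume by mistake",
                       "customer_db", "shared_admin_account", likelihood=1, malicious=False),
    ]
    return assets, controls, scenarios


def run_example():
    assets, controls, scenarios = build_example()
    return analyze(assets, controls, scenarios), control_gaps(assets, controls)


if __name__ == "__main__":
    ranked, gaps = run_example()
    for r in ranked:
        print(f"{r['score']:5.2f}  {r['scenario']}  (impact {r['impact']}, "
              f"residual likelihood {r['residual_likelihood']})")
    print("uncontrolled vulnerabilities on sensitive assets:", gaps)
```

Run stand-alone, the script ranks the insider scenario above the web-server attack even though the latter has the higher inherent likelihood, because two controls already cover the injection path while nothing covers the unencrypted backup media or the shared administrator account; control_gaps() lists exactly those two uncontrolled vulnerabilities on the customer NPI asset, which is the output the booklet's cross-referencing step is meant to produce. The non-malicious operator-error scenario is scored on the same scale, as the booklet requires.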
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4.3 Automated Applications and Data
Normally, the primary contingency strategy for applications and
data is regular backup and secure offsite storage. Important
decisions to be addressed include how often the backup is performed,
how often it is stored off-site, and how it is transported (to
storage, to an alternate processing site, or to support the
resumption of normal operations).
The need for computer security does not go away when an
organization is processing in a contingency mode. In some cases, the
need may increase due to sharing processing facilities,
concentrating resources in fewer sites, or using additional
contractors and consultants. Security should be an important
consideration when selecting contingency strategies.
11.4.4 Computer-Based Services
Service providers may offer contingency services. Voice
communications carriers often can reroute calls (transparently to
the user) to a new location. Data communications carriers can also
reroute traffic. Hot sites are usually capable of receiving data and
voice communications. If one service provider is down, it may be
possible to use another. However, the type of communications carrier
lost, either local or long distance, is important. Local voice
service may be carried on cellular. Local data communications,
especially for large volumes, are normally more difficult. In
addition, resuming normal operations may require another rerouting
of communications services.
11.4.5 Physical Infrastructure
Hot sites and cold sites may also offer office space in addition to
processing capability support. Other types of contractual
arrangements can be made for office space, security services,
furniture, and more in the event of a contingency. If the
contingency plan calls for moving offsite, procedures need to be
developed to ensure a smooth transition back to the primary
operating facility or to a new facility. Protection of the physical
infrastructure is normally an important part of the emergency
response plan, such as use of fire extinguishers or protecting
equipment from water damage.
11.4.6 Documents and Papers
The primary contingency strategy is usually backup onto magnetic,
optical, microfiche, paper, or other medium and offsite storage.
Paper documents are generally harder to back up than electronic ones.
A supply of forms and other needed papers can be stored offsite.