MISCELLANEOUS CYBERSECURITY NEWS:
Host Todd Fitzgerald reflects on 100 episodes of the CISO Stories
podcast - Milestones are often worth celebrating - delivering
affirmation that a vision made good on its promise. And so we
celebrate a milestone for the CISO Stories podcast: the 100th
episode, which welcomes guest Gene Spafford, known by many as Spaf,
to share his own experiences as an infosec expert and founder of
Purdue University's Center for Education and Research in Information
Assurance and Security.
https://www.scmagazine.com/news/leadership/host-todd-fitzgerald-reflects-on-100-episodes-of-the-ciso-stories-podcast
Fed’s updated mobile health app tool aims to reduce HIPAA compliance
mistakes - The Department of Health and Human Services, the FDA, and
the FTC have updated the mobile health app interactive tool for
developers, the latest effort to clarify how regulations impact
health data and apps that fall outside of the Health Insurance
Portability and Accountability Act.
https://www.scmagazine.com/analysis/application-security/feds-updated-mobile-health-app-tool-aims-to-reduce-hipaa-compliance-mistakes
Three cloud security lessons learned in 2022 – and the path forward
- Enterprises across every vertical in every geography have moved to
the cloud en masse. The cloud has revolutionized the way IT
infrastructure gets managed – removing the need to purchase,
install, and configure hardware – shifting the focus to building
applications.
https://www.scmagazine.com/perspective/cloud-security/three-cloud-security-lessons-learned-in-2022-and-the-path-forward
What companies can do to lower cyber insurance costs - This year saw
some important geopolitical developments that have led to some
equally significant changes within the cyber insurance market.
https://www.scmagazine.com/perspective/strategy/what-companies-can-do-to-lower-cyber-insurance-costs
Most of the 10 largest healthcare data breaches in 2022 are tied to
vendors - Ninety percent of the 10 largest healthcare data breaches
reported this year were caused by third-party vendors, much like in
2021.
https://www.scmagazine.com/feature/breach/most-of-the-10-largest-healthcare-data-breaches-in-2022-are-tied-to-vendors
UK Government Rolls Out Security Guidance for Mobile Apps - The U.K.
government on Friday released a voluntary code of practice that urges
app store operators and app developers to upgrade their security and
privacy practices. The new guidelines will be monitored for
compliance.
https://www.govinfosecurity.com/uk-government-rolls-out-security-guidance-for-mobile-apps-a-20673
Google launches new tool to identify open source vulnerabilities -
Google has released a new free tool that allows open-source
developers to more easily access vulnerability information relevant
to their projects.
https://www.scmagazine.com/analysis/vulnerability-management/google-launches-new-tool-to-identify-open-source-vulnerabilities
GAO - Information Technology and Cybersecurity - The federal
government annually spends more than $100 billion on IT and cyber
investments—many of which have been ineffectively managed.
https://www.gao.gov/products/gao-23-106414
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Rackspace confirms ransomware attack behind days-long email meltdown
- Rackspace has admitted a ransomware infection was to blame for the
days-long email outage that disrupted services for customers.
https://www.theregister.com/2022/12/06/rackspace_confirms_ransomware/
Popular HR and Payroll Company Sequoia Discloses a Data Breach - The
human resources, payroll, and benefits management company Sequoia
said in disclosures to customers at the beginning of the month that
it detected unauthorized access to a cloud storage repository that
contained an array of sensitive and personal data related to the
company's Sequoia One customers.
https://www.wired.com/story/sequoia-hr-data-breach/
Antwerp's city services down after hackers attack digital partner -
The city of Antwerp, Belgium, is working to restore its digital
services that were disrupted last night by a cyberattack on its
digital provider.
https://www.bleepingcomputer.com/news/security/antwerps-city-services-down-after-hackers-attack-digital-partner/
Agrius Iranian APT Group Cuts Into Diamond Industry - A previous
cyberattack on an Israeli software developer is being used by the
Agrius Advanced Persistent Threat (APT) group to launch wiper attacks
against various organizations in the diamond industry.
https://www.darkreading.com/attacks-breaches/agrius-iranian-apt-group-cuts-into-diamond-industry
Medibank systems back online after weekend shutdown for security
update - Medibank's systems are back online after they were shut
down over the weekend for a security upgrade. The move was part of
efforts to bolster its resilience following the October data breach
that impacted 9.7 million customers.
https://www.zdnet.com/article/medibank-systems-back-online-after-weekend-shutdown-for-security-update/
NYC's Metropolitan Opera is under cyberattack - It is the third day
of a cyberattack on the Metropolitan Opera that has prevented the
institution from selling tickets.
https://gothamist.com/news/nycs-metropolitan-opera-is-under-cyberattack
Dentist settles HIPAA violations for disclosing information replying
to Yelp reviews - The Office for Civil Rights reached a settlement
with a dentist to resolve potential violations of the Health
Insurance Portability and Accountability Act, after the
impermissible disclosure of patients’ protected health information
on social media site Yelp.
https://www.scmagazine.com/analysis/privacy/dentist-settles-hipaa-violations-for-disclosing-information-replying-to-yelp-reviews
Government of Vanuatu offline since early November in suspected
ransomware attack - The government of Vanuatu has been offline for
over a month in what is a suspected ransomware attack.
https://www.scmagazine.com/news/ransomware/the-government-of-vanuatu-offline-since-early-november-in-suspected-ransomware-attack
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 3 of 10)
A. RISK DISCUSSION
Reputation Risk
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the third-party product or service;
- trade name of the third party; and
- website appearance.
Nature of Product or Service
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
store.
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
in nature.
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
financial institution.
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
seller.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INSURANCE (Part 1 of 2)
Financial institutions have used insurance coverage as an
effective method to transfer risks from themselves to insurance
carriers. Insurance coverage is increasingly available to cover
risks from security breaches or denial of service attacks. For
example, several insurance companies offer e-commerce insurance
packages that can reimburse financial institutions for losses from
fraud, privacy breaches, system downtime, or incident response. When
evaluating the need for insurance to cover information security
threats, financial institutions should understand the following
points:
- Insurance is not a substitute for an effective security
program.
- Traditional fidelity bond coverage may not protect from losses
related to security intrusions.
- Availability, cost, and covered risks vary by insurance
company.
- Availability of new insurance products creates a more dynamic
environment for these factors.
- Insurance cannot adequately cover the reputation and compliance
risk related to customer relationships and privacy.
- Insurance companies typically require companies to certify that
certain security practices are in place.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.5.4 Vulnerabilities Related to Information Disclosure/Brokerage
HGA takes a conservative approach toward protecting information about
its employees. Since information brokerage is more likely to be a
threat to large collections of data, HGA's risk assessment focused
primarily, but not exclusively, on protecting the mainframe.
The risk assessment concluded that significant, avoidable information
brokering vulnerabilities were present--particularly due to HGA's
lack of compliance with its own policies and procedures. Time and
attendance documents were typically not stored securely after hours,
and few PCs containing time and attendance information were routinely
locked. Worse yet, few were routinely powered down, and many were
left logged into the LAN server overnight. These practices make it
easy for an HGA employee wandering the halls after hours to browse
or copy time and attendance information on another employee's desk,
PC hard disk, or LAN server directories.
The risk assessment pointed out that information sent to or retrieved
from the server is subject to eavesdropping by other PCs on the LAN.
The LAN hardware transmits information by broadcasting it to all
connection points on the LAN cable. Moreover, information sent to or
retrieved from the server is transmitted in the clear--that is,
without encryption. Given the widespread availability of LAN
"sniffer" programs, LAN eavesdropping is trivial for a prospective
information broker and, hence, is likely to occur.
Last, the assessment noted that HGA's employee master database is
stored on the mainframe, where it might be a target for information
brokering by employees of the agency that owns the mainframe. It
might also be a target for information brokering, fraudulent
modification, or other illicit acts by any outsider who penetrates
the mainframe via another host on the WAN.