MISCELLANEOUS CYBERSECURITY NEWS:
This will affect your bank's website in the coming year - FDIC Finalizes
Rule to Modernize Official Signs and Advertising Statement Requirements
for Insured Depository Institutions - The Federal
Deposit Insurance Corporation Board of Directors today adopted a
final rule to amend part 328 of its regulations to modernize the
rules governing use of the official FDIC signs and advertising
statements, and to clarify the FDIC’s regulations regarding false
advertising, misrepresentations of deposit insurance coverage, and
misuse of the FDIC’s name or logo.
www.fdic.gov/news/press-releases/2023/pr23110.html
The Impact of the New SEC Regulations on Cybersecurity – BSW #331 -
Materiality, Disclosure, and Evidence... New terms for cybersecurity
professionals to understand under the new SEC Regulations for
Cybersecurity. And the Solarwinds indictment is just the beginning.
https://www.scmagazine.com/podcast-segment/12248-the-impact-of-the-new-sec-regulations-on-cybersecurity-bsw-331
SEC has provided some important clarifications on its new cyber
incident disclosure requirements, which come into effect - The SEC
announced in late July that it had adopted new cybersecurity
incident disclosure rules for public companies, requiring them to
disclose any material breach within four business days of
discovering that the incident has material impact. In addition,
companies will have to submit annual reports with information on
their cybersecurity risk management, strategy, and governance.
https://www.securityweek.com/sec-shares-important-clarifications-as-new-cyber-incident-disclosure-rules-come-into-effect/
CISA Urges Manufacturers to Eliminate Default Passwords After Recent
ICS Attacks - An alert released by CISA on Friday as part of its
Secure by Design series recommends that manufacturers eliminate the
risk associated with default passwords by implementing two
principles: taking ownership of customer security outcomes, and
building organizational structure and leadership to achieve such
goals.
https://www.securityweek.com/cisa-urges-manufacturers-to-eliminate-default-passwords-after-recent-ics-attacks/
Former IT manager pleads guilty to attacking high school network - A
former IT manager for a New Jersey public high school has admitted
to committing a cyberattack against his former employer following
the termination of his employment in June 2023.
https://www.bleepingcomputer.com/news/security/former-it-manager-pleads-guilty-to-attacking-high-school-network/
Cloud engineer gets 2 years for wiping ex-employer’s code repos - A
cloud engineer was sentenced to two years in prison and a
restitution of $529,000 for wiping the code repositories of his
former employer in retaliation for being fired by the company.
https://www.bleepingcomputer.com/news/security/cloud-engineer-gets-2-years-for-wiping-ex-employers-code-repos
Cyberspace Solarium Commission Hails NDAA Cyber Provisions -
Co-chairs of the Cyberspace Solarium Commission praised the annual
U.S. National Defense Authorization Act for enacting recommendations
from its 2020 report, saying the defense bill marks "meaningful"
advancements for cybersecurity.
https://www.govinfosecurity.com/cyberspace-solarium-commission-hails-ndaa-cyber-provisions-a-23910
It makes sense for the Biden administration to focus on software
security – but it’s up to the industry to make it happen - The Biden
administration’s National Cybersecurity Strategy published earlier
this year contains a single, big idea that could shake the software
business’s foundation: shifting liability for insecure software away
from customers back onto the companies that make the products.
https://www.scmagazine.com/perspective/biden-administration-to-focus-on-software-security
Ransomware attack lessons, from MOVEit and Doubledrive to
MGM/Caesars - In this webcast, we dissect the lessons derived from
ransomware attacks involving MOVEit, Doubledrive, and the
MGM/Caesars breach—to empower organizations in fortifying their
cybersecurity defenses.
https://www.scmagazine.com/cybercast/ransomware-attack-lessons-from-moveit-and-doubledrive-to-mgm-caesars
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Delta Dental of California discloses nearly 7M patients affected in
MOVEit hack - The latest disclosure comes from Delta Dental of
California, which notified nearly 7 million patients that they
experienced a data breach after personal data was exposed in the
MOVEit Transfer software case.
https://www.scmagazine.com/news/delta-dental-of-california-discloses-nearly-7m-patients-affected-in-moveit-hack
Kyivstar Mobile Attack Plunges Millions in Ukraine Into Comms
Blackout - Kyivstar, Ukraine's biggest mobile telecom operator, has
suffered a cyberattack that took out cell service for more than half
of Ukraine's population and cut Internet for millions — as well as
knocking offline the emergency air-raid system in the capital
region.
https://www.darkreading.com/ics-ot-security/kyivstar-mobile-attack-ukraine-comms-blackout
U.S. nuclear research lab data breach impacts 45,000 people - The
Idaho National Laboratory (INL) confirmed that attackers stole the
personal information of more than 45,000 individuals after breaching
its cloud-based Oracle HCM HR management platform last month.
https://www.bleepingcomputer.com/news/security/us-nuclear-research-lab-data-breach-impacts-45-000-people/
Northern Ireland cops count human cost of August data breach - An
official review of the Police Service of Northern Ireland's (PSNI)
August data breach has revealed the full extent of the impact on
staff.
https://www.theregister.com/2023/12/12/psni_data_breach_forces_officers/
Mr. Cooper breach goes from bad to worse: 14.6M current, former
customers exposed - Mr. Cooper, a major U.S. mortgage servicer, says
an October data breach affected nearly 14.7 million people,
including all its current and former customers.
https://www.scmagazine.com/news/mr-cooper-breach-affects-more-than-14-6m-all-current-former-customers
35 million Xfinity customers have data leaked in breach tied to
Citrix Bleed bug - Xfinity confirmed more than 35 million of its
customers were affected by a data breach linked to the Citrix Bleed
vulnerability. The company, which is part of Comcast Corporation,
notified customers Monday that usernames and hashed passwords were
stolen in a mid-October cyberattack.
https://www.scmagazine.com/news/xfinity-breach-affecting-35m-blamed-on-citrix-bleed
MongoDB says customer data was exposed in a cyberattack - MongoDB is
warning that its corporate systems were breached and that customer
data was exposed in a cyberattack that was detected by the company
earlier this week.
https://www.bleepingcomputer.com/news/security/mongodb-says-customer-data-was-exposed-in-a-cyberattack/
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Risk management challenges
The Electronic Banking Group (EBG) noted that the fundamental
characteristics of e-banking (and e-commerce more generally) posed a
number of risk management challenges:
1. The speed of change relating to technological and customer service
innovation in e-banking is
unprecedented. Historically, new banking applications were
implemented over relatively long periods of time and only after
in-depth testing. Today, however, banks are experiencing competitive
pressure to roll out new business applications in very compressed
time frames - often only a few months from concept to production.
This competition intensifies the management challenge to ensure that
adequate strategic assessment, risk analysis and security reviews
are conducted prior to implementing new e-banking applications.
2. Transactional e-banking web sites and associated retail and wholesale business
applications are typically integrated as much as possible with
legacy computer systems to allow more straight-through processing of
electronic transactions. Such straight-through automated processing
reduces opportunities for human error and fraud inherent in manual
processes, but it also increases dependence on sound systems design
and architecture as well as system interoperability and operational
scalability.
3. E-banking increases banks' dependence on information technology,
thereby increasing the technical complexity of many operational and
security issues and furthering a trend towards more partnerships,
alliances and outsourcing arrangements with third parties, many of
whom are unregulated. This development has been leading to the
creation of new business models involving banks and non-bank
entities, such as Internet service providers, telecommunication
companies and other technology firms.
4. The Internet is ubiquitous and global by nature. It is
an open network accessible from anywhere in the world by unknown
parties, with routing of messages through unknown locations and via
fast evolving wireless devices. Therefore, it significantly
magnifies the importance of security controls, customer
authentication techniques, data protection, audit trail procedures,
and customer privacy standards.
FFIEC IT SECURITY - We continue our
series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (2 of 2)
Since specific scenarios can become too numerous for financial
institutions to address individually, various techniques are used to
generalize and extend the scenarios. For instance, one technique
starts with a specific scenario and looks at additional damage that
could occur if the attacker had different knowledge or motivation.
This technique allows the reviewers to see the full extent of risk
that exists from a given vulnerability. Another technique aggregates
scenarios by high-value system components.
Scenarios should consider attacks against the logical security,
physical security, and combinations of logical and physical attacks.
In addition, scenarios could consider social engineering, which
involves manipulation of human trust by an attacker to obtain access
to computer systems. It is often easier for an attacker to obtain
access through manipulation of one or more employees than to perform
a logical or physical intrusion.
The risk from any given scenario is a function of the probability
of the event occurring and the impact on the institution. The
probability and impact are directly influenced by the financial
institution's business profile, the effectiveness of the financial
institution's controls, and the relative strength of controls when
compared to other industry targets.
The probability of an event occurring is reflected in one of two
ways. If reliable and timely probability data is available,
institutions can use it. Since probability data is often limited,
institutions can assign a qualitative probability, such as frequent,
occasional, remote, and improbable.
Frequently, TSPs perform some or all of the institution's
information processing and storage. Reliance on a third party for
hosting systems or processing does not remove the institution's
responsibility for securing the information. It does change how the
financial institution will fulfill its role. Accordingly, risk
assessments should evaluate the sensitivity of information
accessible to or processed by TSPs, the importance of the processing
conducted by TSPs, communications between the TSP's systems and the
institution, contractually required controls, and the testing of
those controls. Additional vendor management guidance is contained
in the FFIEC's statement on "Risk Management of Outsourced
Technology Services," dated November 28, 2000.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.5 Step 5: Implementing the Contingency Strategies
Once the contingency planning strategies have been selected, it is
necessary to make appropriate preparations, document the strategies,
and train employees. Many of these tasks are ongoing.
11.5.1 Implementation
Much preparation is needed to implement the strategies for
protecting critical functions and their supporting resources. For
example, one common preparation is to establish procedures for
backing up files and applications. Another is to establish contracts
and agreements, if the contingency strategy calls for them. Existing
service contracts may need to be renegotiated to add contingency
services. Another preparation may be to purchase equipment,
especially to support a redundant capability.
It is important to keep preparations, including documentation,
up-to-date. Computer systems change rapidly and so should backup
services and redundant equipment. Contracts and agreements may also
need to reflect the changes. If additional equipment is needed, it
must be maintained and periodically replaced when it is no longer
dependable or no longer fits the organization's architecture.
Preparation should also include formally designating people who are
responsible for various tasks in the event of a contingency. These
people are often referred to as the contingency response team. This
team is often composed of people who were a part of the contingency
planning team.
There are many important implementation issues for an organization.
Two of the most important are 1) how many plans should be developed?
and 2) who prepares each plan? Both of these questions revolve
around the organization's overall strategy for contingency planning.
The answers should be documented in organization policy and
procedures.
Backing up data files and applications is a critical part of
virtually every contingency plan. Backups are used, for example, to
restore files after a personal computer virus corrupts the files or
after a hurricane destroys a data processing center.
How many plans?
Some organizations have just one plan for the entire organization,
and others have a plan for every distinct computer system,
application, or other resource. Other approaches recommend a plan
for each business or mission function, with separate plans, as
needed, for critical resources.
The answer to the question, therefore, depends upon the unique
circumstances for each organization. But it is critical to
coordinate between resource managers and functional managers who are
responsible for the mission or business.
Who Prepares the Plan?
If an organization decides on a centralized approach to contingency
planning, it may be best to name a contingency planning coordinator.
The coordinator prepares the plans in cooperation with various
functional and resource managers. Some organizations place
responsibility directly with the functional and resource managers.
Relationship Between Contingency Plans and Computer Security Plans
For small or less complex systems, the contingency plan may be a
part of the computer security plan. For larger or more complex
systems, the computer security plan could contain a brief synopsis
of the contingency plan, which would be a separate document.
11.5.2 Documenting
The contingency plan needs to be written, kept up-to-date as the
system and other factors change, and stored in a safe place. A
written plan is critical during a contingency, especially if the
person who developed the plan is unavailable. It should clearly
state in simple language the sequence of tasks to be performed in
the event of a contingency so that someone with minimal knowledge
could immediately begin to execute the plan. It is generally helpful
to store up-to-date copies of the contingency plan in several
locations, including any off-site locations, such as alternate
processing sites or backup data storage facilities.