MISCELLANEOUS CYBERSECURITY NEWS:
1 in 4 high-risk CVEs are exploited within 24 hours
of going public - In a research blog published Tuesday, Qualys
researchers identified a number of trends tied to the Common
Vulnerabilities and Exposures (CVEs) disclosed over the past year.
https://www.scmagazine.com/news/1-in-4-high-risk-cves-are-exploited-within-24-hours-of-going-public
NIST Seeking Comment on Post-Quantum Crypto Migration Practice
Guides - The National Institute of Standards and Technology’s (NIST)
National Cybersecurity Center of Excellence (NCCoE) has released two
preliminary draft practice guides “to share insights and findings to
ease migration from current public-key cryptographic algorithms to
soon-to-be standardized” post-quantum cryptography (PQC) algorithms.
https://www.meritalk.com/articles/nist-seeking-comment-on-post-quantum-crypto-migration-practice-guides/
3,500 arrested, $300M seized in global cybercrime crackdown - Police
in 34 countries arrested 3,500 people and seized assets worth $300
million in the latest iteration of what has become an annual
coordinated global crackdown on cybercrime.
https://www.scmagazine.com/news/3500-arrested-300m-seized-in-global-cybercrime-crackdown
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
2.7M medical records exposed in double-extortion ransomware attack -
A ransomware attack against medical software company ESO Solutions
has exposed personal details and healthcare information belonging to
2.7 million U.S. patients.
https://www.scmagazine.com/news/eso-solutions-says-2-7m-medical-records-exposed-in-oct-ransomware-attack
Xfinity Data Breach Impacts 36 Million Individuals - The incident
was disclosed by the telecommunications and smart home solutions
provider on December 18, when it admitted that hackers gained access
to customer usernames and hashed passwords, as well as names, dates
of birth, contact information, secret questions and answers, and the
last four digits of social security numbers in some cases.
https://www.securityweek.com/xfinity-data-breach-impacts-36-million-individuals/
Mr. Cooper breach goes from bad to worse: 14.6M current, former
customers exposed - Mr. Cooper, a major U.S. mortgage servicer, says
an October data breach affected nearly 14.7 million people,
including all its current and former customers.
https://www.scmagazine.com/news/mr-cooper-breach-affects-more-than-14-6m-all-current-former-customers
WEB SITE COMPLIANCE
- We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Banking Supervision.
Risk management principles (Part 1 of 2)
Based on the early work of the Electronic Banking Group (EBG),
the Committee concluded that, while traditional banking risk
management principles are applicable to e-banking activities, the
complex characteristics of the Internet delivery channel dictate
that the application of these principles must be tailored to fit
many online banking activities and their attendant risk management
challenges. To this end, the Committee believes that it is incumbent
upon the Boards of Directors and banks' senior management to take
steps to ensure that their institutions have reviewed and modified
where necessary their existing risk management policies and
processes to cover their current or planned e-banking activities.
Further, as the Committee believes that banks should adopt an
integrated risk management approach for all banking activities, it
is critical that the risk management oversight afforded e-banking
activities becomes an integral part of the banking institution's
overall risk management framework.
To facilitate these developments, the Committee asked the EBG to
identify the key risk management principles that would help banking
institutions expand their existing risk oversight policies and
processes to cover their e-banking activities and, in turn, promote
the safe and sound electronic delivery of banking products and
services.
These Risk Management Principles for Electronic Banking, which
are identified in this Report, are not put forth as absolute
requirements or even "best practice" but rather as guidance to
promote safe and sound e-banking activities. The Committee believes
that setting detailed risk management requirements in the area of
e-banking might be counter-productive, if only because these would
be likely to become rapidly outdated by the speed of change related
to technological and product innovation. Therefore the principles
included in the present Report express supervisory expectations
related to the overall objective of banking supervision to ensure
safety and soundness in the financial system rather than stringent
regulations.
The Committee is of the view that such supervisory expectations
should be tailored and adapted to the e-banking distribution channel
but not be fundamentally different to those applied to banking
activities delivered through other distribution channels.
Consequently, the principles presented below are largely derived and
adapted from supervisory principles that have already been expressed
by the Committee or national supervisors over a number of years. In
some areas, such as the management of outsourcing relationships,
security controls and legal and reputational risk management, the
characteristics and implications of the Internet distribution
channel introduce a need for more detailed principles than those
expressed to date.
FFIEC IT SECURITY - We continue our
series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
PRIORITIZE RESPONSES
This phase ranks the risk (outcomes and probabilities)
presented by various scenarios produced in the analysis phase to
prioritize management's response. Management may decide that since
some risks do not meet the threshold set in their security
requirement, they will accept those risks and not proceed with a
mitigation strategy. Other risks may require immediate corrective
action. Still others may require mitigation, either fully or
partially, over time. Risks that warrant action are addressed in the
information security strategy.
In some borderline instances, or if planned controls cannot
fully mitigate the risk, management may need to review the risk
assessment and risk ranking with the board of directors or a
delegated committee. The board should then document its acceptance
of the risk or authorize other risk mitigation measures.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.5.3 Training
All personnel should be trained in their contingency-related
duties. New personnel should be trained as they join the
organization, refresher training may be needed, and personnel will
need to practice their skills.
Training is particularly important for effective employee response
during emergencies. There is no time to check a manual to determine
correct procedures if there is a fire. Depending on the nature of
the emergency, there may or may not be time to protect equipment and
other assets. Practice is necessary in order to react correctly,
especially when human safety is involved.
11.6 Step 6: Testing and Revising
A contingency plan should be tested periodically because there
will undoubtedly be flaws in the plan and in its implementation. The
plan will become dated as time passes and as the resources used to
support critical functions change. Responsibility for keeping the
contingency plan current should be specifically assigned. The extent
and frequency of testing will vary between organizations and among
systems. There are several types of testing, including reviews,
analyses, and simulations of disasters.
Contingency plan maintenance can be incorporated into procedures
for change management so that upgrades to hardware and software are
reflected in the plan.
A review can be a simple test to check the accuracy of contingency
plan documentation. For instance, a reviewer could check if
individuals listed are still in the organization and still have the
responsibilities that caused them to be included in the plan. This
test can check home and work telephone numbers, organizational
codes, and building and room numbers. The review can determine if
files can be restored from backup tapes or if employees know
emergency procedures.
An analysis may be performed on the entire plan or portions of it,
such as emergency response procedures. It is beneficial if the
analysis is performed by someone who did not help develop the
contingency plan but has a good working knowledge of the critical
function and supporting resources. The analyst(s) may mentally
follow the strategies in the contingency plan, looking for flaws in
the logic or process used by the plan's developers. The analyst may
also interview functional managers, resource managers, and their
staff to uncover missing or unworkable pieces of the plan.
Organizations may also arrange disaster simulations. These tests
provide valuable information about flaws in the contingency plan and
provide practice for a real emergency. While they can be expensive,
these tests can also provide critical information that can be used
to ensure the continuity of important functions. In general, the
more critical the functions and the resources addressed in the
contingency plan, the more cost-beneficial it is to perform a
disaster simulation.
The word "test" often implies a grade assigned for a specific level
of performance, or simply pass or fail. However, in the case of
contingency planning, a test should be used to improve the plan. If
organizations do not use this approach, flaws in the plan may remain
hidden and uncorrected.