MISCELLANEOUS CYBERSECURITY NEWS:
The company you keep: your most trusted vendor could be your biggest
security risk - Cyber defenses are faltering under the pressure of
digital complexity. The interconnected nature of today’s digital
world has made it easier for users, third-party vendors, and cyber
criminals to compromise organizational security, whether
intentionally or unintentionally.
https://www.cybersecuritydive.com/spons/the-company-you-keep-your-most-trusted-vendor-could-be-your-biggest-securi/732033/
Legal protections for security researchers sought in new German
draft law - A German draft law announced this week would protect
researchers who discover security vulnerabilities from potential
criminal prosecution under the nation’s computer crimes law.
https://www.scworld.com/news/legal-protections-for-security-researchers-sought-in-new-german-draft-law
Who should be in the room when purchasing cyber insurance? - Cyber
exposure should be treated just as seriously as a fire event, each
with a high potential to disrupt business for extended periods of
time, Peter Hedberg of Corvus Insurance writes.
https://www.cybersecuritydive.com/news/buying-cyber-insurance-ciso/732506/
Why you should deploy modern multi-factor authentication - No
right-thinking organization should rely on passwords alone for user
authentication. We all know that passwords can be reused, cracked or
phished.
https://www.scworld.com/resource/why-you-should-deploy-modern-multi-factor-authentication
OpenAI further expands its generative AI work with the federal
government - ChatGPT Enterprise is showing up within the Treasury
Department and the Air Force Research Laboratory, among other
places.
https://fedscoop.com/openai-expands-chatgpt-work-federal-government/
TSA floats new rules mandating cyber incident reporting for
pipelines, railroads - The Transportation Security Administration
proposed new rules this week that would codify existing temporary
directives requiring pipeline and railroad operators to report cyber
incidents and create cyber risk management (CRM) plans.
https://therecord.media/tsa-new-rules-cyber-response
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Halliburton incurs about $35M in expenses related to August
cyberattack - The company said the intrusion forced it to delay
billing and collections, but the impact is not considered material.
https://www.cybersecuritydive.com/news/halliburton-35-million-cyberattack/732397/
Ransomware Attack Disrupts Georgia Hospital’s Access to Health
Records - Memorial Hospital and Manor in Bainbridge, Georgia, can no
longer access its Electronic Health Record system after falling
victim to a ransomware attack.
https://www.securityweek.com/ransomware-attack-disrupts-georgia-hospitals-access-to-health-records/
Washington courts' systems offline following weekend cyberattack -
Court systems across Washington state have been down since Sunday
when officials said "unauthorized activity" was detected on their
networks.
https://www.bleepingcomputer.com/news/security/washington-courts-systems-offline-following-weekend-cyberattack/
Schneider Electric investigating cyber intrusion after threat actor
gains access to platform - Schneider Electric on Monday said it is
investigating a cyber incident following claims by a suspected
threat actor that it had gained access to company data.
https://www.cybersecuritydive.com/news/schneider-electric-investigating-cyber/732006/
Columbus, Ohio confirms July ransomware attack compromised data of
500K people - The city notified half a million people their personal
information was at risk following the attack it attributed to a
foreign threat actor.
https://www.cybersecuritydive.com/news/columbus-ohio-ransomware-500k/732154/
Grocery giant Ahold Delhaize’s US operations disrupted by
cyberattack - The parent company said the disruption forced it to
take certain systems offline and affected some pharmacies and
e-commerce services.
https://www.cybersecuritydive.com/news/grocery-ahold-delhaize-cyberattack/732562/
Law Firm Data Breach Impacts 300,000 Presbyterian Healthcare Patients -
The information of over 300,000 Presbyterian Healthcare Services
patients was compromised as a result of a data breach at a law firm.
https://www.securityweek.com/law-firm-data-breach-impacts-300000-presbyterian-healthcare-patients/
Amazon confirms employee data breach after vendor hack - Amazon
confirmed a data breach involving employee information after data
allegedly stolen during the May 2023 MOVEit attacks was leaked on a
hacking forum.
https://www.bleepingcomputer.com/news/security/amazon-confirms-employee-data-breach-after-vendor-hack/
https://www.scworld.com/news/millions-of-records-from-moveit-hack-released-on-dark-web
Cyberattack Cost Oil Giant Halliburton $35 Million - The expenses
related to the recent cybersecurity incident suffered by US oil
giant Halliburton reached $35 million by the end of September,
according to the company’s latest financial report.
https://www.securityweek.com/cyberattack-cost-oil-giant-halliburton-35-million/
WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and
Internet-Related Fraudulent Schemes (Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
costly litigation.
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following
messages:
! A financial institution's Web page should never be accessed from a
link provided by a third party, such as a link in an e-mail. It should
only be accessed by typing the Web site name, or URL address, into the
Web browser or by using a bookmark that directs the Web browser to the
financial institution's Web site.
! A financial institution should not send e-mail messages that
request confidential information, such as account numbers,
passwords, or PINs. Financial institution customers should be
reminded to report any such requests to the institution.
! Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by inspecting the certificate presented on a
secure (HTTPS) page and confirming that it was issued for the
institution's own domain name. The presence of a padlock icon alone
is not proof of identity, since a fraudulent site can also obtain a
certificate for its own look-alike domain.
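The first two points above amount to a check an institution can also automate on its own side: links in a message that claim to lead to the institution but resolve to some other domain. The following script is an added example, not part of the FFIEC guidance; the institution domain `examplebank.com`, the sample message, and the matching rules are assumptions chosen for illustration. It extracts every anchor from an HTML e-mail body and flags links whose destination is not the institution's registered domain, links that embed the institution's name as a subdomain of some other domain, and links whose visible text names a different domain than the href actually goes to.

```python
"""Flag links in an e-mail body that do not lead to the institution's site.

Added example for the customer-education guidance above; not taken from
the FFIEC text. INSTITUTION_DOMAIN and SAMPLE_EMAIL are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the institution's own registered domain (hypothetical name).
INSTITUTION_DOMAIN = "examplebank.com"

# Constructed sample message body (not a real e-mail). It mixes one
# legitimate link with two typical phishing patterns.
SAMPLE_EMAIL = """
<p>Dear customer, your account is locked. Verify your PIN here:</p>
<a href="http://examplebank.com.verify-login.example/login">https://www.examplebank.com/login</a>
<p>Or contact us at <a href="https://www.examplebank.com/contact">our site</a>.</p>
<p>Alternatively: <a href="https://examp1ebank.com/login">examplebank.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare hosts such as 'examplebank.com/x' are accepted."""
    url = url.strip()
    parsed = urlparse(url)
    if not parsed.scheme:
        parsed = urlparse("http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host):
    """Last two labels of a hostname. Simplification: ignores public-suffix
    rules (e.g. co.uk), which a production check should consult."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(href, text):
    """Return the reasons a link looks like a spoof (empty list = looks fine)."""
    reasons = []
    href_host = host_of(href)
    href_domain = registered_domain(href_host)
    if href_domain != INSTITUTION_DOMAIN:
        reasons.append(f"href leads to {href_domain!r}, not {INSTITUTION_DOMAIN!r}")
    # "examplebank.com.attacker.example": institution name used as a decoy label.
    if INSTITUTION_DOMAIN in href_host and href_domain != INSTITUTION_DOMAIN:
        reasons.append("institution name embedded as a subdomain of another domain")
    # Visible text that looks like a host/URL but names a different domain.
    if "." in text and " " not in text:
        text_domain = registered_domain(host_of(text))
        if text_domain and text_domain != href_domain:
            reasons.append(
                f"visible text names {text_domain!r} but href goes to {href_domain!r}"
            )
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(h, t, classify_link(h, t)) for h, t in parser.links]


def suspicious_links(html):
    """Just the hrefs that were flagged, in document order."""
    return [h for h, _, reasons in scan_email(html) if reasons]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(("SUSPICIOUS" if reasons else "ok"), repr(href), "text:", repr(text))
        for r in reasons:
            print("   -", r)
```

Run against the sample, the first and third links are flagged and the contact link passes. The registered-domain heuristic is deliberately simple; for real traffic use a public-suffix list and also compare IDN hostnames in their Unicode form so look-alike scripts are not missed.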
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 1 of 2)
Hardware and software located in a user department are often less
secure than those located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4.1 Human Resources
To ensure an organization has access to workers with the right
skills and knowledge, training and documentation of knowledge are
needed. During a major contingency, people will be under significant
stress and may panic. If the contingency is a regional disaster,
their first concerns will probably be their family and property. In
addition, many people will be either unwilling or unable to come to
work. Additional hiring or temporary services can be used. The use
of additional personnel may introduce security vulnerabilities.
Contingency planning, especially for emergency response, normally
places the highest emphasis on the protection of human life.
11.4.2 Processing Capability
Strategies for processing capability are normally grouped into five
categories: hot site; cold site; redundancy; reciprocal agreements;
and hybrids. These terms originated with recovery strategies for
data centers but can be applied to other platforms.
1. Hot site -- A building already equipped with processing
capability and other services.
2. Cold site -- A building for housing processors that can be
easily adapted for use.
3. Redundant site -- A site equipped and configured exactly like
the primary site. (Some organizations plan on having reduced
processing capability after a disaster and use partial redundancy.
The stocking of spare personal computers or LAN servers also
provides some redundancy.)
4. Reciprocal agreement -- An agreement that allows two
organizations to back each other up. (While this approach often
sounds desirable, contingency planning experts note that this
alternative has the greatest chance of failure due to problems
keeping agreements and plans up-to-date as systems and personnel
change.)
5. Hybrids -- Any combination of the above, such as having a hot
site as a backup in case a redundant or reciprocal-agreement site is
damaged by a separate contingency.
Recovery may include several stages, perhaps marked by increasing
availability of processing capability. Resumption planning may
include contracts or the ability to place contracts to replace
equipment.