|
MISCELLANEOUS CYBERSECURITY NEWS:
What is success in cybersecurity? Failing less. Defenders aren’t
measured by pure wins or losses. Intrusions will happen, and their
job is to keep a bad situation from getting worse.
https://www.cybersecuritydive.com/news/success-failing-less-cybersecurity/714372/
Licensed to Bill? Nations Mandate Certification & Licensure of
Cybersecurity Pros - Malaysia, Singapore, and Ghana are among the
first countries to pass laws that require cybersecurity firms - and
in some cases, individual consultants - to obtain licenses to do
business, but concerns remain.
https://www.darkreading.com/cyber-risk/licensed-to-bill-nations-mandate-certification-licensure-of-cybersecurity-pros
CISA Announces Winners of the 5th Annual President’s Cup
Cybersecurity Competition - The Cybersecurity and Infrastructure
Security Agency (CISA) hosted the final round of the fifth annual
President’s Cup Cybersecurity Competition this week and announced
the winners today of the three competitions.
https://www.cisa.gov/news-events/news/cisa-announces-winners-5th-annual-presidents-cup-cybersecurity-competition
FTC broadens health breach notification rule - Regulators have been
pursuing more enforcement actions against health apps sharing
consumers’ data. Friday’s final rule should give those actions more
heft.
https://www.cybersecuritydive.com/news/ftc-final-health-breach-notification-rule-apps/714591/
FCC fines carriers $200 million for illegally sharing user location
- The Federal Communications Commission (FCC) has fined the largest
U.S. wireless carriers almost $200 million for sharing their
customers' real-time location data without their consent.
https://www.bleepingcomputer.com/news/technology/fcc-fines-carriers-200-million-for-illegally-sharing-user-location/
UK lays down fresh legislation banning crummy default device
passwords - Smart device manufacturers will have to play by new
rules in the UK as of today, with laws coming into force to make it
more difficult for cybercriminals to break into hardware such as
phones and tablets.
https://www.theregister.com/2024/04/29/uk_lays_password_legislation/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT &
LOSS:
Siemens Industrial Product Impacted by Exploited Palo Alto Firewall
Vulnerability - The recently disclosed Palo Alto Networks firewall
vulnerability tracked as CVE-2024-3400, which has been exploited in
attacks for at least one month, has been found to impact one of
Siemens’ industrial products.
https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/
Plasma donation company Octapharma slowly reopening as BlackSuit
gang claims attack - The plasma donation company Octapharma has
begun to reopen some of its 180 centers around the world following a
ransomware attack that forced it to shut down operations for nearly
a week.
https://therecord.media/plasma-donation-company-cyberattack-blacksuit
LA County Health Services: Patients' data exposed in phishing attack
- The Los Angeles County Department of Health Services disclosed a
data breach after thousands of patients' personal and health
information was exposed in a data breach resulting from a recent
phishing attack impacting over two dozen employees.
https://www.bleepingcomputer.com/news/security/la-county-health-services-thousands-of-patients-data-exposed-in-email-breach/
Kaiser Permanente notifies 13.4M patients of potential data exposure
- Kaiser Permanente informed 13.4 million current and former members
and patients who accessed its websites and mobile apps that certain
online tracking technologies may have transmitted personal
information to third-party vendors Google, Microsoft Bing, and X
when members accessed those websites or apps.
https://www.scmagazine.com/news/kaiser-permanente-notifies-134m-patients-of-potential-data-exposure
https://www.securityweek.com/kaiser-permanente-discloses-data-breach-impacting-13-4-million-patients/
London Drugs closes all of its pharmacies following 'cybersecurity
incident' - Canadian pharmacy chain London Drugs closed all of its
stores over the weekend until further notice following a
"cybersecurity incident."
https://www.theregister.com/2024/04/29/canada_london_drugs/
Collection Agency FBCS Says Data Breach Exposed Nearly 2 million
People - Debt collection agency Financial Business and Consumer
Solutions (FBCS) is notifying roughly 2 million individuals that
their personal information was compromised in a recent data breach.
https://www.securityweek.com/2-million-impacted-by-data-breach-at-debt-collector-fbcs/
Voter Registration System Taken Offline in Coffee County
Cyber-Incident - Coffee County in the US State of Georgia has been
hit by a cyber-incident, reportedly leading to its connection to the
state’s voter registration system being severed.
https://www.infosecurity-magazine.com/news/voter-registration-offline-coffee/
Change Healthcare, compromised by stolen credentials, did not have
MFA turned on - AlphV deployed ransomware nine days after it used
access to a Citrix portal on Change’s network to move laterally
within systems, CEO Andrew Witty said in testimony prepared for a
House subcommittee.
https://www.cybersecuritydive.com/news/change-healthcare-compromised-credentials-no-mfa/714792/
Verizon’s 2024 Data Breach Investigations Report: 5 key takeaways -
Verizon published its 2024 Data Breach Investigations Report (DBIR)
Wednesday, highlighting the interplay between actions and attack
vectors that provide the initial pathway for breaches.
https://www.scmagazine.com/news/verizons-2024-data-breach-investigations-report-5-key-takeaways
Every Dropbox Sign user, account holders or not, stung in
cyberattack - An attacker intruded the electronic signature
platform’s production environment and accessed a trove of user data,
including OAuth tokens.
https://www.cybersecuritydive.com/news/dropbox-sign-cyberattack/714999/
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We
continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board
and Management Oversight - Principle
13: Banks should have effective capacity, business continuity and
contingency planning processes to help ensure the availability of
e-banking systems and services.
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with customer expectations. To achieve this, the
bank must have the ability to deliver e-banking services to
end-users from either primary (e.g. internal bank systems and
applications) or secondary sources (e.g. systems and applications of
service providers). The maintenance of adequate availability is also
dependent upon the ability of contingency back-up systems to
mitigate denial of service attacks or other events that may
potentially cause business disruption.
The challenge to maintain continued availability of e-banking
systems and applications can be considerable given the potential for
high transaction demand, especially during peak time periods. In
addition, high customer expectations regarding short transaction
processing cycle times and constant availability (24 X 7) has also
increased the importance of sound capacity, business continuity and
contingency planning. To provide customers with the continuity of
e-banking services that they expect, banks need to ensure that:
1) Current e-banking system capacity and future scalability are
analyzed in light of the overall market dynamics for e-commerce and
the projected rate of customer acceptance of e-banking products and
services.
2) E-banking transaction processing capacity estimates are
established, stress tested and periodically reviewed.
3) Appropriate business continuity and contingency plans for
critical e-banking processing and delivery systems are in place and
regularly tested.
Return to
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Biometrics
(Part 1 of 2)
Biometrics can be implemented in many forms, including tokens.
Biometrics verifies the identity of the user by reference to unique
physical or behavioral characteristics. A physical characteristic
can be a thumbprint or iris pattern. A behavioral characteristic is
the unique pattern of key depression strength and pauses made on a
keyboard when a user types a phrase. The strength of biometrics is
related to the uniqueness of the physical characteristic selected
for verification. Biometric technologies assign data values to the
particular characteristics associated with a certain feature. For
example, the iris typically provides many more characteristics to
store and compare, making it more unique than facial
characteristics. Unlike other authentication mechanisms, a biometric
authenticator does not rely on a user's memory or possession of a
token to be effective. Additional strengths are that biometrics do
not rely on people to keep their biometric secret or physically
secure their biometric. Biometrics is the only authentication
methodology with these advantages.
Enrollment is a critical process for the use of biometric
authentication. The user's physical characteristics must be reliably
recorded. Reliability may require several samples of the
characteristic and a recording device free of lint, dirt, or other
interference. The enrollment device must be physically secure from
tampering and unauthorized use.
When enrolled, the user's biometric is stored as a template.
Subsequent authentication is accomplished by comparing a submitted
biometric against the template, with results based on probability
and statistical confidence levels. Practical usage of biometric
solutions requires consideration of how precise systems must be for
positive identification and authentication. More precise solutions
increase the chances a person is falsely rejected. Conversely, less
precise solutions can result in the wrong person being identified or
authenticated as a valid user (i.e., false acceptance rate). The
equal error rate (EER) is a composite rating that considers the
false rejection and false acceptance rates. Lower EERs mean more
consistent operations. However, EER is typically based upon
laboratory testing and may not be indicative of actual results due
to factors that can include the consistency of biometric readers to
capture data over time, variations in how a user presents their
biometric sample (e.g., occasionally pressing harder on a finger
scanner), and environmental factors.
Return to the top of the newsletter
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National
Institute of Standards and Technology (NIST) Handbook.
Chapter 9 - Assurance
9.3
Design and Implementation Assurance
Design and implementation assurance addresses whether the features
of a system, application, or component meets security requirements
and specifications and whether they are they are well designed and
well built. Design and implementation assurance examines system
design, development, and installation. Design and implementation
assurance is usually associated with the development/acquisition and
implementation phase of the system life cycle; however, it should
also be considered throughout the life cycle as the system is
modified.
As stated earlier, assurance can address whether the product or
system meets a set of security specifications, or it can provide
other evidence of quality. This section outlines the major methods
for obtaining design and implementation assurance.
Design and implementation assurance should be examined from two
points of view: the component and the system. Component assurance
looks at the security of a specific product or system component,
such as an operating system, application, security add-on, or
telecommunications module. System assurance looks at the security of
the entire system, including the interaction between products and
modules.
9.3.1 Testing and Certification
Testing can address the quality of the system as built, as
implemented, or as operated. Thus, it can be performed throughout
the development cycle, after system installation, and throughout its
operational phase. Some common testing techniques include functional
testing (to see if a given function works according to its
requirements) or penetration testing (to see if security can be
bypassed). These techniques can range from trying several test cases
to in-depth studies using metrics, automated tools, or multiple
detailed test cases.
Certification is a formal process for testing components or systems
against a specified set of security requirements. Certification is
normally performed by an independent reviewer, rather than one
involved in building the system. Certification is more often
cost-effective for complex or high-risk systems. Less formal
security testing can be used for lower-risk systems. Certification
can be performed at many stages of the system design and
implementation process and can take place in a laboratory, operating
environment, or both. |
