MISCELLANEOUS CYBERSECURITY NEWS:
US govt launches cybersecurity safety label for smart devices -
Today, the White House announced the launch of the U.S. Cyber Trust
Mark, a new cybersecurity safety label for internet-connected
consumer devices.
https://www.bleepingcomputer.com/news/security/us-govt-launches-cybersecurity-safety-label-for-smart-devices/
Misconfigured license plate readers are leaking data and video in
real time - In just 20 minutes this morning, an automated
license-plate-recognition (ALPR) system in Nashville, Tennessee,
captured photographs and detailed information from nearly 1,000
vehicles as they passed by.
https://arstechnica.com/security/2025/01/misconfigured-license-plate-readers-are-leaking-data-and-video-in-real-time/
Consumers are becoming apathetic to cyber incidents, research finds
- Despite an increase in cyber incidents, breaches had less impact
on consumer trust in 2024.
https://www.cybersecuritydive.com/news/consumer-trust-cyber-incident-data-breach/737145/
Pastor indicted for Christian-themed cryptocurrency pyramid scam - A
church pastor is facing more than two dozen criminal charges in
connection with a cryptocurrency pyramid scheme.
https://www.scworld.com/news/pastor-indicted-for-christian-themed-cryptocurrency-pyramid-scam
HIPAA Updates Loom as Healthcare Breaches Boom: Prevent and Protect
with Microsegmentation - In a landmark move, the U.S. Department of
Health and Human Services (HHS) has issued a new proposal to
strengthen the HIPAA Security Rule, calling for stringent
cybersecurity measures to protect electronic protected health
information (ePHI).
https://www.scworld.com/perspective/hippa-updates-loom-as-healthcare-breaches-boom-prevent-and-protect-with-microsegmentation
Cyber disruptions remain top business risk concern in US, globally -
A report shows the global disruption caused by CrowdStrike’s IT
mishap added to longtime concerns about data breaches and ransomware.
https://www.cybersecuritydive.com/news/cyber-business-risk-us-globally/737447/
The double-edged sword of AI in cybersecurity: driving efficiency
gains, meeting compliance requirements and navigating greater risk -
The cyber threat landscape is constantly evolving, but one thing
remains consistent - cyber threats are rising, and so is their price
tag. Industry analysts predicted cybercrime damage to cost $9.5
trillion in 2024, more than triple what it was less than a decade
ago.
https://www.cybersecuritydive.com/spons/the-double-edged-sword-of-ai-in-cybersecurity-driving-efficiency-gains-me/736239/
Four take guilty pleas in US government IT bribery scam - Four
people pled guilty to offering and accepting bribes to government
officials in exchange for IT service contracts.
https://www.scworld.com/news/four-take-guilty-pleas-in-us-government-it-bribery-scam
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
PowerSchool data breach possibly exposed student, staff data - The
cloud-based K-12 software provider confirmed a compromised
credential was used to access its PowerSource customer support
portal.
https://www.cybersecuritydive.com/news/powerschool-data-breach/737024/
Chinese hackers breach office that reviews foreign investments in US
- U.S. officials on Jan. 10 said that as part of the recent
cyberattack on the Treasury Department, Chinese hackers breached an
interagency government office that reviews foreign investments for
national security risks, according to CNN.
https://www.scworld.com/news/chinese-hackers-breach-office-that-reviews-foreign-investments-in-us
Medical Billing Firm Medusind Says Data Breach Impacts 360,000
People - Florida-based medical and dental billing and revenue cycle
management company Medusind has revealed that a data breach
discovered in December 2023 impacts over 360,000 individuals.
https://www.securityweek.com/medical-billing-firm-medusind-says-data-breach-impacts-360000-people/
Casio says data of 8,500 people exposed in October ransomware attack
- Japanese electronics manufacturer Casio says that the October 2024
ransomware incident exposed the personal data of approximately 8,500
people.
https://www.bleepingcomputer.com/news/security/casio-says-data-of-8-500-people-exposed-in-october-ransomware-attack/
Hack of Rhode Island social services platform impacted at least 709K,
officials say - State officials received reports from Deloitte and a
third-party forensic firm showing the threat to the database has
been mitigated and restoration efforts are underway.
https://www.cybersecuritydive.com/news/rhode-island-social-services-breach-709k/737111/
Infostealer Infections Lead to Telefonica Ticketing System Breach -
Information stealer malware allowed threat actors to compromise the
credentials of multiple Telefonica employees and access the
telecommunication giant’s internal ticketing system.
https://www.securityweek.com/infostealer-infections-lead-to-telefonica-internal-ticketing-system-breach/
UN aviation agency ICAO confirms its recruitment database was hacked
- The International Civil Aviation Organization (ICAO), a part of
the United Nations, confirmed on Wednesday a hack of its recruitment
systems involving the compromise of more than 40,000 records
containing personal information.
https://therecord.media/icao-un-confirms-recruitment-systems-data-breach
Slovakia’s land registry hit by biggest cyberattack in country’s
history, minister says - A cyberattack that hit Slovakia’s land
registry earlier this week was the biggest in the country’s history,
the minister of agriculture said on Friday.
https://therecord.media/slovakia-registry-cyberattack-land-agriculture
Chinese cyber-spies peek over shoulder of officials probing
real-estate deals near American military bases - Chinese cyber-spies
who broke into the US Treasury Department also stole documents from
officials investigating real-estate sales near American military
bases, it's reported.
https://www.theregister.com/2025/01/10/china_treasury_foreign_investment/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Some considerations for contracting with service providers are
discussed below. This listing is not all-inclusive and the
institution may need to evaluate other considerations based on its
unique circumstances. The level of detail and relative importance of
contract provisions varies with the scope and risks of the services
outsourced.
Scope of Service
The contract should clearly describe the rights and responsibilities
of parties to the contract.
Considerations include:
• Timeframes and activities for implementation and assignment of responsibility.
Implementation provisions should take into consideration other
existing systems or interrelated systems to be developed by
different service providers (e.g., an Internet banking system
being integrated with existing core applications or systems
customization).
• Services to be performed by the service provider including
duties such as software support and maintenance, training of
employees or customer service.
• Obligations of the financial institution.
• The contracting parties’ rights in modifying existing services
performed under the contract.
• Guidelines for adding new or different services and for
contract re-negotiation.
Performance Standards
Institutions should generally include performance standards defining
minimum service level requirements and remedies for failure to meet
standards in the contract. For example, common service level metrics
include percent system uptime, deadlines for completing batch
processing, or number of processing errors. Industry standards for
service levels may provide a reference point. The institution should
periodically review overall performance standards to ensure
consistency with its goals and objectives.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE
Financial institution system development, acquisition, and
maintenance functions should incorporate agreed upon security
controls into software prior to development and implementation.
Management should integrate consideration of security controls into
each phase of the system development process. For the purposes of
this section, system development could include the internal
development of customized systems, the creation of database systems,
or the acquisition of third-party developed software. System
development could include long-term projects related to large
mainframe-based software projects with legacy source code or rapid
Web-based software projects using fourth-generation programming. In
all cases, institutions need to prioritize security controls
appropriately.
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Requirements
Financial institutions should develop security control
requirements for new systems, system revisions, or new system
acquisitions. Management will define the security control
requirements based on their risk assessment process evaluating the
value of the information at risk and the potential impact of
unauthorized access or damage. Based on the risks posed by the
system, management may use a defined methodology for determining
security requirements, such as ISO 15408, the Common Criteria.
Management may also refer to published, widely recognized industry
standards as a baseline for establishing their security
requirements. A member of senior management should document
acceptance of the security requirements for each new system or
system acquisition, acceptance of tests against the requirements,
and approval for implementing in a production environment.
Development projects should consider automated controls for
incorporation into the application and the need to determine
supporting manual controls. Financial institutions can implement
appropriate security controls with greater cost effectiveness by
designing them into the original software rather than making
subsequent changes after implementation. When evaluating purchased
software, financial institutions should consider the availability of
products that have either been independently evaluated or received
security accreditation through financial institution or information
technology-related industry groups.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
12.2.1 Defining the Constituency to Be Served
The constituency includes computer users and program managers. Like
any other customer-vendor relationship, the constituency will tend
to take advantage of the capability if the services rendered are
valuable.
The constituency is not always the entire organization. For
example, an organization may use several types of computers and
networks but may decide that its incident handling capability is
cost-justified only for its personal computer users. In doing so,
the organization may have determined that computer viruses pose a
much larger risk than other malicious technical threats on other
platforms. Or, a large organization composed of several sites may
decide that current computer security efforts at some sites do not
require an incident handling capability, whereas other sites do
(perhaps because of the criticality of processing).
The focus of a computer security incident handling capability may
be external as well as internal. An incident that affects an
organization may also affect its trading partners, contractors, or
clients. In addition, an organization's computer security incident
handling capability may be able to help other organizations and,
therefore, help protect the community as a whole.
12.2.2 Educated Constituency
Users need to know about, accept, and trust the incident handling
capability or it will not be used. Through training and awareness
programs, users can become knowledgeable about the existence of the
capability and how to recognize and report incidents. Users' trust in
the value of the service will build with reliable performance.
12.2.3 Centralized Reporting and Communications
Successful incident handling requires that users be able to report
incidents to the incident handling team in a convenient,
straightforward fashion; this is referred to as centralized
reporting. A successful incident handling capability depends on
timely reporting. If it is difficult or time consuming to report
incidents, the incident handling capability may not be fully used.
Usually, some form of a hotline, backed up by pagers, works well.
Centralized communications is very useful for accessing or
distributing information relevant to the incident handling effort.
For example, if users are linked together via a network, the
incident handling capability can then use the network to send out
timely announcements and other information. Users can take advantage
of the network to retrieve security information stored on servers
and communicate with the incident response team via e-mail.
Managers need to know details about incidents, including who
discovered them and how, so that they can prevent similar incidents
in the future. However, users will not be forthcoming if they fear
reprisal or that they will become scapegoats. Organizations may need
to offer incentives to employees for reporting incidents and offer
guarantees against reprisal or other adverse actions. It may also be
useful to consider anonymous reporting.