THANK YOU - Because of your help, more than 2,900 subscribers read our e-newsletters each week. Further, our web sites had over 300,000 hits a year. Our web site audit and vulnerability-penetration testing clients are located in 42 states.
Your comments and suggestions are always welcome. Please let us know how we can serve your Internet security needs.
Thank you, Yennik, Inc., R. Kinney Williams.
MISCELLANEOUS CYBERSECURITY NEWS:
US prohibits Chinese tech equipment sales over security risk - Threats to national security have prompted the U.S. Federal Communications Commission to ban sales or imports of equipment from Chinese telecommunications firms Huawei Technologies, ZTE, and Hytera Communications, as well as Chinese surveillance manufacturers Dahua Technology and Hangzhou Hikvision Digital Technology, according to Reuters.
https://www.scmagazine.com/brief/device-security/us-prohibits-chinese-tech-equipment-sales-over-security-risk
Security leaders need to look beyond ‘retention’ - Security teams
continue to face shortages, and that leads to headlines suggesting
companies need to focus on retaining the talent they have.
https://www.scmagazine.com/perspective/leadership/security-leaders-need-to-look-beyond-retention
Telltale signs of a network compromise: A step-by-step analysis - If
organizations are ever going to effectively manage cybersecurity
risks, especially from modern APT-style attacks, security managers
and analysts must be able to spot attackers lurking within the blind
spots created by today's complex multi-cloud environments.
https://www.scmagazine.com/resource/network-security/telltale-signs-of-a-network-compromise-a-step-by-step-analysis
US Defense Department Releases Zero Trust Strategy and Roadmap - Our
adversaries are in our networks, exfiltrating our data, and
exploiting the Department’s users. The rapid growth of these
offensive threats emphasizes the need for the Department of Defense
(DoD) to adapt and significantly improve our deterrence strategies
and cybersecurity implementations.
https://www.defense.gov/News/Releases/Release/Article/3225919/department-of-defense-releases-zero-trust-strategy-and-roadmap/
https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf
Security, ESG are the top two risks for corporate audit
professionals - The tax professional services reported on Tuesday
that while cybersecurity continues as the No. 1 risk among audit
professionals, environmental, social and governance (ESG) jumped up
to No. 2 on the list of emerging risks.
https://www.scmagazine.com/news/privacy/security-esg-are-the-top-two-risks-for-corporate-audit-professionals
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Massive Twitter data breach affects over 5.4 million accounts - A
Twitter data breach reported earlier this year that affected more
than five million users is worse than initially thought.
https://www.scmagazine.com/analysis/cybercrime/massive-twitter-data-breach-affects-over-5-4-million-accounts
Pixel fallout expands: Community Health informs 1.5M of unauthorized
disclosure - Community Health Network recently informed 1.5 million
of its patients that its use of the Meta Pixel tracking tool led to
the unauthorized disclosure of their health information to the
social media giant.
https://www.scmagazine.com/analysis/breach/pixel-fallout-expands-community-health-informs-1-5m-of-unauthorized-disclosure
European Parliament Putin things back together after cyber attack -
DDoS started not long after Russia was declared a state sponsor of
terrorism - The European Parliament has experienced a cyber attack
that started not long after it declared Russia to be a state sponsor
of terrorism.
https://www.theregister.com/2022/11/24/european_parliament_russia_ddos/
Belgian Police Under Fire After Major Ransomware Leak - A notorious
ransomware group has begun leaking highly sensitive data it stole
from Belgian police, in what is being described as one of the
biggest breaches of its kind in the country.
https://www.infosecurity-magazine.com/news/belgian-police-under-fire-major/
Password app LastPass hit by cybersecurity breach but says data
remains safe - Password manager LastPass has told customers that
some of their information has been accessed in a cybersecurity
breach, but says passwords remain safe.
https://www.techspot.com/news/96820-lastpass-customer-data-exposed-data-breach.html
https://www.theguardian.com/technology/2022/dec/01/password-app-lastpass-hit-by-cybersecurity-breach-but-says-data-remains-safe
WEB SITE COMPLIANCE -
We begin this week reviewing the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 1 of 10)
A. RISK DISCUSSION
Introduction
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in distinguishing whether the financial institution or the linked third party is offering products and services;
- customer dissatisfaction with the quality of products or services obtained from a third party; and
- customer confusion as to whether certain regulatory protections apply to third-party products or services.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 2 of 2)
Successful implementation of any response policy
and procedure requires the assignment of responsibilities and
training. Some organizations formalize the response organization
with the creation of a computer security incident response team
(CSIRT). The CSIRT is typically tasked with performing,
coordinating, and supporting responses to security incidents. Due to
the wide range of non-technical issues that are posed by an
intrusion, typical CSIRT membership includes individuals with a wide
range of backgrounds and expertise, from many different areas within
the institution. Those areas include management, legal, public
relations, as well as information technology. Other organizations
may outsource some of the CSIRT functions, such as forensic
examinations. When CSIRT functions are outsourced, institutions
should ensure that their institution's policies are followed by the
service provider and confidentiality of data and systems are
maintained.
Institutions can best assess the adequacy of their preparations
through testing.
While containment strategies between institutions can vary, they
typically contain the following broad elements:
! Isolation of compromised systems, or enhanced monitoring of
intruder activities;
! Search for additional compromised systems;
! Collection and preservation of evidence; and
! Communication with affected parties, the primary regulator, and
law enforcement.
Restoration strategies should address the following:
! Elimination of an intruder's means of access;
! Restoration of systems, programs and data to known good state;
! Filing of a Suspicious Activity Report (Guidelines for filing
are included in individual agency guidance); and
! Communication with affected parties.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)
20.5.1 Vulnerabilities Related to Payroll Fraud
Falsified Time Sheets
The primary safeguards
against falsified time sheets are review and approval by supervisory
personnel, who are not permitted to approve their own time and
attendance data. The risk assessment has concluded that, while
imperfect, these safeguards are adequate. The related requirement
that a clerk and a supervisor must cooperate closely in creating
time and attendance data and submitting the data to the mainframe
also safeguards against other kinds of illicit manipulation of time
and attendance data by clerks or supervisors acting independently.
Unauthorized Access
When a PC user enters a
password to the server during I&A, the password is sent to the
server by broadcasting it over the LAN "in the clear." This allows
the password to be intercepted easily by any other PC connected to
the LAN. In fact, so-called "password sniffer" programs that capture
passwords in this way are widely available. Similarly, a malicious
program planted on a PC could also intercept passwords before
transmitting them to the server. An unauthorized individual who
obtained the captured passwords could then run the time and
attendance application in place of a clerk or supervisor. Users
might also store passwords in a log-on script file.
Bogus Time and Attendance Applications
The server's access
controls are probably adequate for protection against bogus time and
attendance applications that run on the server. However, the
server's operating system and access controls have only been in
widespread use for a few years and contain a number of
security-related bugs. And the server's access controls are
ineffective if not properly configured, and the administration of
the server's security features in the past has been notably lax.
Unauthorized Modification of Time and Attendance Data
Protection against
unauthorized modification of time and attendance data requires a
variety of safeguards because each system component on which the
data are stored or transmitted is a potential source of
vulnerabilities.
First, the time and
attendance data are entered on the server by a clerk. On occasion,
the clerk may begin data entry late in the afternoon, and complete
it the following morning, storing it in a temporary file between the
two sessions. One way to avoid unauthorized modification is to store
the data on a diskette and lock it up overnight. After being
entered, the data will be stored in another temporary file until
reviewed and approved by a supervisor. These files, now stored on
the system, must be protected against tampering. As before, the
server's access controls, if reliable and properly configured, can
provide such protection (as can digital signatures, as discussed
later) in conjunction with proper auditing.
Second, when the
Supervisor approves a batch of time and attendance data, the time
and attendance application sends the data over the WAN to the
mainframe. The WAN is a collection of communications equipment and
special-purpose computers called "switches" that act as relays,
routing information through the network from source to destination.
Each switch is a potential site at which the time and attendance
data may be fraudulently modified. For example, an HGA PC user might
be able to intercept time and attendance data and modify the data
en route to the payroll application on the mainframe. Opportunities
include tampering with incomplete time and attendance input files
while stored on the server, interception and tampering during WAN
transit, or tampering on arrival to the mainframe prior to
processing by the payroll application.
Third, on arrival at
the mainframe, the time and attendance data are held in a temporary
file on the mainframe until the payroll application is run.
Consequently, the mainframe's I&A and access controls must provide a
critical element of protection against unauthorized modification of
the data.
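The second and third points above (tampering at a WAN switch, or in the temporary file on the mainframe before the payroll run) are the cases where the handbook says digital signatures, discussed later in the chapter, can complement access controls. As an added illustration that is not part of the NIST handbook and not code from any HGA system, the Go program below signs a constructed time and attendance batch with an Ed25519 key at supervisor approval time and verifies it in the payroll application before processing. The batch format, field names, batch identifier, employee identifiers and hours are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"sort"
)

// Record is one employee's time and attendance entry for a pay period.
// The field names are assumptions for this example; the handbook defines no format.
type Record struct {
	EmployeeID string  `json:"employee_id"`
	Hours      float64 `json:"hours"`
}

// Batch is the unit a supervisor approves and the application forwards to the mainframe.
type Batch struct {
	BatchID   string   `json:"batch_id"`
	PayPeriod string   `json:"pay_period"`
	Records   []Record `json:"records"`
}

// canonical serialises a batch deterministically (records sorted by employee)
// so signer and verifier always hash identical bytes, even if a relay or the
// application reorders the records in transit.
func canonical(b Batch) ([]byte, error) {
	recs := append([]Record(nil), b.Records...)
	sort.Slice(recs, func(i, j int) bool { return recs[i].EmployeeID < recs[j].EmployeeID })
	return json.Marshal(Batch{BatchID: b.BatchID, PayPeriod: b.PayPeriod, Records: recs})
}

// Approve runs on the supervisor's side at approval time and returns the
// signature that travels with the batch across the WAN.
func Approve(priv ed25519.PrivateKey, b Batch) ([]byte, error) {
	msg, err := canonical(b)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify runs in the payroll application on the mainframe before the batch is
// processed; any change at a switch, on the server, or in the mainframe's
// temporary file makes it return false.
func Verify(pub ed25519.PublicKey, b Batch, sig []byte) bool {
	msg, err := canonical(b)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// DemoResult reports how the three scenarios in Demo verify.
type DemoResult struct {
	Genuine   bool // batch exactly as approved
	Reordered bool // same records, different order (benign, should verify)
	Tampered  bool // hours altered en route (must fail)
}

// Demo signs a constructed sample batch and verifies it under three scenarios.
func Demo() (DemoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	// Constructed sample data; the identifiers and hours are made up for this example.
	approved := Batch{
		BatchID:   "HGA-TA-0042",
		PayPeriod: "2022-11-2",
		Records: []Record{
			{EmployeeID: "E1001", Hours: 80},
			{EmployeeID: "E1002", Hours: 72.5},
		},
	}
	sig, err := Approve(priv, approved)
	if err != nil {
		return DemoResult{}, err
	}

	reordered := approved
	reordered.Records = []Record{approved.Records[1], approved.Records[0]}

	tampered := approved
	tampered.Records = append([]Record(nil), approved.Records...)
	tampered.Records[0].Hours = 400 // altered "at a switch" en route to the mainframe

	return DemoResult{
		Genuine:   Verify(pub, approved, sig),
		Reordered: Verify(pub, reordered, sig),
		Tampered:  Verify(pub, tampered, sig),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v reordered=%v tampered=%v\n", r.Genuine, r.Reordered, r.Tampered)
}
```

The canonical serialisation is the part that matters in practice: the mainframe must hash exactly the bytes the supervisor signed, so records are sorted both before signing and before verifying, which is why the reordered batch still passes while the batch with altered hours does not. The signature covers integrity and ties the batch to the holder of the approval key; it does not provide confidentiality, and the access controls and auditing the handbook describes are still needed to protect the approval key and the files around it.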
According to the risk
assessment, the server's access controls, with prior caveats,
probably provide acceptable protection against unauthorized
modification of data stored on the server. The assessment concluded
that a WAN-based attack involving collusion between an employee of
HGA and an employee of the WAN service provider, although unlikely,
should not be dismissed entirely, especially since HGA has only
cursory information about the service provider's personnel security
practices and no contractual authority over how it operates the WAN.
The greatest source of
vulnerabilities, however, is the mainframe. Although its operating
system's access controls are mature and powerful, it uses
password-based I&A. This is of particular concern, because it serves
a large number of federal agencies via WAN connections. A number of
these agencies are known to have poor security programs. As a
result, one such agency's systems could be penetrated (e.g., from
the Internet) and then used in attacks on the mainframe via the WAN.
In fact, time and attendance data awaiting processing on the
mainframe would probably not be as attractive a target to an
attacker as other kinds of data or, indeed, disabling the system,
rendering it unavailable. For example, an attacker might be able to
modify the employee database so that it disbursed paychecks or
pension checks to fictitious employees. Disclosure-sensitive law
enforcement databases might also be attractive targets.
The access control on
the mainframe is strong and provides good protection against
intruders breaking into a second application after they have broken
into a first. However, previous audits have shown that the
difficulties of system administration may present some opportunities
for intruders to defeat access controls.