|
MISCELLANEOUS CYBERSECURITY NEWS:
CISA resource looks to help high-risk groups thwart cyberattacks -
The DHS’s Cybersecurity and Infrastructure Security Agency released
guidance on Tuesday to assist activists, journalists, human rights
workers, academics and others affiliated with civil society groups
that may face cyberthreats.
https://www.nextgov.com/cybersecurity/2024/04/cisa-resource-looks-help-high-risk-groups-thwart-cyberattacks/395409/
Are ransomware attacks declining in 2024? Depends who you ask -
There’s no question ransomware remains a top threat for businesses
and organizations around the world and across many sectors – but
with recent shakeups including the government takedown of LockBit
and apparent exit of ALPHV/BlackCat, are ransomware attacks actually
declining in 2024?
https://www.scmagazine.com/news/are-ransomware-attacks-declining-in-2024-depends-who-you-ask
Microsoft’s Security Chickens Have Come Home to Roost - There were
dark patterns everywhere. For years, we collectively groaned and
rolled our eyes as Microsoft shipped faulty and incomplete patches,
gutted its Patch Tuesday bulletins into irrelevance, fought with
hackers reporting security problems, and made baffling trade-offs
around cybersecurity transparency.
https://www.securityweek.com/microsofts-security-chickens-have-come-home-to-roost/
Health sector help desks duped by social engineering scams, HHS
warns - Healthcare and public health organizations have been warned
that hackers are attempting to breach their systems using a
sophisticated social-engineering scam targeting IT help desk staff.
https://www.scmagazine.com/news/health-sector-help-desks-duped-by-social-engineering-scams-hhs-warns
CISO role shows significant gains amid corporate recognition of
cyber risk - A report from Moody’s Ratings shows CISOs and other
senior-level cyber executives have become key decision makers within
the C-suite.
https://www.cybersecuritydive.com/news/ciso-gains-corporate-cyber-risk/712684/
Sweeping bipartisan comprehensive data privacy bill to be introduced
by congressional leaders - A comprehensive data privacy bill
unveiled Sunday would offer historic privacy protections and appears
to have momentum on both sides of the aisle.
https://therecord.media/sweeping-bipartisan-privacy-bill-to-be-introduced-congress
German state ditches Microsoft for Linux and LibreOffice - Why?
Schleswig-Holstein cites cost, security, and digital sovereignty -
though not necessarily in that order. Thanks to hardware vendors
working hand-in-glove with Microsoft, many people never realize
there are alternatives to Windows and Office.
https://www.zdnet.com/article/german-state-ditches-microsoft-for-linux-and-libreoffice/
Healthcare IT Help Desk Employees Targeted in Payment-Hijacking
Attack - Threat actors are targeting IT help desk employees at
healthcare and public health (HPH) organizations to gain access to
corporate networks and divert payments, the US Department of Health
warns.
https://www.securityweek.com/healthcare-it-help-desk-employees-targeted-in-payment-hijacking-attacks/
What’s going on with the National Vulnerability Database? - CVE
overload and a lengthy backlog has meant the federal government’s
repository of vulnerability data can’t keep up with today’s threat
landscape.
https://www.cybersecuritydive.com/news/nist-national-vulnerability-database/712826/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT &
LOSS:
Ivanti promises to address its bug problem after security failures -
After spending months grappling with a string of gateway appliance
security failures, Ivanti has vowed to reengineer its processes to
harden its products against increasingly persistent attackers.
https://www.scmagazine.com/news/ivanti-promises-to-address-its-bug-problem-after-security-failures
Omni Hotels confirms cyberattack behind ongoing IT outage - Omni
Hotels & Resorts has confirmed a cyberattack caused a nationwide IT
outage that is still affecting its locations.
https://www.bleepingcomputer.com/news/security/omni-hotels-confirms-cyberattack-behind-ongoing-it-outage/
Jackson County in state of emergency after ransomware attack -
Jackson County, Missouri, is in a state of emergency after a
ransomware attack took down some county services on Tuesday.
https://www.bleepingcomputer.com/news/security/jackson-county-in-state-of-emergency-after-ransomware-attack/
US Cancer Center Data Breach Impacting 800,000 - Cancer treatment
and research center City of Hope this week started notifying over
800,000 individuals that their personal and health information was
compromised in a data breach.
https://www.securityweek.com/us-cancer-center-data-breach-impacting-800000/
Red Hat warns of backoor in widely used Linux utility - With a CVSS
of 10, CISA urged users and developers to downgrade to an
uncompromised version, search for any malicious activity and report
findings back to the agency.
https://www.cybersecuritydive.com/news/red-hat-warning-malicious-backdoor/711875/
Omni Hotels blames cyberattack for widespread tech outages - Omni
Hotels & Resorts said a cyberattack was responsible for disruptions
to systems that caused chaos across its 50 upmarket properties over
the busy Easter period.
https://www.scmagazine.com/news/omni-hotels-blames-cyberattack-for-widespread-tech-outages
Home Depot confirms data breach via third-party vendor - Home Depot
on April 8 confirmed to SC Media that a third-party
software-as-a-service (SaaS) vendor had made public some employee
data and that they had, in effect, been breached.
https://www.scmagazine.com/news/home-depot-confirms-data-breach-via-third-party-vendor
Prudential Financial: February incident exposed data of nearly 37K
customers - Prudential Financial disclosed that 36,545 individuals
had personal information stolen in an early February breach that was
claimed by ALPHV/BlackCat, the group also responsible for the Change
Healthcare ransomware attack.
https://www.scmagazine.com/news/prudential-financial-february-incident-exposed-data-of-nearly-37k-customers
Acuity confirms hackers stole non-sensitive govt data from GitHub
repos - Acuity, a federal contractor that works with U.S. government
agencies, has confirmed that hackers breached its GitHub
repositories and stole documents containing old and non-sensitive
data.
https://www.bleepingcomputer.com/news/security/acuity-confirms-hackers-stole-non-sensitive-govt-data-from-github-repos/
World's second-largest eyeglass lens-maker blinded by infosec
incident - If ever there was an incident that brings the need for
good infosec into sharp focus, this is the one: Japan's Hoya – a
maker of eyeglass and contact lenses, plus kit used to make
semiconductor manufacturing, flat panel displays, and hard disk
drives – has halted some production and sales activity after
experiencing an attack on its IT systems.
https://www.theregister.com/2024/04/05/hoya_infosec_incident/
Home Depot confirms third-party data breach exposed employee info -
Home Depot has confirmed that it suffered a data breach after one of
its SaaS vendors mistakenly exposed a small sample of limited
employee data, which could potentially be used in targeted phishing
attacks.
https://www.bleepingcomputer.com/news/security/home-depot-confirms-third-party-data-breach-exposed-employee-info/
DOJ data on 341,000 people leaked in cyberattack on consulting firm
- Medicare and other information belonging to 341,000 people was
leaked after a consulting firm working with the Department of
Justice was hacked.
https://therecord.media/doj-data-leaked-in-attack-on-consulting-firm
Russian hackers breached, sabotaged Texas water treatment plant,
cyber firm says - Group with possible ties to Kremlin military
hackers infiltrated a Texas water facility in January and caused a
system malfunction that forced a water tank to overflow, marking a
potential first-of-its-kind disruption that escalates concerns about
the cyber posture of water treatment facilities in the U.S.,
according to an analysis out Wednesday.
https://www.nextgov.com/cybersecurity/2024/04/russian-hackers-breached-sabotaged-texas-water-treatment-plant-cyber-firm-says/395807/
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle
10: Banks should take appropriate measures to preserve the
confidentiality of key e-banking information. Measures taken to
preserve confidentiality should be commensurate with the sensitivity
of the information being transmitted and/or stored in databases.
Confidentiality is the assurance that key information remains
private to the bank and is not viewed or used by those unauthorized
to do so. Misuse or unauthorized disclosure of data exposes a bank
to both reputation and legal risk. The advent of e-banking presents
additional security challenges for banks because it increases the
exposure that information transmitted over the public network or
stored in databases may be accessible by unauthorized or
inappropriate parties or used in ways the customer providing the
information did not intend. Additionally, increased use of service
providers may expose key bank data to other parties.
To meet these challenges concerning the preservation of
confidentiality of key e-banking information, banks need to ensure
that:
1) All confidential bank data and records are only accessible
by duly authorized and authenticated individuals, agents or systems.
2) All confidential bank data are maintained in a secure manner
and protected from unauthorized viewing or modification during
transmission over public, private or internal networks.
3) The bank's standards and controls for data use and
protection must be met when third parties have access to the data
through outsourcing relationships.
4) All access to restricted data is logged and appropriate
efforts are made to ensure that access logs are resistant to
tampering.
Return to
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
SECURITY
CONTROLS - IMPLEMENTATION
LOGICAL
AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public
Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
user's identity.
The private key is stored on the user's computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
Return to the top of the newsletter
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 9 - Assurance
Computer security assurance is the degree of confidence one has
that the security measures, both technical and operational, work as
intended to protect the system and the information it processes.
Assurance is not, however, an absolute guarantee that the measures
work as intended. Like the closely related areas of reliability and
quality, assurance can be difficult to analyze; however, it is
something people expect and obtain (though often without realizing
it). For example, people may routinely get product recommendations
from colleagues but may not consider such recommendations as
providing assurance.
Assurance is a degree of confidence, not a true measure of how
secure the system actually is. This distinction is necessary because
it is extremely difficult -- and in many cases virtually impossible
-- to know exactly how secure a system is.
Assurance is a challenging subject because it is difficult to
describe and even more difficult to quantify. Because of this, many
people refer to assurance as a "warm fuzzy feeling" that controls
work as intended. However, it is possible to apply a more rigorous
approach by knowing two things: (1) who needs to be assured and (2)
what types of assurance can be obtained. The person who needs to be
assured is the management official who is ultimately responsible for
the security of the system. Within the federal government, this
person is the authorizing or accrediting official.
There are many methods and tools for obtaining assurance. For
discussion purposes, this chapter categorizes assurance in terms of
a general system life cycle. The chapter first discusses planning
for assurance and then presents the two categories of assurance
methods and tools: (1) design and implementation assurance and (2)
operational assurance. Operational assurance is further categorized
into audits and monitoring.
The division between design and implementation assurance and
operational assurance can be fuzzy. While such issues as
configuration management or audits are discussed under operational
assurance, they may also be vital during a system's development. The
discussion tends to focus more on technical issues during design and
implementation assurance and to be a mixture of management,
operational, and technical issues under operational assurance. The
reader should keep in mind that the division is somewhat artificial
and that there is substantial overlap.
Security assurance is the degree of confidence one has that the
security controls operate correctly and protect the system as
intended. |
