FYI
Treasury Wants to Collect More Cyber Risk Details From Banks -
Agency Wants to Gather More Data to Support Security of Financial
Infrastructure - The U.S. Treasury Department is proposing to
collect more information from banks and financial markets about the
cybersecurity risks they face, according to notices posted in the
Federal Register.
https://www.govinfosecurity.com/treasury-wants-to-collect-more-cyber-risk-details-from-banks-a-13642
Best practices for reducing third-party risk - The simple truth is
that the security measures organizations put in place are not enough
to protect them from threats.
https://www.scmagazine.com/home/opinion/executive-insight/best-practices-for-reducing-third-party-risk/
Academics call for UK's Computer Misuse Act 1990 to be reformed -
Report suggests public interest defences for infosec professionals,
academics and journalists - Britain's main anti-hacker law, the
Computer Misuse Act 1990, is "confused", "outdated" and "ambiguous",
according to a group of pro-reform academics.
https://www.theregister.co.uk/2020/01/22/clrnn_computer_misuse_act_reform_call/
Critical vulnerabilities found in GE medical gear - The DHS
Cybersecurity and Infrastructure Security Agency has issued a
warning of six critical-rated vulnerabilities in several GE medical
monitoring devices.
https://www.scmagazine.com/home/health-care/critical-vulnerabilities-found-in-ge-medical-gear/
New York considers bills banning ransom payments - Two bills have
been introduced into the New York State Senate that if passed would
ban municipalities from paying money demanded by ransomware
attackers.
https://www.scmagazine.com/home/security-news/government-and-defense/new-york-considers-bills-banning-ransom-payments/
Bill seeks to reform NSA surveillance, aiming at Section 215, FISA
process - Congress took on the dual issues of Fourth Amendment and
privacy rights in a bill meant to reform the Patriot Act to end the
authority of NSA’s phone recording program, as well as reform the
FISA process, addressing the problems revealed by Justice Department
Inspector General Michael Horowitz last fall.
https://www.scmagazine.com/home/security-news/bill-seeks-to-reform-nsa-surveillance-aiming-at-section-215-fisa-process/
Judge forces insurer to help small business to clean up after a
crippling ransomware attack - At least one insurance company will
cover the costs from a cyberattack against one of its clients.
https://www.cyberscoop.com/cyber-insurance-court-state-auto/
Another Poor Cybersecurity Audit at State Department Draws Scrutiny
- Auditors have been reporting weaknesses in IT security controls
for over a decade. The latest publication in a long line of reports
drawing attention to the State Department’s failure to secure its
information technology-dependent systems from cyberattacks reflects
a general mismanagement of resources.
https://www.nextgov.com/cybersecurity/2020/01/another-poor-cybersecurity-audit-state-department-draws-scrutiny/162627/
Small Town Nearly Done Recovering from Ransomware Attack - Weeks
after an employee clicked on a malicious link in an email, causing a
cybersecurity breach, the city of Galt in California's Central
Valley is nearly done getting its phones and computers back in
working order.
https://www.govtech.com/news/Small-Town-Nearly-Done-Recovering-from-Ransomware-Attack.html
Federal agency offers guidelines for businesses defending against
ransomware attacks - The National Institute of Standards and
Technology (NIST) published draft guidelines Monday providing
businesses with ways to defend against debilitating ransomware
attacks.
https://thehill.com/policy/cybersecurity/480146-federal-agency-publishes-guidelines-for-businesses-to-defend-against
A new way to think about security in autonomous systems: Don’t - The
age of autonomy is upon us. While talk of autonomous cars in the
not-too-distant future captures the imagination, the reality is that
autonomous systems are very much with us in the present day.
https://www.scmagazine.com/home/opinion/executive-insight/a-new-way-to-think-about-security-in-autonomous-systems-dont/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
Privacy takes a hit, as storage bucket leaks cannabis dispensary
POS data - A misconfigured Amazon Web Services S3 storage bucket was
discovered leaking data that had been collected by a point-of-sale
system used by multiple cannabis dispensaries, researchers from
vpnMentor reported on Wednesday.
https://www.scmagazine.com/home/security-news/database-security/privacy-takes-a-hit-as-storage-bucket-leaks-cannabis-dispensary-pos-data/
Phishing campaign leads to UPS Store data breach - In a data breach
notification letter to customers, The UPS Store has disclosed that
an unauthorized party successfully devised a phishing scheme to gain
entry into the email accounts of numerous store locations.
https://www.scmagazine.com/home/security-news/data-breach/phishing-campaign-leads-to-ups-store-data-breach/
Microsoft discloses security breach of customer support database -
Five servers storing customer support analytics were accidentally
exposed online in December 2019.
https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/
Travelex hackers strike again, closes German automotive firm -
German car parts maker Gedia Automotive Group has had to shut down
its IT operations following a massive cyber attack.
https://www.scmagazineuk.com/travelex-hackers-strike-again-closes-german-automotive-firm/article/1672019
Cyberattack takes down Tillamook County’s computers, phones, website
- Tillamook County on the Oregon coast was struggling Thursday to
get its computer and telephone systems running again after it was
hit by a cyberattack.
https://www.oregonlive.com/news/2020/01/cyberattack-takes-down-tillamook-countys-computers-phones-website.html
Tampa Bay Times hit by Ryuk, new variant of stealer aimed at gov’t,
finance - On the heels of a Ryuk ransomware attack on the Tampa Bay
Times, researchers reported a new variant of the Ryuk stealer being
aimed at government, financial and law enforcement targets.
https://www.scmagazine.com/home/security-news/tampa-bay-times-hit-by-ryuk-new-variant-of-stealer-aimed-at-govt-finance/
City of Potsdam Servers Offline Following Cyberattack - The City of
Potsdam severed the administration servers' Internet connection
following a cyberattack that took place earlier this week. Emergency
services, including the city's fire department, are fully operational
and payments are not affected.
https://www.bleepingcomputer.com/news/security/city-of-potsdam-servers-offline-following-cyberattack/
OurMine hackers intercept NFL teams’ social media accounts - Over a
dozen NFL teams may want to consider hiring a cyber defensive
coordinator after their Twitter, Instagram and Facebook accounts
were reportedly hijacked and defaced on Sunday and Monday by the
mischievous OurMine hacker group, which has emerged from
hibernation.
https://www.scmagazine.com/password-management/ourmine-hackers-intercept-nfl-teams-social-media-accounts/
LabCorp suffers second data incident, patient PHI potentially
exposed - LabCorp has confirmed that its internal system was
accessed by an unauthorized person but would not give any further
details pertaining to the number of people or types of data possibly
affected.
https://www.scmagazine.com/home/health-care/labcorp-suffers-second-data-incident-patient-phi-potentially-exposed/
Cornerstone Payment Systems leaves database open, exposes 6.7M
records - Cornerstone Payment Systems, which processes payments for
pro-life groups, churches, ministries and other organizations with a
similar Christian bent, left a database unprotected, exposing 6.7
million records from 2013 until the present.
https://www.scmagazine.com/home/security-news/cloud-security/cornerstone-payment-systems-leaves-database-open-exposes-6-7m-records/
WEB SITE COMPLIANCE -
Guidance on Safeguarding
Customers Against E-Mail and Internet-Related Fraudulent Schemes
(Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent
Schemes
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
costly litigation.
In addition, customers who fall prey to e-mail and
Internet-related fraudulent schemes face real and immediate risk.
Criminals will normally act quickly to gain unauthorized access to
financial accounts, commit identity theft, or engage in other
illegal acts before the victim realizes the fraud has occurred and
takes action to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of
educating customers about prevalent e-mail and Internet-related
fraudulent schemes, such as phishing, and how to avoid them. This
may be accomplished by providing customers with clear and bold
statement stuffers and posting notices on Web sites that convey the
following messages:
- A financial institution's Web page should never be accessed
from a link provided by a third party. It should only be accessed by
typing the Web site name, or URL address, into the Web browser or by
using a "book mark" that directs the Web browser to the financial
institution's Web site.
- A financial institution should not be sending e-mail messages
that request confidential information, such as account numbers,
passwords, or PINs. Financial institution customers should be
reminded to report any such requests to the institution.
- Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by checking the properties on a secure Web
page.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 2 of 4)
"Tuning" refers to the creation of signatures that
can distinguish between normal network traffic and potentially
malicious traffic. Proper tuning of these IDS units is essential to
reliable detection of both known attacks and newly developed
attacks. Tuning of some signature-based units for any particular
network may take an extended period of time, and involve extensive
analysis of expected traffic. If an IDS is not properly tuned, the
volume of alerts it generates may degrade the intrusion
identification and response capability.
Signatures may take several forms. The simplest form is the URL
submitted to a Web server, where certain references, such as
cmd.exe, are indicators of an attack. The nature of traffic to and
from a server can also serve as a signature. An example is the
length of a session and amount of traffic passed. A signature method
meant to focus on sophisticated attackers is protocol analysis, when
the contents of a packet or session are analyzed for activity that
violates standards or expected behavior. That method can catch, for
instance, indicators that servers are being attacked using Internet
control message protocol (ICMP).
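The three signature forms just described, as an added example that is not part of the FFIEC booklet or this newsletter: a small Python detector run over constructed sample access-log lines and session records, applying a URL-content signature (cmd.exe and similar references), a session length/volume signature, and a protocol-analysis check on ICMP. The record formats, patterns, and thresholds are assumptions chosen for the demonstration; the last function shows what tuning (an allowlist for a path known to be benign on this network) does to the alert volume.

```python
import re

# Constructed sample web-server access log (assumed format:
# client method url status bytes). The /kb/ line is a benign article whose
# name happens to contain "cmd.exe": a false positive that tuning must handle.
ACCESS_LOG = """\
10.0.0.5 GET /index.html 200 512
10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404 0
10.0.0.5 GET /kb/articles/cmd.exe-help.html 200 1800
10.0.0.11 GET /cgi-bin/../../../../bin/sh 403 0
"""

# Constructed sample session records: (src, proto, duration_s, bytes).
FLOWS = [
    ("10.0.0.5", "tcp", 12, 40_000),
    ("10.0.0.7", "tcp", 7200, 900_000_000),  # unusually long, high-volume session
    ("10.0.0.9", "icmp", 1, 65_000),         # oversized ICMP datagram
    ("10.0.0.9", "icmp", 1, 64),
]

# Signature form 1: references in a requested URL that indicate an attack.
URL_SIGS = [re.compile(p, re.I) for p in (r"cmd\.exe", r"/bin/sh", r"\.\./")]

def url_alerts(log=ACCESS_LOG):
    """Return (client, url, matched patterns) for each request hitting a URL signature."""
    alerts = []
    for line in log.splitlines():
        client, method, url, status, size = line.split()
        hits = [s.pattern for s in URL_SIGS if s.search(url)]
        if hits:
            alerts.append((client, url, hits))
    return alerts

def session_alerts(flows=FLOWS, max_seconds=3600, max_bytes=500_000_000):
    """Signature form 2: session length or volume outside the expected range."""
    return [f for f in flows
            if f[1] == "tcp" and (f[2] > max_seconds or f[3] > max_bytes)]

def icmp_alerts(flows=FLOWS, max_bytes=1500):
    """Signature form 3 (protocol analysis): ICMP datagrams far larger than
    normal echo traffic violate expected behaviour for the protocol."""
    return [f for f in flows if f[1] == "icmp" and f[3] > max_bytes]

def tuned_url_alerts(log=ACCESS_LOG, benign_prefixes=("/kb/",)):
    """Tuning: suppress URL alerts for paths this network knows to be benign,
    so alert volume does not swamp the response capability."""
    return [a for a in url_alerts(log) if not a[1].startswith(benign_prefixes)]
```

Untuned, the URL signatures fire three times on this log; with the allowlist, only the two genuinely suspicious requests remain.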
Switched networks pose a problem for network IDS. Switches
ordinarily do not broadcast traffic to all ports, and a network IDS
may need to see all traffic to be effective. When switches do not
have a port that receives all traffic, the financial institution may
have to alter their network to include a hub or other device to
allow the IDS to monitor traffic.
Encrypted network traffic will drastically reduce the
effectiveness of a network IDS. Since a network IDS only reads
traffic and does not decrypt the traffic, encrypted traffic will
avoid detection.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.3 Employee Sabotage
Employees are most familiar with their employer's computers and
applications, including knowing what actions might cause the most
damage, mischief, or sabotage. The downsizing of organizations in
both the public and private sectors has created a group of
individuals with organizational knowledge, who may retain potential
system access (e.g., if system accounts are not deleted in a timely
manner). The number of incidents of employee sabotage is believed to
be much smaller than the instances of theft, but the cost of such
incidents can be quite high.
Martin Sprouse, author of Sabotage in the American Workplace,
reported that the motivation for sabotage can range from altruism to
revenge:
As long as people feel cheated, bored, harassed, endangered, or
betrayed at work, sabotage will be used as a direct method of
achieving job satisfaction -- the kind that never has to get the
bosses' approval.
Common examples of computer-related employee sabotage include:
1) destroying hardware or facilities,
2) planting logic bombs that destroy programs or data,
3) entering data incorrectly,
4) "crashing" systems,
5) deleting data,
6) holding data hostage, and
7) changing data.
Chapter 4.4 Loss of Physical and Infrastructure Support
The loss of supporting infrastructure includes power failures
(outages, spikes, and brownouts), loss of communications, water
outages and leaks, sewer problems, lack of transportation services,
fire, flood, civil unrest, and strikes. These losses include such
dramatic events as the explosion at the World Trade Center and the
Chicago tunnel flood, as well as more common events, such as broken
water pipes. Many of these issues are covered in Chapter. A loss of
infrastructure often results in system downtime, sometimes in
unexpected ways. For example, employees may not be able to get to
work during a winter storm, although the computer system may be
functional.