Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
FYI
- FBI alert: Ransomware attacks becoming increasingly targeted and
costly - The FBI yesterday issued a new public service announcement
regarding the ongoing ransomware epidemic, emphasizing that attacks
are becoming more targeted since early 2018, with losses
increasing significantly in that time.
https://www.scmagazine.com/home/security-news/ransomware/fbi-alert-ransomware-attacks-becoming-increasingly-targeted-and-costly/
State of Ransomware in the U.S.: 2019 Report for Q1 to Q3 - In the
first nine months of 2019, at least 621 government entities,
healthcare service providers and school districts, colleges and
universities were affected by ransomware.
https://blog.emsisoft.com/en/34193/state-of-ransomware-in-the-u-s-2019-report-for-q1-to-q3/
ANU incident report on massive data breach is a must-read - The
Australian National University has set a new standard for
transparent data breach reporting. They didn't lose all 19 years of
data, but they're no closer to understanding the attacker's motives.
https://www.zdnet.com/article/anu-incident-report-on-massive-data-breach-a-must-read/
Feds to boost scrutiny of airliner cybersecurity vulnerabilities -
The Department of Homeland Security, Pentagon and Department of
Transportation plan to bolster an established program that
investigates airliner cybersecurity vulnerabilities.
https://www.scmagazine.com/home/security-news/vulnerabilities/feds-to-boost-scrutiny-of-airliner-cybersecurity-vulnerabilities/
DCH Health System pays ransomware attackers in bid to restore
operations - Forced to turn away certain patients following a
ransomware infection, West Alabaman medical center operator DCH
Health System announced this past weekend that it has purchased a
decryption key from the attackers in order to expedite recovery.
https://www.scmagazine.com/home/security-news/ransomware/dch-health-system-pays-ransomware-attackers-in-bid-to-restore-operations/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Ransomware attack forces DCH Health Systems to turn away patients
- DCH Health Systems is turning away all but the most critical
patients from its three hospitals in response to its computer
network being rendered unusable by a ransomware attack.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-forces-dch-health-systems-to-turn-away-patients/
Some Victorian hospitals are offline after ransomware hit - The
incident uncovered on Monday has hit Gippsland Health Alliance and
South West Alliance of Rural Health.
https://www.zdnet.com/article/some-victorian-hospitals-are-offline-after-ransomware-hit/
Hy-Vee details 2019 POS data breach incident - Mid-Western
supermarket chain Hy-Vee issued an update regarding the POS data
breach it reported in August, including when it happened and the
locations involved.
https://www.scmagazine.com/home/security-news/data-breach/hy-vee-details-2019-pos-data-breach-incident/
1,600 Electronic Arts FIFA 20 players’ reg data compromised - An
Electronic Arts website for its EA Sports FIFA 20 Global Series
operated for about 30 minutes with a glitch during which time 1,600
users had their personal information exposed.
https://www.scmagazine.com/home/security-news/privacy-compliance/1600-electronic-arts-fifa-20-players-reg-data-compromised/
Data on 92M Brazilians found for sale on underground forums -
Several members-only dark web forums are reportedly auctioning what
appears to be a stolen government database featuring the personal
information of 92 million Brazilian citizens.
https://www.scmagazine.com/home/security-news/data-breach/data-on-92m-brazilians-found-for-sale-on-underground-forums/
Stolen credentials used to access TransUnion Canada’s consumer
credit files - A malicious actor used stolen credentials to access a
web portal operated by credit reporting agency TransUnion Canada and
then used that portal to access consumer files.
https://www.scmagazine.com/home/security-news/stolen-credentials-used-to-access-transunion-canadas-consumer-credit-files/
WEB SITE COMPLIANCE -
We continue the series on FDIC Supervisory Insights regarding Incident Response Programs. (4 of 12)
Reaction Procedures
Assessing security incidents and identifying the unauthorized
access to or misuse of customer information essentially involve
organizing and developing a documented risk assessment process for
determining the nature and scope of the security event. The goal is
to efficiently determine the scope and magnitude of the security
incident and identify whether customer information has been
compromised.
Containing and controlling the security incident involves
preventing any further access to or misuse of customer information
or customer information systems. As there are a variety of potential
threats to customer information, organizations should anticipate the
ones that are more likely to occur and develop response and
containment procedures commensurate with the likelihood of and the
potential damage from such threats. An institution's information
security risk assessment can be useful in identifying some of these
potential threats. The containment procedures developed should focus
on responding to and minimizing potential damage from the threats
identified. Not every incident can be anticipated, but institutions
should at least develop containment procedures for reasonably
foreseeable incidents.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION
Security Controls in Application Software
Application development should incorporate appropriate security
controls, audit trails, and activity logs. Typical application
access controls are addressed in earlier sections. Application
security controls should also include validation controls for data
entry and data processing. Data entry validation controls include
access controls over entry and changes to data, error checks, review
of suspicious or unusual data, and dual entry or additional review
and authorization for highly sensitive transactions or data. Data
processing controls include: batch control totals; hash totals of
data for comparison after processing; identification of any changes
made to data outside the application (e.g., data-altering
utilities); and job control checks to ensure programs run in correct
sequence (see the booklet "Computer Operations" for additional
considerations).
Some applications will require the integration of additional
authentication and encryption controls to ensure integrity and
confidentiality of the data. As customers and merchants originate an
increasing number of transactions, authentication and encryption
become increasingly important to ensure non-repudiation of
transactions.
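As an added illustration (not from the FFIEC booklet or from the newsletter), the following Python sketch shows how the data processing controls named above work in practice: batch control totals and a hash total are captured at data entry and recomputed after processing, so that a record altered, added or dropped outside the application (for example by a data-altering utility) is detected, and a dual-authorization threshold flags highly sensitive transactions for a second reviewer. The transaction records, the $10,000 threshold and all function names are constructed for this example.

```python
"""Batch control totals, hash totals and dual-authorization flagging.

Added example; the transactions and the threshold are constructed sample data,
not values from any institution's application.
"""
import hashlib
import json
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: Decimal  # positive = credit, negative = debit, in dollars


# Assumed policy: transactions at or above this amount need a second approver.
DUAL_AUTH_THRESHOLD = Decimal("10000.00")


def batch_control_totals(batch):
    """Record count and net amount, captured at data entry."""
    return {
        "count": len(batch),
        "sum": sum((t.amount for t in batch), Decimal("0")),
    }


def _canonical(t):
    # Canonical JSON keeps the hash stable across processes and Python versions.
    return json.dumps(
        {"txn_id": t.txn_id, "account": t.account, "amount": str(t.amount)},
        sort_keys=True,
    )


def hash_total(batch):
    """SHA-256 over every record's canonical form, ordered by txn_id.

    Unlike a control sum, this changes when record *content* changes even if
    the net amount is unchanged, so offsetting edits are still caught.
    """
    h = hashlib.sha256()
    for t in sorted(batch, key=lambda t: t.txn_id):
        h.update(_canonical(t).encode("utf-8") + b"\n")
    return h.hexdigest()


def transactions_needing_dual_auth(batch):
    """Ids of transactions whose magnitude meets the dual-authorization threshold."""
    return [t.txn_id for t in batch if abs(t.amount) >= DUAL_AUTH_THRESHOLD]


def verify_batch(batch_after, entry_totals, entry_hash):
    """Recompute the controls after processing and compare with entry-time values.

    Returns a list of findings; an empty list means all controls passed.
    """
    findings = []
    after = batch_control_totals(batch_after)
    if after["count"] != entry_totals["count"]:
        findings.append(
            f"record count changed: {entry_totals['count']} -> {after['count']}"
        )
    if after["sum"] != entry_totals["sum"]:
        findings.append(f"control sum changed: {entry_totals['sum']} -> {after['sum']}")
    if hash_total(batch_after) != entry_hash:
        findings.append("hash total mismatch: record content altered outside the application")
    return findings


# Constructed batch as keyed in at data entry.
ENTERED = [
    Txn("T001", "ACC-100", Decimal("250.00")),
    Txn("T002", "ACC-200", Decimal("-75.50")),
    Txn("T003", "ACC-300", Decimal("12500.00")),
]
ENTRY_TOTALS = batch_control_totals(ENTERED)
ENTRY_HASH = hash_total(ENTERED)

# Constructed tampering scenario: value shifted between two records with a
# data-altering utility. The record count and control sum are unchanged, so
# only the hash total exposes it.
TAMPERED = [
    Txn("T001", "ACC-100", Decimal("750.00")),
    Txn("T002", "ACC-200", Decimal("-575.50")),
    Txn("T003", "ACC-300", Decimal("12500.00")),
]

if __name__ == "__main__":
    print("clean batch findings:", verify_batch(ENTERED, ENTRY_TOTALS, ENTRY_HASH))
    print("tampered batch findings:", verify_batch(TAMPERED, ENTRY_TOTALS, ENTRY_HASH))
    print("dropped record findings:", verify_batch(ENTERED[:2], ENTRY_TOTALS, ENTRY_HASH))
    print("needs dual authorization:", transactions_needing_dual_auth(ENTERED))
```

The point of keeping both controls is visible in the tampered scenario: the control sum alone passes because the edits offset each other, while the hash total fails. In a real application the entry-time totals and hash would be stored outside the reach of the utilities that can edit the data files, and the post-processing comparison would run as a job control step before the next job in the sequence is allowed to start.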
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)
20.6.5 Mitigating Network-Related Threats
The assessment recommended that HGA:
- require stronger I&A for dial-in access or, alternatively, that a restricted version of the mail utility be provided for dial-in, which would prevent a user from including files in outgoing mail messages;
- replace its current modem pool with encrypting modems, and provide each dial-in user with such a modem; and
- work with the mainframe agency to install a similar encryption capability for server-to-mainframe communications over the WAN.
As with previous risk
assessment recommendations, HGA's management tasked COG to analyze
the costs, benefits, and impacts of addressing the vulnerabilities
identified in the risk assessment. HGA eventually adopted some of
the risk assessment's recommendations, while declining others. In
addition, HGA decided that its policy on handling time and
attendance information needed to be clarified, strengthened, and
elaborated, with the belief that implementing such a policy would
help reduce risks of Internet and dial-in eavesdropping. Thus, HGA
developed and issued a revised policy, stating that users are
individually responsible for ensuring that they do not transmit
disclosure-sensitive information outside of HGA's facilities via
e-mail or other means. It also prohibited them from examining or
transmitting e-mail containing such information during dial-in
sessions and developed and promulgated penalties for noncompliance.