FBI alert: Ransomware attacks becoming increasingly targeted and
costly - The FBI yesterday issued a new public service announcement
regarding the ongoing ransomware epidemic, emphasizing that attacks
are becoming more targeted since early 2018, with losses increasing
significantly in that time.
https://www.scmagazine.com/home/security-news/ransomware/fbi-alert-ransomware-attacks-becoming-increasingly-targeted-and-costly/
How ready are you to respond to a ransomware attack? - Ransomware is
by far and away the fastest growing attack method in cybercrime. It’s
a trend that has only continued in 2019, with a serious uptick in the
number of ransomware incidents and insurance claims in just the last
couple of months.
https://www.scmagazine.com/home/opinion/executive-insight/how-ready-are-you-to-respond-to-a-ransomware-attack/
VPN to world: Reports of my death are greatly exaggerated - While
some in the industry are making the argument that enterprises don’t
need VPNs anymore (principally vendors that don’t offer VPN
solutions), nothing could be further from the truth. To mangle Mark
Twain’s famous quote, press reports of the death of VPN are greatly
exaggerated.
https://www.scmagazine.com/home/opinion/executive-insight/vpn-to-world-reports-of-my-death-are-greatly-exaggerated/
DHS asks Congress for subpoena authority to contact vulnerable asset
owners - The Department of Homeland Security has asked lawmakers for
subpoena authority in order to directly contact organizations
vulnerable to hacking rather than having to rely on outside parties
to communicate with the private sector.
https://www.cyberscoop.com/dhs-cisa-subpoena-authority-vulnerable-asset-owners/
Hospital Operations Back to Normal After Paying Ransom - Ten days
after a ransomware attack forced DCH Health Systems offline,
officials announced that their hospitals are resuming normal
operations. An undisclosed amount was paid to obtain a decryption
key.
https://www.govtech.com/security/Hospital-Operations-Back-to-Normal-After-Paying-Ransom.html
HHS Proposes Stark Law and Anti-Kickback Statute Reforms to Support
Value-Based and Coordinated Care - Today, the Department of Health
and Human Services (HHS) announced proposed changes to modernize and
clarify the regulations that interpret the Physician Self-Referral
Law (the “Stark Law”) and the Federal Anti-Kickback Statute.
https://www.hhs.gov/about/news/2019/10/09/hhs-proposes-stark-law-anti-kickback-statute-reforms.html
France warns of cyberattacks against service providers and
engineering offices - French cyber-security agency warns of ongoing
cyber-espionage campaign after Airbus and Expleo hacks.
https://www.zdnet.com/article/france-warns-of-cyberattacks-against-service-providers-and-engineering-offices/
The FBI is investigating West Virginia’s blockchain-based midterm
elections - During the 2018 midterm elections, somebody tried to
hack Voatz, the blockchain-based voting system used by West
Virginia. The attack was unsuccessful, but is under investigation by
the FBI, said Andrew Warner, West Virginia’s secretary of state in
an Oct. 1 press conference.
https://qz.com/1574671/the-fbi-is-investigating-west-virginias-blockchain-based-midterm-elections/
Pentagon ‘Hack the Proxy’ program uncovers 31 vulnerabilities, one
critical - Ethical hackers found 31 vulnerabilities – one rated
critical while nine got a high severity rating – during the
Pentagon’s Hack the Proxy program on the HackerOne platform.
https://www.scmagazine.com/home/security-news/vulnerabilities/pentagon-hack-the-proxy-program-uncovers-31-vulnerabilities-one-critical/
Baltimore belatedly buys cyberinsurance - In what could be the
poster child case for closing the barn door after the horse has
left, the Baltimore City Council has approved the purchase of cyber
insurance, six months after the municipality suffered a damaging
ransomware attack.
https://www.scmagazine.com/home/security-news/data-breach/baltimore-belatedly-buys-cyberinsurance/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Magecart attack on e-commerce service impacts Sesame Street store and
many more - Magecart hackers found out how to get to Sesame Street’s
online store – and in all likelihood thousands more merchants – by
initially compromising e-commerce and shopping cart service provider
Volusion to deliver the credit card-skimming code.
https://www.scmagazine.com/home/security-news/magecart-attack-on-e-commerce-service-impacts-sesame-street-store-and-many-more/
Stolen credentials used to access TransUnion Canada’s consumer
credit files - A malicious actor used stolen credentials to access a
web portal operated by credit reporting agency TransUnion Canada and
then used that portal to access consumer files.
https://www.scmagazine.com/home/security-news/stolen-credentials-used-to-access-transunion-canadas-consumer-credit-files/
Imperva CTO: Breach caused by mishandled database migration - The
data breach that recently affected certain customers of Imperva’s
Cloud Web Application Firewall (WAF) product was made possible by a
series of missteps as the cybersecurity company migrated to a
cloud-based database service, the firm’s chief technology officer
disclosed yesterday in a blog post.
https://www.scmagazine.com/home/security-news/imperva-cto-breach-caused-by-mishandled-database-migration/
Mississippi gov’t agencies fall short of cybersecurity compliance
standards - Mississippi government institutions by and large are
failing to comply with standard cybersecurity practices – only 71 of
125 state agencies, boards, commissions, and universities responded
to a survey by the Office of the State Auditor (OSA) and only 53 of
those have an articulated cybersecurity policy in place.
https://www.scmagazine.com/home/government/mississippi-govt-agencies-fall-short-of-cybersecurity-compliance-standards/
Malware takes down some Pitney Bowes systems - Pitney Bowes reported
today that it was hit with malware that has made some files
inaccessible, but stopped short of calling it a ransomware attack.
https://www.scmagazine.com/home/security-news/malware/malware-takes-down-some-pitney-bowes-systems/
Major software vendor compromised with previously undocumented
PortReuse backdoor - A thorough investigation into reputed Chinese
APT actor Winnti Group turned up a previously undocumented backdoor
that was used to compromise a popular Asian mobile hardware and
software vendor - perhaps as a prelude to launching a major supply
chain attack against its users.
https://www.scmagazine.com/home/security-news/gaming/major-software-vendor-compromised-with-previously-undocumented-portreuse-backdoor/
WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Incident Response Programs. (5 of 12)
Notification Procedures
An institution should notify its primary Federal regulator as soon
as it becomes aware of the unauthorized access to or misuse of
sensitive customer information or customer information systems.
Notifying the regulatory agency will help it determine the potential
for broader ramifications of the incident, especially if the
incident involves a service provider, as well as assess the
effectiveness of the institution's IRP.
Institutions should develop procedures for notifying law
enforcement agencies and filing SARs in accordance with their
primary Federal regulator's requirements. Law enforcement
agencies may serve as an additional resource in handling and
documenting the incident. Institutions should also establish
procedures for filing SARs in a timely manner because regulations
impose relatively quick filing deadlines. The SAR form itself may
serve as a resource in the reporting process, as it contains
specific instructions and thresholds for when to file a report. The
SAR form instructions also clarify what constitutes a "computer
intrusion" for filing purposes. Defining procedures for notifying
law enforcement agencies and filing SARs can streamline these
notification and reporting requirements.
Institutions should also address customer notification procedures
in their IRP. When an institution becomes aware of an incident
involving unauthorized access to sensitive customer information, the
institution should conduct a reasonable investigation to determine
the likelihood that such information has been or will be misused. If
the institution determines that sensitive customer information has
been misused or that misuse of such information is reasonably
possible, it should notify the affected customer(s) as soon as
possible. Developing standardized procedures for notifying customers
will assist in making timely and thorough notification. As a
resource in developing these procedures, institutions should
reference the April 2005 interpretive guidance, which specifically
addresses when customer notification is necessary, the recommended
content of the notification, and the acceptable forms of
notification.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Development and Support
Development and support activities should ensure that new software
and software changes do not compromise security. Financial
institutions should have an effective application and system change
control process for developing, implementing, and testing changes to
internally developed software and purchased software. Weak change
control procedures can corrupt applications and introduce new
security vulnerabilities. Change control considerations relating to
security include the following:
- Restricting changes to authorized users,
- Reviewing the impact changes will have on security controls,
- Identifying all system components that are impacted by the changes,
- Ensuring the application or system owner has authorized changes in
advance,
- Maintaining strict version control of all software updates, and
- Maintaining an audit trail of all changes.
Changes to operating systems may degrade the efficiency and
effectiveness of applications that rely on the operating system for
interfaces to the network, other applications, or data. Generally,
management should implement an operating system change control
process similar to the change control process used for application
changes. In addition, management should review application systems
following operating system changes to protect against a potential
compromise of security or operational integrity.
When creating and maintaining software, separate software
libraries should be used to assist in enforcing access controls and
segregation of duties. Typically, separate libraries exist for
development, test, and production.
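As an added example (not from the FFIEC booklet), the six change control considerations above expressed as a gate that a change request must pass, plus a hash-chained audit trail that makes after-the-fact edits to the change history detectable. The authorized-changer list, component owners, version tag format and change-request fields are constructed for illustration.

```python
import hashlib
import json
import re
from dataclasses import dataclass

# Constructed data: authorized changers and the owner who must pre-approve each component.
AUTHORIZED_CHANGERS = {"alice", "bob"}
COMPONENT_OWNERS = {"core-banking": "ops-owner", "web-portal": "portal-owner"}

@dataclass
class ChangeRequest:
    requester: str
    components: list          # system components the change touches
    owner_approvals: set      # owners who signed off before implementation
    security_review_done: bool
    version: str              # release tag, e.g. "web-portal-2.4.1"

def gate(cr: ChangeRequest) -> list:
    """Return the FFIEC considerations the request fails (empty list = may proceed)."""
    needed = {COMPONENT_OWNERS[c] for c in cr.components if c in COMPONENT_OWNERS}
    checks = [
        (cr.requester in AUTHORIZED_CHANGERS, "restrict changes to authorized users"),
        (cr.security_review_done, "review impact on security controls"),
        (bool(cr.components) and all(c in COMPONENT_OWNERS for c in cr.components),
         "identify all impacted system components"),
        (needed <= cr.owner_approvals, "owner authorization in advance"),
        (re.fullmatch(r"[a-z-]+-\d+\.\d+\.\d+", cr.version) is not None,
         "strict version control"),
    ]
    return [label for ok, label in checks if not ok]

def digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(trail: list, cr: ChangeRequest, failures: list) -> None:
    """Append an entry chained to the previous entry's hash (tamper-evident audit trail)."""
    body = {"requester": cr.requester, "components": sorted(cr.components),
            "version": cr.version, "failures": failures,
            "decision": "rejected" if failures else "approved",
            "prev": trail[-1]["hash"] if trail else "0" * 64}
    trail.append({**body, "hash": digest(body)})

def verify_trail(trail: list) -> bool:
    """Recompute the chain; False if any entry was altered or removed."""
    prev = "0" * 64
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

The gate returns every unmet consideration rather than stopping at the first, so a rejected request carries the full list of controls the requester still has to satisfy.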
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
This is the last Chapter on the National Institute of Standards and
Technology (NIST) Handbook. Next week we start Chapter 1.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.7 Summary
This chapter has illustrated how many of the concepts described in
previous chapters might be applied in a federal agency. An integrated
example concerning a Hypothetical Government Agency (HGA) has been
discussed and used as the basis for examining a number of these
concepts. HGA's distributed system architecture and its uses were
described. The time and attendance application was considered in some
detail.
For context, some national and agency-level policies were referenced.
Detailed operational policies and procedures for computer systems were
discussed and related to these high-level policies. HGA assets and
threats were identified, and a detailed survey of selected safeguards,
vulnerabilities, and risk mitigation actions was presented. The
safeguards included a wide variety of procedural and automated
techniques, and were used to illustrate issues of assurance,
compliance, security program oversight, and inter-agency coordination.
As illustrated, effective computer security requires clear direction
from upper management. Upper management must assign security
responsibilities to organizational elements and individuals and must
formulate or elaborate the security policies that become the
foundation for the organization's security program. These policies
must be based on an understanding of the organization's mission
priorities and the assets and business operations necessary to fulfill
them. They must also be based on a pragmatic assessment of the threats
against these assets and operations. A critical element is assessment
of threat likelihoods. These are most accurate when derived from
historical data, but must also anticipate trends stimulated by
emerging technologies.
A good security program relies on an integrated, cost-effective
collection of physical, procedural, and automated controls.
Cost-effectiveness requires targeting these controls at the threats
that pose the highest risks while accepting other residual risks. The
difficulty of applying controls properly and in a consistent manner
over time has been the downfall of many security programs. This
chapter has provided numerous examples in which major security
vulnerabilities arose from a lack of assurance or compliance. Hence,
periodic compliance audits, examinations of the effectiveness of
controls, and reassessments of threats are essential to the success of
any organization's security program.