The HIPAA Security Rule specifically focuses on protecting the
confidentiality, integrity, and availability of electronic protected health
information (ePHI), as defined by the Security Rule. All HIPAA-regulated
entities must comply with the requirements of the Security Rule.
This draft update:
* Includes a brief overview of the HIPAA Security Rule
* Provides guidance for regulated entities on assessing and managing risks to ePHI
* Identifies typical activities that a regulated entity might consider implementing as part of an information security program
* Lists additional resources that regulated entities may find useful in implementing the Security Rule
A public comment period is open
through September 21, 2022. See the publication
details for a copy of the draft and instructions for submitting
comments.
Comment Period Extended
for NIST SP 1800-34, Validating the Integrity of Computing Devices
The National Cybersecurity Center of Excellence (NCCoE) has
published, for public comment, a draft of NIST SP 1800-34, Validating the
Integrity of Computing Devices. Please download the document and share your
expertise with us to strengthen the draft practice guide. The public
comment period for this draft has been extended and will now close on August 8th,
2022.
The NCCoE relies on developers, providers, and users of
cybersecurity technology and information to provide comments on our practice
guides. The public is encouraged to review the draft and provide feedback for
possible incorporation into the final version before the public comment period
closes.
If you have any questions or would like to join our Supply Chain
Community of Interest, please email us at supplychain-nccoe@nist.gov.
Calculating the severity of information technology vulnerabilities
is important for prioritizing vulnerability remediation and helping to
understand the risk of a vulnerability. The Common Vulnerability Scoring System
(CVSS) is a widely used approach to evaluating properties that lead to a
successful attack and the effects of a successful exploitation. CVSS is managed
under the auspices of the Forum of Incident Response and Security Teams (FIRST)
and is maintained by the CVSS Special Interest Group (SIG). Unfortunately,
ground truth upon which to base the CVSS measurements has not been available.
Thus, CVSS SIG incident response experts maintain the equations by leveraging
CVSS SIG human expert opinion.
This work evaluates the accuracy of the CVSS “base score”
equations and shows that they represent the CVSS maintainers’ expert opinion to
the extent described by these measurements. NIST requests feedback on the
approach, the significance of the results, and any CVSS measurements that
should have been conducted but were not included within the initial scope of
this work. Finally, NIST requests comments on sources of data that could
provide ground truth for these types of measurements.
The public comment review period for this draft is open through
July 29, 2022. See the publication
details for instructions on how to submit comments.
NIST is in the process of a periodic review and maintenance of its
cryptography standards and guidelines.
This announcement initiates the review of Federal Information Processing
Standard (FIPS) 180-4, Secure Hash
Standard (SHS), 2015.
NIST requests public
comments on all aspects of FIPS 180-4. Additionally, NIST would
appreciate feedback on the following two areas of particular concern:
SHA-1. In recent years, the cryptanalytic attacks on the SHA-1
hash function have become increasingly severe and practical (see, e.g., the 2020
paper “SHA-1 is a Shambles” by Leurent and Peyrin).
NIST, therefore, plans to remove SHA-1 from a revision of FIPS 180-4 and
to deprecate and eventually disallow all uses of SHA-1. The Cryptographic
Module Validation Program will establish a validation
transition schedule.
* How will this plan impact fielded and
planned SHA-1 implementations?
* What should NIST consider in establishing the timeline for
disallowing SHA-1?
Interface. The “Init, Update, Final” interface was part
of the SHA-3 Competition submission requirements. Should a revision of
FIPS 180-4 discuss the “Init, Update, Final” hash function interface?
The public comment period is open through September 9, 2022. Comments
may address the concerns raised in this announcement or other issues around
security, implementation, clarity, risk, or relevance to current
applications.
Traditional business impact analyses (BIAs) have been successfully
used for business continuity and disaster recovery (BC/DR) by triaging damaged
infrastructure recovery actions that are primarily based on the duration and
cost of system outages (i.e., availability compromise). However, BIAs
can easily be expanded to consider other cyber-risk compromises and remedies.
This initial
public draft of NIST IR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and
Response, provides comprehensive asset confidentiality and
integrity impact analyses to accurately identify and manage asset risk
propagation from system to organization and from organization to enterprise,
which in turn better informs Enterprise Risk Management deliberations. This document
adds expanded BIA protocols to inform risk prioritization and response by
quantifying the organizational impact and enterprise consequences of
compromised IT Assets.
The public comment period for this draft is open through July 18,
2022. See the publication
details for a copy of the draft and instructions for submitting
comments.
NIST is leveraging the new Special Publication (SP) 800-53 Public
Comment Site for its first round of public comments. Participate in the
inaugural 30-day public comment period
for a minor (errata) release of SP 800-53, Revision 5, Security and Privacy Controls for
Information Systems and Organizations. The minor release will
result in corrections to the current publication but will not introduce new
technical information or requirements. Submit your comments on proposed changes using the Public Comment
Site through August 12, 2022.
All proposed changes to SP 800-53 (“candidates”) for
review and comment are available online.
Candidates can be filtered by control family, control name, and submission
date. To view the specific changes for each control or control enhancement and
provide your feedback, select the Tracking Number on the Candidates page.
The SP 800-53 Public Comment Site is designed to:
* Reduce the level of effort needed for stakeholders to review and comment on proposed changes (“candidates”)
* Feature new and updated controls and control enhancements and highlight specific changes
* Increase transparency and promote community engagement by making comments on candidates publicly available
* Provide traceability on submitted feedback through automatic updates
Learn more about
the SP 800-53 Comment Site, and leverage the online User Guide for
step-by-step instructions on how to participate in the public comment process,
available under “View Candidates” and “Provide comments on
candidates.”
NIST looks forward to stakeholder feedback on the proposed changes
(“candidates”) for the first minor release using the online platform.
The end result of this effort will be the second update of SP 800-53 Rev. 5.
Please direct your questions to 800-53comments@list.nist.gov.
Protecting Controlled
Unclassified Information: Pre-Draft Call for Comments on the CUI Series
NIST is seeking information for a planned update of the Controlled
Unclassified Information (CUI) series of publications, starting with Special
Publication (SP) 800-171, Protecting
Controlled Unclassified Information in Nonfederal Systems and Organizations. This Pre-Draft
Call for Comments solicits feedback from interested parties to
improve SP 800-171 and its supporting publications, SP 800-171A, SP 800-172,
and SP 800-172A.
NIST seeks your feedback on the use, potential updates, and
opportunities for ongoing improvement to the CUI series. Potential topics for
comments and feedback range from how organizations are currently using the CUI
series of publications – including how the series is being used with other
frameworks and standards (e.g., NIST Risk Management Framework, NIST
Cybersecurity Framework, GSA Federal Risk and Authorization Management Program
[FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.) – to
suggestions for features of the CUI series that should be modified, added, or
removed.
A Florida-based CEO was charged with selling
$1 billion worth of counterfeit Cisco equipment imported from China, according
to the Department of Justice.
The Justice Department announced in a release
on Friday that they arrested 38-year-old Onur Aksoy for allegedly running
multiple stores that sold fraudulent Cisco hardware. The DOJ alleged that Aksoy
imported the fake equipment from China and resold it to customers including hospitals,
schools, government agencies, and the military under the company name “Pro
Network” to make it appear legitimate.
According to a DOJ complaint filed in 2013,
Aksoy bought counterfeit hardware at “95 to 98%” lower than authentic
Cisco products. The counterfeit hardware malfunctioned, damaging the users’
network and operations and costing them tens of thousands of dollars.
Aksoy “allegedly ran at least 19 companies formed in New Jersey and Florida as
well as at least 15 Amazon storefronts, at least 10 eBay storefronts, and
multiple other entities,” the
According to the DOJ statement, between 2014
and 2022, Customs and Border Protection seized 180 shipments of counterfeit
Cisco devices being shipped to Pro Network. Under the alias of “Dave
Durden,” Aksoy falsely submitted paperwork to CBP to avoid investigation.
In July 2021, federal agents obtained a warrant to search Aksoy’s warehouse,
where they seized 1,156 counterfeit Cisco devices valued at over $7 million.
“We are committed to maintaining the
integrity and quality of Cisco products and services. Cisco is grateful to law
enforcement and customs officials for their tremendous collaboration in this
investigation and to the DOJ for bringing the perpetrator to justice,”
Cisco said in a statement to PC Mag.
According to the DOJ, Aksoy is charged with
conspiracy to traffic in counterfeit goods and to commit mail and wire fraud,
three counts of mail fraud, four counts of wire fraud, and three counts of
trafficking in counterfeit goods. Prosecutors have set up a website for anyone
who believes they were a victim of Aksoy’s companies.
The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center of Excellence (NCCoE) has
published volume B of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” and is
seeking the public’s comments on its contents. This guide summarizes how the
NCCoE and its collaborators are using commercially available technology to
build interoperable, open standards-based ZTA example implementations that
align to the concepts and principles in NIST Special Publication (SP) 800-207,
Zero Trust Architecture. As the project progresses, the preliminary draft will
be updated, and additional volumes will also be released for comment.
As an enterprise’s data and resources have become distributed
across the on-premises environment and multiple clouds, protecting them has
become increasingly challenging. Many users need access from anywhere, at any
time, from any device. The NCCoE is addressing these challenges by
collaborating with industry participants to demonstrate several approaches to a
zero trust architecture applied to a conventional, general purpose
enterprise IT infrastructure on premises and in the cloud.
We Want to Hear from You!
The NCCoE is making volume B available as a preliminary draft for
public comment while work continues on the project. Review the preliminary
draft and submit comments online on or before August 8th, 2022.
We welcome your input and look forward to your comments. We invite
you to join nccoe-zta-coi@list.nist.gov to receive
news and updates about this project.
This Public Service Announcement is an update and companion piece to Business Email Compromise PSA I-091019-PSA posted on www.ic3.gov. This PSA includes new Internet Crime Complaint Center complaint information and updated statistics from October 2013 to December 2021.
DEFINITION
Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.
The scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets.
STATISTICAL DATA
The BEC/EAC scam continues to grow and evolve, targeting small local businesses to larger corporations, and personal transactions. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars. This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually.
The BEC scam has been reported in all 50 states and 177 countries, with over 140 countries receiving fraudulent transfers. Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which ranked in the top two destinations in previous years, ranked third in 2021 followed by Mexico and Singapore.
The following BEC/EAC statistics were reported to the FBI IC3, law enforcement and derived from filings with financial institutions between June 2016 and December 2021:
* Domestic and international incidents: 241,206
* Domestic and international exposed dollar loss: $43,312,749,946
The following BEC/EAC statistics were reported in victim complaints to the IC3 between October 2013 and December 2021:
* Total U.S. victims: 116,401
* Total U.S. exposed dollar loss: $14,762,978,290
* Total non-U.S. victims: 5,260
* Total non-U.S. exposed dollar loss: $1,277,131,099
The following statistics were reported in victim complaints to the IC3 between June 2016 and December 2021:
* Total U.S. financial recipients: 59,324
* Total U.S. financial recipient exposed dollar loss: $9,153,274,323
* Total non-U.S. financial recipients: 19,731
* Total non-U.S. financial recipient exposed dollar loss: $7,859,268,158
BEC AND CRYPTOCURRENCY
The IC3 has received an increased number of BEC complaints involving the use of cryptocurrency. Cryptocurrency is a form of virtual asset that uses cryptography (the use of coded messages to secure communications) to secure financial transactions and is popular among illicit actors due to the high degree of anonymity associated with it and the speed at which transactions occur.
The IC3 tracked two iterations of the BEC scam where cryptocurrency was utilized by criminals: a direct transfer to a cryptocurrency exchange (CE), or a “second hop” transfer to a CE. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency.
DIRECT TRANSFER – Mirrors the traditional pattern of BEC incidents in the past.
SECOND HOP TRANSFER – Uses victims of other cyber-enabled scams such as Extortion, Tech Support, and Romance Scams. Often, these individuals provided copies of identifying documents such as driver’s licenses, passports, etc., that are used to open cryptocurrency wallets in their names.
In the past, the use of cryptocurrency was regularly reported in other crime types seen at the IC3 (e.g., tech support, ransomware, employment), however, it was not identified in BEC-specific crimes until 2018. By 2019, reports had increased, culminating in the highest numbers to-date in 2021 with just over $40M in exposed losses. Based on the increasing data received, the IC3 expects this trend to continue growing in the coming years.
SUGGESTIONS FOR PROTECTION
* Use secondary channels or two-factor authentication to verify requests for changes in account information.
* Ensure the URL in emails is associated with the business/individual it claims to be from.
* Be alert to hyperlinks that may contain misspellings of the actual domain name.
* Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
* Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
* Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
* Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
* If you discover you are the victim of a fraud incident, immediately contact your financial institution to request a recall of funds. Regardless of the amount lost, file a complaint with www.ic3.gov or, for BEC/EAC victims, BEC.ic3.gov, as soon as possible.
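As an added example (not part of the IC3 PSA), the following Python check automates the domain-related suggestions above: it folds common character substitutions in sender and link domains, compares them against an allow-list of trusted domains, and flags a Reply-To whose domain differs from the visible From address. The trusted-domain list and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplecorp.com", "examplebank.com"}  # constructed allow-list
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def levenshtein(a, b):
    # Classic edit distance; a distance of 1 or 2 signals a typosquatted domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain):
    # Fold common visual substitutions (rn->m, vv->w, 0->o, 1->l, 3->e, 5->s).
    d = domain.lower().rstrip(".").replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))

def lookalike_of(domain):
    # Return the trusted domain this one imitates, or None if trusted/unrelated.
    d = domain.lower().rstrip(".")
    if any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the genuine domain or one of its subdomains
    n = normalize(d)
    for t in TRUSTED_DOMAINS:
        # folded match, a short edit away, or trusted label buried in a longer name
        if n == t or levenshtein(n, t) <= 2 or t.split(".")[0] in n:
            return t
    return None

def check_message(raw):
    # From/Reply-To/URL domains imitating a trusted one, plus From/Reply-To mismatch.
    msg = message_from_string(raw)
    domains = {h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2] for h in ("From", "Reply-To")}
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts = [(h + " domain", d) for h, d in domains.items() if d]
    hosts += [("URL host", urlparse(u).hostname or "") for u in URL_RE.findall(body)]
    findings = [f"{label} {d} imitates {hit}" for label, d in hosts if (hit := lookalike_of(d))]
    if domains["From"] and domains["Reply-To"] and domains["From"] != domains["Reply-To"]:
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample: homoglyph Reply-To (rn for m) and two lookalike links.
SAMPLE_EMAIL = """\
From: "A. Chief" <ceo@examplecorp.com>
Reply-To: ceo@exarnplecorp.com

Please update the vendor account today. Confirm at
https://examplecorp-secure.com/confirm and review http://examp1ebank.com/wire
"""
```

Running `check_message(SAMPLE_EMAIL)` returns four findings: the Reply-To homoglyph domain, both lookalike link hosts, and the From/Reply-To mismatch.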