- Home Depot breach costs community banks $90M - Community banks
took a hit in the aftermath of the Home Depot breach, absorbing more
than $90 million in costs to reissue close to 7.5 million payment
cards, according to the Independent Community Bankers of America
- Security in 2015: Will you care about the next big breach? - From
Target to Home Depot to JPMorgan, this year was a bad one for
massive security breaches. Expect more of the same next year.
- DNS attacks putting organizations at risk, survey finds - More
than 75 percent of organizations in the U.S. and U.K. have
experienced at least one DNS attack, and 66 percent of organizations
in the U.S. experienced a DNS attack within the last 12 months.
- Weak server entry point in JPMorgan Chase breach - The hackers
that breached JPMorgan Chase over the summer likely got in through a
neglected server that the bank's IT security failed to upgrade with
two-factor automation, according to a report in the New York Times.
- About 13K credentials, credit cards reportedly leaked by hacker
group - Roughly 13,000 usernames and passwords – as well as credit
card numbers, expiration dates and video game registration codes –
were reportedly leaked on the day after Christmas by a hacker group
referring to itself as ‘Anonymous.'
- Nvidia asks employees to change usernames and passwords following
data breach - Following “unauthorized access” to its computer
network, Santa Clara, Calif.-based technology firm Nvidia is asking
employees to change the usernames and passwords of their company
- DoJ's new cybersecurity office to aid in worldwide investigations
- The Justice Department is taking its cyber crime-fighting efforts
to a new level with the addition of a new cybersecurity unit.
- Watchdog Says Secret Service Misses the Bar on Cybersecurity - The
Secret Service, no stranger to security lapses, is being dinged by
an internal auditor for not requiring two-step verification to
access agency networks and for ignoring governmentwide rules for
continuously monitoring network security.
- Researchers investigate, suggest fired employees assisted in Sony
hack - Researchers are saying that one or more former employees may
have aided in the massive hack of Sony.
- FBI searching for cyber experts to become special agents - The FBI
is in search of cybersecurity professionals interested in becoming
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Cyberattack fells German iron plant - A German iron plant
experienced a cyberattack that caused physical damage, according to
a report on Wednesday from a German federal agency.
- Flaw in vendor database, info on more than 7,000 veterans possibly
exposed - The U.S. Department of Veterans Affairs (VA) is notifying
more than 7,000 individuals that their personal information may be
at risk after a flaw was discovered in a database managed by a home
telehealth services vendor.
- ISC website compromised, possibly due to vulnerable WordPress
plugin - The Internet Systems Consortium (ISC) website – a WordPress
site – was quickly taken down last week after researchers at Cyphort
Labs notified the open source software provider that its main page
had been modified and was ultimately redirecting visitors to the
Angler Exploit Kit.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Authorization Practices for E-Banking Applications
1. Specific authorization and access privileges should be
assigned to all individuals, agents or systems, which conduct
2. All e-banking systems should be constructed to ensure that they
interact with a valid authorization database.
3. No individual agent or system should have the authority to change
his or her own authority or access privileges in an e-banking
4. Any addition of an individual, agent or system or changes to
access privileges in an e-banking authorization database should be
duly authorized by an authenticated source empowered with the
adequate authority and subject to suitable and timely oversight and
5. Appropriate measures should be in place in order to make
e-banking authorization databases reasonably resistant to tampering.
Any such tampering should be detectable through ongoing monitoring
processes. Sufficient audit trails should exist to document any such
6. Any e-banking authorization database that has been tampered with
should not be used until replaced with a validated database.
7. Controls should be in place to prevent changes to authorization
levels during e-banking transaction sessions and any attempts to
alter authorization should be logged and brought to the attention of
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
A honeypot is a network device that the institution uses to
attract attackers to a harmless and monitored area of the network.
Honeypots have three key advantages over network and host IDS
systems. Since the honeypot's only function is to be attacked, any
network traffic to or from the honeypot potentially signals an
intrusion. Monitoring that traffic is simpler than monitoring all
traffic passing a network IDS. Honeypots also collect very little
data, and all of that data is highly relevant. Network IDS systems
gather vast amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack. Finally,
unlike IDS, a honeypot does not pass packets without inspection when
under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective unless
they are attacked. Consequently, organizations that use honeypots
for detection usually make the honeypot look attractive to an
attacker. Attractiveness may be in the name of the device, its
apparent capabilities, or in its connectivity. Since honeypots are
ineffective unless they are attacked, they are typically used to
supplement other intrusion detection capabilities.
Honeypots also introduce the risk of being compromised without
triggering an alarm, then becoming staging grounds for attacks on
other devices. The level of risk is dependent on the degree of
monitoring, capabilities of the honeypot, and its connectivity. For
instance, a honeypot that is not rigorously monitored, that has
excellent connectivity to the rest of the institution's network, and
that has varied and easy - to - compromise services presents a high
risk to the confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a honeypot that
is rigorously monitored and whose sole capability is to log
connections and issue bogus responses to the attacker, while
signaling outside the system to the administrator, demonstrates much
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
19.1.1 Secret Key
In secret key cryptography, two (or more) parties share the same
key, and that key is used to encrypt and decrypt data. As the name
implies, secret key cryptography relies on keeping the key secret.
If the key is compromised, the security offered by cryptography is
severely reduced or eliminated. Secret key cryptography assumes that
the parties who share a key rely upon each other not to disclose the
key and protect it against modification.
Secret key cryptography has
been in use for centuries. Early forms merely transposed the
written characters to hide the message.
The best known secret key system is
the Data Encryption Standard (DES), published by NIST as
Federal Information Processing Standard (FIPS) 46-2. Although the
adequacy of DES has at times been questioned, these claims remain
unsubstantiated, and DES remains strong. It is the most widely
accepted, publicly available cryptographic system today. The
American National Standards Institute (ANSI) has adopted DES as the
basis for encryption, integrity, access control, and key management
The Escrowed Encryption Standard,
published as FIPS 185, also makes use of a secret key system.
19.1.2 Public Key Cryptography
Public key cryptography is a
modern invention and requires the use of advanced
Whereas secret key cryptography uses
a single key shared by two (or more) parties, public key
cryptography uses a pair of keys for each party. One of the
keys of the pair is "public" and the other is "private." The public
key can be made known to other parties; the private key must be kept
confidential and must be known only to its owner. Both keys,
however, need to be protected against modification.
Public key cryptography is
particularly useful when the parties wishing to communicate cannot
rely upon each other or do not share a common key. There are several
public key cryptographic systems. One of the first public key
systems is RSA, which can provide many different security services.
The Digital Signature Standard (DSS), described later in the
chapter, is another example of a public key system.