FYI
- Home Depot breach costs community banks $90M - Community banks
took a hit in the aftermath of the Home Depot breach, absorbing more
than $90 million in costs to reissue close to 7.5 million payment
cards, according to the Independent Community Bankers of America
(ICBA).
http://www.scmagazine.com/home-depot-breach-costs-community-banks-90m/article/389705/
FYI
- Security in 2015: Will you care about the next big breach? - From
Target to Home Depot to JPMorgan, this year was a bad one for
massive security breaches. Expect more of the same next year.
http://www.cnet.com/news/security-in-2015-will-you-care-about-the-next-big-breach/
FYI
- DNS attacks putting organizations at risk, survey finds - More
than 75 percent of organizations in the U.S. and U.K. have
experienced at least one DNS attack, and 66 percent of organizations
in the U.S. experienced a DNS attack within the last 12 months.
http://www.scmagazine.com/ddos-attacks-mask-crime/article/389815/
FYI
- Weak server entry point in JPMorgan Chase breach - The hackers
that breached JPMorgan Chase over the summer likely got in through a
neglected server that the bank's IT security staff had failed to
upgrade to two-factor authentication, according to a report in the
New York Times.
http://www.scmagazine.com/server-not-upgraded-two-factor-authentication/article/389703/
http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=0
FYI
- About 13K credentials, credit cards reportedly leaked by hacker
group - Roughly 13,000 usernames and passwords – as well as credit
card numbers, expiration dates and video game registration codes –
were reportedly leaked on the day after Christmas by a hacker group
referring to itself as 'Anonymous.'
http://www.scmagazine.com/about-13k-credentials-credit-cards-reportedly-leaked-by-hacker-group/article/390183/
FYI
- Nvidia asks employees to change usernames and passwords following
data breach - Following “unauthorized access” to its computer
network, Santa Clara, Calif.-based technology firm Nvidia is asking
employees to change the usernames and passwords of their company
accounts.
http://www.scmagazine.com/nvidia-asks-employees-to-change-usernames-and-passwords-following-data-breach/article/390180/
FYI
- DoJ's new cybersecurity office to aid in worldwide investigations
- The Justice Department is taking its cyber crime-fighting efforts
to a new level with the addition of a new cybersecurity unit.
http://www.federalnewsradio.com/489/3769859/DoJs-new-cybersecurity-office-to-aid-in-worldwide-investigations
FYI
- Watchdog Says Secret Service Misses the Bar on Cybersecurity - The
Secret Service, no stranger to security lapses, is being dinged by
an internal auditor for not requiring two-step verification to
access agency networks and for ignoring governmentwide rules for
continuously monitoring network security.
http://www.nextgov.com/cybersecurity/2014/12/secret-service-misses-bar-cybersecurity/101979/?oref=ng-channeltopstory
FYI
- Researchers investigate, suggest fired employees assisted in Sony
hack - Researchers are saying that one or more former employees may
have aided in the massive hack of Sony.
http://www.scmagazine.com/one-or-more-former-employees-may-have-aided-in-hack/article/390385/
FYI
- FBI searching for cyber experts to become special agents - The FBI
is in search of cybersecurity professionals interested in becoming
special agents.
http://www.scmagazine.com/fbi-searching-for-cyber-experts-to-become-special-agents/article/390362/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Cyberattack fells German iron plant - A German iron plant
experienced a cyberattack that caused physical damage, according to
a report on Wednesday from a German federal agency.
http://www.scmagazine.com/cyberattack-fells-german-iron-plant/article/389718/
FYI
- Flaw in vendor database, info on more than 7,000 veterans possibly
exposed - The U.S. Department of Veterans Affairs (VA) is notifying
more than 7,000 individuals that their personal information may be
at risk after a flaw was discovered in a database managed by a home
telehealth services vendor.
http://www.scmagazine.com/flaw-in-vendor-database-info-on-more-than-7000-veterans-possibly-exposed/article/390172/
FYI
- ISC website compromised, possibly due to vulnerable WordPress
plugin - The Internet Systems Consortium (ISC) website – a WordPress
site – was quickly taken down last week after researchers at Cyphort
Labs notified the open source software provider that its main page
had been modified and was ultimately redirecting visitors to the
Angler Exploit Kit.
http://www.scmagazine.com/isc-website-compromised-possibly-due-to-vulnerable-wordpress-plugin/article/390192/
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Banking Supervision.
Sound Authorization Practices for E-Banking Applications
1. Specific authorization and access privileges should be
assigned to all individuals, agents or systems that conduct
e-banking activities.
2. All e-banking systems should be constructed to ensure that they
interact with a valid authorization database.
3. No individual, agent or system should have the authority to
change his or her own authority or access privileges in an
e-banking authorization database.
4. Any addition of an individual, agent or system or changes to
access privileges in an e-banking authorization database should be
duly authorized by an authenticated source empowered with the
adequate authority and subject to suitable and timely oversight and
audit trails.
5. Appropriate measures should be in place in order to make
e-banking authorization databases reasonably resistant to tampering.
Any such tampering should be detectable through ongoing monitoring
processes. Sufficient audit trails should exist to document any such
tampering.
6. Any e-banking authorization database that has been tampered with
should not be used until replaced with a validated database.
7. Controls should be in place to prevent changes to authorization
levels during e-banking transaction sessions and any attempts to
alter authorization should be logged and brought to the attention of
management.
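The seven practices above can be read as a specification. The following is an added illustration written for this newsletter, not code from the Basel paper: a small authorization store that refuses to be used when its integrity seal fails (practices 2, 5 and 6), refuses self-modification (3), requires an access-management privilege and records every attempt (4), and refuses changes to a principal with an open session while flagging the attempt for management (7). The privilege names, the assumption that the HMAC seal key is held outside the database host (an HSM or KMS), and the list standing in for the channel to management are all assumptions made for the example.

```python
# Added example: an authorization store enforcing the Basel practices above.
# Not from the Basel paper; privilege names, the seal-key location and the
# "management_alerts" list are assumptions made for illustration.
import hashlib
import hmac
import json
import time

MANAGE_PRIV = "admin.manage_access"  # required to change anyone's access (practice 4)


class AuthorizationError(Exception):
    pass


class AuthorizationDB:
    """Maps principals (individuals, agents, systems) to privilege sets.

    Every authorized change re-seals the table with an HMAC whose key is assumed
    to live outside the database host, so an attacker who edits the table
    directly cannot produce a valid seal and the edit is detected (practice 5).
    """

    def __init__(self, seal_key: bytes, bootstrap_admin: str):
        self._seal_key = seal_key
        self._entries = {bootstrap_admin: {MANAGE_PRIV}}
        self._sessions = set()        # principals with an open e-banking session
        self.audit = []               # practices 4/5: trail of every attempt, allowed or not
        self.management_alerts = []   # practice 7: attempts that must reach management
        self._seal = self._compute_seal()

    def _compute_seal(self) -> bytes:
        canon = json.dumps({p: sorted(v) for p, v in sorted(self._entries.items())})
        return hmac.new(self._seal_key, canon.encode(), hashlib.sha256).digest()

    def verify(self) -> bool:
        """Practice 5: tampering outside the authorized path is detectable."""
        return hmac.compare_digest(self._seal, self._compute_seal())

    def _require_intact(self):
        if not self.verify():  # practices 2 and 6: a tampered database must not be used
            raise AuthorizationError("authorization database failed integrity check; replace it")

    def _log(self, **fields):
        fields["ts"] = time.time()
        self.audit.append(fields)

    def privileges(self, principal: str) -> frozenset:
        self._require_intact()
        return frozenset(self._entries.get(principal, ()))

    def set_privileges(self, actor: str, target: str, privs: set):
        """`actor` is assumed to have been authenticated already by the caller (practice 4)."""
        self._require_intact()
        entry = dict(action="set_privileges", actor=actor, target=target, requested=sorted(privs))
        if actor == target:                                    # practice 3
            self._log(result="denied:self", **entry)
            raise AuthorizationError("no principal may change its own privileges")
        if MANAGE_PRIV not in self._entries.get(actor, ()):    # practice 4
            self._log(result="denied:unauthorized", **entry)
            raise AuthorizationError(f"{actor} lacks access-management authority")
        if target in self._sessions:                           # practice 7
            self._log(result="denied:active_session", **entry)
            self.management_alerts.append(entry)
            raise AuthorizationError(f"{target} has an active session; change refused")
        before = sorted(self._entries.get(target, ()))
        self._entries[target] = set(privs)
        self._seal = self._compute_seal()                      # re-seal after an authorized change
        self._log(result="ok", before=before, **entry)

    def open_session(self, principal: str) -> frozenset:
        """Privileges are fixed for the life of the session (practice 7)."""
        self._require_intact()
        self._sessions.add(principal)
        return self.privileges(principal)

    def close_session(self, principal: str):
        self._sessions.discard(principal)
```

The seal covers the whole table rather than individual rows so that deleting a row, not just editing one, also breaks it; in a real deployment the verification would run on a schedule and on every read, which is the "ongoing monitoring" practice 5 asks for.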
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Honeypots
A honeypot is a network device that the institution uses to
attract attackers to a harmless and monitored area of the network.
Honeypots have three key advantages over network and host IDS
systems. Since the honeypot's only function is to be attacked, any
network traffic to or from the honeypot potentially signals an
intrusion. Monitoring that traffic is simpler than monitoring all
traffic passing a network IDS. Honeypots also collect very little
data, and all of that data is highly relevant. Network IDS systems
gather vast amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack. Finally,
unlike IDS, a honeypot does not pass packets without inspection when
under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective unless
they are attacked. Consequently, organizations that use honeypots
for detection usually make the honeypot look attractive to an
attacker. Attractiveness may be in the name of the device, its
apparent capabilities, or in its connectivity. Since honeypots are
ineffective unless they are attacked, they are typically used to
supplement other intrusion detection capabilities.
Honeypots also introduce the risk of being compromised without
triggering an alarm, then becoming staging grounds for attacks on
other devices. The level of risk is dependent on the degree of
monitoring, capabilities of the honeypot, and its connectivity. For
instance, a honeypot that is not rigorously monitored, that has
excellent connectivity to the rest of the institution's network, and
that has varied and easy-to-compromise services presents a high
risk to the confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a honeypot that
is rigorously monitored and whose sole capability is to log
connections and issue bogus responses to the attacker, while
signaling outside the system to the administrator, demonstrates much
lower risk.
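The low-risk honeypot the booklet describes, as an added example written for this newsletter (not FFIEC code): it accepts a connection, answers with a bogus banner, reads at most a few hundred bytes without acting on them, and reports each connection out of band so that a compromise of the honeypot itself cannot silence the alert. The banner text, the listening port, the hostname and the syslog collector address are assumptions.

```python
# Added example: a low-interaction honeypot that only logs, answers with a bogus
# banner and signals an external collector. Banner, port and collector address
# are assumptions; nothing the peer sends is ever executed or replayed.
import json
import socket
import socketserver
import time

FAKE_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"  # bogus response; looks like an old, tempting sshd
MAX_READ = 512                             # never buffer more than this from a peer
SYSLOG_COLLECTOR = ("10.0.0.5", 514)       # assumed out-of-band collector (UDP syslog)


def record_probe(peer_ip: str, peer_port: int, first_bytes: bytes, ts: float = None) -> dict:
    """One event per connection. Any traffic at all is an indicator, so severity is fixed."""
    return {
        "ts": time.time() if ts is None else ts,
        "type": "honeypot_probe",
        "src": f"{peer_ip}:{peer_port}",
        "bytes": len(first_bytes),
        "sample": first_bytes[:64].decode("ascii", "replace"),
        "severity": "high",
    }


def syslog_line(event: dict, host: str = "honeypot1") -> bytes:
    """RFC 3164 style line. PRI = facility*8 + severity; local0 (16), alert (1) -> 129."""
    pri = 16 * 8 + 1
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(event["ts"]))
    return f"<{pri}>{stamp} {host} honeypot: {json.dumps(event, sort_keys=True)}".encode()


def send_out_of_band(event: dict, collector=SYSLOG_COLLECTOR) -> None:
    """Signal a system other than the honeypot, so its compromise cannot hide the alert."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(syslog_line(event), collector)


class ProbeHandler(socketserver.BaseRequestHandler):
    alert = staticmethod(send_out_of_band)  # swapped for an in-memory sink in tests

    def handle(self):
        self.request.settimeout(5)
        try:
            self.request.sendall(FAKE_BANNER)
            data = self.request.recv(MAX_READ)  # read once, never act on the content
        except OSError:
            data = b""
        ip, port = self.client_address[:2]
        self.alert(record_probe(ip, port, data))


def serve(host: str = "0.0.0.0", port: int = 2222) -> None:
    """Bind on a dedicated, firewalled segment: the honeypot must not reach internal hosts."""
    with socketserver.ThreadingTCPServer((host, port), ProbeHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it as an unprivileged user on a host with no route to production systems, and have the collector, not the honeypot, raise the page: that is the "signaling outside the system" the booklet treats as the difference between a low-risk and a high-risk deployment.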
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 19 - CRYPTOGRAPHY
19.1.1 Secret Key Cryptography
In secret key cryptography, two (or more) parties share the same
key, and that key is used to encrypt and decrypt data. As the name
implies, secret key cryptography relies on keeping the key secret.
If the key is compromised, the security offered by cryptography is
severely reduced or eliminated. Secret key cryptography assumes that
the parties who share a key rely upon each other not to disclose the
key and protect it against modification.
Secret key cryptography has been in use for centuries. Early forms
merely transposed the written characters to hide the message.
The best known secret key system is the Data Encryption Standard
(DES), published by NIST as Federal Information Processing Standard
(FIPS) 46-2. Although the adequacy of DES has at times been
questioned, these claims remain unsubstantiated, and DES remains
strong. It is the most widely accepted, publicly available
cryptographic system today. The American National Standards
Institute (ANSI) has adopted DES as the basis for encryption,
integrity, access control, and key management standards. (Editor's
note: the Handbook text dates from 1995. A 56-bit DES key has been
recoverable by brute force since 1998; NIST withdrew the DES
standard, by then FIPS 46-3, in 2005 and designated AES, FIPS 197,
as its replacement. Do not read "remains strong" as current
guidance.)
The Escrowed Encryption Standard,
published as FIPS 185, also makes use of a secret key system.
19.1.2 Public Key Cryptography
Public key cryptography is a modern invention and requires the use
of advanced mathematics.
Whereas secret key cryptography uses
a single key shared by two (or more) parties, public key
cryptography uses a pair of keys for each party. One of the
keys of the pair is "public" and the other is "private." The public
key can be made known to other parties; the private key must be kept
confidential and must be known only to its owner. Both keys,
however, need to be protected against modification.
Public key cryptography is
particularly useful when the parties wishing to communicate cannot
rely upon each other or do not share a common key. There are several
public key cryptographic systems. One of the first public key
systems is RSA, which can provide many different security services.
The Digital Signature Standard (DSS), described later in the
chapter, is another example of a public key system.
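To make the contrast between 19.1.1 and 19.1.2 concrete, here is an added example written for this newsletter (not from the NIST Handbook) that puts both systems side by side: on the secret-key side, two parties hold one key that both encrypts and authenticates, so either party can read and forge; on the public-key side, each party holds a pair, the public half can be handed to anyone, and only the private half can decrypt or sign. The secret-key part uses an HMAC-SHA256 keystream in counter mode with an HMAC tag, chosen so the example needs only the standard library; it is illustrative and not a standardized cipher. The public-key part is textbook RSA with freshly generated primes and no padding, which is adequate to show who holds which key but is not how RSA is used in practice (real systems use OAEP for encryption and PSS or PKCS#1 v1.5 for signatures from a vetted library). The message texts are constructed for the example.

```python
# Added example: secret-key vs public-key cryptography side by side.
# Standard library only. The keystream construction and textbook RSA are
# illustrative, not production primitives; the point is who holds which key.
import hashlib
import hmac
import secrets

# ---------- secret key: one key, shared by both parties, encrypts and decrypts ----------

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:  # HMAC as a PRF in counter mode (illustrative construction)
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# ---------- public key: a (public, private) pair per party ----------

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 1024):
    """Returns (public, private) = ((e, n), (d, n)). Textbook RSA, no padding."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_encrypt(pub, message: bytes) -> int:
    e, n = pub
    m = int.from_bytes(message, "big")
    assert 0 < m < n  # message must be below the modulus and not start with a zero byte
    return pow(m, e, n)

def rsa_decrypt(priv, c: int) -> bytes:
    d, n = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def rsa_sign(priv, message: bytes) -> int:   # only the private-key holder can do this
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def rsa_verify(pub, message: bytes, sig: int) -> bool:  # anyone with the public key can
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

if __name__ == "__main__":
    shared = secrets.token_bytes(32)                       # both parties must protect this
    print(sym_decrypt(shared, sym_encrypt(shared, b"Pay 100 to acct 42")))
    pub, priv = rsa_keygen()                               # pub can be published
    print(rsa_decrypt(priv, rsa_encrypt(pub, b"Pay 100 to acct 42")))
    print(rsa_verify(pub, b"Pay 100 to acct 42", rsa_sign(priv, b"Pay 100 to acct 42")))
```

The asymmetry the Handbook points at is visible in the last two functions: with the shared secret, whoever can verify a tag can also produce one, so the parties must trust each other; with the key pair, verification needs nothing secret, which is why a signature can be checked by a party the signer has never exchanged a key with.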