FYI - NJ law requires health insurance carriers to
encrypt sensitive data - New Jersey has passed a law requiring
health insurance carriers to encrypt sensitive patient data.
FYI - Warning over data
grabbed by smart gadgets - A "deeply personal" picture of every
consumer could be grabbed by futuristic smart gadgets, the chair of
the US Federal Trade Commission has warned.
FYI - Manhattan District
Attorney speaks out against default device encryption -
Device-makers should be required to give law enforcement access to
users' data, Manhattan District Attorney Cyrus Vance said earlier
FYI - Congressman presses
KeyPoint for answers following data breach - A ranking member of the
House Committee on Oversight and Government Reform is seeking for
answers regarding the KeyPoint Government Solutions data breach that
impacted more than 40,000 federal workers.
FYI - Zappos must pay $106K
post-breach - Zappos must pay nine states $106,000 in a settlement
reached after a 2012 data breach potentially exposed data on a
server that contained information on the online shoe retailer's 24
FYI - Obama to call for
national breach notification law, student privacy bill - President
Obama will continue to apply his influence (and pen) to jump-start
the legislative process on key issues, this time by proposing a pair
of laws aimed at creating federal data breach legislation as well as
protecting the privacy of student data.
FYI - UK PM looking to outlaw
encrypted online communication - UK Prime Minister David Cameron
wants to legislate against forms of communication that cannot be
read by law-enforcement and intelligence agencies.
FYI - Energy Department
releases energy sector cybersecurity framework - Energy companies
and utilities should develop risk management strategies and
incorporate cyber best practices into their security procedures,
according to voluntary guidance released by the Energy Department.
FYI - Ex-Microsoft Bug Bounty
dev forced to decrypt laptop for Paris airport official - Airside
Clouseau in search of something, anything - Paris airport security
went one step further than simply asking a security expert to power
up her laptop - they requested she type in her password to decrypt
her hard drive and log into the machine.
FYI - Track down hacks with
log files - Any system can collect logs, but most security
operations do a poor job of filtering them to find evidence of
malicious activity. Here's where to start - Most malicious computer
attacks leave telltale evidence in the victim's security event logs.
The Verizon Data Breach Investigation Reports have been bringing
word on this for many years.
FYI - Survey: most orgs not
very prepared to recover IT assets following a disaster - A cloud
services company conducted its “2015 Disaster Recovery & Business
Continuity Survey” with more than 2,000 executive and IT
professionals, and, in the end, learned that less than half feel
very prepared to recover their IT and related assets following a
disaster or other incident.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Got an Asus router?
Someone on your network can probably hack it - Root command
execution bug invades most wireless routers. If you're running an
Asus wireless router, chances are good that someone inside your
network can take full administrative control of it thanks to a
currently unpatched vulnerability in virtually all versions of the
firmware, a security researcher said.
FYI - Hackers steal $5M in
bitcoin currency during Bitstamp exchange attack - Attackers made
off with approximately $5 million worth of bitcoins after hacking
the Bitstamp exchange over the weekend.
FYI - Pro-ISIS attackers
compromise U.S. Central Command Twitter and YouTube accounts - U.S.
Central Command confirmed to SCMagazine.com that two of its social
media accounts were hacked on Monday afternoon.
FYI - Computer stolen,
contained info on 1,000 Inland Empire Health Plan members -
California-based Inland Empire Health Plan (IEHP) is notifying more
than a thousand members that an unencrypted, password protected
desktop computer containing personal information was stolen from
Children's Eyewear Sight, a participating provider with IEHP that
provides vision services.
FYI - A Cyberattack Has Caused
Confirmed Physical Damage for the Second Time Ever - Amid all the
noise the Sony hack generated over the holidays, a far more
troubling cyber attack was largely lost in the chaos. Unless you
follow security news closely, you likely missed it.
FYI - Stolen credentials used
to access United Airlines' MileagePlus accounts - The login
credentials came from an unidentified third party - Three dozen
loyalty accounts belonging to United Airlines customers saw
fraudulent transactions after hackers used login credentials
collected from an unknown source.
FYI - POS malware threatens
payment cards used at Marriott in California - Texas-based hotel
management company Presidian is notifying an undisclosed number of
individuals that malware was found on three point-of-sale (POS)
terminals used at food and beverage outlets in the Visalia Marriott
at the Convention Center in California, and their payment card
information may have been compromised.
FYI - Payment cards used on
Park 'N Fly website are at risk - Georgia-based parking operator
Park ‘N Fly (PNF) is notifying an undisclosed number of individuals
of a security compromise involving payment card data processed
through the PNF e-commerce website.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Sound Practices to Help Maintain the Privacy of Customer
1. Banks should employ appropriate cryptographic techniques,
specific protocols or other security controls to ensure the
confidentiality of customer e-banking data.
2. Banks should develop appropriate procedures and controls to
periodically assess its customer security infrastructure and
protocols for e-banking.
3. Banks should ensure that its third-party service providers have
confidentiality and privacy policies that are consistent with their
4. Banks should take appropriate steps to inform e-banking customers
about the confidentiality and privacy of their information. These
steps may include:
on the bank's website. Clear, concise language in such statements is
essential to assure that the customer fully understands the privacy
policy. Lengthy legal descriptions, while accurate, are likely to go
unread by the majority of customers.
b) Instructing customers on the need to protect their
passwords, personal identification numbers (PINs) and other banking
and/or personal data.
c) Providing customers with information regarding the general
security of their personal computer, including the benefits of using
virus protection software, physical access controls and personal
firewalls for static Internet connections.
the top of the newsletter
FFIEC IT SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 1 of 2)
Intrusion detection by itself does not mitigate risks of an
intrusion. Risk mitigation only occurs through an effective and
timely response. The goal of the response is to minimize damage to
the institution and its customers through containment of the
intrusion, and restoration of systems.
The response primarily involves people rather then technologies. The
quality of intrusion response is a function of the institution's
culture, policies and procedures, and training.
Preparation determines the success of any intrusion response.
Preparation involves defining the policies and procedures that guide
the response, assigning responsibilities to individuals and
providing appropriate training, formalizing information flows, and
selecting, installing, and understanding the tools used in the
response effort. Key considerations that directly affect the
institution's policies and procedures include the following:
! How to balance concerns regarding availability, confidentiality,
and integrity, for devices and data of different sensitivities. This
consideration is a key driver for a containment strategy and may
involve legal and liability considerations. An institution may
decide that some systems must be disconnected or shut down at the
first sign of intrusion, while others must be left on line.
! When and under what circumstances to invoke the intrusion response
activities, and how to ensure the proper personnel are available and
! How to control the frequently powerful intrusion identification
and response tools.
! When to involve outside experts and how to ensure the proper
expertise will be available when needed. This consideration
addresses both the containment and the restoration strategy.
! When and under what circumstances to involve regulators,
customers, and law enforcement. This consideration drives certain
monitoring decisions, decisions regarding evidence-gathering and
preservation, and communications considerations.
! Which personnel have authority to perform what actions in
containment of the intrusion and restoration of the systems. This
consideration affects the internal communications strategy, the
commitment of personnel, and procedures that escalate involvement
and decisionswithin the organization.
! How and what to communicate outside the organization, whether to
law enforcement, customers, service providers, potential victims,
and others. This consideration drives the communication strategy,
and is a key component in mitigating reputation risk.
! How to document and maintain the evidence, decisions, and actions
! What criteria must be met before compromised services, equipment
and software are returned to the network.
! How to learn from the intrusion and use those lessons to improve
the institution's security.
! How and when to prepare and file a Suspicious Activities Report
Return to the top of
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 19 - CRYPTOGRAPHY
19.2 Uses of Cryptography
Cryptography is used to
protect data both
inside and outside the boundaries of a computer system. Outside the
computer system, cryptography is sometimes the
only way to protect
data. While in a computer system, data is normally protected with
logical and physical access controls (perhaps supplemented by
cryptography). However, when in transit across communications lines
or resident on someone else's computer, data cannot be protected by
the originator's logical or physical access controls. Cryptography
provides a solution by protecting data even when the data is no
longer in the control of the originator.
19.2.1 Data Encryption
One of the best ways to obtain
cost-effective data confidentiality is through the use of
encryption. Encryption transforms intelligible data, called
plaintext, into an
unintelligible form, called ciphertext.
This process is reversed through the process of decryption. Once
data is encrypted, the ciphertext does not have to be protected
against disclosure. However, if ciphertext is modified, it will not
Both secret key and public key cryptography can be
used for data encryption although not all public key algorithms
provide for data encryption.
To use a secret key algorithm, data is encrypted
using a key. The same key must be used to decrypt the data.
When public key cryptography is used for
encryption, any party may use any other party's public key to
encrypt a message; however, only the party with the corresponding
private key can decrypt, and thus read, the message.
Since secret key encryption is typically much
faster, it is normally used for encrypting larger amounts of data.
In computer systems, it is not always
possible for humans to scan information to determine if data has
been erased, added, or modified. Even if scanning were possible, the
individual may have no way of knowing what the correct data should
be. For example, "do" may be changed to "do not," or $1,000 may be
changed to $10,000. It is therefore desirable to have an automated
means of detecting both
intentional and unintentional modifications of data.
While error detecting codes have long been used in
communications protocols (e.g., parity bits), these are more
effective in detecting (and correcting) unintentional modifications.
They can be defeated by adversaries. Cryptography can effectively
detect both intentional and unintentional modification; however,
cryptography does not protect files from being modified. Both secret
key and public key cryptography can be used to ensure integrity.
Although newer public key methods may offer more flexibility than
the older secret key method, secret key integrity verification
systems have been successfully integrated into many applications.
When secret key cryptography is used, a
message authentication code (MAC) is calculated from and appended to
the data. To verify that the data has not been modified at a later
time, any party with access to the correct secret key can
recalculate the MAC. The new MAC is compared with the original MAC,
and if they are identical, the verifier has confidence that the data
has not been modified by an unauthorized party. FIPS 113,
Computer Data Authentication,
specifies a standard technique for calculating a MAC for integrity
Public key cryptography verifies integrity by
using of public key signatures and secure hashes. A secure hash
algorithm is used to create a message digest. The message digest,
called a hash, is a short form of the message that changes if the
message is modified. The hash is then signed with a private key.
Anyone can recalculate the hash and use the corresponding public key
to verify the integrity of the message.