- PCI compliance not synonymous with security, panel says - None of
the companies in a soon-to-be released Verizon report that
experienced a data breach “were fully PCI [Payment Card Industry
Data Security Standard] compliant at the time of breach.”
- With crypto in UK crosshairs, secret US report says it’s vital -
Newly reported Edward Snowden document aired as UK prime minister
presses US. As UK Prime Minister David Cameron forges ahead with a
campaign pledge to ban encrypted messaging apps unless his
government is given backdoors, that country's Guardian newspaper has
aired a secret US report warning that government and private
computers were at risk because cryptographic protections aren't
being implemented fast enough.
- Marriott hotels do U-turn over wi-fi hotspot blocks - Hotel group
Marriott International has announced it will stop blocking guests
from using personal wi-fi kits. The firm was fined $600,000
(£395,000) last year by a US watchdog after a complaint that it had
jammed mobile hotspots at a hotel in Nashville.
- Man sentenced to 10 years over $1.2M website domain scam - A
California man has been sentenced to 10 years in prison for running
a website scam that defrauded investors for a total of $1.2 million.
- HITRUST forms working group for medical device, health system
security - The Health Information Trust Alliance (HITRUST) will
develop a working group, which will focus on improving the security
of health information technology, such as systems in use at health
care entities and medical devices.
- Judge caps Schnucks's liability to payment-processing partners in
breach case - A federal judge has capped the liability that Schnuck
Markets' is responsible to pay its payment-processing partners to
$500,000 in relation to its data breach case.
- States pen letter to JPMorgan chief privacy officer requesting
further info on breach - States investigating the data breach at
JPMorgan Chase this past summer are requesting that the bank hand
over detailed information on its security practices and are looking
to confirm whether the bank is sure that no sensitive account data
- NJ law requires health insurance carriers to encrypt sensitive
data - New Jersey has passed a law requiring health insurance
carriers to encrypt sensitive patient data.
- Kansas City Fed tech staff to increase by up to 200 - To support
the work of the nation’s central bank, the Federal Reserve Bank of
Kansas City expects to hire up to 200 technology professionals over
the next three years.
- Most common passwords of 2014 released; '123456' tops list,
again - Again this year, in a pool of more than 3 million leaked
passwords, “123456” and “password” topped the list of the most
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- LinkedIn credentials being harvested via bogus security
notifications - Criminals are targeting LinkedIn users with messages
masquerading as legitimate security alerts in a bid to steal log-in
- About 19K French websites attacked since last week, report says -
Since last week's attacks in France, hacking attempts have been made
against roughly 19,000 French websites, the AP reported on Thursday,
citing Admiral Arnaud Coustilliere, head of cyberdefense for the
- Payment cards targeted in attack on pet supplies website -
Tennessee-based ValuePetSupplies.com is notifying several thousand
customers that unauthorized persons accessed its servers and
installed malicious files to capture personal information –
including payment card data – entered into its website.
- US 'tapped N Korea computers in 2010' report claims - The US knew
North Korea was behind the Sony Pictures hack because it had
secretly infiltrated the country's computer networks in 2010.
- New York Post Twitter account hacked, UPI's compromised, too - The
Twitter account of the New York Post was hacked, and UPI's was also
apparently hit, the latest in a string of attacks that have hit the
social media channels of high-profile organizations.
- Malware found on POS systems at four Wingstop locations -
Texas-based restaurant chain Wingstop is notifying an undisclosed
number of customers that malware was found on point-of-sale (POS)
systems at four locations, and it could have enabled attackers to
capture customer payment card information.
- Over 870K personal records leaked following Australian insurer
breach - Information from a large-scale data breach that impacted
Australian travel insurance company Aussie Travel Cover (ATC) in
December was leaked online by a teenage hacker.
- Minnesota university warns of 'likely' breach - Minnesota-based
Metropolitan State University has issued a notification, alerting
faculty, staff and students that an attacker may have breached its
web server to access a database that contained their personal
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Capacity, Business Continuity and Contingency Planning
Practices for E-Banking
1. All e-banking services and applications, including those provided
by third-party service providers, should be identified and assessed
2. A risk assessment for each critical e-banking service and
application, including the potential implications of any business
disruption on the bank's credit, market, liquidity, legal,
operational and reputation risk should be conducted.
3. Performance criteria for each critical e-banking service and
application should be established, and service levels should be
monitored against such criteria. Appropriate measures should be
taken to ensure that e-banking systems can handle high and low
transaction volume and that system performance and capacity are
consistent with the bank's expectations for future growth in
4. Consideration should be given to developing processing
alternatives for managing demand when e-banking systems appear to be
reaching defined capacity checkpoints.
5. E-banking business continuity plans should be formulated to
address any reliance on third-party service providers and any other
external dependencies required to achieve recovery.
6. E-banking contingency plans should set out a process for
restoring or replacing e-banking processing capabilities,
reconstructing supporting transaction information, and include
measures to be taken to resume availability of critical e-banking
systems and applications in the event of a business disruption.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 2 of 2)
Successful implementation of any response policy and
procedure requires the assignment of responsibilities and training.
Some organizations formalize the response organization with the
creation of a computer security incident response team (CSIRT). The
CSIRT is typically tasked with performing, coordinating, and
supporting responses to security incidents. Due to the wide range of
non-technical issues that are posed by an intrusion, typical CSIRT
membership includes individuals with a wide range of backgrounds and
expertise, from many different areas within the institution. Those
areas include management, legal, public relations, as well as
information technology. Other organizations may outsource some of
the CSIRT functions, such as forensic examinations. When CSIRT
functions are outsourced, institutions should ensure that their
institution's policies are followed by the service provider and
confidentiality of data and systems are maintained.
Institutions can best assess the adequacy of their preparations
While containment strategies between institutions can vary, they
typically contain the following broad elements:
! Isolation of compromised systems, or enhanced monitoring of
! Search for additional compromised systems;
! Collection and preservation of evidence; and
! Communication with affected parties, the primary regulator, and
Restoration strategies should address the following:
! Elimination of an intruder's means of access;
! Restoration of systems, programs and data to a known good state;
! Filing of a Suspicious Activity Report (Guidelines for filing are
included in individual agency guidance); and
! Communication with affected parties.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology
Chapter 19 - CRYPTOGRAPHY
19.2.3 Electronic Signatures
What Is an Electronic Signature?
An electronic signature is a cryptographic
mechanism that performs a similar function to a written
signature. It is used to verify the origin and contents of a
message. For example, a recipient of data (e.g., an e-mail
message) can verify who signed the data and that the data
was not modified after being signed. This also means that
the originator (e.g., sender of an e-mail message) cannot
falsely deny having signed the data.
Today's computer systems store and process
increasing numbers of paper-based documents in electronic form.
Having documents in electronic form permits rapid processing and
transmission and improves overall efficiency. However, approval of a
paper document has traditionally been indicated by a written
signature. What is needed, therefore, is the electronic equivalent
of a written signature that can be recognized as having the same
legal status as a written signature. In addition to the integrity
protections discussed above, cryptography can provide a means of
linking a document with a particular person, as is done with a
written signature. Electronic signatures can use either secret key
or public key cryptography; however, public key methods are
generally easier to use.
signatures provide extremely strong proof that a message has not
been altered and was signed by a specific key.
However, there are other mechanisms besides cryptographic-based
electronic signatures that perform a similar function. These
mechanisms provide some assurance of the origin of a message, some
verification of the message's integrity, or both.
- Examination of the transmission path of a message. When messages
are sent across a network, such as the Internet, the message source
and the physical path of the message are recorded as a part of the
message. These can be examined electronically or manually to help
ascertain the origin of a message.
- Use of a value-added network provider. If two or more parties are
communicating via a third party network, the network provider may be
able to provide assurance that messages originate from a given
source and have not been modified.
statements. The recipient of an electronic message may confirm the
message's origin and contents by sending back an
- Use of audit trails. Audit trails can track the sending of
messages and their contents for later reference.
Simply taking a digital picture of a written
signature does not provide adequate security. Such a digitized
written signature could easily be copied from one electronic
document to another with no way to determine whether it is
legitimate. Electronic signatures, on the other hand, are unique to
the message being signed and will not verify if they are copied to
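As an added example (not from the NIST handbook or this newsletter), the following Go program uses the standard library's Ed25519 signatures to show the properties described in this section: verification succeeds only with the signer's public key over the unmodified document, so a signature copied to another document, a single-bit alteration of the signed document, or a check against a different key all fail. The two documents and the names alice/bob are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Sign binds a signature to these exact message bytes using the
// originator's private key; recipients only ever hold the public key.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Verify checks origin (which key signed) and integrity (msg unchanged) at once.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// DemoCopiedSignature reproduces the handbook's point: a signature lifted
// from one document fails on another, a one-byte alteration of the signed
// document fails, and a check against someone else's key fails.
func DemoCopiedSignature() (original, copied, altered, wrongKey bool, err error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	bobPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	doc1 := []byte("Approve payment of $1,200 to vendor 42")  // constructed
	doc2 := []byte("Approve payment of $12,000 to vendor 42") // constructed
	sig := Sign(alicePriv, doc1)
	original = Verify(alicePub, doc1, sig)
	copied = Verify(alicePub, doc2, sig) // signature moved to another document
	tampered := append([]byte(nil), doc1...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the signed document
	altered = Verify(alicePub, tampered, sig)
	wrongKey = Verify(bobPub, doc1, sig) // verifier holds a different public key
	return
}

func main() {
	o, c, a, w, err := DemoCopiedSignature()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original=%v copied=%v altered=%v wrongKey=%v\n", o, c, a, w)
}
```

Only the first check succeeds; the other three show why a cryptographic signature, unlike a scanned image of a handwritten one, cannot simply be pasted onto a different document.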