FYI - Including gender balance in security: The Journey of a CSO team -
Over 40 percent of personnel on the Akamai InfoSec team are women.
That’s in an industry where, depending on who you ask and how you
measure, somewhere between 10 percent and 15 percent of entry-level
positions are filled by women.
https://www.scmagazine.com/home/security-news/women-in-security/including-gender-balance-in-security-the-journey-of-a-cso-team/
Girls’ cybersecurity contest aims to promote equity, fill worker
shortage - Hundreds of girls in Texas are taking part in a
nationwide cybersecurity competition that starts Monday.
https://www.kxan.com/news/local/travis-county/girls-cybersecurity-contest-aims-to-promote-equity-fill-worker-shortage/
FBI announces new policy to give election officials 'timely'
notification of cyber breaches - The FBI on Thursday announced a new
policy intended to “clarify and guide timely” notification of state
and local election officials of any cyber intrusions, marking a
major shift three years after Russian intrusions during the 2016
elections.
https://thehill.com/policy/cybersecurity/478669-fbi-announces-new-policy-for-notifying-state-local-election-officials-of
Travelex says some in-store systems are back up and running after
ransomware attack - Currency exchange company is gradually bringing
systems back online, and said no customer data has been stolen in
the attack.
https://www.zdnet.com/article/travelex-says-some-in-store-systems-are-back-up-and-running-18-days-after-ransomware-attack/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Aussie P&N bank suffers data breach - The Australian P&N Bank
reported a data breach that exposed detailed and sensitive financial
information on an unspecified number of customers.
https://www.scmagazine.com/home/security-news/data-breach/aussie-pn-bank-suffers-data-breach/
Russia’s Fancy Bear successfully hacked Burisma during impeachment
probe - As the House Intelligence Committee held impeachment
hearings last fall, members of the Russian GRU, known as Fancy Bear,
successfully hacked Burisma, the Ukrainian energy company at the
center of the impeachment investigation.
https://www.scmagazine.com/home/security-news/russias-fancy-bear-successfully-hacked-burisma-during-impeachment-probe/
Mitsubishi Electric discloses June 2019 breach; Tick hacking group
reportedly blamed - Japanese manufacturer Mitsubishi Electric has
acknowledged its discovery last June of a data breach perpetrated by
an unauthorized third party that accessed both personal employee
information and corporate materials.
https://www.scmagazine.com/home/security-news/apts-cyberespionage/mitsubishi-electric-discloses-june-2019-breach-tick-hacking-group-reportedly-blamed/
Hacker leaks more than 515,000 Telnet credentials in forum - A
hacker posted a trove of Telnet credentials for more than 515,000
servers, IoT devices and routers on a hacking forum.
https://www.scmagazine.com/home/security-news/hacker-leaks-more-than-515000-telnet-credentials-in-forum/
Phishing campaign leads to UPS Store data breach - In a data breach
notification letter to customers, The UPS Store has disclosed that
an unauthorized party successfully devised a phishing scheme to gain
entry into the email accounts of numerous store locations.
https://www.scmagazine.com/home/security-news/data-breach/phishing-campaign-leads-to-ups-store-data-breach/
Microsoft database misconfiguration exposes 250M customer support
records - Microsoft last December misconfigured five Elasticsearch
servers – each one containing the same data set of 250 million
customer support records – leaving their information publicly
exposed on the internet, according to researchers.
https://www.scmagazine.com/home/security-news/database-security/microsoft-database-misconfiguration-exposes-250m-customer-support-records/
Malware redirecting visitors found on 2,000 WordPress sites - More
than 2,000 WordPress sites have been infected with malicious
JavaScript that redirects visitors to scam websites and sets the
stage for additional malware to be downloaded at a later time.
https://www.scmagazine.com/home/security-news/malware/malware-redirecting-visitors-found-on-2000-wordpress-sites/
Bezos iPhone compromised by Saudi prince, report finds - An iPhone
belonging to Amazon CEO Jeff Bezos likely was hacked by Saudi
Arabian prince Mohammed bin Salman (MBS) or operatives working on
his behalf, a technical report indicated.
https://www.scmagazine.com/home/security-news/bezos-iphone-compromised-by-saudi-prince-report-finds/
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail
and Internet-Related Fraudulent Schemes (Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as
"phishing" (pronounced "fishing"), are being perpetrated with
increasing frequency, creativity and intensity. Phishing involves
the use of seemingly legitimate e-mail messages and Internet Web
sites to deceive consumers into disclosing sensitive information,
such as bank account information, Social Security numbers, credit
card numbers, passwords, and personal identification numbers (PINs).
The perpetrator of the fraudulent e-mail message may use various
means to convince the recipient that the message is legitimate and
from a trusted source with which the recipient has an established
business relationship, such as a bank. Techniques such as a false
"from" address or the use of seemingly legitimate bank logos, Web
links and graphics may be used to mislead e-mail recipients.
In most phishing schemes, the fraudulent e-mail message will
request that recipients "update" or "validate" their financial or
personal information in order to maintain their accounts, and direct
them to a fraudulent Web site that may look very similar to the Web
site of the legitimate business. These Web sites may include copied
or "spoofed" pages from legitimate Web sites to further trick
consumers into thinking they are responding to a bona fide request.
Some consumers will mistakenly submit financial and personal
information to the perpetrator who will use it to gain access to
financial records or accounts, commit identity theft or engage in
other illegal acts.
The Federal Deposit Insurance Corporation (FDIC) and other
government agencies have also been "spoofed" in the perpetration of
e-mail and Internet-related fraudulent schemes. For example, in
January 2004, a fictitious e-mail message that appeared to be from
the FDIC was widely distributed, and it told recipients that their
deposit insurance would be suspended until they verified their
identity. The e-mail message included a hyperlink to a fraudulent
Web site that looked similar to the FDIC's legitimate Web site and
asked for confidential information, including bank account
information.
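Two of the tells described above, a "from" address that does not match the envelope sender and a link whose visible text shows the legitimate site while the href leads elsewhere, can be checked mechanically on a received message. The following is an added example, not part of the FDIC guidance; the message is constructed and every domain in it is a placeholder.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the From header claims a bank
# domain, Return-Path points elsewhere, and the link text shows the bank's
# URL while the href leads to a lookalike host.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank Security" <alerts@examplebank.example>
Content-Type: text/html

<html><body><p>Validate your account or it will be suspended.</p>
<a href="http://examplebank-verify.example.net/login">https://www.examplebank.example/login</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(addr):
    # Domain part of '<user@host>' or 'user@host', lower-cased.
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()

def phishing_indicators(raw):
    """Return a list of indicator strings found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    from_dom = domain_of(msg["From"].addresses[0].addr_spec)
    rp = msg.get("Return-Path")  # envelope sender recorded by the receiving MTA
    if rp and domain_of(rp) != from_dom:
        found.append(f"Return-Path domain {domain_of(rp)} != From domain {from_dom}")
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in parser.links:
        shown = urlparse(text).hostname if "://" in text else None  # skip "click here"
        if shown and shown != urlparse(href).hostname:
            found.append(f"link text shows {shown} but points to {urlparse(href).hostname}")
    return found
```

A mismatch on either check is an indicator for review, not proof of fraud: legitimate bulk mail is often relayed through a third-party domain, so the sender check is most useful combined with the link check.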
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 1 of 4)
Automated intrusion detection systems (IDS) use one of two
methodologies: signature-based or heuristic detection. An IDS can target either
network traffic or a host. The signature-based methodology is
generally used on network traffic. An IDS that uses a
signature-based methodology reads network packets and compares the
content of the packets against signatures, or unique
characteristics, of known attacks and known anomalous network
traffic. When a match is recognized between current readings and a
signature, the IDS generates an alert.
A general weakness in the signature-based detection method is
that a signature must exist for an alert to be generated. Attacks
that generate different signatures from what the institution
includes in its IDS will not be detected. This problem can be
particularly acute if the institution does not continually update
its signatures to reflect lessons learned from attacks on itself and
others, as well as developments in attack tool technologies. It can
also pose problems when the signatures only address known attacks,
rather than both known attacks and anomalous traffic. Another
general weakness is in the capacity of the IDS to read traffic. If
the IDS falls behind in reading network traffic, traffic may be
allowed to bypass the IDS. That traffic may contain attacks that
would otherwise cause the IDS to issue an alert.
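To make the two methodologies and the two weaknesses concrete, here is an added example (not from the FFIEC booklet) that runs a small signature set and a baseline heuristic over constructed request lines, and models a sensor that cannot keep up with arrivals. The signature, the thresholds (3x baseline length, 2x baseline punctuation density) and the per-window capacity model are assumptions chosen for illustration.

```python
import re

# Constructed sample "packets" (HTTP request lines), not captured traffic.
PACKETS = [
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /cgi-bin/../../etc/passwd HTTP/1.1",      # old, well-known attack
    "GET /search?q=" + "%41" * 200 + " HTTP/1.1",  # newer attack, no signature yet
    "GET /about.html HTTP/1.1",
]
BASELINE = [PACKETS[0], PACKETS[1], PACKETS[4]]  # traffic known to be benign

# Signature set: one regex per known attack pattern (assumed for this example).
SIGNATURES = {"path-traversal": re.compile(r"\.\./\.\./etc/passwd")}

def signature_alerts(packets):
    """Signature method: alert only where a packet matches a stored signature."""
    return [(i, name) for i, p in enumerate(packets)
            for name, rx in SIGNATURES.items() if rx.search(p)]

def punct_ratio(p):
    """Share of characters that are neither alphanumeric nor a space."""
    return sum(not c.isalnum() and c != " " for c in p) / len(p)

def heuristic_alerts(packets, baseline=BASELINE):
    """Heuristic method: alert where a packet departs from the benign baseline,
    here by request length or by punctuation density (assumed thresholds)."""
    max_len = max(len(p) for p in baseline)
    max_ratio = max(punct_ratio(p) for p in baseline)
    return [(i, "anomalous") for i, p in enumerate(packets)
            if len(p) > 3 * max_len or punct_ratio(p) > 2 * max_ratio]

def all_alerts(packets):
    """Indexes flagged by either method: the coverage the booklet asks for."""
    return sorted({i for i, _ in signature_alerts(packets)}
                  | {i for i, _ in heuristic_alerts(packets)})

def bypassed_by_capacity(packets, per_window, window=4):
    """Capacity weakness: a sensor that inspects at most `per_window` of every
    `window` arriving packets lets the remainder through uninspected."""
    return [i for i in range(len(packets)) if i % window >= per_window]

if __name__ == "__main__":
    print("signature:", signature_alerts(PACKETS))      # only the known attack
    print("heuristic:", heuristic_alerts(PACKETS))      # only the overlong request
    print("combined:", all_alerts(PACKETS))
    print("bypassed at 2/4:", bypassed_by_capacity(PACKETS, per_window=2))
```

With this input the signature catches the known attack but not the new one, the heuristic does the reverse, and a sensor inspecting only two of every four packets lets both attacks through, which is the reason the booklet stresses signature updates and sensor capacity together.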
Proper placement of network IDS is a strategic decision
determined by the information the institution is trying to obtain.
Placement outside the firewall will deliver IDS alarms related to
all attacks, even those that are blocked by the firewall. With this
information, an institution can develop a picture of potential
adversaries and their expertise based on the probes they issue
against the network.
Because the placement is meant to gain intelligence on attackers
rather than to alert on attacks, tuning generally makes the IDS less
sensitive than if it is placed inside the firewall. An IDS outside
the firewall will generally alert on the greatest number of
unsuccessful attacks. IDS monitoring behind the firewall is meant to
detect and alert on hostile intrusions. Multiple IDS units can be
used, with placement determined by the expected attack paths to
sensitive data. Generally speaking, the closer the IDS is to
sensitive data, the more important the tuning, monitoring, and
response to IDS alerts. The National Institute of Standards and
Technology (NIST) recommends network intrusion detection systems "at
any location where network traffic from external entities is allowed
to enter controlled or private networks."
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.2 Fraud and Theft
Computer systems can be exploited for fraud and theft, both by
"automating" traditional methods of fraud and by using new methods.
For example, individuals may use a computer to skim small amounts of
money from a large number of financial accounts, assuming that small
discrepancies may not be investigated. Financial systems are not the
only ones at risk. Systems that control access to any resource are
targets (e.g., time and attendance systems, inventory systems,
school grading systems, and long-distance telephone systems).
Computer fraud and theft can be committed by insiders or outsiders.
Insiders (i.e., authorized users of a system) are responsible for
the majority of fraud. A 1993 InformationWeek/Ernst and Young study
found that 90 percent of Chief Information Officers viewed employees
"who do not need to know" information as threats. The U.S.
Department of Justice's Computer Crime Unit contends that "insiders
constitute the greatest threat to computer systems." Since insiders
have both access to and familiarity with the victim computer system
(including what resources it controls and its flaws), authorized
system users are in a better position to commit crimes. Insiders can
be either general users (such as clerks) or technical staff members.
An organization's former employees, with their knowledge of an
organization's operations, may also pose a threat, particularly if
their access is not terminated promptly.
In addition to the use of technology to commit fraud and theft,
computer hardware and software may be vulnerable to theft. For
example, one study conducted by Safeware Insurance found that $882
million worth of personal computers was lost due to theft in 1992.