- Insurer sues web designer in bank breach - In an effort to shift
financial responsibility for a data breach at a community bank,
Travelers Casualty and Surety Co. of America has filed suit against
the bank's web designer, claiming its negligence and “substandard”
maintenance of a website set the stage for a breach.
- FCC warns businesses: Wi-Fi blocking prohibited - After paying a
$600,000 fine for blocking guests' personal Wi-Fi networks, Marriott
International said it still wanted clarification from the Federal
Communications Commission (FCC) on the matter.
- Study: 11 percent of banking-related Android apps flagged
suspicious - Security firm tested more than 350,000 Android apps
used for banking-related purposes and found that more than 11
percent were suspicious.
Judge gives Home Depot till July to respond to class-action lawsuit
allegations - Home Depot has until July to respond to lawsuit
allegations surrounding the retailer's major data breach this past
summer, a judge determined in a Georgia court hearing.
Doubts Persist Over North Korean Link to Sony Hack Despite NSA Claim
- Despite documents showing the U.S. National Security Agency has
infiltrated North Korean networks, security experts continue to
doubt the country orchestrated the cyber-attack on Sony Pictures.
NSA Report: How To Defend Against Destructive Malware - In the wake
of the Sony breach, spy agency's Information Assurance Directorate (IAD)
arm provides best practices to mitigate damage of data annihilation
Australian traffic lights need better security says auditor-general
- The Auditor-General of the Australian State of New South Wales
(NSW) and the state's roads bureaucrats are at loggerheads over
whether or not traffic signal infrastructure is vulnerable to
attacks over the Internet.
Fuel tank gauges vulnerable to attackers - The serial port
interfaces of nearly 6,000 automated tank gauges (ATG) — 5,300 of
them in the U.S. — aren't password protected, leaving them
vulnerable to attackers, who with access to the interfaces, could
shut down filling stations across the country.
Most U.S. weapons programs contain 'significant vulnerabilities' -
An annual report released by the Pentagon's chief weapons tester
indicates that a majority of the government's weapons programs
contain “significant vulnerabilities.”
Changes made to Healthcare.gov regarding personal data sent to third
parties - Changes made to the Healthcare.gov website have scaled
back the amount of consumers' personal data sent to third parties.
- China blocks virtual private network use - China has blocked
several popular services that let citizens skirt state censorship
- CyberPatriot Reveals Top 28 Teams Advancing to National Finals
Competition - The Air Force Association today announced 28 National
Finalist teams selected to compete at the CyberPatriot National
Finals Competition as the culminating event of the seventh season of
the nation's largest youth cyber defense competition.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Two Illinois teenage students reportedly face felony charges for
hacking - Two male teenagers face felony charges after authorities
alleged that the 16-year-old Bartlett High School students in
Illinois hacked into their school's computer system.
Grill parts website experiences system intrusion, payment card
breach - Florida-based Barbecue Renew – which sells grill parts
through its website www.grillparts.com – is notifying an undisclosed
number of individuals that their payment card data may have been
compromised as a result of a series of cyber attacks on its web
20 million users' information compromised on Russian dating site -
The personal information of up to 20 million users on a Russian
dating site could be at-risk after their email addresses and
usernames were stolen and put up for sale online.
Albany health system notifies more than 5,000 patients of data
breach - Albany, NY-based St. Peter's Health Partners is notifying
more than 5,000 patients at St. Peter's Medical Associates P.C., one
of the system's physician groups, that a manager's cell phone –
which contained their personal information – was stolen.
- Spam Campaign Business E-mail Compromise Pilfers $215 Million -
The FBI and Internet Crime Complaint Center warns of a very
profitable spam campaign that has already claimed more than 2,000
- Malaysia Airlines website 'compromised' by hackers - Hackers
claiming to be from the "Lizard Squad - Official Cyber Caliphate"
group have attacked the official website of Malaysia Airlines.
- Former California pharmacist employee accessed data without
business or treatment purpose - California Pacific Medical Center (CPMC)
is notifying more than 800 patients that a former pharmacist
employee may have accessed their records without a business or
- Malware infects payment card system at French Lick Resort -
Indiana-based French Lick Resort announced on Tuesday that malware
had infected its payment card system, and any guest who used their
credit and debit cards at any venue at the resort between April 23,
2014, and Jan. 21 may have had their personal information
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Over the next 12 weeks will
will cover the recently released FDIC Supervisory Insights regarding
Response Programs. (1of 12)
Incident Response Programs: Don't Get Caught Without One
Everyone is familiar with the old adage "Time is money." In the
Information Age, data may be just as good. Reports of data
compromises and security breaches at organizations ranging from
universities and retail companies to financial institutions and
government agencies provide evidence of the ingenuity of Internet
hackers, criminal organizations, and dishonest insiders obtaining
and profiting from sensitive customer information. Whether a network
security breach compromising millions of credit card accounts or a
lost computer tape containing names, addresses, and Social Security
numbers of thousands of individuals, a security incident can damage
corporate reputations, cause financial losses, and enable identity
Banks are increasingly becoming prime targets for attack because
they hold valuable data that, when compromised, may lead to identity
theft and financial loss. This environment places significant
demands on a bank's information security program to identify and
prevent vulnerabilities that could result in successful attacks on
sensitive customer information held by the bank. The rapid adoption
of the Internet as a delivery channel for electronic commerce
coupled with prevalent and highly publicized vulnerabilities in
popular hardware and software have presented serious security
challenges to the banking industry. In this high-risk environment,
it is very likely that a bank will, at some point, need to respond
to security incidents affecting its customers.
To mitigate the negative effects of security breaches, organizations
are finding it necessary to develop formal incident response
programs (IRPs). However, at a time when organizations need to be
most prepared, many banks are finding it challenging to assemble an
IRP that not only meets minimum requirements (as prescribed by
Federal bank regulators), but also provides for an effective
methodology to manage security incidents for the benefit of the bank
and its customers. In response to these challenges, this article
highlights the importance of IRPs to a bank's information security
program and provides information on required content and best
practices banks may consider when developing effective response
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
BUSINESS CONTINUITY CONSIDERATIONS
Events that trigger the implementation of a business continuity plan
may have significant security considerations. Depending on the
event, some or all of the elements of the security environment may
change. Different people may be involved in operations, at a
different physical location, using similar but different machines
and software which may communicate over different communications
lines. Depending on the event, different tradeoffs may exist between
availability, integrity, confidentiality, and accountability, with a
different appetite for risk on the part of management.
Business continuity plans should be reviewed as an integral part of
the security process. Risk assessments should consider the changing
risks that appear in business continuity scenarios and the different
security posture that may be established. Strategies should consider
the different risk environment and the degree of risk mitigation
necessary to protect the institution in the event the continuity
plans must be implemented. The implementation should consider the
training of appropriate personnel in their security roles, and the
implementation and updating of technologies and plans for back - up
sites and communications networks. Testing these security
considerations should be integrated with the testing of business
continuity plan implementations.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
188.8.131.52 Secret Key Electronic
An electronic signature can be
implemented using secret key message authentication codes (MACs).
For example, if two parties share a secret key, and one party
receives data with a MAC that is correctly verified using the shared
key, that party may assume that the other party signed the data.
This assumes, however, that the two parties trust each other. Thus,
through the use of a MAC, in addition to data integrity, a form of
electronic signature is obtained. Using additional controls, such as
key notarization and key attributes, it is possible to provide an
electronic signature even if the two parties do not trust each
Systems incorporating message authentication technology have been
approved for use by the federal government as a replacement for
written signatures on electronic documents.
184.108.40.206 Public Key Electronic
Another type of electronic signature
called a digital signature is implemented using public key
cryptography. Data is electronically signed by applying the
originator's private key to the data. (The exact mathematical
process for doing this is not important for this discussion.) To
increase the speed of the process, the private key is applied to a
shorter form of the data, called a "hash" or "message digest,"
rather than to the entire set of data. The resulting digital
signature can be stored or transmitted along with the data. The
signature can be verified by any party using the public key of the
signer. This feature is very useful, for example, when distributing
signed copies of virus-free software. Any recipient can verify that
the program remains virus-free. If the signature verifies properly,
then the verifier has confidence that the data was not modified
after being signed and that the owner of the public key was the
NIST has published standards for a
digital signature and a secure hash for use by the federal
government in FIPS 186, Digital Signature Standard and FIPS
180, Secure Hash Standard.