- Army Reserve pilots management tool for cyber talent - While many
agencies struggle to find and hire cybersecurity workers, the Army
Reserve is working on a way to identify the cyber skills already
present in its current cadre.
Two researchers report 200 bugs in Trend Micro tools - Trend Micro
may be one of the world's biggest vendors of cybersecurity
solutions, but that hasn't made it immune from hacks into its
software, according to a report on Forbes.
Ethical hackers: A question of choice - Traditionally, ethical
hackers disclosed their findings for a nod and, perhaps, a bug
bounty. With stakes only getting higher, might they be lured with
big payouts from questionable sources?
Americans don't trust others to secure their data, neglect to secure
themselves - A recent study found that despite their distrust in
companies to properly secure personal data, Americans frequently
neglect to follow best practices when securing data themselves.
Organizations deploying emerging tech without ensuring data security
first - In a classic case of putting the cart before the horse, too
many organizations are deploying emerging technologies before they
can shore up appropriate levels of data security.
Houston home to the most infected computers - The old saying that
everything is bigger in Texas unfortunately also holds true when it
comes to the number of malware infected computers.
Federal agencies leasing in foreign owned buildings may cause
cyberespionage risks - Several federal agencies may be at risk of
cyberespionage as a result of leasing space in foreign-owned
buildings, a recent Government Accountability Office (GAO) report
Acer fined $115K for breach - Following a breach, the Taiwan-based
computer manufacturer Acer will pay $115,000 and improve its
security practices in a settlement with the New York State Attorney
General (NYSAG) Eric T. Schneiderman.
Bank Account-ability SWIFT demands action from members as threat of
cyberheists looms large - Under siege from hackers looking to steal
hundreds of millions from its user base, the financial messaging
services provider known as SWIFT has been pressuring, cajoling and
even threatening its member banks to deploy better defenses and
share cyber intelligence.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Delta cancels 110 flights this morning, in after-effect of
computer disruption - Delta passengers wait in line at
Hartsfield-Jackson International Airport after Delta Air Lines
grounded all domestic flights due to automation issues, Sunday, Jan.
29, 2017, in Atlanta.
Police camera system in D.C. hit with ransomware - The CCTV cameras
that police in D.C. use to monitor public areas were shuttered for
three days - a week before the presidential inauguration - when a
cyberattack hit the system's network of recorders.
Telemarketing firm leaks 400K call recordings, some containing
payment data - The firm has previously gotten in trouble for the
mishandling of customer data. As a result of a misconfigured
database which was left open, Florida-based telemarketing firm VICI
Marketing has leaked around 400,000 phone call recordings.
Hotel hit by ransomware attack, report of guests trapped untrue -
Some reports surfaced which claimed that guests of the hotel were
locked in their room but the hotel manager refuted such claims
saying that hotel building regulations don't allow this to happen.
Sunrun hit with spearphishing attack, W-2 forms compromised - Solar
panel maker Sunrun was hit with a spearphishing attack that got away
with the company employee W-2 information.
Unsealed docs shed new light on St. Louis Cardinals MLB hacking case
- Newly unsealed court documents have revealed the extensive case
that U.S. prosecutors had built against Chris Correa, the former St.
Louis Cardinals front-office executive who last year pleaded guilty
to hacking into the Houston Astros' email and player scouting
Texas cops lose evidence going back eight years in ransomware attack
- Updated Cockrell Hill, Texas has a population of just over 4,000
souls and a police force that managed to lose eight years of
evidence when a departmental server was compromised by ransomware.
Cyber Attack Confirmed to Be the Cause of the Power Outage in the
Ukraine over Christmas 2016 - Preliminary results of a probe into
the events that led to the 2016 Christmas power outage in the
Ukraine reveal that hackers were indeed involved, says Ukrenergo.
1,300 Lexington County (S.C.) School District Two employees
compromised - The Lexington (S.C.) School District Two was hit with
a speakphishing email attack in late January that may have exposed
the W-2 information of current and former school district staffers.
4K W-2 compromised in Scotty's Brewhouse phishing attack - An
employee payroll manager responded to a phishing email requesting
2.5 million XBOX 360 and PSP ISO forum accounts breached - An
unidentified hacker reportedly breached the XBOX 360 and PlayStation
Portable ISO forums compromising 2.5 million gamer accounts.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight
- Principle 7: Banks
should ensure that proper authorization controls and access
privileges are in place for e-banking systems, databases and
In order to maintain segregation of duties, banks need to strictly
control authorization and access privileges. Failure to provide
adequate authorization control could allow individuals to alter
their authority, circumvent segregation and gain access to e-banking
systems, databases or applications to which they are not privileged.
In e-banking systems, the authorizations and access rights can be
established in either a centralized or distributed manner within a
bank and are generally stored in databases. The protection of those
databases from tampering or corruption is therefore essential for
effective authorization control.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
ENCRYPTION KEY MANAGEMENT
Since security is primarily based on the encryption keys, effective
key management is crucial. Effective key management systems are
based on an agreed set of standards, procedures, and secure methods
! Generating keys for different cryptographic systems and different
! Generating and obtaining public keys;
! Distributing keys to intended users, including how keys should be
activated when received;
! Storing keys, including how authorized users obtain access to
! Changing or updating keys including rules on when keys should be
changed and how this will be done;
! Dealing with compromised keys;
! Revoking keys and specifying how keys should be withdrawn or
! Recovering keys that are lost or corrupted as part of business
! Archiving keys;
! Destroying keys;
! Logging the auditing of key management - related activities; and
! Instituting defined activation and deactivation dates, limiting
the usage period of keys.
Secure key management systems are characterized by the following
! Key management is fully automated (e.g. personnel do not have the
opportunity to expose a key or influence the key creation).
! No key ever appears unencrypted.
! Keys are randomly chosen from the entire key space, preferably by
! Key - encrypting keys are separate from data keys. No data ever
appears in clear text that was encrypted using a key - encrypting
key. (A key - encrypting key is used to encrypt other keys, securing
them from disclosure.)
! All patterns in clear text are disguised before encrypting.
! Keys with a long life are sparsely used. The more a key is used,
the greater the opportunity for an attacker to discover the key.
! Keys are changed frequently. The cost of changing keys rises
linearly while the cost of attacking the keys rises exponentially.
Therefore, all other factors being equal, changing keys increases
the effective key length of an algorithm.
! Keys that are transmitted are sent securely to well -
! Key generating equipment is physically and logically secure from
construction through receipt, installation, operation, and removal
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 9 - Assurance
188.8.131.52 Internal Controls Audit
An auditor can review controls in place and determine whether they
are effective. The auditor will often analyze both computer and
noncomputer-based controls. Techniques used include inquiry,
observation, and testing (of both the controls themselves and the
data). The audit can also detect illegal acts, errors,
irregularities, or a lack of compliance with laws and regulations.
Security checklists and penetration testing, discussed below, may be
184.108.40.206 Security Checklists
Within the government, the computer security plan provides a
checklist against which the system can be audited. This plan
outlines the major security considerations for a system, including
management, operational, and technical issues. One advantage of
using a computer security plan is that it reflects the unique
security environment of the system, rather than a generic list of
controls. Other checklists can be developed, which include national
or organizational security policies and practices (often referred to
as baselines). Lists of "generally accepted security practices" (GSSPs)
can also be used. Care needs to be taken so that deviations from the
list are not automatically considered wrong, since they may be
appropriate for the system's particular environment or technical
Checklists can also be used to verify that changes to the system
have been reviewed from a security point of view. A common audit
examines the system's configuration to see if major changes (such as
connecting to the Internet) have occurred that have not yet been
analyzed from a security point of view.
Warning: Security Checklists that are passed (e.g., with a B+ or
better score) are often used mistakenly as proof (instead of an
indication) that security is sufficient. Also, managers of systems
which "fail" a checklist often focus too much attention on "getting
the points," rather than whether the security measures makes sense
in the particular environment and are correctly implemented.