FYI - Zeus variant targeting Canadian banks, U.S. banks may also be a target - A new variant of the nefarious Zeus trojan is targeting a number of banks in Canada, including Bank of Montreal, Royal Bank of Canada, and National Bank of Canada, according to SentinelOne. http://www.scmagazine.com/zeus-variant-targeting-banks-spread-by-social-engineering-exploit-kits/article/395326/

FYI - New Chinese cybersecurity policies require U.S. companies to hand over source code - New Chinese regulations will require companies who sell computer equipment to the country's banks to begin including secret source code with the purchases. The firms will also have to comply with audits and build backdoors into their hardware and software.
http://www.scmagazine.com/us-firms-push-back-against-chinese-cybersecurity-policies/article/395281/
http://www.bbc.com/news/technology-31039227

FYI - Researchers observe databases being encrypted, websites held for ransom - A security firm has identified a new type of threat that is similar in concept to ransomware; however, instead of compromising a system with malware that encrypts files, the attack involves compromising a website and encrypting the core databases. http://www.scmagazine.com/ransomweb-compromises-websites-encrypts-databases/article/395558/

FYI - Hackers used social engineering to glean military intel on Syrian opposition - Researchers have uncovered a hacking operation that was focused of collecting military intelligence for Pro-Assad parties in the Syrian conflict. http://www.scmagazine.com/researchers-find-hacking-group-collecting-intel-for-pro-assad-parties/article/395962/

FYI - NHS faces compulsory data protection audits from ICO - The Information Commissioner’s Office (ICO) can now subject the NHS to compulsory data protection audits in a move aimed at cutting the number of data loss incidents in the health service. http://www.v3.co.uk/v3-uk/news/2393124/nhs-faces-compulsory-data-protection-audits-from-ico

FYI - BMW fixes security flaw that left locks open to hackers - BMW has patched a security flaw that left 2.2 million cars, including Rolls Royce and Mini models, open to hackers. http://www.bbc.com/news/technology-31093065

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Wisconsin chiropractic clinic notifies 3,000 patients of insider breach - Wisconsin-based Harel Chiropractic & Massage is notifying roughly 3,000 patients that a former employee and contracted chiropractor accessed and removed their personal information – including Social Security numbers – from the clinic, and promptly resigned after. http://www.scmagazine.com/wisconsin-chiropractic-clinic-notifies-3000-patients-of-insider-breach/article/395128/

FYI - Government admits losing disks containing data on three police inquiries - The government has admitted that two disks containing highly sensitive information relating to three judicial inquiries have been lost in the post. http://www.v3.co.uk/v3-uk/news/2392722/government-admits-losing-disks-containing-data-on-three-police-inquiries

FYI - BCBS of Tennessee shares personal data on 80K in marketing campaign - The personal information belonging to members of TRH Health Plan, a not-for-profit service, was inappropriately used in a marketing campaign by its administrative partner, BlueCross BlueShield of Tennessee (BCBST). http://www.scmagazine.com/bcbs-of-tennessee-shares-personal-data-on-80k-in-marketing-campaign/article/395538/

FYI - Target hackers steal card data from another parking company - Security journalist has revealed that a third parking service has been targeted by the same cybercriminals who hit Target and Home Depot in major payment card breaches. http://www.scmagazine.com/report-target-hackers-steal-card-data-from-another-parking-company/article/395973/

FYI - UMass Memorial Medical Group announces potential insider breach - UMass Memorial Medical Group (UMMMG) is notifying a reported roughly 14,000 patients that a former employee may have accessed their personal information outside of normal job duties. http://www.scmagazine.com/umass-memorial-medical-group-announces-potential-insider-breach/article/395971/

FYI - Hacker comandeers baby monitor, terrifies nanny - A Houston nanny got an IT security wake-up call this past week when an anonymous voice came through the baby monitor of the child she was watching. http://www.scmagazine.com/hacker-takes-over-texas-baby-monitor/article/396232/

FYI - Stolen devices contained data, 2,700 Senior Health Partners members notified - New York-based Senior Health Partners (SHP) is notifying roughly 2,700 members that a laptop and smartphone containing their personal information was stolen from the apartment of an assessment nurse employed by Premier Home Health, a business associate. http://www.scmagazine.com/stolen-devices-contained-data-2700-senior-health-partners-members-notified/article/396221/

FYI - Internal DC Public Schools website publicly accessible, stored variety of data - Chief of specialized instruction with the District of Columbia Public Schools (DCPS), issued a statement on Tuesday regarding the public being able to access an internal website that stored a variety of data, including special education student information. http://www.scmagazine.com/internal-dc-public-schools-website-publicly-accessible-stored-variety-of-data/article/396481/

FYI - Mandiant speaks on Anthem attack, custom backdoors used - Mandiant, the incident response firm tapped by Anthem Inc. in the wake of its massive breach, says that the “sophisticated” cyber attack against the health care company involved the use of custom backdoors, one indication that an “advanced attack” did indeed take place against the company.
http://www.scmagazine.com/anthem-brings-in-mandiant-to-investigate-resolve-breach/article/396749/
http://www.scmagazine.com/experts-weigh-in-on-anthem-breach-speculate-on-how-attackers-broke-in/article/396765/
http://www.scmagazine.com/anthem-breach-what-we-know-so-far/article/396588/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs.  (2 of 12)

The Importance of an Incident Response Program

A bank's ability to respond to security incidents in a planned and coordinated fashion is important to the success of its information security program. While IRPs are important for many reasons, three are highlighted in this article.

First, though incident prevention is important, focusing solely on prevention may not be enough to insulate a bank from the effects of a security breach. Despite the industry's efforts at identifying and correcting security vulnerabilities, every bank is susceptible to weaknesses such as improperly configured systems, software vulnerabilities, and zero-day exploits.  Compounding the problem is the difficulty an organization experiences in sustaining a "fully secured" posture. Over the long term, a large amount of resources (time, money, personnel, and expertise) is needed to maintain security commensurate with all potential vulnerabilities. Inevitably, an organization faces a point of diminishing returns whereby the extra resources applied to incident prevention bring a lesser amount of security value. Even the best information security program may not identify every vulnerability and prevent every incident, so banks are best served by incorporating formal incident response planning to complement strong prevention measures. In the event management's efforts do not prevent all security incidents (for whatever reason), IRPs are necessary to reduce the sustained damage to the bank.

Second, regulatory agencies have recognized the value of IRPs and have mandated that certain incident response requirements be included in a bank's information security program. In March 2001, the FDIC, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the Board of Governors of the Federal Reserve System (FRB) (collectively, the Federal bank regulatory agencies) jointly issued guidelines establishing standards for safeguarding customer information, as required by the Gramm-Leach-Bliley Act of 1999.  These standards require banks to adopt response programs as a security measure. In April 2005, the Federal bank regulatory agencies issued interpretive guidance regarding response programs.  This additional guidance describes IRPs and prescribes standard procedures that should be included in IRPs. In addition to Federal regulation in this area, at least 32 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.  Therefore, the increased regulatory attention devoted to incident response has made the development of IRPs a legal necessity.

Finally, IRPs are in the best interests of the bank. A well-developed IRP that is integrated into an overall information security program strengthens the institution in a variety of ways. Perhaps most important, IRPs help the bank contain the damage resulting from a security breach and lessen its downstream effect. Timely and decisive action can also limit the harm to the bank's reputation, reduce negative publicity, and help the bank identify and remedy the underlying causes of the security incident so that mistakes are not destined to be repeated.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INSURANCE  (Part 1 of 2)

Financial institutions have used insurance coverage as an effective method to transfer risks from themselves to insurance carriers. Insurance coverage is increasingly available to cover risks from security breaches or denial of service attacks. For example, several insurance companies offer e - commerce insurance packages that can reimburse financial institutions for losses from fraud, privacy breaches, system downtime, or incident response. When evaluating the need for insurance to cover information security threats, financial institutions should understand the following points:

! Insurance is not a substitute for an effective security program.
! Traditional fidelity bond coverage may not protect from losses related to security intrusions.
! Availability, cost, and covered risks vary by insurance company.
! Availability of new insurance products creates a more dynamic environment for these factors.
! Insurance cannot adequately cover the reputation and compliance risk related to customer relationships and privacy.
! Insurance companies typically require companies to certify that certain security practices are in place.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.2.4 User Authentication

Cryptography can increase security in user authentication techniques. As discussed in Chapter 16, cryptography is the basis for several advanced authentication methods. Instead of communicating passwords over an open network, authentication can be performed by demonstrating knowledge of a cryptographic key. Using these methods, a one-time password, which is not susceptible to eavesdropping, can be used. User authentication can use either secret or public key cryptography.

19.3 Implementation Issues

This section explores several important issues that should be considered when using (e.g., designing, implementing, integrating) cryptography in a computer system.

19.3.1 Selecting Design and Implementation Standards

NIST and other organizations have developed numerous standards for designing, implementing, and using cryptography and for integrating it into automated systems. By using these standards, organizations can reduce costs and protect their investments in technology. Standards provide solutions that have been accepted by a wide community and that have been reviewed by experts in relevant areas. Standards help ensure interopability among different vendors' equipment, thus allowing an organization to select from among various products in order to find cost-effective equipment.

Managers and users of computer systems will have to select among various standards when deciding to use cryptography. Their selection should be based on cost-effectiveness analysis, trends in the standard's acceptance, and interoperability requirements. In addition, each standard should be carefully analyzed to determine if it is applicable to the organization and the desired application. For example, the Data Encryption Standard and the Escrowed Encryption Standard are both applicable to certain applications involving communications of data over commercial modems. Some federal standards are mandatory for federal computer systems, including DES (FIPS 46-2) and the DSS (FIPS 181).