- Zeus variant targeting Canadian banks, U.S. banks may also be a
target - A new variant of the nefarious Zeus trojan is targeting a
number of banks in Canada, including Bank of Montreal, Royal Bank of
Canada, and National Bank of Canada, according to SentinelOne.
- New Chinese cybersecurity policies require U.S. companies to hand
over source code - New Chinese regulations will require companies
that sell computer equipment to the country's banks to begin
including secret source code with the purchases. The firms will also
have to comply with audits and build backdoors into their hardware
- Researchers observe databases being encrypted, websites held for
ransom - A security firm has identified a new type of threat that is
similar in concept to ransomware; however, instead of compromising a
system with malware that encrypts files, the attack involves
compromising a website and encrypting the core databases.
- Hackers used social engineering to glean military intel on Syrian
opposition - Researchers have uncovered a hacking operation that was
focused on collecting military intelligence for pro-Assad parties in
the Syrian conflict.
- NHS faces compulsory data protection audits from ICO - The
Information Commissioner’s Office (ICO) can now subject the NHS to
compulsory data protection audits in a move aimed at cutting the
number of data loss incidents in the health service.
- BMW fixes security flaw that left locks open to hackers - BMW has
patched a security flaw that left 2.2 million cars, including Rolls
Royce and Mini models, open to hackers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Wisconsin chiropractic clinic notifies 3,000 patients of insider
breach - Wisconsin-based Harel Chiropractic & Massage is notifying
roughly 3,000 patients that a former employee and contracted
chiropractor accessed and removed their personal information –
including Social Security numbers – from the clinic, and promptly
- Government admits losing disks containing data on three police
inquiries - The government has admitted that two disks containing
highly sensitive information relating to three judicial inquiries
have been lost in the post.
- BCBS of Tennessee shares personal data on 80K in marketing
campaign - The personal information belonging to members of TRH
Health Plan, a not-for-profit service, was inappropriately used in a
marketing campaign by its administrative partner, BlueCross
BlueShield of Tennessee (BCBST).
- Target hackers steal card data from another parking company - A
security journalist has revealed that a third parking service has
been targeted by the same cybercriminals who hit Target and Home
Depot in major payment card breaches.
- UMass Memorial Medical Group announces potential insider breach -
UMass Memorial Medical Group (UMMMG) is notifying a reported roughly
14,000 patients that a former employee may have accessed their
personal information outside of normal job duties.
- Hacker commandeers baby monitor, terrifies nanny - A Houston nanny
got an IT security wake-up call this past week when an anonymous
voice came through the baby monitor of the child she was watching.
- Stolen devices contained data, 2,700 Senior Health Partners
members notified - New York-based Senior Health Partners (SHP) is
notifying roughly 2,700 members that a laptop and smartphone
containing their personal information were stolen from the apartment
of an assessment nurse employed by Premier Home Health, a business
- Internal DC Public Schools website publicly accessible, stored
variety of data - The chief of specialized instruction with the
District of Columbia Public Schools (DCPS) issued a statement on
Tuesday regarding the public being able to access an internal website
that stored a variety of data, including special education student
- Mandiant speaks on Anthem attack, custom backdoors used -
Mandiant, the incident response firm tapped by Anthem Inc. in the
wake of its massive breach, says that the “sophisticated” cyber
attack against the health care company involved the use of custom
backdoors, one indication that an “advanced attack” did indeed take
place against the company.
WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Incident Response Programs. (2 of 12)
of an Incident Response Program
A bank's ability to respond to security incidents in a planned and
coordinated fashion is important to the success of its information
security program. While IRPs are important for many reasons, three
are highlighted in this article.
First, though incident prevention is important, focusing solely on
prevention may not be enough to insulate a bank from the effects of
a security breach. Despite the industry's efforts at identifying and
correcting security vulnerabilities, every bank is susceptible to
weaknesses such as improperly configured systems, software
vulnerabilities, and zero-day exploits. Compounding the
problem is the difficulty an organization experiences in sustaining
a "fully secured" posture. Over the long term, a large amount of
resources (time, money, personnel, and expertise) is needed to
maintain security commensurate with all potential vulnerabilities.
Inevitably, an organization faces a point of diminishing returns
whereby the extra resources applied to incident prevention bring a
lesser amount of security value. Even the best information security
program may not identify every vulnerability and prevent every
incident, so banks are best served by incorporating formal incident
response planning to complement strong prevention measures. In the
event management's efforts do not prevent all security incidents
(for whatever reason), IRPs are necessary to reduce the sustained
damage to the bank.
Second, regulatory agencies have recognized the value of IRPs and
have mandated that certain incident response requirements be
included in a bank's information security program. In March 2001,
the FDIC, the Office of the Comptroller of the Currency (OCC), the
Office of Thrift Supervision (OTS), and the Board of Governors of
the Federal Reserve System (FRB) (collectively, the Federal bank
regulatory agencies) jointly issued guidelines establishing
standards for safeguarding customer information, as required by the
Gramm-Leach-Bliley Act of 1999. These standards require banks
to adopt response programs as a security measure. In April 2005, the
Federal bank regulatory agencies issued interpretive guidance
regarding response programs. This additional guidance
describes IRPs and prescribes standard procedures that should be
included in IRPs. In addition to Federal regulation in this area, at
least 32 states have passed laws requiring that individuals be
notified of a breach in the security of computerized personal
information. Therefore, the increased regulatory attention
devoted to incident response has made the development of IRPs a
Finally, IRPs are in the best interests of the bank. A
well-developed IRP that is integrated into an overall information
security program strengthens the institution in a variety of ways.
Perhaps most important, IRPs help the bank contain the damage
resulting from a security breach and lessen its downstream effect.
Timely and decisive action can also limit the harm to the bank's
reputation, reduce negative publicity, and help the bank identify
and remedy the underlying causes of the security incident so that
mistakes are not destined to be repeated.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INSURANCE (Part 1 of 2)
Financial institutions have used insurance coverage as an effective
method to transfer risks from themselves to insurance carriers.
Insurance coverage is increasingly available to cover risks from
security breaches or denial of service attacks. For example, several
insurance companies offer e-commerce insurance packages that can
reimburse financial institutions for losses from fraud, privacy
breaches, system downtime, or incident response. When evaluating the
need for insurance to cover information security threats, financial
institutions should understand the following points:
! Insurance is not a substitute for an effective security program.
! Traditional fidelity bond coverage may not protect from losses
related to security intrusions.
! Availability, cost, and covered risks vary by insurance company.
! Availability of new insurance products creates a more dynamic
environment for these factors.
! Insurance cannot adequately cover the reputation and compliance
risk related to customer relationships and privacy.
! Insurance companies typically require companies to certify that
certain security practices are in place.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 19 - CRYPTOGRAPHY
19.2.4 User Authentication
Cryptography can increase security in user authentication
techniques. As discussed in
Chapter 16, cryptography is the basis for several advanced
authentication methods. Instead of communicating passwords over an
open network, authentication can be performed by demonstrating
knowledge of a cryptographic key. Using these methods, a one-time
password, which is not susceptible to eavesdropping, can be used.
User authentication can use either secret or public key
cryptography.
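The secret-key form of the authentication described above, as an added illustration that is not part of the NIST Handbook text: the server issues a fresh random challenge and the user proves knowledge of a shared key by returning an HMAC over it, so the key never crosses the network and a captured response is a one-time value that fails on replay. The Server class, user name and key values are constructed for the example.

```python
import hashlib
import hmac
import secrets


class Server:
    """Hypothetical verifier holding each user's shared secret key."""

    def __init__(self, user_keys):
        self._keys = dict(user_keys)   # user -> shared secret (bytes)
        self._outstanding = {}         # user -> nonce awaiting a response

    def challenge(self, user):
        # A fresh 128-bit nonce per login attempt; this is what makes
        # the user's response one-time.
        nonce = secrets.token_bytes(16)
        self._outstanding[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        # Each challenge is consumed on first use, pass or fail, so an
        # eavesdropper who captured (nonce, response) cannot reuse it.
        expected_nonce = self._outstanding.pop(user, None)
        key = self._keys.get(user)
        if expected_nonce is None or key is None:
            return False
        if not hmac.compare_digest(nonce, expected_nonce):
            return False   # stale or forged nonce
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(key, nonce):
    """User side: prove knowledge of the key without transmitting it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_protocol(server, user, key):
    nonce = server.challenge(user)
    return server.verify(user, nonce, client_response(key, nonce))


def replay_attempt(server, user, key):
    """A captured (nonce, response) pair presented twice: second must fail."""
    nonce = server.challenge(user)
    response = client_response(key, nonce)
    first = server.verify(user, nonce, response)
    second = server.verify(user, nonce, response)   # replayed capture
    return first, second
```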
This section explores
several important issues that should be considered when using (e.g.,
designing, implementing, integrating) cryptography in a computer
system.
Design and Implementation Standards
Applicable security standards
provide a common level of security and interoperability
NIST and other
organizations have developed numerous standards for designing,
implementing, and using cryptography and for integrating it into
automated systems. By using these standards, organizations can
reduce costs and protect their investments in technology. Standards
provide solutions that have been accepted by a wide community and
that have been reviewed by experts in relevant areas. Standards help
ensure interoperability among different vendors' equipment, thus
allowing an organization to select from among various products in
order to find cost-effective equipment.
Managers and users of
computer systems will have to select among various standards when
deciding to use cryptography. Their selection should be based on
cost-effectiveness analysis, trends in the standard's acceptance,
and interoperability requirements. In addition, each standard should
be carefully analyzed to determine if it is applicable to the
organization and the desired application. For example, the Data
Encryption Standard and the Escrowed Encryption Standard are both
applicable to certain applications involving communications of data
over commercial modems. Some federal standards are mandatory for
federal computer systems, including DES (FIPS 46-2) and the DSS