FYI - A turning point for cybersecurity? - As we
begin another year in the information security industry, I've been
mulling how far we've come...as well as how far we still have to go.
Data breaches costing some businesses 20 percent of revenue - The
cybercrime landscape underwent several changes in 2016 with
malicious actors taking a more "corporate" approach to their craft,
which helped lead to even greater losses by business hit with a
SWIFT demands action from members as threat of cyberheists looms
large - Under siege from hackers looking to steal hundreds of
millions from its user base, the financial messaging services
provider known as SWIFT has been pressuring, cajoling and even
threatening its member banks to deploy better defenses and share
Texas hospital penalized $3.2M for HIPAA violations - A hospital in
Texas was slammed with a $3.2 million penalty after it was found to
be in violation of "multiple standards of the HIPAA Security Rule,"
according to Data Breach Today.
Only 5% of FTSE companies have cyber-security expertise on the board
- An analysis of company annual returns of the FTSE 100 companies by
Deloitte finds a disturbing lack of cyber-security skills among
DHS may require social media passwords from those visiting from 7
banned countries - Gen. John Kelly, the newly minted Secretary of
the Department of Homeland Security (DHS), told Congress Tuesday his
department was considering requesting social media passwords from
people looking to enter the U.S. from the seven countries named in
President Donald Trump's controversial immigration ban.
Pennsylvania court rules UPMC not responsible for securing employee
data - The Pennsylvania Superior Court has ruled the University of
Pittsburgh Medical Center isn't responsible for protecting employee
Humans are the biggest risk to enterprise security, report - Last
year, criminals leveraged human vulnerabilities to launch more
malicious email campaigns than ever before, according to a just
DATA THEFT & LOSS
FYI - Bed-lam: 1,100 furniture company employees'
W-2 info exposed in spoofing scam - Furniture manufacturer and
retailer Mitchell Gold + Bob Williams mistakenly furnished a
cybercriminal operation with its employees' W-2 information after
falling for a phishing scam that used a spoofed email address.
Hackers place YG and Nipsey Hussle anti-Trump song on radio stations
- Anti-Trump protestors have brought their fight to the airwaves by
exploiting a known vulnerability in low power FM radio transmitters
to play a provocative tune.
Particle accelerator hacked: Boffins' hashed passwords beamed up -
The Australian Nuclear Science and Technology Organisation (ANSTO)
is investigating a computer security breach at the Australian
Synchrotron that saw hackers steal scientists' usernames and
David Beckham's emails hacked and released after ransom refusal -
International football star David Beckham has seen sensitive and
embarrassing emails published after a company he works with, Doyen
Global, rejected a hacker's ransom demand.
1.9 million Michigan government workers PII compromised - Almost 2
million Michigan residents had their names and Social Security
numbers potentially exposed due to when a software update went awry
opening the information to outsiders.
InterContinental Hotels Group announces breach at 12 U.S. properties
- A little more than a month after the InterContinental Hotel Group
said it was investigating claims of a possible breach, the chain
said a payment card breach affected 12 of its U.S. properties.
Attackers steal from ATMs after infecting banks with memory-only
malware - One or more unidentified hacker groups are leveraging free
and commonly available pen testing tools to attack enterprises in
the finance, government and telecom sectors with "fileless" malware
that resides only in a machine's RAM, making it extremely difficult
to detect and analyze.
More than 100K WordPress web pages defaced following disclosure of
patched bug - More than 100,000 WordPress web pages have been
defaced, following last week's public disclosure of a patched
vulnerability that allows attackers to remotely modify the content
of pages and posts.
Websites of foreign embassies and ministries compromised to infect
visitors - An unknown actor whose targets and tactics resemble those
of a Russian advanced persistent threat group has been compromising
the websites of foreign embassies, ministries and organizations, in
an attempt to infect certain site visitors with malware.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed
in the "Risk Management Principles for Electronic Banking" published
by the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 8: Banks should
ensure that appropriate measures are in place to protect the data
integrity of e-banking transactions, records and information.
Data integrity refers to the assurance that information that is
in-transit or in storage is not altered without authorization.
Failure to maintain the data integrity of transactions, records and
information can expose banks to financial losses as well as to
substantial legal and reputational risk.
The inherent nature of straight-through processes for e-banking
may make programming errors or fraudulent activities more difficult
to detect at an early stage. Therefore, it is important that banks
implement straight-through processing in a manner that ensures
safety and soundness and data integrity.
As e-banking is transacted over public networks, transactions are
exposed to the added threat of data corruption, fraud and the
tampering of records. Accordingly, banks should ensure that
appropriate measures are in place to ascertain the accuracy,
completeness and reliability of e-banking transactions, records and
information that is either transmitted over Internet, resident on
internal bank databases, or transmitted/stored by third-party
service providers on behalf of the bank. Common practices used to
maintain data integrity within an e-banking environment include the
1) E-banking transactions should be conducted in a manner that
makes them highly resistant to tampering throughout the entire
2) E-banking records should be stored, accessed and modified in a
manner that makes them highly resistant to tampering.
3) E-banking transaction and record-keeping processes should be
designed in a manner as to make it virtually impossible to
circumvent detection of unauthorized changes.
4) Adequate change control policies, including monitoring and
testing procedures, should be in place to protect against any
e-banking system changes that may erroneously or unintentionally
compromise controls or data reliability.
5) Any tampering with e-banking transactions or records should be
detected by transaction processing, monitoring and record keeping
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Three types of encryption exist: the cryptographic hash, symmetric
encryption, and asymmetric encryption.
A cryptographic hash reduces a variable - length input to a
fixed-length output. The fixed-length output is a unique
cryptographic representation of the input. Hashes are used to verify
file and message integrity. For instance, if hashes are obtained
from key operating system binaries when the system is first
installed, the hashes can be compared to subsequently obtained
hashes to determine if any binaries were changed. Hashes are also
used to protect passwords from disclosure. A hash, by definition, is
a one - way encryption. An attacker who obtains the password cannot
run the hash through an algorithm to decrypt the password. However,
the attacker can perform a dictionary attack, feeding all possible
password combinations through the algorithm and look for matching
hashes, thereby deducing the password. To protect against that
attack, "salt," or additional bits, are added to the password before
encryption. The addition of the bits means the attacker must
increase the dictionary to include all possible additional bits,
thereby increasing the difficulty of the attack.
Symmetric encryption is the use of the same key and algorithm by
the creator and reader of a file or message. The creator uses the
key and algorithm to encrypt, and the reader uses both to decrypt.
Symmetric encryption relies on the secrecy of the key. If the key is
captured by an attacker either when it is exchanged between the
communicating parties, or while one of the parties uses or stores
the key, the attacker can use the key and the algorithm to decrypt
messages, or to masquerade as a message creator.
Asymmetric encryption lessens the risk of key exposure by using two
mathematically related keys, the private key and the public key.
When one key is used to encrypt, only the other key can decrypt.
Therefore, only one key (the private key) must be kept secret. The
key that is exchanged (the public key) poses no risk if it becomes
known. For instance, if individual A has a private key and publishes
the public key, individual B can obtain the public key, encrypt a
message to individual A, and send it. As long as individual A keeps
his private key secure from discovery, only individual A will be
able to decrypt the message.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute
of Standards and Technology (NIST) Handbook.
Chapter 9 - Assurance
.4.1.4 Penetration Testing
Penetration testing can use many methods to attempt a system
break-in. In addition to using active automated tools as described
above, penetration testing can be done "manually." The most useful
type of penetration testing is to use methods that might really be
used against the system. For hosts on the Internet, this would
certainly include automated tools. For many systems, lax procedures
or a lack of internal controls on applications are common
vulnerabilities that penetration testing can target. Another method
is "social engineering," which involves getting users or
administrators to divulge information about systems, including their
9.4.2 Monitoring Methods and Tools
Security monitoring is an ongoing activity that looks for
vulnerabilities and security problems. Many of the methods are
similar to those used for audits, but are done more regularly or,
for some automated tools, in real time.
184.108.40.206 Review of Systems Logs
A periodic review of system-generated logs can detect security
problems, including attempts to exceed access authority or gain
system access during unusual hours.