- Trump’s Cybersecurity Chief Could Be a ‘Voice of Reason’ - Last
month, the Atlantic Council think tank held a dinner to send off Tom
Bossert, one of its fellows. President-elect Donald Trump had tapped
Bossert to be his homeland security adviser, effectively putting him
in charge of the administration’s cybersecurity efforts.
Ex-NSA contractor Harold Martin indicted: He spent 'up to 20 years
stealing top-secret files' - US prosecutors list dossiers and code
allegedly swiped - Former Booz Allen Hamilton contractor Harold
Thomas Martin III allegedly stole secret and top-secret software and
documents from American intelligence agencies for up to 20 years.
Orlando, Tampa and St. Louis have five times the malware of the US average - A
recent study found computers in Tampa, Orlando and St. Louis were
more than five times as likely to be infected with malware as the
national average in 2016.
Banks worldwide under attack from new malware, report - A variety of
banks and other financial institutions in more than 30 countries
have been targeted in a new round of watering hole attacks, perhaps
the work of the Lazarus group, according to a blog post from
'Internet of Evil Things' challenges security pros - After Mirai
shook the rafters of cybersecurity in 2016, IT security
professionals (rightfully) expect that connected devices will be a
major security headache in 2017 – but still struggle to get a grasp
on how to account for, track and monitor those devices.
How IoT hackers turned a university's network against itself - A
university found its own network turned against it - as
refrigerators and lights overwhelmed it with searches for seafood.
Data breach scheme to become law - Mandatory data breach
notification will finally become law in Australia, after the Senate
today gave the scheme the green light.
One third of U.S. companies breached last year, study - A third of
companies in the U.S. were breached in 2016, according to a study
from Bitdefender issued on Tuesday.
Almost all organizations lack the technology to defend against
cyberattacks - A new survey shows that just three percent of IT
security professionals believe their organization has the technology
in place to deal with the most common cyber problems that they face.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Arby's hit with POS breach, 1,100 stores possibly affected - The
fast food restaurant chain Arby's has suffered a breach involving
the payment card systems in up to 1,100 of its locations.
Breach compromises data of 9,000 Verity Health System patients -
About 9,000 Verity Health patients had their personal data
compromised after an unauthorized entry was discovered in the health
7,700 Manatee, Fla. school workers compromised in W-2 scam -
Thousands of Manatee (Fla.) County school employees had their W-2
tax form information compromised after a district employee fell for
a phishing scam.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight
- Principle 9: Banks
should ensure that clear audit trails exist for all e-banking
Delivery of financial services over the Internet can make it more
difficult for banks to apply and enforce internal controls and
maintain clear audit trails if these measures are not adapted to an
e-banking environment. Banks are not only challenged to ensure that
effective internal control can be provided in highly automated
environments, but also that the controls can be independently
audited, particularly for all critical e-banking events and
A bank's internal control environment may be weakened if it is
unable to maintain clear audit trails for its e-banking activities.
This is because much, if not all, of its records and evidence
supporting e-banking transactions are in an electronic format. In
making a determination as to where clear audit trails should be
maintained, the following types of e-banking transactions should be
1) The opening, modification or closing of a customer's account.
2) Any transaction with financial consequences.
3) Any authorization granted to a customer to exceed a limit.
4) Any granting, modification or revocation of systems access
rights or privileges.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
EXAMPLES OF ENCRYPTION USES
Asymmetric encryption is the basis of PKI, or public key
infrastructure. In theory, PKI allows two parties who do not know
each other to authenticate each other and maintain the
confidentiality, integrity, and accountability for their messages.
PKI rests on both communicating parties having a public and a
private key, and keeping their public keys registered with a third
party they both trust, called the certificate authority, or CA. The
use of and trust in the third party is a key element in the
authentication that takes place. For example, assume individual A
wants to communicate with individual B. A first hashes the message,
and encrypts the hash with A's private key. Then A obtains B's
public key from the CA, and encrypts the message and the hash with
B's public key. Obtaining B's public key from the trusted CA
provides A assurance that the public key really belongs to B and not
someone else. Using B's public key ensures that the message will
only be able to be read by B. When B receives the message, the
process is reversed. B decrypts the message and hash with B's
private key, obtains A's public key from the trusted CA, and
decrypts the hash again using A's public key. At that point, B has
the plain text of the message and the hash performed by A. To
determine whether the message was changed in transit, B must
re-perform the hashing of the message and compare the newly computed
hash to the one sent by A. If the new hash is the same as the one
sent by A, B knows that the message was not changed since the
original hash was created (integrity). Since B obtained A's public
key from the trusted CA and that key produced a matching hash, B is
assured that the message came from A and not someone else (authentication).
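The A-to-B exchange described above, as an added example in Go (not code from the FFIEC booklet or this newsletter): Seal does A's steps (hash, sign the hash with A's private key, encrypt with B's public key) and Open does B's (decrypt, re-hash, verify with A's public key). The key pairs generated in main are constructed stand-ins for the CA-registered keys, so obtaining and validating the keys from the CA is assumed to have already happened; RSA-OAEP's size limit means this literal flow only works for short messages, which is why TLS uses the asymmetric step to protect a symmetric session key instead.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Seal is A's side: hash the message, sign the hash with A's private key, then
// encrypt signature and message together with B's public key. RSA-OAEP holds
// only a few hundred bytes; TLS instead uses this step to protect a session key.
func Seal(msg []byte, aPriv *rsa.PrivateKey, bPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, aPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	// Layout: signature (fixed size = A's key size) followed by the message.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, append(sig, msg...), nil)
}

// Open is B's side: decrypt with B's private key, split off A's signature,
// re-hash the recovered message and check the signature with A's public key.
// Failure means the message was altered in transit or did not come from A.
func Open(sealed []byte, bPriv *rsa.PrivateKey, aPub *rsa.PublicKey) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bPriv, sealed, nil)
	if err != nil {
		return nil, err
	}
	if len(plain) < aPub.Size() {
		return nil, fmt.Errorf("envelope shorter than a signature")
	}
	sig, msg := plain[:aPub.Size()], plain[aPub.Size():]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(aPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("integrity/origin check failed: %w", err)
	}
	return msg, nil
}

func main() {
	// Constructed keys stand in for CA-registered ones; B's is larger so sig+msg fit.
	aKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	bKey, _ := rsa.GenerateKey(rand.Reader, 3072)
	sealed, _ := Seal([]byte("transfer 100 to account 42"), aKey, &bKey.PublicKey)
	msg, err := Open(sealed, bKey, &aKey.PublicKey)
	fmt.Printf("%q err=%v\n", msg, err)
}
```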
Various communication protocols use both symmetric and asymmetric
encryption. Transaction layer security (TLS, the successor to SSL)
uses asymmetric encryption for authentication, and symmetric
encryption to protect the remainder of the communications session.
TLS can be used to secure electronic banking and other transmissions
between the institution and the customer. TLS may also be used to
secure e-mail, telnet, and FTP sessions. A wireless version of TLS
is called WTLS, for wireless transaction layer security.
Virtual Private Networks (VPNs) are used to provide employees,
contractors, and customers remote access over the Internet to
institution systems. VPN security is provided by authentication and
authorization for the connection and the user, as well as encryption
of the traffic between the institution and the user. While VPNs can
exist between client systems, and between servers, the typical
installation terminates the VPN connection at the institution
firewall. VPNs can use many different protocols for their
communications. Among the popular protocols are PPTP (point-to-point
tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use
different authentication methods, and different components on the
host systems. Implementations between vendors, and between products,
may differ. Currently, the problems with VPN implementations
generally involve interfacing a VPN with different aspects of the
host systems, and reliance on passwords for authentication.
IPSec is a complex aggregation of protocols that together provide
authentication and confidentiality services to individual IP
packets. It can be used to create a VPN over the Internet or other
untrusted network, or between any two computers on a trusted
network. Since IPSec has many configuration options, and can provide
authentication and encryption using different protocols,
implementations between vendors and products may differ. Secure
Shell is frequently used for remote server administration. SSH
establishes an encrypted tunnel between an SSH client and a server,
as well as authentication services.
Disk encryption is typically used to protect data in storage.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 9 - Assurance
Several types of automated tools monitor a system for security
problems. Some examples follow:
! Virus scanners are a popular means of checking for virus
infections. These programs test for the presence of viruses in
executable program files.
! Checksumming presumes that program files should not change
between updates. Checksumming programs work by generating a mathematical value based
on the contents of a particular file. When the integrity of the file
is to be verified, the checksum is generated on the current file and
compared with the previously generated value. If the two values are
equal, the integrity of the file is verified. Program checksumming
can detect viruses, Trojan horses, accidental changes to files
caused by hardware failures, and other changes to files. However,
they may be subject to covert replacement by a system intruder.
Digital signatures can also be used.
! Password crackers check passwords against a dictionary (either a
"regular" dictionary or a specialized one with easy-to-guess
passwords) and also check if passwords are common permutations of
the user ID. Examples of special dictionary entries could be the
names of regional sports teams and stars; common permutations could
be the user ID spelled backwards.
! Integrity verification programs can be used by such applications
to look for evidence of data tampering, errors, and omissions.
Techniques include consistency and reasonableness checks and
validation during data entry and processing. These techniques can
check data elements, as input or as processed, against expected
values or ranges of values; analyze transactions for proper flow,
sequencing, and authorization; or examine data elements for expected
relationships. These programs comprise a very important set of
processes because they can be used to convince people that, if they
do what they should not do, accidentally or intentionally, they will
be caught. Many of these programs rely upon logging of individual
! Intrusion detectors analyze the system audit trail, especially
log-ons, connections, operating system calls, and various command
parameters, for activity that could represent unauthorized activity.
! System performance monitoring analyzes system performance logs
in real time to look for availability problems, including active
attacks (such as the 1988 Internet worm) and system and network
slowdowns and crashes.
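The checksumming item above, as an added example in Go (not code from the NIST handbook or this newsletter): Tags baselines a set of files with a keyed SHA-256 and Changed re-checks them. Keying the checksum speaks to the item's caveat about covert replacement: an intruder who swaps a program file cannot forge a matching baseline entry without the key, assuming the key and the checker itself are kept off the monitored host. The file names, contents and key in main are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"os"
)

// Tags computes a keyed SHA-256 (HMAC) over each listed file. Using a secret
// key kept off the monitored host addresses the caveat above: an intruder who
// replaces a program file cannot also forge a matching baseline entry.
func Tags(paths []string, key []byte) (map[string][]byte, error) {
	tags := make(map[string][]byte, len(paths))
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil {
			return nil, err
		}
		mac := hmac.New(sha256.New, key)
		mac.Write(data)
		tags[p] = mac.Sum(nil)
	}
	return tags, nil
}

// Changed lists every baselined file whose current tag is missing or differs.
// hmac.Equal compares in constant time, as one should with authentication tags.
func Changed(baseline, current map[string][]byte) []string {
	var bad []string
	for p, want := range baseline {
		got, ok := current[p]
		if !ok || !hmac.Equal(got, want) {
			bad = append(bad, p)
		}
	}
	return bad
}

func main() {
	// Constructed demo: baseline two files, then alter one and re-check.
	dir, _ := os.MkdirTemp("", "fim")
	a, b := dir+"/prog_a.bin", dir+"/prog_b.bin"
	os.WriteFile(a, []byte("original a"), 0o600)
	os.WriteFile(b, []byte("original b"), 0o600)
	key := []byte("demo-key")
	baseline, _ := Tags([]string{a, b}, key)
	os.WriteFile(b, []byte("trojaned b"), 0o600)
	current, _ := Tags([]string{a, b}, key)
	fmt.Println("changed:", Changed(baseline, current))
}
```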