R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

February 22, 2015

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Facebook Unveils Tool For Sharing Data On Malicious Botnets - Facebook noticed the attack first. But Mark Hammell and his team couldn’t stop it without help from Tumblr, Pinterest, and others. http://www.wired.com/2015/02/facebook-unveils-tool-sharing-data-malicious-botnets/

FYI - Cellphone 'kill switch' leads to sharp declines in theft - It was announced Tuesday that international efforts to implement “kill switches” in all smart phones, which allow mobiles to be turned off remotely, have led to major declines in the crime in three major cities. http://www.csmonitor.com/Innovation/2015/0211/Cellphone-kill-switch-leads-to-sharp-declines-in-theft

FYI - NIST requests final comments on ICS security guide - The National Institute of Standards and Technology (NIST) is updating its security guide for industrial control systems (ICS) to include tailored guidance for utilities, automakers, chemical firms and other companies that utilize such systems. http://www.scmagazine.com/nist-requests-final-comments-on-ics-security-guide/article/397751/

FYI - Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole - ASLR vulnerability patched today used in tandem with previously patched Flash vuln to carry out drive-by-downloads against political and economic targets. http://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059

FYI - Breach index: Mega breaches, rise in identity theft mark 2014 - A global study found that more than one billion records were compromised in data breaches last year. http://www.scmagazine.com/breach-index-mega-breaches-rise-in-identity-theft-mark-2014/article/398236/

FYI - Canada losing cybersecurity war - Canada's companies are ill-prepared to meet modern cybersecurity challenges, according to a survey by the Ponemon Institute. http://www.scmagazine.com/canada-losing-cybersecurity-war/article/397732/

FYI - To attract more women, cybersecurity industry could drop macho jargon - The cybersecurity industry has a history of hostility toward women. To make the field more welcoming, female security pros recommend moving away from the aggressive language of combat and talking about protecting people instead. http://www.csmonitor.com/World/Passcode/2015/0216/To-attract-more-women-cybersecurity-industry-could-drop-macho-jargon

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Cyber attack takes down Dutch government sites - The DDoS attack, which also took down some private sites, highlighted the vulnerability of public infrastructure. http://www.bbc.com/news/technology-31440973

FYI - Defense Contract Management Agency Probes Hack - The Defense Contract Management Agency, the U.S. federal government entity responsible for performing contract administration services for the Department of Defense, is responding to a suspected cybersecurity breach and has pulled a number of its servers offline while the investigation continues. http://krebsonsecurity.com/2015/02/defense-contract-management-agency-probes-hack/

FYI - Bank Hackers Steal Millions via Malware - In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card, or touched a button. Cameras showed that the piles of money were swept up by customers who appeared lucky to be there at the right moment.
http://www.msn.com/en-us/news/technology/bank-hackers-steal-millions-via-malware/ar-AA9pTYl
http://www.scmagazine.com/attackers-used-phishing-scheme-to-distribute-malware-in-banks/article/398428/
http://www.wired.com/2015/02/kapersky-discovers-equation-group/

FYI - Tennessee healthcare group notifies employees of payroll breach - Tennessee-based State of Franklin Healthcare Associates (SoFHA) has notified all employees that their personal information was accessed during a security breach at the company's third-party payroll vendor, and some of it has already been used to file fraudulent tax returns. http://www.scmagazine.com/tennessee-healthcare-group-notifies-employees-of-payroll-breach/article/398240/

FYI - Data at risk following burglary at Liberty Tax Service office in California - Computer towers were stolen during a burglary at a Liberty Tax Service office in California, and now an undisclosed number of individuals are being notified that personal information – including Social Security numbers – may be at risk. http://www.scmagazine.com/data-at-risk-following-burglary-at-liberty-tax-service-office-in-california/article/398664/

FYI - Big Fish Games notifies customers of payment card breach - Big Fish Games is notifying an undisclosed number of customers that malware was installed on the billing and payment pages of its websites, and it appears to have intercepted customer payment information. http://www.scmagazine.com/big-fish-games-notifies-customers-of-payment-card-breach/article/398913/

FYI - Chesapeake suit claims former CEO stole trade secrets - In a lawsuit filed in Oklahoma County District Court, Chesapeake Energy has accused its former CEO Aubrey McClendon of making off with company data, including “highly sensitive trade secrets,” when he left the company to form a new firm, American Energy Partners. http://www.scmagazine.com/chesapeake-suit-claims-former-ceo-stole-trade-secrets/article/399073/

FYI - University of Maine laptop and media card stolen, contained student data - A University of Maine laptop computer and media card containing student information – including Social Security numbers – was stolen from the checked bag of a faculty member while on an airline flight. http://www.scmagazine.com/university-of-maine-laptop-and-media-card-stolen-contained-student-data/article/399042/


WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs.  (4 of 12)

Reaction Procedures

Assessing security incidents and identifying the unauthorized access to or misuse of customer information essentially involve organizing and developing a documented risk assessment process for determining the nature and scope of the security event. The goal is to efficiently determine the scope and magnitude of the security incident and identify whether customer information has been compromised.

Containing and controlling the security incident involves preventing any further access to or misuse of customer information or customer information systems. As there are a variety of potential threats to customer information, organizations should anticipate the ones that are more likely to occur and develop response and containment procedures commensurate with the likelihood of and the potential damage from such threats. An institution's information security risk assessment can be useful in identifying some of these potential threats. The containment procedures developed should focus on responding to and minimizing potential damage from the threats identified. Not every incident can be anticipated, but institutions should at least develop containment procedures for reasonably foreseeable incidents.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING

Information security is an integrated process that reduces information security risks to acceptable levels. The entire process, including testing, is driven by an assessment of risks. The greater the risk, the greater the need for the assurance and validation provided by effective information security testing.

In general, risk increases with system accessibility and the sensitivity of data and processes. For example, a high-risk system is one that is remotely accessible and allows direct access to funds, fund transfer mechanisms, or sensitive customer data. Information-only Web sites that are not connected to any internal institution system or transaction-capable service are lower-risk systems. Information systems that exhibit high risks should be subject to more frequent and rigorous testing than low-risk systems. Because tests only measure the security posture at a point in time, frequent testing provides increased assurance that the processes that are in place to maintain security over time are functioning.

A wide range of tests exists. Some address only discrete controls, such as password strength. Others address only technical configuration, or may consist of audits against standards. Some tests are overt studies to locate vulnerabilities. Other tests can be designed to mimic the actions of attackers. In many situations, management may decide to perform a range of tests to give a complete picture of the effectiveness of the institution's security processes. Management is responsible for selecting and designing tests so that the test results, in total, support conclusions about whether the security control objectives are being met.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.3.4 Security of Cryptography Modules

FIPS 140-1, Security Requirements for Cryptographic Modules, specifies the physical and logical security requirements for cryptographic modules. The standard defines four security levels for cryptographic modules, with each level providing a significant increase in security over the preceding level. The four levels allow for cost-effective solutions that are appropriate for different degrees of data sensitivity and different application environments. The user can select the best module for any given application or system, avoiding the cost of unnecessary security features.

Cryptography is typically implemented in a module of software, firmware, hardware, or some combination thereof. This module contains the cryptographic algorithm(s), certain control parameters, and temporary storage facilities for the key(s) being used by the algorithm(s). The proper functioning of the cryptography requires the secure design, implementation, and use of the cryptographic module. This includes protecting the module against tampering.

19.3.5 Applying Cryptography to Networks

The use of cryptography within networking applications often requires special considerations. In these applications, the suitability of a cryptographic module may depend on its capability for handling special requirements imposed by locally attached communications equipment or by the network protocols and software.

Encrypted information, MACs, or digital signatures may require transparent communications protocols or equipment to avoid being misinterpreted by the communications equipment or software as control information. It may be necessary to format the encrypted information, MAC, or digital signature to ensure that it does not confuse the communications equipment or software. It is essential that cryptography satisfy the requirements imposed by the communications equipment and does not interfere with the proper and efficient operation of the network.

Data is encrypted on a network using either link or end-to-end encryption. In general, link encryption is performed by service providers, such as a data communications provider. Link encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T1 line). Since link encryption also encrypts routing data, communications nodes need to decrypt the data to continue routing. End-to-end encryption is generally performed by the end-user organization. Although data remains encrypted when being passed through a network, routing information remains visible. It is possible to combine both types of encryption.
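The following Python simulation is an added example, not text or code from the NIST Handbook or from Yennik, Inc. It models a four-node path (the node names, keys and message are constructed) and shows the difference the two preceding paragraphs describe: with end-to-end encryption the routing header stays readable on every link while the body is opaque to every intermediate node; with link encryption the whole frame, header included, is hidden on the wire, but each node must decrypt it to route and therefore sees the body in the clear; combining both gives nodes the header and nothing more. The ciphertext is base64-armored before it is placed in the text frame, which is one way of satisfying the requirement that encrypted data not be mistaken for control information. The cipher is an encrypt-then-MAC construction built from HMAC-SHA256 in counter mode so that the example runs with the standard library alone; it is a demonstration construction, not a recommendation of a specific algorithm.

```python
"""Link vs end-to-end encryption on a multi-hop path (constructed demo)."""
import base64
import hashlib
import hmac
import os

# Constructed topology: sender, two intermediate nodes, receiver.
PATH = ["alice", "node1", "node2", "bob"]
# One key per physical link, as a service provider doing link encryption would hold.
LINK_KEYS = {(src, dst): os.urandom(32) for src, dst in zip(PATH, PATH[1:])}
# One key shared only by the two end-user parties (end-to-end encryption).
E2E_KEY = os.urandom(32)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a demonstration stream cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the MAC first, then decrypt; raises on any modification."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def armor(blob: bytes) -> str:
    """Base64 keeps ciphertext out of the byte range a text link treats as control data."""
    return base64.b64encode(blob).decode("ascii")


def dearmor(text: str) -> bytes:
    return base64.b64decode(text)


def end_to_end_transit(message: str) -> dict:
    """Sender encrypts only the body; the routing header stays cleartext at every hop."""
    frame = "TO:bob\n" + armor(seal(E2E_KEY, message.encode()))
    wire = [frame for _ in LINK_KEYS]           # forwarded unchanged on each link
    seen = {node: frame for node in PATH[1:-1]}  # what each intermediate node holds
    body = frame.split("\n", 1)[1]
    delivered = unseal(E2E_KEY, dearmor(body)).decode()
    return {"wire": wire, "seen_by_nodes": seen, "delivered": delivered}


def link_transit(message: str, e2e: bool = False) -> dict:
    """Each link encrypts the whole frame; every node decrypts to read the route.

    With e2e=True the body is additionally end-to-end encrypted, so a node
    sees the header but not the message (the combined approach).
    """
    body = armor(seal(E2E_KEY, message.encode())) if e2e else message
    frame = "TO:bob\n" + body
    wire, seen = [], {}
    for src, dst in zip(PATH, PATH[1:]):
        blob = armor(seal(LINK_KEYS[(src, dst)], frame.encode()))
        wire.append(blob)                                   # header hidden on the wire
        frame = unseal(LINK_KEYS[(src, dst)], dearmor(blob)).decode()
        if dst != PATH[-1]:
            seen[dst] = frame                               # node must see the route
    body = frame.split("\n", 1)[1]
    delivered = unseal(E2E_KEY, dearmor(body)).decode() if e2e else body
    return {"wire": wire, "seen_by_nodes": seen, "delivered": delivered}


if __name__ == "__main__":
    msg = "transfer 500 to acct 12"  # constructed sample message
    for name, result in [("end-to-end", end_to_end_transit(msg)),
                         ("link", link_transit(msg)),
                         ("combined", link_transit(msg, e2e=True))]:
        print(name, "| header on wire:", any("TO:bob" in w for w in result["wire"]),
              "| body at node1:", msg in result["seen_by_nodes"]["node1"])
```

The `seen_by_nodes` dictionary is the point to look at when assessing a design: it is exactly what a compromised or subpoenaed intermediate node could read, and only the combined mode leaves it with routing information alone.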

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated