- Facebook Unveils Tool For Sharing Data On Malicious Botnets -
Facebook noticed the attack first. But Mark Hammell and his team
couldn’t stop it without help from Tumblr, Pinterest, and others.
Cellphone 'kill switch' leads to sharp declines in theft - It was
announced Tuesday that international efforts to implement “kill
switches” in all smart phones, which allow mobiles to be turned off
remotely, have led to major declines in the crime in three major
NIST requests final comments on ICS security guide - The National
Institute of Standards and Technology (NIST) is updating its
security guide for industrial control systems (ICS) to include
tailored guidance for utilities, automakers, chemical firms and
other companies that utilize such systems.
Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole -
ASLR vulnerability patched today used in tandem with previously
patched Flash vuln to carry out drive-by-downloads against political
and economic targets.
- Breach index: Mega breaches, rise in identity theft mark 2014 - A
global study found that more than one billion records were
compromised in data breaches last year.
- Canada losing cybersecurity war - Canada's companies are
ill-prepared to meet modern cybersecurity challenges, according to a
survey by the Ponemon Institute.
- To attract more women, cybersecurity industry could drop macho
jargon - The cybersecurity industry has a history of hostility
toward women. To make the field more welcoming, female security pros
recommend moving away from the aggressive language of combat and
talking about protecting people instead.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cyber attack takes down Dutch government sitesDDoS - The attack,
which also took down some private sites, highlighted the
vulnerability of public infrastructure.
Defense Contract Management Agency Probes Hack - The Defense
Contract Management Agency, the U.S. federal government entity
responsible for performing contract administration services for the
Department of Defense, is responding to a suspected cybersecurity
breach and has pulled a number of its servers offline while the
Bank Hackers Steal Millions via Malware - In late 2013, an A.T.M. in
Kiev started dispensing cash at seemingly random times of day. No
one had put in a card, or touched a button. Cameras showed that the
piles of money were swept up by customers who appeared lucky to be
there at the right moment.
- Tennessee healthcare group notifies employees of payroll breach -
Tennessee-based State of Franklin Healthcare Associates (SoFHA) has
notified all employees that their personal information was accessed
during a security breach at the company's third party payroll
vendor, and some if has already been used to file fraudulent tax
- Data at risk following burglary at Liberty Tax Service office in
California - Computer towers were stolen during a burglary at a
Liberty Tax Service office in California, and now an undisclosed
number of individuals are being notified that personal information –
including Social Security numbers – may be at risk.
- Big Fish Games notifies customers of payment card breach - Big
Fish Games is notifying an undisclosed number of customers that
malware was installed on the billing and payment pages of its
websites, and it appears to have intercepted customer payment
- Chesapeake suit claims former CEO stole trade secrets - In a
lawsuit filed in Oklahoma County District Court, Chesapeake Energy
has accused its former CEO Aubrey McClendon of making off with
company data, including “highly sensitive trade secrets,” when he
left the company to form a new firm, American Energy Partners.
- University of Maine laptop and media card stolen, contained
student data - A University of Maine laptop computer and media card
containing student information – including Social Security numbers –
was stolen from the checked bag of a faculty member while on an
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (4 of 12)
Assessing security incidents and identifying the unauthorized access
to or misuse of customer information essentially involve organizing
and developing a documented risk assessment process for determining
the nature and scope of the security event. The goal is to
efficiently determine the scope and magnitude of the security
incident and identify whether customer information has been
Containing and controlling the security incident involves preventing
any further access to or misuse of customer information or customer
information systems. As there are a variety of potential threats to
customer information, organizations should anticipate the ones that
are more likely to occur and develop response and containment
procedures commensurate with the likelihood of and the potential
damage from such threats. An institution's information security risk
assessment can be useful in identifying some of these potential
threats. The containment procedures developed should focus on
responding to and minimizing potential damage from the threats
identified. Not every incident can be anticipated, but institutions
should at least develop containment procedures for reasonably
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
Information security is an integrated process that reduces
information security risks to acceptable levels. The entire process,
including testing, is driven by an assessment of risks. The greater
the risk, the greater the need for the assurance and validation
provided by effective information security testing.
In general, risk increases with system accessibility and the
sensitivity of data and processes. For example, a high-risk system
is one that is remotely accessible and allows direct access to
funds, fund transfer mechanisms, or sensitive customer data.
Information only Web sites that are not connected to any internal
institution system or transaction capable service are lower-risk
systems. Information systems that exhibit high risks should be
subject to more frequent and rigorous testing than low-risk systems.
Because tests only measure the security posture at a point in time,
frequent testing provides increased assurance that the processes
that are in place to maintain security over time are functioning.
A wide range of tests exists. Some address only discrete controls,
such as password strength. Others address only technical
configuration, or may consist of audits against standards. Some
tests are overt studies to locate vulnerabilities. Other tests can
be designed to mimic the actions of attackers. In many situations,
management may decide to perform a range of tests to give a complete
picture of the effectiveness of the institution's security
processes. Management is responsible for selecting and designing
tests so that the test results, in total, support conclusions about
whether the security control objectives are being met.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
19.3.4 Security of Cryptography Modules
Security Requirements for Cryptographic Modules,
specifies the physical and logical security requirements for
cryptographic modules. The standard defines four security
levels for cryptographic modules, with each level providing
a significant increase in security over the preceding level.
The four levels allow for cost-effective solutions that are
appropriate for different degrees of data sensitivity and
different application environments. The user can select the
best module for any given application or system, avoiding
the cost of unnecessary security features.
Cryptography is typically
implemented in a module of software, firmware, hardware, or
some combination thereof. This module contains the cryptographic
algorithm(s), certain control parameters, and temporary storage
facilities for the key(s) being used by the algorithm(s). The proper
functioning of the cryptography requires the secure design,
implementation, and use of the cryptographic module. This includes
protecting the module against tampering.
19.3.5 Applying Cryptography to
The use of cryptography within
networking applications often requires special considerations. In
these applications, the suitability of a cryptographic module may
depend on its capability for handling special requirements imposed
by locally attached communications equipment or by the network
protocols and software.
Encrypted information, MACs, or
digital signatures may require transparent communications protocols
or equipment to avoid being misinterpreted by the communications
equipment or software as control information. It may be necessary to
format the encrypted information, MAC, or digital signature to
ensure that it does not confuse the communications equipment or
software. It is essential that cryptography satisfy the requirements
imposed by the communications equipment and does not interfere with
the proper and efficient operation of the network.
Data is encrypted on a network using
either link or end-to-end encryption. In general, link encryption
is performed by service providers, such as a data communications
provider. Link encryption encrypts all of the data along a
communications path (e.g., a satellite link, telephone circuit, or
T1 line). Since link encryption also encrypts routing data,
communications nodes need to decrypt the data to continue routing.
End-to-end encryption is generally performed by the end-user
organization. Although data remains encrypted when being passed
through a network, routing information remains visible. It is
possible to combine both types of encryption.