FYI
- Examining the Current State of Database Security - Considering
that database systems hold extremely valuable and sensitive
information, one would assume that most organizations would fiercely
protect these “crown jewels” with great care. Unfortunately, that is
not the case.
https://www.scmagazine.com/examining-the-current-state-of-database-security/article/636758/
50 banking smartphone apps fail on security - Analysis of mobile
applications of 50 of the world's top 100 banks has found all to be
vulnerable to several security threats.
https://www.scmagazine.com/50-banking-smartphone-apps-fail-on-security/article/639775/
Fingerprints to unlock iPhone? Judge says no. A federal judge in
Chicago issued an opinion on February 16 that would deny the
government's attempt to force Apple device owners to provide a
fingerprint to unlock their device.
https://www.scmagazine.com/fingerprints-to-unlock-iphone-judge-says-no/article/639939/
Survey explores the minds of hackers: 81% claim they can compromise
target in under 12 hours - Eighty-eight percent of hackers surveyed
at the 2016 DEF CON conference in Las Vegas last August claimed that
they can compromise a target in less than 12 hours, while 81 percent
said they can identify and exfiltrate a target's data in the same
amount of time.
https://www.scmagazine.com/survey-explores-the-minds-of-hackers-81-claim-they-can-compromise-target-in-under-12-hours/article/640255/
New York's new cybersecurity requirements: Are you ready? - The New
York State Department of Financial Services (DFS) has implemented a
new regulation requiring all its supervised companies to comply with
the Financial Services' Cybersecurity Requirements, which go into
effect March 1, 2017.
https://www.scmagazine.com/new-yorks-new-cybersecurity-requirements-are-you-ready/article/639683/
French and German MPs ask for encryption backdoors, industry says
'no' - French and German ministers ask for greater security
measures, including encryption backdoors, to fight terrorism in
Europe, but the tech industry says it isn't possible.
https://www.scmagazine.com/french-and-german-mps-ask-for-encryption-backdoors-industry-says-no/article/640693/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- John Legend calls his Twitter hacker hilarious - Singer John
Legend took having his Twitter account hacked with a positive
attitude saying that while the hacker was vulgar he was also “kinda
hilarious”.
https://www.scmagazine.com/john-legend-calls-his-twitter-hacker-hilarious/article/640395/
How sweet it isn't: W-2s of 3K Amalgamated Sugar workers exposed -
Nearly three thousand workers at Boise, Idaho-based Amalgamated
Sugar have received notifications of an intruder accessing the
company's network and their personal information being disclosed.
https://www.scmagazine.com/how-sweet-it-isnt-w-2s-of-3k-amalgamated-sugar-workers-exposed/article/640540/
Man suspected of DT router DDoS attack arrested in Luton airport - A
man has been arrested by agents from the National Crime Agency (NCA)
following a European Arrest Warrant put out by Germany's federal
police. Germans are to seek extradition of the suspect under charges
of computer sabotage.
https://www.scmagazine.com/man-suspected-of-dt-router-ddos-attack-arrested-in-luton-airport/article/640104/
Security lapse exposed New York airport's critical servers for a
year - Exclusive: The files included gigabytes of emails, sensitive
government files, and a password list, which researchers say could
give hackers "full access" to the airport's systems.
http://www.zdnet.com/article/unsecured-servers-at-new-york-airport-left-exposed-for-a-year/
'Data security incident' affects 36K Boeing workers - While a Nov.
21 gaffe by a Boeing employee who, seeking Excel formatting
assistance, emailed a spreadsheet containing personal data of 36,000
company employees to his spouse has not led to exposure of the data
as of yet, the Seattle-based aerospace company, as required by law,
issued a disclosure to Washington State Attorney General Bob
Ferguson.
https://www.scmagazine.com/data-security-incident-affects-36k-boeing-workers/article/640731/
vBulletin targeted yet again, 800K accounts compromised - Once again
hackers have targeted vBulletin users, this time leaking information
from 819,977 user accounts.
https://www.scmagazine.com/hacker-leaks-800k-accounts-after-exploiting-vbulletin-forums/article/640911/
Singapore MoD computer breached, 850 lose PII - The personally
identifiable information of 850 Singapore military service members
and Ministry of Defense staffers was compromised in what is being
called a targeted and carefully planned attack on the MOD's I-net
computer system.
https://www.scmagazine.com/singapore-mod-computer-breached-850-lose-pii/article/640722/
1,000 Redmond (Ore.) school district workers affected by W-2 breach
- The Redmond (Ore.) school district reported that one of its
workers fell for a phishing scam and emailed the W-2 forms for all
district employees to an unauthorized person.
https://www.scmagazine.com/1000-redmond-ore-school-district-workers-affected-by-w-2-breach/article/641046/
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 11: Banks should ensure
that adequate information is provided on their websites to allow
potential customers to reach an informed conclusion about the
identity and regulatory status of the bank prior to entering into
e-banking transactions.
To minimize legal and reputational risk associated with e-banking
activities conducted both domestically and cross-border, banks
should ensure that adequate information is provided on their
websites to allow customers to make informed conclusions about the
identity and regulatory status of the bank before they enter into
e-banking transactions.
Examples of such information that a bank could provide on its own
website include:
1) The name of the bank and the location of its head office (and
local offices if applicable).
2) The identity of the primary bank supervisory authority(ies)
responsible for the supervision of the bank's head office.
3) How customers can contact the bank's customer service center
regarding service problems, complaints, suspected misuse of
accounts, etc.
4) How customers can access and use applicable Ombudsman or
consumer complaint schemes.
5) How customers can obtain access to information on applicable
national compensation or deposit insurance coverage and the level of
protection that they afford (or links to websites that provide such
information).
6) Other information that may be appropriate or required by
specific jurisdictions.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
Typical controls to protect against malicious code use technology,
policies and procedures, and training. Prevention and detection of
malicious code typically involves anti-virus and other detection
products at gateways, mail servers, and workstations. Those products
generally scan messages for known signatures of a variety of
malicious code, or potentially dangerous behavioral characteristics.
Differences between products exist in detection capabilities and the
range of malicious code included in their signatures. Detection
products should not be relied upon to detect all malicious code.
Additionally, anti-virus and other products that rely on signatures
generally are ineffective when the malicious code is encrypted. For
example, VPNs, IPSec, and encrypted e-mail will all shield malicious
code from detection.
Signature-based anti-virus products scan for unique components of
certain known malicious code. Since new malicious code is created
daily, the signatures need to be updated continually. Different
vendors of anti-virus products update their signatures on different
frequencies. When an update appears, installing the update on all of
an institution's computers may involve automatically pushing the
update to the computers, or requesting users to manually obtain the
update.
Heuristic anti-virus products generally execute code in a protected
area of the host to analyze it and detect any hostile intent.
Heuristic products are meant to defend against previously unknown or
disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail
attachments, as well as any Active-X or Java applets. A more refined
strategy might block based on certain characteristics of known code.
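The two gateway strategies just described, a coarse block on executable attachment types and a more refined block on characteristics of the content itself, can be illustrated with a small policy check. The following is an added example written for this newsletter, not code from the FFIEC booklet or any product; the blocked-extension list, the magic-byte table and the sample messages are all constructed assumptions. The point it makes is that the content check catches an executable even after it has been renamed to look like a text file.

```python
"""Mail-gateway attachment policy check (added illustration).

Blocks executable attachments two ways: by file extension (coarse
strategy) and by the file's leading bytes (content characteristics),
so a renamed executable is still caught. All sample messages are
constructed inline; nothing is sent or received.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions a coarse policy refuses outright (assumed list, not a standard).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js",
                      ".vbs", ".jar", ".msi"}

# Leading bytes of common executable formats ("characteristics of known code").
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}


def classify_attachment(filename, data):
    """Return None if the attachment is acceptable, else the reason it is blocked."""
    ext = os.path.splitext((filename or "").lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return f"content looks like {description}"
    return None


def check_message(raw):
    """Parse a raw RFC 822 message; return [(filename, reason)] for blocked parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), data)
        if reason:
            blocked.append((part.get_filename(), reason))
    return blocked


def build_sample(filename, data):
    """Construct a message with one attachment (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed attachments: name -> first bytes of content.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 ...",      # acceptable document
    "setup.exe":   b"MZ\x90\x00",        # caught by the extension rule
    "notes.txt":   b"MZ\x90\x00",        # executable renamed; caught by magic bytes
    "report.txt":  b"plain text body",   # acceptable
}


def run_samples():
    """Return {filename: blocked-list} for every constructed sample."""
    return {name: check_message(build_sample(name, data))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in run_samples().items():
        print(name, "->", blocked or "accepted")
```

A real gateway would add a signature or sandbox stage behind this check; the example only shows why the content-based rule belongs alongside the extension rule.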
Protection of servers involves examining input from users and only
accepting that input which is expected. This activity is called
filtering. If filtering is not employed, a Web site visitor, for
instance, could employ an attack that inserts code into a response
form, causing the server to perform certain actions. Those actions
could include changing or deleting data and initiating fund
transfers.
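Filtering in the sense used above means describing, per field, the only input the server will accept, and rejecting everything else before it reaches the application. The following is an added example for this newsletter, not code from the FFIEC booklet; the form fields, their patterns and the sample submissions are all assumed for a hypothetical funds-transfer page. Note that the allowlist rejects the injected script and quote characters without needing to know anything about specific attacks, and also rejects fields the form never defined.

```python
"""Allowlist input filtering for a web form (added illustration).

Each expected field has a pattern describing the only input the server
accepts. Anything that does not match, or any field that was not
expected at all, is rejected before application logic runs.
"""
import re
from decimal import Decimal

# Field -> allowlist pattern (assumed layout of a funds-transfer form).
FIELD_RULES = {
    "from_account": re.compile(r"[0-9]{8,12}"),
    "to_account":   re.compile(r"[0-9]{8,12}"),
    "amount":       re.compile(r"[0-9]{1,7}(\.[0-9]{1,2})?"),
    "memo":         re.compile(r"[A-Za-z0-9 .,'-]{0,60}"),
}
REQUIRED = {"from_account", "to_account", "amount"}
MAX_AMOUNT = Decimal("100000.00")   # assumed business limit


class InvalidInput(ValueError):
    """Raised for any submission that is not exactly what the form expects."""


def filter_form(form):
    """Return validated, typed values, or raise InvalidInput."""
    unexpected = set(form) - set(FIELD_RULES)
    if unexpected:
        raise InvalidInput(f"unexpected fields: {sorted(unexpected)}")
    missing = REQUIRED - set(form)
    if missing:
        raise InvalidInput(f"missing fields: {sorted(missing)}")
    clean = {}
    for name, value in form.items():
        # fullmatch anchors both ends; '$' alone would allow a trailing newline.
        if not isinstance(value, str) or not FIELD_RULES[name].fullmatch(value):
            raise InvalidInput(f"field {name!r} does not match expected format")
        clean[name] = value
    amount = Decimal(clean["amount"])
    if not Decimal("0.01") <= amount <= MAX_AMOUNT:
        raise InvalidInput("amount out of range")
    clean["amount"] = amount
    if clean["from_account"] == clean["to_account"]:
        raise InvalidInput("source and destination accounts are identical")
    return clean


def evaluate(form):
    """Return ('accepted', clean_values) or ('rejected', reason)."""
    try:
        return "accepted", filter_form(form)
    except InvalidInput as exc:
        return "rejected", str(exc)


# Constructed sample submissions.
GOOD = {"from_account": "12345678", "to_account": "87654321",
        "amount": "250.00", "memo": "Rent, March"}
SCRIPT_IN_MEMO = {**GOOD, "memo": "<script>alert(1)</script>"}
QUOTE_IN_ACCOUNT = {**GOOD, "to_account": "8765' OR '1'='1"}
EXTRA_FIELD = {**GOOD, "is_admin": "true"}
OVERSIZED = {**GOOD, "amount": "9999999.99"}

if __name__ == "__main__":
    for label, form in [("good", GOOD), ("script in memo", SCRIPT_IN_MEMO),
                        ("quote in account", QUOTE_IN_ACCOUNT),
                        ("extra field", EXTRA_FIELD), ("oversized", OVERSIZED)]:
        print(f"{label}: {evaluate(form)}")
```

Output encoding and parameterized queries are still needed downstream; filtering reduces what reaches them, it does not replace them.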
Protection from malicious code also involves limiting the
capabilities of the servers and Web applications to only include
functions necessary to support operations. See "Systems Development,
Acquisition, and Maintenance."
Anti-virus tools and code blocking are not comprehensive solutions.
New malicious code could have different signatures, and bypass other
controls. Protection against newly developed malicious code
typically comes in the form of policies, procedures, and user
awareness and training. For example, policies could prohibit the
installation of software by unauthorized employees, and regular
reviews for unauthorized software could take place. System users
could be trained not to open unexpected messages, not to open any
executables, and not to allow or accept file transfers in P2P
communications. Additional protection may come from disconnecting
and isolating networks from each other or from the Internet in the
face of a fast-moving malicious code attack.
An additional detection control involves network and host intrusion
detection devices. Network intrusion detection devices can be tuned
to alert when known malicious code attacks occur. Host intrusion
detection can be tuned to alert when it recognizes abnormal system
behavior, the presence of unexpected files, or changes to existing
files.
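The host-side signal described above, unexpected files and changes to existing files, comes from comparing the current state of the file system with a trusted baseline. The following is an added example for this newsletter, not code from the FFIEC booklet or any intrusion detection product; the directory tree it inspects is constructed in a temporary directory, and the "system file" it modifies is a dummy, so the check runs offline.

```python
"""Host file-integrity check (added illustration).

Records a baseline of SHA-256 digests for a directory tree, then reports
files that were added, modified or removed: the kind of condition a host
intrusion detection tool alerts on. The sample tree is constructed in a
temporary directory.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map relative POSIX-style path -> digest for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow symlinks out of the tree
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = hash_file(full)
    return digests


def compare(baseline, current):
    """Return (added, modified, removed) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, modified, removed


def demo():
    """Build a constructed tree, take a baseline, change it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"original login binary (dummy)")
        with open(os.path.join(root, "motd"), "w") as fh:
            fh.write("welcome\n")
        baseline = snapshot(root)

        # Simulated changes of the kinds the text lists.
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"altered login binary (dummy)")   # change to an existing file
        with open(os.path.join(root, "bin", ".hidden"), "wb") as fh:
            fh.write(b"unexpected file")                # unexpected new file
        os.remove(os.path.join(root, "motd"))           # removed file

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:   ", added)
    print("modified:", modified)
    print("removed: ", removed)
```

In practice the baseline is stored somewhere the monitored host cannot silently rewrite it, and the comparison is scheduled or triggered by file-change notifications rather than run by hand.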
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Section III. Operational Controls - Chapter 10 - PERSONNEL/USERS ISSUES
Many important issues in computer security involve human users,
designers, implementers, and managers. A broad range of security
issues relate to how these individuals interact with computers and
the access and authorities they need to do their job. No computer
system can be secured without properly addressing these security
issues.
This chapter examines issues concerning the staffing of positions
that interact with computer systems; the administration of users on
a system, including considerations for terminating employee access;
and special considerations that may arise when contractors or the
public have access to systems. Personnel issues are closely linked
to logical access controls.
10.1 Staffing
The staffing process generally involves at least four steps and can
apply equally to general users as well as to application managers,
system management personnel, and security personnel. These four
steps are: (1) defining the job, normally involving the development
of a position description; (2) determining the sensitivity of the
position; (3) filling the position, which involves screening
applicants and selecting an individual; and (4) training.