FYI
- Net neutrality rules passed by US regulator - New rules on how the
internet should be governed have been approved by the Federal
Communications Commission.
http://www.bbc.com/news/technology-31638528
FYI
- ICO fines travel insurance firm £175,000 for website hack - An
online travel insurance firm has been fined £175,000 by the
Information Commissioner’s Office (ICO) for poor website security
that let hackers easily access its systems and steal sensitive
information.
http://www.v3.co.uk/v3-uk/news/2396987/ico-fines-travel-insurance-firm-gbp175-000-for-website-hack
FYI
- Breach Detection Time Is Dropping, FireEye Finds - FireEye's
Mandiant M-Trends report reveals that most breaches are not found by
enterprises on their own.
http://www.eweek.com/security/breach-detection-time-is-dropping-fireeye-finds.html
FYI
- GAO - FAA Needs to Address Weaknesses in Air Traffic Control
Systems.
http://www.gao.gov/products/GAO-15-221
FYI
- NIST outlines guidance for security of copiers, scanners - The
National Institute of Standards and Technology announced its
internal report 8023: Risk Management for Replication Devices is now
available.
http://gcn.com/articles/2015/02/25/nist-replication-device-security.aspx?admgarea=TC_SecCybersSec
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Anthem breach by the numbers - While a whopping 78.8 million
consumers may have had personal information viewed by “hackers who
had accessed our database,” an Anthem spokesperson confirmed in a
statement emailed to SCMagazine.com on Thursday, about 60 to 70
million individuals are current or former Anthem members.
http://www.scmagazine.com/victims-of-the-anthem-breach-stretch-across-multiple-states/article/400489/
http://www.bloomberg.com/news/articles/2015-02-24/fbi-is-close-to-finding-hackers-in-anthem-health-care-data-theft
FYI
- Gemalto Confirms It Was Hacked But Insists the NSA Didn’t Get Its
Crypto Keys - Gemalto, the Dutch maker of billions of mobile phone
SIM cards, confirmed this morning that it was the target of attacks
in 2010 and 2011—attacks likely perpetrated by the NSA and British
spy agency GCHQ.
http://www.wired.com/2015/02/gemalto-confirms-hacked-insists-nsa-didnt-get-crypto-keys/
FYI
- Uber breach could affect the data of 50K drivers - The
ride-hailing service says it was the victim of a hack last May that
could have exposed thousands of driver names and driver's license
numbers.
http://www.cnet.com/news/uber-breach-could-affect-the-data-of-50k-drivers/
FYI
- Attempts made to access Toys"R"Us reward program profiles -
Unnamed attackers attempted to gain access to some Toys"R"Us reward
program members' profiles in January, prompting the company to send
email notifications and request users change their passwords.
http://www.scmagazine.com/attacks-attempt-to-access-rewardsrus-accounts/article/401160/
FYI
- North Carolina credit union notification says laptop containing
data missing - North Carolina-based Piedmont Advantage Credit Union
is notifying an undisclosed number of individuals that one of its
laptops containing personal information – including Social Security
numbers – cannot be located.
http://www.scmagazine.com/north-carolina-credit-union-notification-says-laptop-containing-data-missing/article/401139/
FYI
- Bulk Reef Supply website compromised, credit cards at risk -
Saltwater aquarium supplies seller Bulk Reef Supply announced that
its website was compromised for about six months, and the company is
notifying an undisclosed number of customers that their personal
data – including credit card information – could be at risk.
http://www.scmagazine.com/bulk-reef-supply-website-compromised-credit-cards-at-risk/article/400727/
FYI
- Laptop stolen from employee contained data on Pioneer Bank
customers - New York-based Pioneer Bank is notifying an undisclosed
number of customers that their personal information was on a laptop
that was stolen from an employee.
http://www.scmagazine.com/laptop-stolen-from-employee-contained-data-on-pioneer-bank-customers/article/401433/
FYI
- Hackers exploit router flaws in unusual pharming attack - An email-based
attack spotted in Brazil recently employed an unusual but potent
technique to spy on a victim's Web traffic.
http://www.computerworld.com/article/2889841/hackers-exploit-router-flaws-in-unusual-pharming-attack.html
FYI
- Natural Grocers Investigating Card Breach - Sources in the financial
industry tell KrebsOnSecurity they have traced a pattern of fraud on
customer credit and debit cards suggesting that hackers have tapped
into cash registers at Natural Grocers locations across the country.
http://krebsonsecurity.com/2015/03/natural-grocers-investigating-card-breach/
FYI
- ASML plays down mystery hack attack - Firm that makes machines that make chips
makes statement - Semiconductor supplier ASML has admitted that
unnamed hackers broke into its systems.
http://www.theregister.co.uk/2015/03/02/asml_hack_china_semiconductor/
FYI
- Breach exposes personal data on 50,000 Uber drivers - An investigation
revealed a database had been accessed last May - The names and
driver's license numbers of about 50,000 Uber drivers were compromised
in a security breach last year, the company revealed Friday.
http://www.computerworld.com/article/2890493/breach-exposes-personal-data-on-50000-uber-drivers.html
FYI
- Tsukuba trojan aimed at Japanese banking customers - Japanese banking
customers have been the target of newly discovered financial
malware, dubbed Tsukuba, a member of the proxy changers family.
http://www.scmagazine.com/banking-trojan-is-member-of-proxy-changers-family/article/401666/
FYI
- Mandarin Oriental Hotel Group is investigating a credit card breach -
Mandarin Oriental Hotel Group is investigating a credit card breach,
according to a statement emailed to SCMagazine.com on Wednesday.
http://www.scmagazine.com/mandarin-oriental-hotel-group-is-investigating-a-credit-card-breach/article/401725/
WEB SITE COMPLIANCE -
We continue the series on FDIC Supervisory Insights regarding
Incident Response Programs. (6 of 12)
Best Practices - Going Beyond the Minimum
Each bank has the opportunity to go beyond the minimum requirements
and incorporate industry best practices into its IRP. As each bank
tailors its IRP to match its administrative, technical, and
organizational complexity, it may find some of the following best
practices relevant to its operating environment. The practices
addressed below are not all inclusive, nor are they regulatory
requirements. Rather, they are representative of some of the more
effective practices and procedures some institutions have
implemented. For organizational purposes, the best practices have
been categorized into the various stages of incident response:
preparation, detection, containment, recovery, and follow-up.
Preparation
Preparing for a potential security compromise of customer
information is a proactive risk management practice. The overall
effectiveness and efficiency of an organization's response is
related to how well it has organized and prepared for potential
incidents. Two of the more effective practices noted in many IRPs
are addressed below.
Establish an incident response team.
A key practice in preparing for a potential incident is
establishing a team that is specifically responsible for responding
to security incidents. Organizing a team that includes individuals
from various departments or functions of the bank (such as
operations, networking, lending, human resources, accounting,
marketing, and audit) may better position the bank to respond to a
given incident. Once the team is established, members can be
assigned roles and responsibilities to ensure incident handling and
reporting is comprehensive and efficient. A common responsibility
that banks have assigned to the incident response team is developing
a notification or call list, which includes contact information for
employees, vendors, service providers, law enforcement, bank
regulators, insurance companies, and other appropriate contacts. A
comprehensive notification list can serve as a valuable resource
when responding to an incident.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Measurement and Interpretation of Test Results.
Institutions should design tests to produce results that are logical
and objective. Results that are reduced to metrics are potentially
more precise and less subject to confusion, as well as being more
readily tracked over time. The interpretation and significance of
test results are most useful when tied to threat scenarios.
Traceability. Test results that indicate an unacceptable risk in an
institution's security should be traceable to actions subsequently
taken to reduce the risk to an acceptable level.
Thoroughness. Institutions should perform tests sufficient to
provide a high degree of assurance that their security plan,
strategy and implementation is effective in meeting the security
objectives. Institutions should design their test program to draw
conclusions about the operation of all critical controls. The scope
of testing should encompass all systems in the institution's
production environment and contingency plans and those systems
within the institution that provide access to the production
environment.
Frequency. Test frequency should be based on the risk that
critical controls are no longer functioning. Factors to consider
include the nature, extent, and results of prior tests, the value
and sensitivity of data and systems, and changes to systems,
policies and procedures, personnel, and contractors. For example,
network vulnerability scanning on high-risk systems can occur at
least as frequently as significant changes are made to the network.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 19 - CRYPTOGRAPHY
19.5 Cost Considerations
Using cryptography to
protect information has both direct and indirect costs. Cost is
determined in part by product availability; a wide variety of
products exist for implementing cryptography in integrated circuits,
add-on boards or adapters, and stand-alone units.
19.5.1 Direct Costs
The direct costs of
cryptography include:
- Acquiring or implementing the cryptographic
module and integrating it into the computer system. The medium
(i.e., hardware, software, firmware, or combination) and various
other issues such as level of security, logical and physical
configuration, and special processing requirements will have an
impact on cost.
- Managing the cryptography and, in particular, managing the
cryptographic keys, which includes key generation, distribution,
archiving, and disposition, as well as security measures to protect
the keys, as appropriate.
19.5.2 Indirect Costs
The indirect costs of
cryptography include:
- A decrease in system or network
performance, resulting from the additional overhead of applying
cryptographic protection to stored or communicated data.
- Changes in the
way users interact with the system, resulting from more
stringent security enforcement. However, cryptography can be
made nearly transparent to the users so that the impact is
minimal.