- Net neutrality rules passed by US regulator - New rules on how the
internet should be governed have been approved by the Federal
ICO fines travel insurance firm £175,000 for website hack - An
online travel insurance firm has been fined £175,000 by the
Information Commissioner’s Office (ICO) for poor website security
that let hackers easily access its systems and steal sensitive
Breach Detection Time Is Dropping, FireEye Finds - FireEye's
Mandiant M-Trends report reveals that most breaches are not found by
enterprises on their own.
- GAO - FAA Needs to Address Weaknesses in Air Traffic Control
- NIST outlines guidance for security of copiers, scanners - The
National Institute of Standards and Technology announced its
internal report 8023: Risk Management for Replication Devices is now
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Anthem breach by the numbers - While a whopping 78.8 million
consumers may have had personal information viewed by “hackers who
had accessed our database,” an Anthem spokesperson confirmed in a
statement emailed to SCMagazine.com on Thursday, about 60 to 70
million individuals are current or former Anthem members.
Gemalto Confirms It Was Hacked But Insists the NSA Didn’t Get Its
Crypto Keys - Gemalto, the Dutch maker of billions of mobile phone
SIM cards, confirmed this morning that it was the target of attacks
in 2010 and 2011—attacks likely perpetrated by the NSA and British
spy agency GCHQ.
- Uber breach could affect the data of 50K drivers - The
ride-hailing service says it was the victim of a hack last May that
could have exposed thousands of driver names and driver's license
- Attempts made to access Toys"R"Us reward program profiles -
Unnamed attackers attempted to gain access to some Toys“R”Us reward
program members' profiles in January, prompting the company to send
email notifications and request users change their passwords.
- North Carolina credit union notification says laptop containing
data missing - North Carolina-based Piedmont Advantage Credit Union
is notifying an undisclosed number of individuals that one of its
laptops containing personal information – including Social Security
numbers – cannot be located.
- Bulk Reef Supply website compromised, credit cards at risk -
Saltwater aquarium supplies seller Bulk Reef Supply announced that
its website was compromised for about six months, and the company is
notifying an undisclosed number of customers that their personal
data – including credit c
ard information – could be at risk.
- Laptop stolen from employee contained data on Pioneer Bank
customers - New York-based Pioneer Bank is notifying an undisclosed
number of customers that their personal information was on a laptop
that was stolen from an employee.
exploit router flaws in unusual pharming attack - An email-based
attack spotted in Brazil recently employed an unusual but potent
technique to spy on a victim's Web traffic.
Grocers Investigating Card Breach - Sources in the financial
industry tell KrebsOnSecurity they have traced a pattern of fraud on
customer credit and debit cards suggesting that hackers have tapped
into cash registers at Natural Grocers locations across the country.
down mystery hack attack - Firm that makes machines that make chips
makes statement - Semiconductor supplier ASML has admitted that
unnamed hackers broke into its systems.
exposes personal data on 50,000 Uber drivers - An investigation
revealed a database had been accessed last May - The names and
license plate numbers of about 50,000 Uber drivers were compromised
in a security breach last year, the company revealed Friday.
trojan aimed at Japanese banking customers - Japanese banking
customers have been the target of newly discovered financial
malware, dubbed Tsukuba, a member of the proxy changers family.
Oriental Hotel Group is investigating a credit card breach -
Mandarin Oriental Hotel Group is investigating a credit card breach,
according to a statement emailed to SCMagazine.com on Wednesday.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (6 of 12)
Practices-Going Beyond the Minimum
Each bank has the opportunity to go beyond the minimum requirements
and incorporate industry best practices into its IRP. As each bank
tailors its IRP to match its administrative, technical, and
organizational complexity, it may find some of the following best
practices relevant to its operating environment. The practices
addressed below are not all inclusive, nor are they regulatory
requirements. Rather, they are representative of some of the more
effective practices and procedures some institutions have
implemented. For organizational purposes, the best practices have
been categorized into the various stages of incident response:
preparation, detection, containment, recovery, and follow-up.
Preparing for a potential security compromise of customer
information is a proactive risk management practice. The overall
effectiveness and efficiency of an organization's response is
related to how well it has organized and prepared for potential
incidents. Two of the more effective practices noted in many IRPs
are addressed below.
Establish an incident response team.
A key practice in preparing for a potential incident is
establishing a team that is specifically responsible for responding
to security incidents. Organizing a team that includes individuals
from various departments or functions of the bank (such as
operations, networking, lending, human resources, accounting,
marketing, and audit) may better position the bank to respond to a
given incident. Once the team is established, members can be
assigned roles and responsibilities to ensure incident handling and
reporting is comprehensive and efficient. A common responsibility
that banks have assigned to the incident response team is developing
a notification or call list, which includes contact information for
employees, vendors, service providers, law enforcement, bank
regulators, insurance companies, and other appropriate contacts. A
comprehensive notification list can serve as a valuable resource
when responding to an incident.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Measurement and Interpretation of Test Results.
Institutions should design tests to produce results that are logical
and objective. Results that are reduced to metrics are potentially
more precise and less subject to confusion, as well as being more
readily tracked over time. The interpretation and significance of
test results are most useful when tied to threat scenarios.
Traceability. Test results that indicate an unacceptable risk in an
institution's security should be traceable to actions subsequently
taken to reduce the risk to an acceptable level.
Thoroughness. Institutions should perform tests sufficient to
provide a high degree of assurance that their security plan,
strategy and implementation is effective in meeting the security
objectives. Institutions should design their test program to draw
conclusions about the operation of all critical controls. The scope
of testing should encompass all systems in the institution's
production environment and contingency plans and those systems
within the institution that provide access to the production
Frequency. Test frequency should be based on the risk that
critical controls are no longer functioning. Factors to consider
include the nature, extent, and results of prior tests, the value
and sensitivity of data and systems, and changes to systems,
policies and procedures, personnel, and contractors. For example,
network vulnerability scanning on highrisk systems can occur at
least as frequently as significant changes are made to the network.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 19 - CRYPTOGRAPHY
19.5 Cost Considerations
Using cryptography to
protect information has both direct and indirect costs. Cost is
determined in part by product availability; a wide variety of
products exist for implementing cryptography in integrated circuits,
add-on boards or adapters, and stand-alone units.
19.5.1 Direct Costs
The direct costs of
Acquiring or implementing the cryptographic
module and integrating it into the computer system. The medium
(i.e., hardware, software, firmware, or combination) and various
other issues such as level of security, logical and physical
configuration, and special processing requirements will have an
impact on cost.
- Managing the
cryptography and, in particular, managing the cryptographic
keys, which includes key generation, distribution, archiving,
and disposition, as well as security measures to protect the
keys, as appropriate
The indirect costs of
A decrease in system or network
performance, resulting from the additional overhead of applying
cryptographic protection to stored or communicated data.
- Changes in the
way users interact with the system, resulting from more
stringent security enforcement. However, cryptography can be
made nearly transparent to the users so that the impact is