- Cyberattacks on federal government hit record high - Federal
network cybersecurity incidents were up 15 percent in fiscal 2014
from the previous year, according to a recent government report.
Law firms to share info about cyber threats - Leading international
law firms are moving to share information on hacking threats, a step
that could revolutionize how the legal industry copes with attempted
Anthem Refuses To Let Inspector General Conduct Full Security Audit
- Security industry has mixed reactions. Anthem Healthcare initially
earned brownie points with security professionals by publicly
disclosing a major data breach well before they were obligated to do
'Domain shadowing' hijacks registrar accounts to spawn attack sites
- Industrialised hack site creation exploit on the rise - Fiends
behind the world's most infamous exploit kit Angler are stealing
login credentials to create tens of thousands of pop-up domains used
in hit-and-run -style attacks.
Man arrested for refusing to give phone passcode to border agents -
Technically Incorrect: A Quebec resident believes his cell phone is
personal. So when Canadian border agents wanted to search it, he
Spyware vendor may have helped Ethiopia target journalists – even
after it was aware of abuses, researchers say - The Ethiopian
government appears again to be using Internet spying tools to
attempt to eavesdrop on journalists based in suburban Washington,
said security researchers who call such high-tech intrusions a
serious threat to human rights and press freedoms worldwide.
Feds Indict Three in 2011 Epsilon Hack - U.S. federal prosecutors in
Atlanta today unsealed indictments against two Vietnamese men and a
Canadian citizen in connection with what’s being called “one of the
largest reported data breaches in U.S. history.”
$1.1M fine issued to firm for violating Canada's anti-spam law - The
authority in charge of regulating Canada's broadcasting and
telecommunications sector has issued the first fine to an
organization for violating the country's anti-spam law.
- 2,400 unsafe mobile apps on employee devices in average large
enterprise - The average large global enterprise has approximately
2,400 unsafe mobile applications installed on employee devices.
- Security pros felt more pressure to secure their organization in
2014 than year prior - The pressure is on IT security professionals
in the coming year, with 57 percent believing they will feel a
greater squeeze this year to keep their organization secure.
- 71 percent of orgs were successfully attacked in 2014 - The number
of successful cyber attacks against organizations is increasing,
according to the “2015 Cyberthreat Defense Report”, which surveyed
814 IT security decision makers and practitioners from organizations
– in 19 industries – across North America and Europe.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Credit Card Breach at Mandarin Oriental - In response to questions
from KrebsOnSecurity, upscale hotel chain Mandarin Oriental Hotel
Group today confirmed that its hotels have been affected by a credit
NEXTEP, a POS systems provider, is investigating a possible breach -
Michigan-based provider of point-of-sale devices, NEXTEP SYSTEMS, is
investigating a possible security compromise of customer systems,
according to a statement emailed to SCMagazine.com on Monday.
Programmer pleads guilty to stealing Federal Reserve software code -
A former top programmer for the Federal Reserve Bank of Kansas City
pleaded guilty in federal court Wednesday to stealing software code
belonging to the government.
New York private investigator pleads guilty to computer hacking
charge - A New York City-based private investigator has pled guilty
to one charge of conspiracy to commit computer hacking, which
carries a maximum sentence of five years.
convicted in ATM skimming spree that netted $5 million - A Chicago
man has been convicted for playing a lead role in an ATM skimming
spree that impacted various banks.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program is
to define what constitutes an incident. This step is important as it
sharpens the organization's focus and delineates the types of events
that would trigger the use of the IRP. Moreover, identifying
potential security incidents can also make the possible threats seem
more tangible, and thus better enable organizations to design
specific incident-handling procedures for each identified threat.
The ability to detect that an incident is occurring or has occurred
is an important component of the incident response process. This is
considerably more important with respect to technical threats, since
these can be more difficult to identify without the proper technical
solutions in place. If an institution is not positioned to quickly
identify incidents, the overall effectiveness of the IRP may be
affected. Following are two detection-related best practices
included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical solution, such
as an intrusion detection system or a firewall, to assist in the
identification of unauthorized system access. Activity reports from
these and other technical solutions (such as network and application
security reports) serve as inputs for the monitoring process and for
the IRP in general. Identifying potential indicators of unauthorized
system access within these activity or security reports can assist
in the detection process.
Involve legal counsel.
Because many states have enacted laws governing
notification requirements for customer information security
compromises, institutions have found it prudent to involve the
institution's legal counsel when a compromise of customer
information has been detected. Legal guidance may also be warranted
in properly documenting and handling the incident.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY TESTING - INDEPENDENT DIAGNOSTIC TESTS
- This is the type of independent diagnostic testing that we
perform. Please refer to
http://www.internetbankingaudits.com/ for information.)
Penetration tests, audits, and assessments can use the same
set of tools in their methodologies. The nature of the tests,
however, is decidedly different. Additionally, the definitions of
penetration test and assessment, in particular, are not universally
held and have changed over time.
Penetration Tests. A penetration test subjects a system to
the real - world attacks selected and conducted by the testing
personnel. The benefit of a penetration test is to identify the
extent to which a system can be compromised before the attack is
identified and assess the response mechanism's effectiveness.
Penetration tests generally are not a comprehensive test of the
system's security and should be combined with other independent
diagnostic tests to validate the effectiveness of the security
Audits. Auditing compares current practices against a set of
standards. Industry groups or institution management may create
those standards. Institution management is responsible for
demonstrating that the standards they adopt are appropriate for
Assessments. An assessment is a study to locate security
vulnerabilities and identify corrective actions. An assessment
differs from an audit by not having a set of standards to test
against. It differs from a penetration test by providing the tester
with full access to the systems being tested. Assessments may be
focused on the security process or the information system. They may
also focus on different aspects of the information system, such as
one or more hosts or networks.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
chapter illustrates how a hypothetical government agency (HGA) deals
with computer security issues in its operating environment. It
follows the evolution of HGA's initiation of an assessment of the
threats to its computer security system all the way through to HGA's
recommendations for mitigating those risks. In the real world, many
solutions exist for computer security problems. No single solution
can solve similar security problems in all environments. Likewise,
the solutions presented in this example may not be appropriate for
This example can be used to
help understand how security issues are examined, how
some potential solutions are analyzed, how their cost
and benefits are weighed, and ultimately how management
accepts responsibility for risks
This case study is
provided for illustrative purposes only, and should not be construed
as guidance or specific recommendations to solving specific security
issues. Because a comprehensive example attempting to illustrate all
handbook topics would be inordinately long, this example necessarily
simplifies the issues presented and omits many details. For
instance, to highlight the similarities and differences among
controls in the different processing environments, it addresses some
of the major types of processing platforms linked together in a
distributed system: personal computers, local-area networks,
wide-area networks, and mainframes; it does not show how to secure
This section also
highlights the importance of management's acceptance of a particular
level of risk--this will, of course, vary from organization to
organization. It is management's prerogative to decide what level of
risk is appropriate, given operating and budget environments and
other applicable factors.