FFIEC Joint Statements on Destructive Malware and Compromised
Credentials - The Federal Financial Institutions Examination Council
has issued two joint statements to alert financial institutions to
specific risk mitigation techniques related to destructive malware
and cyber attacks that compromise credentials.
Financial Institution Letters:
- Human error cited as leading contributor to breaches, study shows
- Human error is the root cause of 52 percent of security
breaches, according to a new study, which surveyed individuals from
hundreds of companies in the U.S.
- PCI Council updates penetration testing guidance for merchants -
The PCI Security Standards Council has released guidance to help
merchants improve their system for regularly testing security
controls and processes impacting payment card security.
Gov't offers $3 million reward for info on alleged Carder.su
cybercriminals - The U.S. Department of State is offering up to $3
million for information leading to the arrest of two men who are
allegedly tied to the Carder.su cybercrime syndicate.
Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk - Guests
at hundreds of hotels around the world are susceptible to serious
hacks because of routers that many hotel chains depend on for their
California bill requires warrant for stingray use - Cops claim need
for warrant to access all digital devices would "undermine" them. A
California state bill that would require a warrant to access all
kinds of digital data passed its first hurdle after being approved
by the Senate Public Safety Committee on Tuesday.
Insurers’ Cybersecurity Work After Hacks - Insurers doing business
in New York State must tell a regulator there about efforts to
prevent computer hacking, detailing the precautions taken and the
personnel devoted to the task.
New York Fed Forms Team Focused on Cybersecurity Threats - The
Federal Reserve Bank of New York has formed a team dedicated to
cybersecurity threats, according to the bank’s top regulator.
Citigroup report reveals poor disclosure track record at law firms -
After reviewing an internal Citigroup report it obtained, The New
York Times revealed a trend among major law firms in the U.S. of
rarely disclosing cyberattacks.
How cyberattacks can be overlooked in America's most critical
sectors - Across some of the most crucial sectors of the American
economy, there is no consensus on what exactly should be
considered a 'cyberincident', or whether technical mishaps, even
without malicious intent, should count. That's a problem.
- 30 percent of practitioners say they would pay cyber extortionists
to retrieve their data - A recent poll of 250 security professionals
in the U.S. found that most – but not all – respondents would refuse
to negotiate with cybercriminals in an attempt to recover stolen or
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Ransomware holds schools hostage: 'Now give us Bitcoin worth $129k,
er, $124k, wait ...' - 'It's like being in 1981' says district boss
- A New Jersey school district in the US has been held hostage by
ransomware that has apparently demanded hundreds of Bitcoins to end
Slack announces breach, unauthorized access to database - Team
communication platform Slack announced on Friday that for roughly
four days in February unauthorized access was gained to a database
and suspicious activity has subsequently been detected on a small
number of accounts.
Cyberattack hits hard at popular coding site Github - A debilitating
onslaught of Internet traffic directed at Github appears to be
focused on shutting down anticensorship tools. GitHub is still
grappling with a distributed denial-of-service attack of a scale it
had never seen before and believed to originate from China.
British Airways says rewards accounts hacked, locked down - British
Airways has “locked down a number” of customers' frequent flyer
accounts after an unauthorized third party apparently tried to
access some Executive Club and Registered Customer accounts.
Puush urges users to change passwords after cyber attack - The
screen sharing platform Puush was hit by a cyber attack this weekend
that injected malware into a server.
Cyber attack hits Fairleigh Dickinson; Rutgers works to restore
internet service - As Rutgers University works to recover from a
weekend cyber attack, Fairleigh Dickinson University officials
confirm that a similar attack shut down the university's own
computer network Saturday.
- Nite Ize website attack impacts credit cards, possibly customer
database - Nite Ize is notifying customers that its online store
experienced a cyber attack, which resulted in credit card
transactions being compromised and unauthorized access possibly
being gained to a general customer database.
- Australia immigration dept. leaked 2014 G20 leaders' personal info
- Australia's Department of Immigration and Border Protection
inadvertently leaked information about world leaders who attended
the 2014 G20 Summit in Brisbane Australia.
- Fraudulent activity on payment cards used at New York car wash -
New York police have identified a pattern of fraudulent activity on
credit and debit cards used to make purchases at a car wash in
Rotterdam, N.Y., according to reports.
WEB SITE COMPLIANCE -
We continue the
series from the FDIC "Security Risks Associated with the
Digital signatures authenticate the identity of a sender through
the sender's private cryptographic key. In addition, every digital
signature is different because it is derived from the content of the
message itself. The combination of identity authentication and
singularly unique signatures results in a transmission that cannot
Digital signatures can be applied to any data transmission,
including e-mail. To generate a digital signature, the original,
unencrypted message is run through a mathematical algorithm that
generates what is known as a message digest (a short, fixed-length
value that uniquely represents the data). This process is known as
hashing. The message digest is then encrypted with the sender's
private key, and sent along with the message. The recipient receives
both the message and the encrypted message digest. The recipient
decrypts the message digest with the sender's public key, and then
runs the received message through the same hash function. If the
resulting message digest matches the one sent with the message, the
message has not been altered and data integrity is verified. Because
only the sender's private key could have produced the encrypted
digest, the sender can be identified and bound to that specific
message. The digital signature cannot be reused on another message,
because it is unique to the message it was computed over. In the
above example, data privacy and confidentiality could also be
achieved by encrypting the message itself; the signature alone
provides none. The strength and security of a digital signature
system is determined by its implementation, and the management of the
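The sign-and-verify flow the FDIC text describes, as an added example that is not part of the original newsletter or the FDIC guidance: SHA-256 produces the message digest, and RSA (PKCS#1 v1.5) stands in for "encrypting the digest with the private key", which is how textbook descriptions phrase RSA signing. The keys and the message are constructed for the example and generated fresh on every run; the function and type names are the example's own, not from any cited source.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what the sender transmits: the plaintext message plus the
// signature (the privately "encrypted" message digest in the text's terms).
type SignedMessage struct {
	Message   []byte
	Signature []byte
}

// Sign runs the message through SHA-256 to get the message digest, then signs
// the digest with the sender's RSA private key (PKCS#1 v1.5 padding).
func Sign(priv *rsa.PrivateKey, msg []byte) (SignedMessage, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Message: msg, Signature: sig}, nil
}

// Verify recomputes the digest from the message actually received and checks
// the signature against it with the sender's public key. Any change to the
// message, or a signature made with a different private key, fails here.
func Verify(pub *rsa.PublicKey, sm SignedMessage) bool {
	digest := sha256.Sum256(sm.Message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sm.Signature) == nil
}

// Demo exercises the three cases the text implies: an unaltered message from
// the real sender verifies; an altered message does not; a message signed
// with someone else's key does not. Keys and message are constructed for
// this example only.
func Demo() (genuine, altered, wrongSigner bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}

	msg := []byte("Transfer 100.00 from account 1001 to account 2002") // constructed sample
	sm, err := Sign(sender, msg)
	if err != nil {
		return
	}
	genuine = Verify(&sender.PublicKey, sm)

	// Integrity check: change one digit in transit, keep the original signature.
	tampered := SignedMessage{
		Message:   []byte("Transfer 900.00 from account 1001 to account 2002"),
		Signature: sm.Signature,
	}
	altered = Verify(&sender.PublicKey, tampered)

	// Authentication check: same message, signed with a key the recipient
	// does not associate with the sender.
	forged, err := Sign(impostor, msg)
	if err != nil {
		return
	}
	wrongSigner = Verify(&sender.PublicKey, forged)
	return
}

func main() {
	genuine, altered, wrongSigner, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v wrongSigner=%v\n", genuine, altered, wrongSigner)
}
```

Two points the code makes concrete. First, the signature covers the digest, not the message, so the recipient must hash exactly the bytes received; a single changed digit fails verification. Second, verification only proves that whoever holds the matching private key signed the message; it says nothing unless the recipient already has an authentic copy of the sender's public key (in practice bound through a certificate), which is the key-management point the FDIC text ends on. The message itself travels in the clear here; confidentiality is a separate encryption step.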
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
MONITORING AND UPDATING
A static security program provides a false sense of security and
will become increasingly ineffective over time. Monitoring and
updating the security program is an important part of the ongoing
cyclical security process. Financial institutions should treat
security as dynamic with active monitoring; prompt, ongoing risk
assessment; and appropriate updates to controls. Institutions should
continuously gather and analyze information regarding new threats
and vulnerabilities, actual attacks on the institution or others,
and the effectiveness of the existing security controls. They should
use that information to update the risk assessment, strategy, and
implemented controls. Monitoring and updating the security program
begins with the identification of the potential need to alter
aspects of the security program and then recycles through the
security process steps of risk assessment, strategy, implementation,
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Most of HGA's staff (a
mix of clerical, technical, and managerial staff) are provided with
personal computers (PCs) located in their offices. Each PC includes
hard-disk and floppy-disk drives.
The PCs are connected
to a local area network (LAN) so that users can exchange and share
information. The central component of the LAN is a LAN server,
a more powerful computer that acts as an intermediary between PCs on
the network and provides a large volume of disk storage for shared
information, including shared application programs. The server
provides logical access controls on potentially sharable information
via elementary access control lists. These access controls can be
used to limit user access to various files and programs stored on
the server. Some programs stored on the server can be retrieved via
the LAN and executed on a PC; others can only be executed on the
To initiate a session
on the network or execute programs on the server, users at a PC must
log into the server and provide a user identifier and password known
to the server. Then they may use files to which they have access.
One of the applications
supported by the server is electronic mail (e-mail), which
can be used by all PC users. Other programs that run on the server
can only be executed by a limited set of PC users.
A number of printers, distributed throughout HGA's building complex,
are connected to the LAN. Users at PCs may direct printouts to
whichever printer is most convenient for their use.
Since HGA must
frequently communicate with industry, the LAN also provides a
connection to the Internet via a router. The router is a
network interface device that translates between the protocols and
addresses associated with the LAN and the Internet. The router also
performs network packet filtering, a form of network access
control, and has recently been configured to disallow non-e-mail
(e.g., file transfer, remote log-in) between LAN and Internet
The LAN server also has
connections to several other devices.
- A modem pool is
provided so that HGA's employees on travel can "dial up" via
the public switched (telephone) network and read or send
e-mail. To initiate a dial-up session, a user must
successfully log in. During dial-up sessions, the LAN server
provides access only to e-mail facilities; no other
functions can be invoked.
- A special console is provided for the server
administrators who configure the server, establish and
delete user accounts, and have other special privileges
needed for administrative and maintenance functions. These
functions can only be invoked from the administrator
console; that is, they cannot be invoked from a PC on
the network or from a dial-up session.
- A connection to a
government agency X.25-based wide-area network (WAN) is
provided so that information can be transferred to or from
other agency systems. One of the other hosts on the WAN is a
large multiagency mainframe system. This mainframe is used
to collect and process information from a large number of
agencies while providing a range of access controls.