- DHS sweetens cyber workforce recruiting with new bonuses - In the
intense competition to hire qualified cybersecurity professionals,
the government’s advantage has always been its appeal to a sense of
mission, not necessarily large salaries.
Insider likely culprit in breach at CDOT - Fingers are pointing to
an unidentified former employee of the Colorado Department of
Transportation (CDOT) as the perp behind a breach that could lead to
a "risk of identity theft," the Denver Post reports.
17 percent of IT pros confident they can defeat cyberattacks - A
recent study conducted by IT auditing firm found that only 17
percent of IT professionals were confident in their ability to
defeat cyber attacks and too few resources may be to blame.
- Android's security patch quagmire probed by US watchdogs - Feds
finally wake up to sorry state of firmware fixes - Mobile carriers
and gadget makers will be investigated over how slow they push
important software security patches to people. The probe will be
carried out by US trade watchdog the FTC and America's internet mall
cop the FCC.
- Malware scan stalled misconfigured med software, mid-procedure -
RTFM. No, really, read it - A user or reseller who couldn't be
bothered configuring their antivirus properly has hit the headlines
for interrupting doctors trying to insert a vascular catheter into a
- Proposed Legislation Aims to Elevate HHS CISO Role - Move Would
Mirror Private Sector CISO Trend - A bipartisan bill proposing to
elevate the position of CISO within the Department of Health and
Human Services seeks to emulate moves that some larger private
sector organizations - mostly outside of healthcare - have made in
- Florida security expert demoing flaw charged for unauthorized
access - Although his intent to reveal security weaknesses seemed
honorable, a Florida man who logged into a computer system with
appropriated credentials and carried out SQL attacks now faces
- IT pros in financial services assert ability to detect breaches -
Data breaches in the worlds of banking, credit and finance have
nearly double between 2014 and 2015, according to a report.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
‘Stupid’ Locky Network Breached - For the
second time in recent months, a white hat hacker appears to have
broken into a C&C server for a major malware threat.
Spearphishing attack nets $495K from investment firm - An employee
at a Troy, Mich., investment firm was tricked via a spearphishing
attack into transferring almost $500,000 to a Hong Kong bank.
Kroger warns past, present employees of possible compromise after
Equifax W-2Express breach - Kroger alerted current and former
employees this week that their data – including Social Security
numbers and birth dates – may have been compromised as a result of a
breach at Equifax's W-2Express website.
2,800 St. Agnes Medical Center workers compromised in W-2 attack -
St. Agnes Medical Center in Fresno, Calif., reported that about
2,800 staffers had their W-2 information compromised by a
spearphishing attack earlier this month.
Kiddicare suffers a data breach! 794,000
customer details are exposed - Kiddicare, a specialist child and
baby retailer in the UK, has suffered a data breach and warned close
to 800,000 customers that their personal data was exposed by
Tax payer info exposed in five breaches, FDIC -
The cases were reported only because of requirements that mandate
that the FDIC – which provides banks with deposit insurance –
disclose any breach exceeding 10,000 records.
Bangladesh bank investigators reportedly find
three separate network intruders - The investigation into the online
heist that cost Bangladesh's central bank $81 million has taken a
byzantine turn, as a new report surfaced of multiple hacking groups
infiltrating the bank's network.
300 Wendy's restaurants affected by POS malware
attack earlier this year - Wendy's executives today released some
details of its internal investigation into a hacking incident that
was discovered earlier this year when customers began reporting
unusual activity on payment cards that were used at some company
UAE InvestBank hacked, nearly 100k recycled
data records leaked? - A 10 gigabyte file holding sensitive
financial data compromised from an InvestBank in the United Arab
Emirates (UAE) has been leaked online. The file contains information
on tens of thousands of customers from a bank based in Sharjah.
Securities fraudsters who stole from 100M
people to be extradited from Israel - Two Israeli men accused of
securities fraud and hacks into media outlets and nine financial
institutions, including JPMorgan Chase, Fidelity Investments and
E*Trade Financial Corp., will be extradited to the U.S.
Scammers impersonate legit cyber-security
companies - A scammer syndicate has been caught impersonating the
services of cyber-security companies and charging high fees for
doing very little.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement. Conversely, subsidiary web pages
that relate to loans do not require the official advertising
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Shared Secret Systems (Part 2 of 2)
Weaknesses in shared secret mechanisms generally relate to the ease
with which an attacker can discover the secret. Attack methods vary.
! A dictionary attack is one common and successful way to discover
passwords. In a dictionary attack, the attacker obtains the system
password file, and compares the password hashes against hashes of
commonly used passwords.
Controls against dictionary attacks include securing the password
file from compromise, detection mechanisms to identify a compromise,
heuristic intrusion detection to detect differences in user
behavior, and rapid reissuance of passwords should the password file
ever be compromised. While extensive character sets and storing
passwords as one - way hashes can slow down a dictionary attack,
those defensive mechanisms primarily buy the financial institution
time to identify and react to the password file compromises.
! An additional attack method targets a specific account and
submits passwords until the correct password is discovered.
Controls against those attacks are account lockout mechanisms,
which commonly lock out access to the account after a risk - based
number of failed login attempts.
! A variation of the previous attack uses a popular password, and
tries it against a wide range of usernames.
Controls against this attack on the server are a high ratio of
possible passwords to usernames, randomly generated passwords, and
scanning the IP addresses of authentication requests and client
cookies for submission patterns.
! Password guessing attacks also exist. These attacks generally
consist of an attacker gaining knowledge about the account holder
and password policies and using that knowledge to guess the
Controls include training in and enforcement of password policies
that make passwords difficult to guess. Such policies address the
secrecy, length of the password, character set, prohibition against
using well - known user identifiers, and length of time before the
password must be changed. Users with greater authorization or
privileges, such as root users or administrators, should have
longer, more complex passwords than other users.
! Some attacks depend on patience, waiting until the logged - in
workstation is unattended.
Controls include automatically logging the workstation out after a
period of inactivity (Existing
industry practice is no more than 20 - 30 minutes) and
heuristic intrusion detection.
! Attacks can take advantage of automatic login features, allowing
the attacker to assume an authorized user's identity merely by using
Controls include prohibiting and disabling automatic login
features, and heuristic intrusion detection.
! User's inadvertent or unthinking actions can compromise
passwords. For instance, when a password is too complex to readily
memorize, the user could write the password down but not secure the
paper. Frequently, written - down passwords are readily accessible
to an attacker under mouse pads or in other places close to the
user's machines. Additionally, attackers frequently are successful
in obtaining passwords by using social engineering and tricking the
user into giving up their password.
Controls include user training, heuristic intrusion detection, and
simpler passwords combined with another authentication mechanism.
! Attacks can also become much more effective or damaging if
different network devices share the same or a similar password.
Controls include a policy that forbids the same or similar password
on particular network devices.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
Computer Security Programs
While the central program addresses the entire spectrum of computer
security for an organization, system-level programs ensure
appropriate and cost-effective security for each system. This
includes influencing decisions about what controls to implement,
purchasing and installing technical controls, day-to-day computer
security administration, evaluating system vulnerabilities, and
responding to security problems. It encompasses all the areas
discussed in the handbook.
System-level computer security program personnel are the local
advocates for computer security. The system security manager/officer
raises the issue of security with the cognizant system manager and
helps develop solutions for security problems. For example, has the
application owner made clear the system's security requirements?
Will bringing a new function online affect security, and if so, how?
Is the system vulnerable to hackers and viruses? Has the contingency
plan been tested? Raising these kinds of questions will force system
managers and application owners to identify and address their