- CISO salaries may soon hit £1 million - but few qualified for top
roles - CISO salaries have long pointed upwards and may soon hit £1
million. New data has highlighted the central importance of the CISO
to the enterprise, reflected in their ever increasing pay packets.
PATCH Act introduced to improve federal cybersecurity and
transparency - In the wake of the high-profile WanaCryptor
ransomware attack, a bipartisan group of elected officials from both
Congressional Houses have introduced the Protecting our Ability To
Counter Hacking (PATCH) Act to improve cybersecurity and
transparency at the federal level.
Target breach settlement payout held up by lone consumer - Although
Target agreed to compensate consumers affected in its 2013 data
breach from a pool of $10 million, a lone consumer is halting
payouts due to a dispute in how the class action suit was handled.
Shift in password strategy from NIST - Buried deep in a new draft of
NIST guidelines is a shift in password strategy from periodic
changes to use of a long "memorized secret," according to a post on
the site of security a blogger.
Medical Identity Theft on The Rise - 5 Tips to Protect Your
Employees and Clients - Medical identity theft is on the rise and
hackers are being more creative about obtaining personal medical
information. In fact, a recent study by researchers at Michigan
State University found nearly 1,800 incidences of large data
breaches in patient information over a seven-year period from
October 2009 to December 2016.
DDoS attacks shorter and more frequent: 80% now take less than an
hour - During Q1 2017, a reduction in average DDoS attack duration
was witnessed, thanks to the prevalence of botnet-for-hire services
that commonly used short, low-volume bursts.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 'Combo list' database of previously breached accounts contains
over 560M credentials - An unknown individual has compiled a huge
online data set comprised of approximately 560 million emails and
their corresponding credentials, over 243 million of which are
Zomato breach leaves bad taste in mouth of 17 million users - Zomato,
an online restaurant search and review service, has notified its
customers of a data breach, after a dark web vendor was discovered
selling data belonging to millions of the company's users.
Panic CEO pwned, has company source code stolen - Apple app maker
Panic's CEO Steven Frank said he mistakenly downloaded the
malware-laced DVD-ripping app HandBrake resulting in some of the
company's source code being stolen.
Breach at DocuSign Led to Targeted Email Malware Campaign - DocuSign,
a major provider of electronic signature technology, acknowledged
today that a series of recent malware phishing attacks targeting its
customers and users was the result of a data breach at one of its
Breach at Equifax subsidiary illustrates risks consumers face - The
number of those affected by a breach into an Equifax subsidiary
remains unclear, but what is known is that intruders were able to
access customers' W-2 tax data.
Passengers facing delays at airports in Australia due to passport
software failure - It’s believed the system went down about 7.30am
(AEDT) before being restored about 11am.
Brazilian criminals rig ATMs to steal payment card chips - In an
effort to work around the security measures built into EMV credit
cards, a Brazilian criminal gang has created a skimmer-type device
that steals the chip right out of the card when it is inserted into
a compromised ATM.
Breach of Florida agency exposes SSNs and concealed weapons license
holders - A data breach at the Florida's Department of Agriculture
and Consumer Services (FDACS) has put the personal information of
thousands of people at risk.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Over the next 12 weeks will
will cover the recently released FDIC Supervisory Insights regarding
Response Programs. (1of 12)
Incident Response Programs: Don't Get Caught Without One
Everyone is familiar with the old adage "Time is money." In the
Information Age, data may be just as good. Reports of data
compromises and security breaches at organizations ranging from
universities and retail companies to financial institutions and
government agencies provide evidence of the ingenuity of Internet
hackers, criminal organizations, and dishonest insiders obtaining
and profiting from sensitive customer information. Whether a network
security breach compromising millions of credit card accounts or a
lost computer tape containing names, addresses, and Social Security
numbers of thousands of individuals, a security incident can damage
corporate reputations, cause financial losses, and enable identity
Banks are increasingly becoming prime targets for attack because
they hold valuable data that, when compromised, may lead to identity
theft and financial loss. This environment places significant
demands on a bank's information security program to identify and
prevent vulnerabilities that could result in successful attacks on
sensitive customer information held by the bank. The rapid adoption
of the Internet as a delivery channel for electronic commerce
coupled with prevalent and highly publicized vulnerabilities in
popular hardware and software have presented serious security
challenges to the banking industry. In this high-risk environment,
it is very likely that a bank will, at some point, need to respond
to security incidents affecting its customers.
To mitigate the negative effects of security breaches,
organizations are finding it necessary to develop formal incident
response programs (IRPs). However, at a time when organizations
need to be most prepared, many banks are finding it challenging to
assemble an IRP that not only meets minimum requirements (as
prescribed by Federal bank regulators), but also provides for an
effective methodology to manage security incidents for the benefit
of the bank and its customers. In response to these challenges, this
article highlights the importance of IRPs to a bank's information
security program and provides information on required content and
best practices banks may consider when developing effective response
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
LOGGING AND DATA COLLECTION (Part 1 of 2)
Financial institutions should take reasonable steps to ensure that
sufficient data is collected from secure log files to identify and
respond to security incidents and to monitor and enforce policy
compliance. Appropriate logging controls ensure that security
personnel can review and analyze log data to identify unauthorized
access attempts and security violations, provide support for
personnel actions, and aid in reconstructing compromised systems.
An institution's ongoing security risk assessment process should
evaluate the adequacy of the system logging and the type of
information collected. Security policies should address the proper
handling and analysis of log files. Institutions have to make
risk-based decisions on where and when to log activity. The
following data are typically logged to some extent including
! Inbound and outbound Internet traffic,
! Internal network traffic,
! Firewall events,
! Intrusion detection system events,
! Network and host performance,
! Operating system access (especially high - level administrative
or root access),
! Application access (especially users and objects with write -
and execute privileges), and
! Remote access.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Section III. Operational Controls - Chapter 10
10.6 Cost Considerations
There are many security costs under the category of user issues.
Among these are:
Screening -- Costs of initial background screening and
periodic updates, as appropriate.
Training and Awareness -- Costs of training needs
assessments, training materials, course fees, and so forth.
User Administration -- Costs of managing identification and
authentication, which, particularly for large distributed systems,
may be rather significant.
Access Administration -- Particularly beyond the initial
account set-up, are ongoing costs of maintaining user accesses
currently and completely.
Auditing -- Although such costs can be reduced somewhat when
using automated tools, consistent, resource-intensive human review
is still often necessary to detect and resolve security anomalies.