- ISA presses for data to shape cyber security policy, encourages
use of NIST framework - The Internet Security Alliance Monday
encouraged the Department of Commerce to work with private sector
organizations to determine what's needed in terms of
cost-effectiveness, incentives and prioritization to stimulate use
of the NIST Framework.
- Average cost of data breach is $6.5M - In a year already
characterized by data breaches at recognizable healthcare
organizations, such as CareFirst BlueCross BlueShield, and at major
government entities, including the IRS, it's no surprise that
victims' personal information is a hot commodity.
- Google Reveals the Problem With Password Security Questions -
Google analyzed hundreds of millions of password security questions
and answers, revealing how startlingly easy it is for would-be
hackers to get into someone else's account.
- County sheriff has used stingray over 300 times with no warrant -
San Bernardino Sheriff's Department doesn't tell judges it's using
spy device. The sheriff in San Bernardino County—east of Los Angeles
County—has deployed a stingray hundreds of times without a warrant,
and under questionable judicial authority.
- Spy agencies target mobile phones, app stores to implant spyware -
Users of millions of smartphones put at risk by certain mobile
browser gaps, Snowden file shows - Canada and its spying partners
exploited weaknesses in one of the world's most popular mobile
browsers and planned to hack into smartphones via links to Google
and Samsung app stores, a top secret document obtained by CBC News
- 86 percent of websites contain at least one 'serious'
vulnerability - While high-profile vulnerabilities, including
Heartbleed and ShellShock, might have garnered more press than most
other vulnerabilities for putting websites at risk, in reality,
these flaws are being patched and addressed more than other pressing
vulnerabilities in web application software.
- $19M breach settlement between MasterCard, Target terminated - A
proposed $19 million breach settlement between Target and MasterCard
has reportedly been terminated, since conditions of the deal were
not met by an important deadline this week.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- St. Louis Federal Reserve forces password change after DNS attack - A
branch of the U.S.'s central bank is forcing a password reset after a
cyberattack briefly redirected visitors to parts of its website to bogus
Web pages.
- CareFirst BlueCross breach hits 1.1M - CareFirst BlueCross BlueShield
on Wednesday said it had been hit with a data breach that compromised
the personal information of approximately 1.1 million
- mSpy admits hacking and data theft - A company offering software that
allows people to spy on others has admitted it has been hacked and had
thousands of customer records leaked online.
- University of London Computer Centre hit by cyber attack - The
University of London Computer Centre (ULCC) was the subject of a cyber
attack yesterday that may have left millions of students unable to
access the organisation's IT services.
- MML notifies patients of privacy incident - Medical Management, LLC
(“MML”), a medical billing company that provides coding or billing
services to Grand View Health, is in the process of notifying affected
individuals that some of their personal information may have been
compromised by a former employee of MML.
- Patients in at least 3 states affected by employee data breach -
Thousands of patients were alerted in hospitals across New York, New
Jersey, and Pennsylvania that their medical records may have been
compromised by an outside contractor.
- House lawmakers' information accessed in CareFirst BlueCross
BlueShield breach - House lawmakers might have had some of their
personal data compromised in the CareFirst BlueCross BlueShield data
breach earlier this week.
- Ohio student hacks school computer, shares data of 113 students - An
Ohio high school student in the Southwest Licking school district
gained access to a district shared server and compromised the personal
information of 113 students.
- Thousands of Bellevue Hospital Center patients notified of data
breach - Bellevue Hospital Center operator New York City Health and
Hospitals Corporation (HHC) is notifying roughly 3,300 patients that
their personal information was included in a spreadsheet that was
improperly emailed to an unauthorized recipient.
- IRS “Get Transcript” breach impacts more than 100,000 taxpayers - The
Associated Press reported on Tuesday that attackers used an Internal
Revenue Service (IRS) system called “Get Transcript” in order to obtain
information belonging to more than 100,000 taxpayers.
- Jacobi Medical Center employee improperly emails patient data - During
the same assessment that revealed a recent Bellevue Hospital Center
breach, New York City Health and Hospitals Corporation (HHC) identified
a separate incident involving a former Jacobi Medical Center employee
improperly emailing personal information on roughly
- Beacon Health System notifies patients of possible data compromise -
Indiana-based Beacon Health System is notifying an undisclosed number of
patients that their personal information may have been compromised by
unauthorized individuals who gained access to employee email accounts.
- Attack on Penn State exposes passwords of 18K people - The
university's president apologizes for a "sophisticated" security breach
that it says involved an attack launched from China. Pennsylvania State
University's College of Engineering revealed Friday that it has been
the target of two "highly sophisticated" cyberattacks over the last
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail
and Internet-Related Fraudulent Schemes (Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as "phishing"
(pronounced "fishing"), are being perpetrated with increasing
frequency, creativity and intensity. Phishing involves the use of
seemingly legitimate e-mail messages and Internet Web sites to
deceive consumers into disclosing sensitive information, such as
bank account information, Social Security numbers, credit card
numbers, passwords, and personal identification numbers (PINs). The
perpetrator of the fraudulent e-mail message may use various means
to convince the recipient that the message is legitimate and from a
trusted source with which the recipient has an established business
relationship, such as a bank. Techniques such as a false "from"
address or the use of seemingly legitimate bank logos, Web links and
graphics may be used to mislead e-mail recipients.
In most phishing schemes, the fraudulent e-mail message will
request that recipients "update" or "validate" their financial or
personal information in order to maintain their accounts, and direct
them to a fraudulent Web site that may look very similar to the Web
site of the legitimate business. These Web sites may include copied
or "spoofed" pages from legitimate Web sites to further trick
consumers into thinking they are responding to a bona fide request.
Some consumers will mistakenly submit financial and personal
information to the perpetrator who will use it to gain access to
financial records or accounts, commit identity theft or engage in
other illegal acts.
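The tell-tales the guidance describes (a forged or mismatched sender, link text that names the bank while the link itself goes elsewhere, look-alike hosts) can be checked mechanically. The following Python script is an added example and is not part of the FDIC guidance: it parses a constructed phishing message and reports the indicators a mail filter or incident responder would look for. The message, the domain names (examplebank.com and the rest), the indicator names and the plausibility rules are all assumptions made for this example, and the registered-domain helper is a deliberate simplification that a production filter would replace with the Public Suffix List.

```python
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real lure): the visible link text claims
# the bank's site while the href points elsewhere, the Reply-To differs from
# the From address, and a second link uses a bare IP address.
SAMPLE_PHISH = b"""\
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: verify@examplebank-alerts.example
To: customer@example.net
Subject: Action required: validate your account
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please <a href="http://examplebank.com.secure-update.example/login">update
your account at www.examplebank.com</a> within 48 hours.</p>
<p>Or <a href="http://203.0.113.10/verify">verify now</a>.</p>
<p>Questions? See the <a href="https://www.examplebank.com/help">help center</a>.</p>
</body></html>
"""

# Something that looks like a host name inside the visible text of a link.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels ('www.examplebank.com'
    -> 'examplebank.com'). Real code should consult the Public Suffix List
    so that a host under 'co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_message(raw_bytes):
    """Return (indicator, detail) tuples for the phishing tell-tales found:
    Reply-To not matching the claimed sender, links hosted outside the
    sender's domain, the sender's domain reused as a decoy subdomain, link
    text naming a different site than the href, and bare IP-address hosts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    sender_domain = registered_domain(msg["From"].addresses[0].domain)
    reply_to = msg["Reply-To"]
    if reply_to is not None:
        rt_domain = registered_domain(reply_to.addresses[0].domain)
        if rt_domain != sender_domain:
            findings.append(("reply_to_mismatch", rt_domain))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())

    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        if is_ip_literal(host):
            findings.append(("ip_literal_host", href))
            continue
        link_domain = registered_domain(host)
        if link_domain != sender_domain:
            findings.append(("link_outside_sender_domain", href))
            # e.g. examplebank.com.secure-update.example: the genuine name is
            # only a leading label of an unrelated domain
            if host.startswith(sender_domain + "."):
                findings.append(("sender_domain_as_decoy_subdomain", href))
        for token in DOMAIN_RE.findall(text):
            if registered_domain(token) != link_domain:
                findings.append(("link_text_href_mismatch", f"{token} -> {host}"))
                break
    return findings


if __name__ == "__main__":
    for indicator, detail in analyze_message(SAMPLE_PHISH):
        print(f"{indicator:34} {detail}")
```

Run stand-alone, it reports five findings for the sample; the help-center link, whose host is under the sender's own domain and whose text names no other site, produces none. One caveat: the From header is only the claimed sender, so these checks show that a message is inconsistent with its own claim, not that the claim is true. A spoofed "from" address with consistent links passes this script; verifying who actually sent the message is the job of sender authentication (SPF, DKIM and DMARC), not of content inspection.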
The Federal Deposit Insurance Corporation (FDIC) and other
government agencies have also been "spoofed" in the perpetration of
e-mail and Internet-related fraudulent schemes. For example, in
January 2004, a fictitious e-mail message that appeared to be from
the FDIC was widely distributed, and it told recipients that their
deposit insurance would be suspended until they verified their
identity. The e-mail message included a hyperlink to a fraudulent
Web site that looked similar to the FDIC's legitimate Web site and
asked for confidential information, including bank account
FFIEC IT SECURITY
We continue our coverage of the
FDIC's "Guidance on Managing Risks Associated With Wireless Networks
and Wireless Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution should
institute policies and standards requiring that information and
transactions be encrypted throughout the link between the customer
and the institution. Financial institutions should carefully
consider the impact of implementing technologies requiring that a
third party have control over unencrypted customer information and
As wireless application technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless application services. They should also consider
informing customers when wireless Internet devices that require the
use of communications protocols deemed insecure will no longer be
supported by the institution.
The financial institution should consider having regular
independent security testing performed on its wireless customer
access application. Specific testing goals would include the
verification of appropriate security settings, the effectiveness of
the wireless application security implementation and conformity to
the institution's stated standards. The security testing should be
performed by an organization that is technically qualified to
perform wireless testing and demonstrates appropriate ethical
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology's Computer
Security Handbook (SP 800-12), Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Protection Against Payroll Fraud and Errors: Time and Attendance
Application (1 of 2)
The time and attendance
application plays a major role in protecting against payroll fraud
and errors. Since the time and attendance application is a component
of a larger automated payroll process, many of its functional and
security requirements have been derived from both governmentwide and
HGA-specific policies related to payroll and leave (HGA is the
handbook's Hypothetical Government Agency). For example, HGA must
protect personal information in accordance with the Privacy
Act. Depending on the specific type of information, it should
normally be viewable only by the individual concerned, the
individual's supervisors, and personnel and payroll department
employees. Such information should also be timely and accurate.
Each week, employees
must sign and submit a time sheet that identifies the number of
hours they have worked and the amount of leave they have taken. The
Time and Attendance Clerk enters the data for a given group of
employees and runs an application on the LAN server to verify the
data's validity and to ensure that only authorized users with access
to the Time and Attendance Clerk's functions can enter time and
attendance data. The application performs these security checks by
using the LAN server's access control and identification and
authentication (I&A) mechanisms. The application compares the data
with a limited database of employee information to detect incorrect
employee identifiers, implausible numbers of hours worked, and so
forth. After correcting any detected errors, the clerk runs another
application that formats the time and attendance data into a report,
flagging exception/out-of-bound conditions (e.g., negative leave
Supervisors are responsible for reviewing the correctness of the time sheets of
the employees under their supervision and indicating their approval
by initialing the time sheets. If they detect significant
irregularities and indications of fraud in such data, they must
report their findings to the Payroll Office before submitting the
time sheets for processing. In keeping with the principle of
separation of duty, all data on time sheets and corrections on the
sheets that may affect pay, leave, retirement, or other benefits of
an individual must be reviewed for validity by at least two
authorized individuals (other than the affected individual).
Only users with access
to Time and Attendance Supervisor functions may approve and submit
time and attendance data -- or subsequent corrections thereof -- to
the mainframe. Supervisors may not approve their own time and
Only the System
Administrator has been granted access to assign a special access
control privilege to server programs. As a result, the server's
operating system is designed to prevent a bogus time and attendance
application created by any other user from communicating with the
WAN and, hence, with the mainframe.
The time and attendance
application is supposed to be configured so that the clerk and
supervisor functions can only be carried out from specific PCs
attached to the LAN and only during normal working hours.
Administrators are not authorized to exercise functions of the time
and attendance application apart from those concerned with
configuring the accounts, passwords, and access permissions for
clerks and supervisors. Administrators are expressly prohibited by
policy from entering, modifying, or submitting time and attendance
data via the time and attendance application or other mechanisms.
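The access rules in the paragraphs above are the kind that get subtly wrong in code, so here is an added example in Python; it is not code from the NIST handbook and not HGA's application. It encodes the controls as one server-side authorization decision: the clerk enters data after the validity check (unknown identifiers, implausible hours, negative leave), supervisors approve sheets of their own supervisees but never their own, administrators are refused every T&A function, clerk and supervisor functions are accepted only from designated PCs during normal working hours, and submission to the mainframe requires that at least two authorized people other than the affected employee have handled the data. The user and PC names, working hours, supervisory relationships, the 80-hour plausibility bound and the sample time sheets are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed HGA-style configuration (assumed, not from the handbook): roles,
# supervisory relationships, authorized PCs, working hours, employee table.
ROLES = {"clerk1": "clerk", "sup1": "supervisor", "sup2": "supervisor",
         "sysadmin": "admin"}
SUPERVISES = {"sup1": {"e100", "e101", "sup2"}, "sup2": {"e200", "sup1"}}
AUTHORIZED_PCS = {"PC-TA-01", "PC-TA-02"}
WORK_HOURS = (time(7, 0), time(18, 0))
EMPLOYEES = {"e100", "e101", "e200", "sup1", "sup2", "clerk1"}
MAX_WEEKLY_HOURS = 80  # plausibility bound for one weekly time sheet (assumed)
MONDAY_9AM = datetime(2015, 6, 1, 9, 0)   # sample timestamps for the scenario
MONDAY_11PM = datetime(2015, 6, 1, 23, 0)


@dataclass
class TimeSheet:
    employee_id: str
    hours_worked: float
    leave_hours: float
    entered_by: str = None
    approvals: list = field(default_factory=list)


def validate_timesheet(ts):
    """Clerk-side validity check; returns the problems found (empty if valid)."""
    problems = []
    if ts.employee_id not in EMPLOYEES:
        problems.append("unknown employee identifier")
    if not 0 <= ts.hours_worked <= MAX_WEEKLY_HOURS:
        problems.append("implausible hours worked")
    if ts.leave_hours < 0:
        problems.append("negative leave")
    return problems


def _session_problem(user, pc, when):
    """Functions are accepted only from designated PCs in working hours."""
    if user not in ROLES:
        return "unknown user"
    if pc not in AUTHORIZED_PCS:
        return "not an authorized time and attendance PC"
    if when.weekday() > 4 or not WORK_HOURS[0] <= when.time() <= WORK_HOURS[1]:
        return "outside normal working hours"
    return None


def authorize(user, action, ts, pc, when):
    """Decide whether `user` may 'enter', 'approve' or 'submit' sheet `ts` from
    PC `pc` at `when`. Returns (allowed, reason); allowed steps are recorded."""
    problem = _session_problem(user, pc, when)
    if problem:
        return False, problem
    role = ROLES[user]
    # Administrators configure accounts and permissions only; policy forbids
    # them from entering, modifying or submitting T&A data by any mechanism.
    if role == "admin":
        return False, "administrators may not exercise T&A functions"
    if action == "enter":
        if role != "clerk":
            return False, "only the T&A clerk may enter data"
        problems = validate_timesheet(ts)
        if problems:
            return False, "invalid data: " + "; ".join(problems)
        ts.entered_by = user
        return True, "entered"
    if role != "supervisor":
        return False, "only supervisors may approve or submit"
    if action == "approve":
        if ts.employee_id == user:
            return False, "supervisors may not approve their own data"
        if ts.employee_id not in SUPERVISES.get(user, ()):
            return False, "employee is not under this supervisor"
        ts.approvals.append(user)
        return True, "approved"
    if action == "submit":
        # Separation of duty: data that affects pay must have been reviewed
        # by at least two authorized individuals other than the employee.
        reviewers = {ts.entered_by, *ts.approvals} - {None, ts.employee_id}
        if len(reviewers) < 2:
            return False, "needs review by two individuals other than the employee"
        return True, "submitted"
    return False, "unknown action"


def run_scenario():
    """Walk one sheet through the process, including attempts the controls
    must refuse, and return the decision for each step."""
    ts = TimeSheet("e100", 40, 0)
    steps = [
        ("sysadmin", "enter", ts, "PC-TA-01", MONDAY_9AM),     # admin barred
        ("clerk1", "enter", ts, "PC-LOBBY", MONDAY_9AM),       # wrong PC
        ("clerk1", "enter", ts, "PC-TA-01", MONDAY_11PM),      # after hours
        ("clerk1", "enter", TimeSheet("e999", 40, 0), "PC-TA-01", MONDAY_9AM),
        ("clerk1", "enter", ts, "PC-TA-01", MONDAY_9AM),       # valid entry
        ("sup1", "submit", ts, "PC-TA-01", MONDAY_9AM),        # one reviewer
        ("sup1", "approve", ts, "PC-TA-01", MONDAY_9AM),
        ("sup1", "submit", ts, "PC-TA-01", MONDAY_9AM),        # two reviewers
    ]
    return [authorize(*step) for step in steps]
```

run_scenario() refuses the administrator, the unauthorized PC, the after-hours session, the unknown identifier and the premature submission, and accepts the clerk's entry, the supervisor's approval and the final submission. Two details matter in practice. First, the decision takes the authenticated user, the originating PC and the time from the server's own session state, never from anything the PC sends; a check that lives on the PC is in the hands of whoever sits at it. Second, the two-person rule discards the affected employee from the reviewer count, so a sheet the employee has touched still needs two other people before it reaches the mainframe.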
Protection against unauthorized execution of the time and attendance application
depends on I&A and access controls. While the time and attendance
application is accessible from any PC, unlike most programs run by
PC users, it does not execute directly on the PC's processor.
Instead, it executes on the server, while the PC behaves as a
terminal, relaying the user's keystrokes to the server and
displaying text and graphics sent from the server. The reason for
this approach is that common PC systems do not provide I&A and
access controls and, therefore, cannot protect against unauthorized
time and attendance program execution. Any individual who has
access to the PC could run any program stored there.
An alternative approach is for the time and attendance program to perform I&A and
access control on its own by requesting and validating a password
before beginning each time and attendance session. This approach,
however, can be defeated easily by a moderately skilled programming
attack, and was judged inadequate by HGA during the application's
early design phase.
Recall that the server
is a more powerful computer equipped with a multiuser operating
system that includes password-based I&A and access controls.
Designing the time and attendance application program so that it
executes on the server under the control of the server's operating
system provides a more effective safeguard against unauthorized
execution than executing it on the user's PC.