FYI
- AFA, AT&T to host CyberCamps for teens - Summer camp typically
conjures up images of campfires, swimming and fishing in picturesque
lakes and fending off swarms of bugs, but at the CyberCamps hosted
this summer by AT&T and the Air Force Association (AFA), the bugs
that teens will battle won't require a can of Off and the phishing
won't include a pole, just some basic cybersecurity skills.
https://www.scmagazine.com/afa-att-to-host-cybercamps-for-teens/article/670556/
FBI - 2016 Internet Crime Report - IC3 Releases Annual Report
Highlighting Trends in Internet Crime.
https://www.fbi.gov/news/stories/ic3-releases-2016-internet-crime-report
Email compromise scams rack up greatest financial losses in new IC3
report - Among all incidents reported to the Internet Crime
Complaint Center in 2016, email compromise scams targeting
businesses and individuals were responsible for the greatest
financial loss totals, according to the IC3's newly released annual
report.
https://www.scmagazine.com/email-compromise-scams-rack-up-greatest-financial-losses-in-new-ic3-report/article/670561/
Why So Many Top Hackers Hail from Russia - Conventional wisdom says
one reason so many hackers seem to hail from Russia and parts of the
former Soviet Union is that these countries have traditionally
placed a much greater emphasis than educational institutions in the
West on teaching information technology in middle and high schools,
and yet they lack a Silicon Valley-like pipeline to help talented IT
experts channel their skills into high-paying jobs.
http://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russia/
South Korean hosting co. pays $1m ransom to end eight-day outage - A
South Korean web hosting company is forking out just over US$1
million to ransomware scum after suffering more than eight days of
nightmare.
http://www.theregister.co.uk/2017/06/20/south_korean_webhost_nayana_pays_ransom/
Anthem to pay record $115M to settle data breach suit - To settle
litigation over a hacking incident in 2015 that compromised the
personal information of 80 million customers, Anthem, the nation's
largest health insurer, has agreed to a $115 million charge to
settle a class action suit.
https://www.scmagazine.com/anthem-to-pay-record-115m-to-settle-data-breach-suit/article/671231/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Japanese Honda factory hit with WannaCry ransomware, halts
production - A Honda plant in Sayama, Japan was forced to halt
domestic production for a day after its network was hit with
WannaCry ransomware.
https://www.scmagazine.com/wannacry-attacks-halts-honda-production/article/670273/
MPs and Virgin Media customers both caught in password snafu - It
would appear both need a lesson on password-hygiene: government
ministers are re-using government credentials for social media
accounts, and Virgin Media customers aren't changing their default
router password.
https://www.scmagazine.com/mps-and-virgin-media-customers-both-caught-in-password-snafu/article/670692/
2,200 Aetna customers in Ohio and Texas suffer data breach - More
than 2,000 Ohio and Texas Aetna customers had some of their personal
information compromised when the information was accidentally
exposed to unauthorized individuals.
https://www.scmagazine.com/2200-aetna-customers-in-ohio-and-texas-suffer-data-breach/article/671226/
Hackers threaten South Korean banks with DDoS attacks following
record ransomware payment - The Armada Collective hacking group has
issued a ransom demand of approximately $315,000 to seven South
Korean banks, threatening to launch distributed denial of service
attacks against each of their organizations.
https://www.scmagazine.com/hackers-threaten-south-korean-banks-with-ddos-attacks-following-record-ransomware-payment/article/671377/
Airway Oxygen hit by ransomware, data of 550K customers at risk - A
ransomware attack in mid-April resulted in the compromise of
customer and employee data at Airway Oxygen, a Grand Rapids,
Mich.-based provider of home medical equipment.
https://www.scmagazine.com/airway-oxygen-hit-by-ransomware-data-of-550k-customers-at-risk/article/671551/
Global ransomware attack causes turmoil - Companies across the globe
are reporting that they have been struck by a major ransomware
cyber-attack.
http://www.bbc.com/news/technology-40416611
UK parliamentary email compromised after 'sustained and determined
cyber attack' - The Parliament of the United Kingdom has admitted it
experienced a “sustained and determined cyber attack” over the
weekend and says fewer than 90 email accounts have been compromised as a
result.
http://www.theregister.co.uk/2017/06/26/uk_parliamentary_email_compromised_after_sustained_and_determined_cyber_attack/
600 Southern Illinois Healthcare patients exposed in data breach -
About 600 patients belonging to Southern Illinois Healthcare had
their data exposed after third-party vendor Experian Health
compromised the data.
https://www.scmagazine.com/600-southern-illinois-healthcare-patients-exposed-in-data-breach/article/671740/
WEB SITE COMPLIANCE - We continue the series on FDIC Supervisory Insights regarding Incident Response Programs. (6 of 12)
Best Practices - Going Beyond the Minimum
Each bank has the opportunity to go beyond the minimum requirements
and incorporate industry best practices into its IRP. As each bank
tailors its IRP to match its administrative, technical, and
organizational complexity, it may find some of the following best
practices relevant to its operating environment. The practices
addressed below are not all inclusive, nor are they regulatory
requirements. Rather, they are representative of some of the more
effective practices and procedures some institutions have
implemented. For organizational purposes, the best practices have
been categorized into the various stages of incident response:
preparation, detection, containment, recovery, and follow-up.
Preparation
Preparing for a potential security compromise of customer
information is a proactive risk management practice. The overall
effectiveness and efficiency of an organization's response is
related to how well it has organized and prepared for potential
incidents. Two of the more effective practices noted in many IRPs
are addressed below.
Establish an incident response team.
A key practice in preparing for a potential incident is
establishing a team that is specifically responsible for responding
to security incidents. Organizing a team that includes individuals
from various departments or functions of the bank (such as
operations, networking, lending, human resources, accounting,
marketing, and audit) may better position the bank to respond to a
given incident. Once the team is established, members can be
assigned roles and responsibilities to ensure incident handling and
reporting is comprehensive and efficient. A common responsibility
that banks have assigned to the incident response team is developing
a notification or call list, which includes contact information for
employees, vendors, service providers, law enforcement, bank
regulators, insurance companies, and other appropriate contacts. A
comprehensive notification list can serve as a valuable resource
when responding to an incident.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 1 of 4)
Automated intrusion detection systems (IDS) use one of two
methodologies, signature and heuristics. An IDS can target either
network traffic or a host. The signature-based methodology is
generally used on network traffic. An IDS that uses a
signature-based methodology reads network packets and compares the
content of the packets against signatures, or unique
characteristics, of known attacks and known anomalous network
traffic. When a match is recognized between current readings and a
signature, the IDS generates an alert.
A general weakness in the signature-based detection method is that
a signature must exist for an alert to be generated. Attacks that
generate different signatures from what the institution includes in
its IDS will not be detected. This problem can be particularly acute
if the institution does not continually update its signatures to
reflect lessons learned from attacks on itself and others, as well
as developments in attack tool technologies. It can also pose
problems when the signatures only address known attacks, rather than
both known attacks and anomalous traffic. Another general weakness
is in the capacity of the IDS to read traffic. If the IDS falls
behind in reading network traffic, traffic may be allowed to bypass
the IDS. That traffic may contain attacks that would otherwise cause
the IDS to issue an alert.
Proper placement of network IDS is a strategic decision determined
by the information the institution is trying to obtain. Placement
outside the firewall will deliver IDS alarms related to all attacks,
even those that are blocked by the firewall. With this information,
an institution can develop a picture of potential adversaries and
their expertise based on the probes they issue against the network.
Because the placement is meant to gain intelligence on attackers
rather than to alert on attacks, tuning generally makes the IDS less
sensitive than if it is placed inside the firewall. An IDS outside
the firewall will generally alert on the greatest number of
unsuccessful attacks. IDS monitoring behind the firewall is meant to
detect and alert on hostile intrusions. Multiple IDS units can be
used, with placement determined by the expected attack paths to
sensitive data. Generally speaking, the closer the IDS is to
sensitive data, the more important the tuning, monitoring, and
response to IDS alerts. The National Institute of Standards and
Technology (NIST) recommends network intrusion detection systems "at
any location where network traffic from external entities is allowed
to enter controlled or private networks."
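The three points above (a signature must exist for an alert to fire, a sensor that falls behind lets traffic bypass it, and a sensor outside the firewall sees blocked probes that one inside never does) can be shown with a toy signature-based IDS. This is an added example, not FFIEC or NIST material; the packets, the byte-pattern signatures and the single firewall rule are all constructed sample data, and the capacity counter is a deliberate simplification of a real sensor's packet-processing limit.

```python
"""Toy signature-based network IDS illustrating signature matching, the
"no signature, no alert" and capacity weaknesses, and placement outside
versus inside a firewall. Added example; not FFIEC material. All packets,
signatures and the firewall rule below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str          # source address (documentation ranges, constructed)
    dst_port: int
    payload: bytes


# A signature is a byte pattern that is a unique characteristic of a known
# attack. These are illustrative patterns, not real IDS rules.
SIGNATURES = {
    "cmd-shell-probe": b"/bin/sh",
    "sql-union-probe": b"UNION SELECT",
    "dir-traversal": b"../..",
}


@dataclass
class SignatureIDS:
    signatures: dict
    capacity: int                                # packets the sensor can read per batch
    alerts: list = field(default_factory=list)   # (signature name, source address)
    bypassed: int = 0                            # packets forwarded without inspection

    def inspect(self, packets):
        """Compare each packet against every signature and alert on the first match.
        Packets beyond `capacity` pass through uninspected: the "IDS falls
        behind in reading traffic" weakness."""
        for i, pkt in enumerate(packets):
            if i >= self.capacity:
                self.bypassed += 1
                continue
            for name, pattern in self.signatures.items():
                if pattern in pkt.payload:
                    self.alerts.append((name, pkt.src))
                    break
        return self.alerts


def firewall_allows(pkt):
    """Constructed perimeter rule: only web traffic reaches the inside network."""
    return pkt.dst_port in (80, 443)


def deploy(packets, capacity):
    """Run one sensor outside the firewall (sees everything) and one inside
    (sees only what the firewall admitted) over the same traffic."""
    outside = SignatureIDS(SIGNATURES, capacity)
    inside = SignatureIDS(SIGNATURES, capacity)
    outside.inspect(packets)
    inside.inspect([p for p in packets if firewall_allows(p)])
    return outside, inside


# Constructed traffic sample.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", 23, b"/bin/sh -i"),                    # telnet probe; firewall blocks it
    Packet("203.0.113.9", 80, b"GET /index.html HTTP/1.1"),        # benign
    Packet("198.51.100.7", 80, b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1"),
    Packet("203.0.113.9", 80, b"GET /?q=<script>alert(1)</script> HTTP/1.1"),  # no signature loaded for this
    Packet("203.0.113.9", 80, b"GET /../../etc/passwd HTTP/1.1"),
]

if __name__ == "__main__":
    outside, inside = deploy(SAMPLE_PACKETS, capacity=4)
    print("outside firewall:", outside.alerts, "bypassed:", outside.bypassed)
    print("inside firewall: ", inside.alerts, "bypassed:", inside.bypassed)
```

With a capacity of four, the outside sensor alerts on the telnet probe the firewall would have blocked (useful for profiling who is probing) but lets the fifth packet through unread, so the traversal attempt is only caught by the inside sensor, which had fewer packets to read. The script-tag request is missed by both because no signature covers it, which is exactly why signature sets need continual updating.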
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4 Step 4: Selecting Contingency Planning Strategies
The next step is to plan how to recover needed resources. In
evaluating alternatives, it is necessary to consider what controls
are in place to prevent and minimize contingencies. Since no set of
controls can cost-effectively prevent all contingencies, it is
necessary to coordinate prevention and recovery efforts.
A contingency planning strategy normally consists of three parts:
emergency response, recovery, and resumption. Emergency response
encompasses the initial actions taken to protect lives and limit
damage. Recovery refers to the steps that are taken to continue
support for critical functions. Resumption is the return to normal
operations. The relationship between recovery and resumption is
important. The longer it takes to resume normal operations, the
longer the organization will have to operate in the recovery mode.
The selection of a strategy needs to be based on practical
considerations, including feasibility and cost. The different
categories of resources should each be considered. Risk assessment
can be used to help estimate the cost of options to decide on an
optimal strategy. For example, is it more expensive to purchase and
maintain a generator or to move processing to an alternate site,
considering the likelihood of losing electrical power for various
lengths of time? Are the consequences of a loss of computer-related
resources sufficiently high to warrant the cost of various recovery
strategies? The risk assessment should focus on areas where it is
not clear which strategy is the best.
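The generator-versus-alternate-site question above is a cost comparison under an outage-duration distribution, and the risk assessment step is what supplies the numbers. The following added example (not from the NIST Handbook) carries that comparison through: every figure in it, the outage profile, the hourly downtime cost, the fixed costs and the switch-over delays of each strategy, is constructed for illustration, and the strategy names are hypothetical labels.

```python
"""Expected-annual-cost comparison of contingency strategies for the loss of
electrical power, the kind of estimate the risk assessment step feeds.
Added example; the figures are constructed, not from the NIST Handbook."""

# Outage profile: hours of power loss per event -> expected events per year (constructed).
OUTAGE_PROFILE = {1: 4.0, 8: 0.5, 72: 0.05}

# Cost of the critical function being unavailable, per hour (constructed).
DOWNTIME_COST_PER_HOUR = 5_000.0

# Each strategy: annual fixed cost plus the downtime that remains for an
# outage of a given length once the strategy is in effect.
STRATEGIES = {
    # Nothing in place: every outage hour is downtime.
    "accept-risk": (0.0, lambda hours: hours),
    # On-site generator: amortized purchase plus maintenance; about 15 minutes to switch over.
    "generator": (20_000.0, lambda hours: min(hours, 0.25)),
    # Standby alternate site: cheaper contract, but failover takes six hours,
    # so short outages are not helped at all.
    "alternate-site": (8_000.0, lambda hours: min(hours, 6.0)),
}


def expected_annual_cost(fixed_cost, residual_downtime, profile=OUTAGE_PROFILE,
                         cost_per_hour=DOWNTIME_COST_PER_HOUR):
    """fixed cost + sum over outage lengths of (events/year * residual hours * cost/hour)."""
    expected_loss = sum(
        events_per_year * residual_downtime(hours) * cost_per_hour
        for hours, events_per_year in profile.items()
    )
    return fixed_cost + expected_loss


def rank_strategies(strategies=STRATEGIES):
    """Return (name, expected annual cost) pairs, cheapest first."""
    ranked = [(name, expected_annual_cost(fixed, residual))
              for name, (fixed, residual) in strategies.items()]
    return sorted(ranked, key=lambda pair: pair[1])


if __name__ == "__main__":
    for name, cost in rank_strategies():
        print(f"{name:15s} expected annual cost: {cost:>10,.2f}")
```

The point the numbers make is the one the passage raises: the cheaper contract loses to the generator here only because short outages dominate the profile and the alternate site does nothing for them. Changing the profile or the hourly loss can flip the ranking, which is why the assessment should concentrate on the resources where the answer is not obvious.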
In developing contingency planning strategies, there are many
factors to consider in addressing each of the resources that support
critical functions. Some examples are:
Example 1: If the system administrator for a LAN has to be out of
the office for a long time (due to illness or an accident),
arrangements are made for the system administrator of another LAN to
perform the duties. Anticipating this, the absent administrator
should have taken steps beforehand to keep documentation current.
This strategy is inexpensive, but service will probably be
significantly reduced on both LANs, which may prompt the manager of
the loaned administrator to partially renege on the agreement.
Example 2: An organization depends on an on-line information
service provided by a commercial vendor. The organization is no
longer able to obtain the information manually (e.g., from a
reference book) within acceptable time limits and there are no other
comparable services. In this case, the organization relies on the
contingency plan of the service provider. The organization pays a
premium to obtain priority service in case the service provider has
to operate at reduced capacity.
Example 3: A large mainframe data center has a contract with a hot
site vendor, has a contract with the telecommunications carrier to
reroute communications to the hot site, has plans to move people,
and stores up-to-date copies of data, applications and needed paper
records off-site. The contingency plan is expensive, but management
has decided that the expense is fully justified.
Example 4: An organization distributes its processing among two
major sites, each of which includes small to medium processors
(personal computers and minicomputers). If one site is lost, the
other can carry the critical load until more equipment is purchased.
Routing of data and voice communications can be performed
transparently to redirect traffic. Backup copies are stored at the
other site. This plan requires tight control over the architectures
used and types of applications that are developed to ensure
compatibility. In addition, personnel at both sites must be
cross-trained to perform all functions.