- AFA, AT&T to host CyberCamps for teens - Summer camp typically
conjures up images of campfires, swimming and fishing in picturesque
lakes and fending off swarms of bugs, but at the CyberCamps hosted
this summer by AT&T and the Air Force Association (AFA), the bugs
that teens will battle won't require a can of Off and the phishing
won't include a pole, just some basic cybersecurity skills.
FBI - 2016 Internet Crime Report - IC3 Releases Annual Report
Highlighting Trends in Internet Crime.
Email compromise scams rack up greatest financial losses in new IC3
report - Among all incidents reported to the Internet Crime
Complaint Center in 2016, email compromise scams targeting
businesses and individuals were responsible for the greatest
financial loss totals, according the IC3's newly released annual
Why So Many Top Hackers Hail from Russia - Conventional wisdom says
one reason so many hackers seem to hail from Russia and parts of the
former Soviet Union is that these countries have traditionally
placed a much greater emphasis than educational institutions in the
West on teaching information technology in middle and high schools,
and yet they lack a Silicon Valley-like pipeline to help talented IT
experts channel their skills into high-paying jobs.
South Korean hosting co. pays $1m ransom to end eight-day outage - A
South Korean web hosting company is forking out just over US$1
million to ransomware scum after suffering more than eight days of
Anthem to pay record $115M to settle data breach suit - To settle
litigation over a hacking incident in 2015 that compromised the
personal information of 80 million customers, Anthem, the nation's
largest health insurer, has agreed to a $115 million charge to
settle a class action suit.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Japanese Honda factory hit with WannaCry ransomware, halts
production - A Honda plant in Sayama, Japan was forced to halt
domestic production for a day after its network was hit with
MPs and Virgin Media customers both caught in password snafu - It
would appear both need a lesson on password-hygiene: government
ministers are re-using government credentials for social media
accounts, and Virgin Media customers aren't changing their default
2,200 Aetna customers in Ohio and Texas suffer data breach - More
than 2,000 Ohio and Texas Aetna customers had some of their personal
information compromised when the information was accidentally
exposed to unauthorized individuals.
Hackers threaten South Korean banks with DDoS attacks following
record ransomware payment - The Armada Collective hacking group has
issued a ransom demand of approximately $315,000 to seven South
Korean banks, threatening to launch distributed denial of service
attacks against each of their organizations.
Airway Oxygen hit by ransomware, data of 550K customers at risk - A
ransomware attack in mid-April resulted in the compromise of
customer and employee data at Airway Oxygen, a Grand Rapids,
Mich.-based provider of home medical equipment.
Global ransomware attack causes turmoil - Companies across the globe
are reporting that they have been struck by a major ransomware
UK parliamentary email compromised after 'sustained and determined
cyber attack' - The Parliament of the United Kingdom has admitted it
experienced a “sustained and determined cyber attack” over the
weekend and says <90 email accounts have been compromised as a
600 Southern Illinois Healthcare patients exposed in data breach -
About 600 patients belonging to Southern Illinois Healthcare had
their data exposed after third-party vendor Experian Health
compromised the data.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (6 of 12)
Practices-Going Beyond the Minimum
Each bank has the opportunity to go beyond the minimum requirements
and incorporate industry best practices into its IRP. As each bank
tailors its IRP to match its administrative, technical, and
organizational complexity, it may find some of the following best
practices relevant to its operating environment. The practices
addressed below are not all inclusive, nor are they regulatory
requirements. Rather, they are representative of some of the more
effective practices and procedures some institutions have
implemented. For organizational purposes, the best practices have
been categorized into the various stages of incident response:
preparation, detection, containment, recovery, and follow-up.
Preparing for a potential security compromise of customer
information is a proactive risk management practice. The overall
effectiveness and efficiency of an organization's response is
related to how well it has organized and prepared for potential
incidents. Two of the more effective practices noted in many IRPs
are addressed below.
Establish an incident response team.
A key practice in preparing for a potential incident is
establishing a team that is specifically responsible for responding
to security incidents. Organizing a team that includes individuals
from various departments or functions of the bank (such as
operations, networking, lending, human resources, accounting,
marketing, and audit) may better position the bank to respond to a
given incident. Once the team is established, members can be
assigned roles and responsibilities to ensure incident handling and
reporting is comprehensive and efficient. A common responsibility
that banks have assigned to the incident response team is developing
a notification or call list, which includes contact information for
employees, vendors, service providers, law enforcement, bank
regulators, insurance companies, and other appropriate contacts. A
comprehensive notification list can serve as a valuable resource
when responding to an incident.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 1 of 4)
Automated intrusion detection systems (IDS) use one of two
methodologies, signature and heuristics. An IDS can target either
network traffic or a host. The signature-based methodology is
generally used on network traffic. An IDS that uses a
signature-based methodology reads network packets and compares the
content of the packets against signatures, or unique
characteristics, of known attacks and known anomalous network
traffic. When a match is recognized between current readings and a
signature, the IDS generates an alert.
A general weakness in the signature-based detection method is that
a signature must exist for an alert to be generated. Attacks that
generate different signatures from what the institution includes in
its IDS will not be detected. This problem can be particularly acute
if the institution does not continually update its signatures to
reflect lessons learned from attacks on itself and others, as well
as developments in attack tool technologies. It can also pose
problems when the signatures only address known attacks, rather than
both known attacks and anomalous traffic. Another general weakness
is in the capacity of the IDS to read traffic. If the IDS falls
behind in reading network traffic, traffic may be allowed to bypass
the IDS. That traffic may contain attacks that would otherwise cause
the IDS to issue an alert.
Proper placement of network IDS is a strategic decision determined
by the information the institution is trying to obtain. Placement
outside the firewall will deliver IDS alarms related to all attacks,
even those that are blocked by the firewall. With this information,
an institution can develop a picture of potential adversaries and
their expertise based on the probes they issue against the network.
Because the placement is meant to gain intelligence on attackers
rather than to alert on attacks, tuning generally makes the IDS less
sensitive than if it is placed inside the firewall. An IDS outside
the firewall will generally alert on the greatest number of
unsuccessful attacks. IDS monitoring behind the firewall is meant to
detect and alert on hostile intrusions. Multiple IDS units can be
used, with placement determined by the expected attack paths to
sensitive data. Generally speaking, the closer the IDS is to
sensitive data, the more important the tuning, monitoring, and
response to IDS alerts. The National Institute of Standards and
Technology (NIST) recommends network intrusion detection systems "at
any location where network traffic from external entities is allowed
to enter controlled or private networks."
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4 Step 4:
Selecting Contingency Planning Strategies
The next step is to plan how to recover needed resources. In
evaluating alternatives, it is necessary to consider what controls
are in place to prevent and minimize contingencies. Since no set of
controls can cost-effectively prevent all contingencies, it is
necessary to coordinate prevention and recovery efforts.
A contingency planning strategy normally consists of three parts:
emergency response, recovery, and resumption.89 Emergency response
encompasses the initial actions taken to protect lives and limit
damage. Recovery refers to the steps that are taken to continue
support for critical functions. Resumption is the return to normal
operations. The relationship between recovery and resumption is
important. The longer it takes to resume normal operations, the
longer the organization will have to operate in the recovery mode.
The selection of a strategy needs to be based on practical
considerations, including feasibility and cost. The different
categories of resources should each be considered. Risk assessment
can be used to help estimate the cost of options to decide on an
optimal strategy. For example, is it more expensive to purchase and
maintain a generator or to move processing to an alternate site,
considering the likelihood of losing electrical power for various
lengths of time? Are the consequences of a loss of computer-related
resources sufficiently high to warrant the cost of various recovery
strategies? The risk assessment should focus on areas where it is
not clear which strategy is the best.
In developing contingency planning strategies, there are many
factors to consider in addressing each of the resources that support
critical functions. Some examples are:
Example 1: If the system administrator for a LAN has to be out of
the office for a long time (due to illness or an accident),
arrangements are made for the system administrator of another LAN to
perform the duties. Anticipating this, the absent administrator
should have taken steps beforehand to keep documentation current.
This strategy is inexpensive, but service will probably be
significantly reduced on both LANs which may prompt the manager of
the loaned administrator to partially renege on the agreement.
Example 2: An organization depends on an on-line information
service provided by a commercial vendor. The organization is no
longer able to obtain the information manually (e.g., from a
reference book) within acceptable time limits and there are no other
comparable services. In this case, the organization relies on the
contingency plan of the service provider. The organization pays a
premium to obtain priority service in case the service provider has
to operate at reduced capacity.
Example #3: A large mainframe data center has a contract with a hot
site vendor, has a contract with the telecommunications carrier to
reroute communications to the hot site, has plans to move people,
and stores up-to-date copies of data, applications and needed paper
records off-site. The contingency plan is expensive, but management
has decided that the expense is fully justified.
Example #4. An organization distributes its processing among two
major sites, each of which includes small to medium processors
(personal computers and minicomputers). If one site is lost, the
other can carry the critical load until more equipment is purchased.
Routing of data and voice communications can be performed
transparently to redirect traffic. Backup copies are stored at the
other site. This plan requires tight control over the architectures
used and types of applications that are developed to ensure
compatibility. In addition, personnel at both sites must be
cross-trained to perform all functions.