- Information Technology Risk Examination (InTREx) Program -
The FDIC updated its information technology and operations risk (IT)
examination procedures to provide a more efficient, risk-focused
approach. This enhanced program also provides a cybersecurity
preparedness assessment and discloses more detailed examination
results using component ratings.
- GAO - Information Security: FDIC Implemented Controls over
Financial Systems, but Further Improvements are Needed.
- Fed weighs enhanced scrutiny on transfers after $81M cyberheist -
The Federal Reserve is considering “enhanced monitoring” for certain
kinds of transactions, after hackers stole $81 million from the
Bangladesh central bank’s account at the New York branch, Fed
chairman Janet Yellen told lawmakers Wednesday.
- Foreign Government Hackers Are the Gravest and Most Common Threat,
Agencies Say - The gravest attacks -- and most common -- perpetrated
against agency networks involved nation states, according to an
audit that happened to be released amid accusations the Russian
government allegedly hacked the Democratic National Committee.
- Naval Academy grads spread cyber awareness servicewide - Just as
cyber permeates every other domain of warfare, the Naval Academy's
first class of cybersecurity graduates pervades every community in
the service, from Navy SEALs to submariners to Marines.
- Hacker selling 655,000 patient records from 3 hacked healthcare
organizations - A hacker is reportedly trying to sell more than half
a million patient records, obtained from exploiting RDP, on a dark
- Payout of $10,000 for Windows 10 update - Microsoft has agreed to
pay a Californian woman $10,000 (£7,500) after an automatic Windows
10 update left her computer unusable.
- Medicos could be world's best security bypassers, study finds -
Hospitals plastered with password sticky notes - Medicos are so
adept at mitigating security controls that their bypassing exploits
have become official policy, a university-backed study has revealed.
- British teen admits to cyberattack on SeaWorld - A British teenager
has admitted to instigating cyber attacks on SeaWorld in Florida,
but has denied launching bomb threats to airlines in the U.S. via
Twitter, according to BBC News.
- Top 10 cyber-weapons; weaponised IT the preferred attack vehicle
once inside - The Cyber Weapons Report 2016 from LightCyber Inc,
issued today, catalogues the top ten weapons used in various
categories of cyber-attack; however, its main thrust is that once an
attacker is on your system, they rarely use malware, and what you
need to monitor is anomalous behaviour using legitimate tools.
- Recycled hard drives rich with residual data, study - Owing to a
decrease in the sale of PCs and laptops, consumers and businesses in
need of additional storage are buying up more recycled hard drives –
and the amount of digital information stored on these devices is
staggering, according to a new study.
- Hackers investing 40% of crime proceeds in new criminal techniques
- Cyber-criminals are investing up to 40 percent of their stolen
funds in improving and modernising their techniques and criminal
schemes according to a recent report issued by cyber-experts at the
Russian Ministry of Communications.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Online Backup Firm Carbonite Hit by Password Reuse Attack -
Boston-based backup services provider Carbonite is the latest
company whose users have been targeted by hackers leveraging
credentials leaked recently from major websites.
- Technology director arrested in Abingdon-Avon School District on
electronic eavesdropping charges - Law enforcement officials in Knox
County, Ill. earlier this week arrested a longtime IT employee of
Abingdon-Avon School District #276 on electronic eavesdropping
charges in connection with a recent data breach, according to local
- How 154M U.S. voter records will affect Americans' security -
industry reacts - A security researcher discovered an unencrypted
database containing 154 million records of U.S. voters that included
addresses, phone numbers, political party, income range, ethnicity,
age, and voting history.
- Microsoft Office 365 hit with massive Cerber ransomware attack,
report - Millions of Microsoft Office 365 users were potentially
exposed to a massive zero-day Cerber ransomware attack last week
that not only included a ransom note, but an audio warning informing
victims that their files were encrypted.
- Google CEO Sundar Pichai Quora account hijacked by Zuckerberg
hackers - Three weeks after hijacking Facebook CEO Mark Zuckerberg's
Twitter and Pinterest accounts, the mischievous OurMine hacking
group appears to have briefly seized control of Google CEO Sundar
Pichai's Quora account.
- SEC Twitter account hacked, inappropriate pics posted - A prankster
Saturday hacked the official SEC (Southeastern Conference) Twitter
account and posted pictures of scantily clad women.
- Hard Rock Hotel & Casino Las Vegas hit with POS breach - The Hard
Rock Hotel & Casino in Las Vegas Monday reported a data breach after
point-of-sale (POS) malware was found on the resort's systems.
- Hummer trojan infects Androids, likely yields creators $500K daily
- A new Trojan, dubbed Hummer, that's infecting Android phones, is
yielding its creators more than $500,000 per day.
- Massachusetts General Hospital data breach affects 4.3K patients -
Fingers are pointing at a third-party vendor as the culpable party
behind the exposure of personally identifiable information of 4,300
patients of Massachusetts General Hospital (MGH).
- House websites knocked offline; provider suggests link to Dem
protest - The Congressional websites of 19 House Democrats were
knocked offline in an incident that the technology firm managing the
sites believes is linked to last week's sit-in calling for a vote on
gun control legislation.
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
To ensure the security of information systems and data, financial
institutions should have a sound information security program that
identifies, measures, monitors, and manages potential risk exposure.
Fundamental to an effective information security program is ongoing
risk assessment of threats and vulnerabilities surrounding networked
and/or Internet systems. Institutions should consider the various
measures available to support and enhance information security
programs. The appendix to this paper describes certain vulnerability
assessment tools and intrusion detection methods that can be useful
in preventing and identifying attempted external break-ins or
internal misuse of information systems. Institutions should also
consider plans for responding to an information security incident.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Biometrics (Part 2 of 2)
Weaknesses in biometric systems relate to the ability of an
attacker to submit false physical characteristics, or to take
advantage of system flaws to make the system erroneously report a
match between the characteristic submitted and the one stored in the
system. In the first situation, an attacker might submit to a
thumbprint recognition system a copy of a valid user's thumbprint.
The control against this attack involves ensuring a live thumb was
used for the submission. That can be done by physically controlling
the thumb reader, for instance having a guard at the reader to make
sure no tampering or fake thumbs are used. In remote entry
situations, logical liveness tests can be performed to verify that
the submitted data is from a live subject.
Attacks that involve making the system falsely deny or accept a
request take advantage of either the low degrees of freedom in the
characteristic being tested, or improper system tuning. Degrees of
freedom relate to measurable differences between biometric readings,
with more degrees of freedom indicating a more unique biometric.
Facial recognition systems, for instance, may have only nine degrees
of freedom while other biometric systems have over one hundred.
Similar faces may be used to fool the system into improperly
authenticating an individual. Similar irises, however, are difficult
to find and even more difficult to fool a system into improperly
Attacks against system tuning also exist. Any biometric system has
rates at which it will falsely accept a reading and falsely reject a
reading. The two rates are inseparable; for any given system
improving one worsens the other. Systems that are tuned to maximize
user convenience typically have low rates of false rejection and
high rates of false acceptance. Those systems may be more open to
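As an added illustration of the false-acceptance/false-rejection trade-off described above (example code written for this page, not from the FFIEC booklet; the matcher is reduced to a similarity score and every score is constructed, not measured from a real system):

```python
"""Added example, not from the FFIEC booklet: how the decision threshold of a
biometric matcher trades false acceptance (FAR) against false rejection (FRR).
The matcher is reduced to a similarity score in [0, 1]; all scores below are
constructed, not measured from any real system."""
from typing import List, Tuple

# Constructed scores: genuine = a live user against their own template,
# impostor = another person (or a copied thumbprint) against that template.
GENUINE_SCORES: List[float] = [0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.69, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES: List[float] = [0.58, 0.52, 0.49, 0.45, 0.41, 0.38, 0.34, 0.30, 0.25, 0.20]


def error_rates(threshold: float, genuine: List[float] = GENUINE_SCORES,
                impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (FAR, FRR) for the rule 'score >= threshold means match'.
    FAR = share of impostors wrongly accepted; FRR = share of genuine users
    wrongly rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(thresholds: List[float]) -> List[Tuple[float, float, float]]:
    """Tabulate (threshold, FAR, FRR) so the inseparable trade-off is visible:
    as the threshold rises, FAR can only fall and FRR can only rise."""
    return [(t, *error_rates(t)) for t in thresholds]


def equal_error_point(genuine: List[float] = GENUINE_SCORES,
                      impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float, float]:
    """Find the threshold where FAR and FRR are closest (the equal-error
    operating point), a neutral starting point before tuning either way."""
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t: float) -> float:
        far, frr = error_rates(t, genuine, impostor)
        return abs(far - frr)

    best = min(candidates, key=gap)
    return (best, *error_rates(best, genuine, impostor))


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in sweep([0.40, 0.50, 0.58, 0.70, 0.80]):
        print(f"{t:9.2f}  {far:.2f}  {frr:.2f}")
    # Convenience-tuned (0.50): no genuine user rejected, 20% of impostors in.
    # Security-tuned (0.70): no impostor accepted, 40% of genuine users rejected.
    print("equal-error point:", equal_error_point())
```

The table makes the booklet's point concrete: the convenience-tuned threshold admits one impostor in five, while the security-tuned one turns away two genuine users in five, and no single threshold improves both rates.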
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.2 Step 2: Identifying the Resources That Support Critical
Applications and Data
Computer systems run applications that process data. Without
current electronic versions of both applications and data,
computerized processing may not be possible. If the processing is
being performed on alternate hardware, the applications must be
compatible with the alternate hardware, operating systems and other
software (including version and configuration), and numerous other
technical factors. Because of the complexity, it is normally
necessary to periodically verify compatibility.
11.2.4 Computer-Based Services
An organization uses many different kinds of computer-based
services to perform its functions. The two most important are
normally communications services and information services.
Communications can be further categorized as data and voice
communications; however, in many organizations these are managed by
the same service. Information services include any source of
information outside of the organization. Many of these sources are
becoming automated, including on-line government and private
databases, news services, and bulletin boards.
11.2.5 Physical Infrastructure
For people to work effectively, they need a safe working
environment and appropriate equipment and utilities. This can
include office space, heating, cooling, venting, power, water,
sewage, other utilities, desks, telephones, fax machines, personal
computers, terminals, courier services, file cabinets, and many
other items. In addition, computers also need space and utilities,
such as electricity. Electronic and paper media used to store
applications and data also have physical requirements.
11.2.6 Documents and Papers
Many functions rely on vital records and various documents, papers,
or forms. These records could be important because of a legal need
(such as being able to produce a signed copy of a loan) or because
they are the only record of the information. Records can be
maintained on paper, microfiche, microfilm, magnetic media, or