- Women in IT Security: Power Players - When Ebba Blitz was hosting
Dragon's Den, Sweden's version of Shark Tank, she was often inspired
by the eager contestants who would come on the reality show with
hopes of building themselves a business empire.
FBI-DHS “amber” alert warns energy industry of attacks on nuke plant
operators - Spear-phishing e-mails with malicious fake résumés
targeted plant engineers.
Firms struggling to get back to business after NotPetya struck -
Major companies struggling to return back to normal operation after
last week's global ransomware attack.
The Pentagon Says It Will Start Encrypting Soldiers' Emails Next
Year - Basic decade-old encryption technology is finally coming to
Pentagon email servers next year.
Multinational talks of £100 mil loss as Petya/NotPetya leaves its
mark - International consumer goods giant Reckitt Benckiser has
announced a large loss in revenue as it recovers from last week's
Petya/NotPetya ransomware attack.
Foreign hackers probe European critical infrastructure networks:
sources - Cyber attackers are regularly trying to attack data
networks connected to critical national infrastructure systems
around Europe, according to current and former European government
sources with knowledge of the issue.
House of Lords to report on post-Brexit GDPR, Germany first to enact
GDPR - The GDPR klaxon rings: Germany becomes the first country to
pass the GDPR through its legislative process, as Lords in the UK
release a report on what post-Brexit GDPR will look like.
Breached companies underperform on NASDAQ, study - While it's widely
known that data breaches often hurt the reputations of a company, a
recent study found breaches also temporarily hurt a company's stock
market status as well.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- CopyCat malware infects 14M Android devices, steals credits for
app downloads - A mobile malware that roots Android devices and
commits both ad and app fraud has infected at least 14 million
devices, at one point raking in $1.5 million during a peak two-month
period in 2016.
Bitthumb breach yields personal data on 30K, leads to funds scams -
Personal information on 30,000 customers of Bitthumb, billed as
South Korea's largest cybercurrency exchange, were likely exposed in
a recent hack of an employee's PC and used to trick customers and
pilfer their funds.
County Commissioners Association of Pennsylvania data breach exposes
PII - Poor security measures left personal information from the
County Commissioners Association of Pennsylvania publicly viewable
Unencrypted PII records leaked from WWE database hosted on AWS
server - A security researcher has allegedly found World Wrestling
Entertainment (WWE) to be storing personally identifiable
information (PII) on three million of its fans in plain-text on an
AWS S3 server.
Data Breach hits California Association of Realtors - A subsidiary
of the California Association of Realtors suffered a data breach
that exposed user information for a two-month period earlier this
Spearphishing attacks on energy firms tied to years-long global
hacking operation - A recent barrage of well-crafted phishing emails
aimed at employees at U.S. energy companies, including one nuclear
facility, is tied to a years-long international campaign to steal
user credentials and gather intelligence from the industry.
Self-Service Food Kiosk Vendor Avanti Hacked - Avanti Markets, a
company whose self-service payment kiosks sit beside shelves of
snacks and drinks in thousands of corporate breakrooms across
America, has suffered of breach of its internal networks in which
hackers were able to push malicious software out to those payment
devices, the company has acknowledged.
Deep Hosting - a Dark Web hosting service - admitted yesterday to
suffering a major security incident during which "some sites have
been exported." The hack took place on Saturday afternoon and was
carried out by a hacker calling himself Dhostpwned, the name he used
when he spoke with Bleeping Computer earlier today.
14M Verizon customer records exposed on Amazon server - A
third-party vendor working with Verizon left the data of as many as
14 million US customers exposed on a misconfigured server.
5,300 University of Iowa Health Care records exposed for two years -
Thousands of University of Iowa Health Care (UIHC) patients had some
of their private information inadvertently posted for more than two
years on a web application development site.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (8 of 12)
During the containment phase, the institution should generally
implement its predefined procedures for responding to the specific
incident (note that containment procedures are a required minimum
component). Additional containment-related procedures some banks
have successfully incorporated into their IRPs are discussed below.
Establish notification escalation procedures.
If senior management is not already part of the incident
response team, banks may want to consider developing procedures for
notifying these individuals when the situation warrants. Providing
the appropriate executive staff and senior department managers with
information about how containment actions will affect business
operations or systems and including these individuals in the
decision-making process can help minimize undesirable business
disruptions. Institutions that have experienced incidents have
generally found that the management escalation process (and
resultant communication flow) was not only beneficial during the
containment phase, but also proved valuable during the later phases
of the incident response process.
Document details, conversations, and actions.
Retaining documentation is an important component of the
incident response process. Documentation can come in a variety of
forms, including technical reports generated, actions taken, costs
incurred, notifications provided, and conversations held. This
information may be useful to external consultants and law
enforcement for investigative and legal purposes, as well as to
senior management for filing potential insurance claims and for
preparing an executive summary of the events for the board of
directors or shareholders. In addition, documentation can assist
management in responding to questions from its primary Federal
regulator. It may be helpful during the incident response process to
centralize this documentation for organizational purposes.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 3 of 4)
Some network IDS units allow the IP addresses
associated with certain signatures to be automatically blocked.
Financial institutions that use that capability run the risk of an
attacker sending attack packets that falsely report the sending IP
addresses as that of service providers and others that the
institution needs to continue offering service, thereby creating a
denial - of - service situation. To avoid such a situation, the
institution also may implement a list of IP addresses that should
not be blocked by the IDS.
Hosts also use a signature-based method. One such method creates a
hash of key binaries, and periodically compares a newly generated
hash against the original hash. Any mismatch signals a change to the
binary, a change that could be the result of an intrusion.
Successful operation of this method involves protection of the
original binaries from change or deletion, and protection of the
host that compares the hashes. If attackers can substitute a new
hash for the original, an attack may not be identified. Similarly,
if an attacker can alter the host performing the comparison so that
it will report no change in the hash, an attack may not be
An additional host-based signature method monitors the application
program interfaces for unexpected or unwanted behavior, such as a
Web server calling a command line interface.
Attackers can defeat host-based IDS systems using loadable kernel
modules, or LKMs. A LKM is software that attaches itself to the
operating system kernel. From there, it can redirect and alter
communications and processing. With the proper LKM, an attacker can
force a comparison of hashes to always report a match and provide
the same cryptographic fingerprint of a file, even after the source
file was altered. LKMs can also hide the use of the application
program interfaces. Detection of LKMs is extremely difficult and is
typically done through another LKM.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
Applications and Data
Normally, the primary contingency strategy for applications and
data is regular backup and secure offsite storage. Important
decisions to be addressed include how often the backup is performed,
how often it is stored off-site, and how it is transported (to
storage, to an alternate processing site, or to support the
resumption of normal operations).
The need for computer security does not go away when an
organization is processing in a contingency mode. In some cases, the
need may increase due to sharing processing facilities,
concentrating resources in fewer sites, or using additional
contractors and consultants. Security should be an important
consideration when selecting contingency strategies.
11.4.4 Computer-Based Services
Service providers may offer contingency services. Voice
communications carriers often can reroute calls (transparently to
the user) to a new location. Data communications carriers can also
reroute traffic. Hot sites are usually capable of receiving data and
voice communications. If one service provider is down, it may be
possible to use another. However, the type of communications carrier
lost, either local or long distance, is important. Local voice
service may be carried on cellular. Local data communications,
especially for large volumes, is normally more difficult. In
addition, resuming normal operations may require another rerouting
of communications services.
11.4.5 Physical Infrastructure
Hot sites and cold sites may also offer office space in addition to
processing capability support. Other types of contractual
arrangements can be made for office space, security services,
furniture, and more in the event of a contingency. If the
contingency plan calls for moving offsite, procedures need to be
developed to ensure a smooth transition back to the primary
operating facility or to a new facility. Protection of the physical
infrastructure is normally an important part of the emergency
response plan, such as use of fire extinguishers or protecting
equipment from water damage.
11.4.6 Documents and Papers
The primary contingency strategy is usually backup onto magnetic,
optical, microfiche, paper, or other medium and offsite storage.
Paper documents are generally harder to backup than electronic ones.
A supply of forms and other needed papers can be stored offsite.