FYI - Women in IT Security: Power Players - When Ebba Blitz was hosting Dragon's Den, Sweden's version of Shark Tank, she was often inspired by the eager contestants who would come on the reality show with hopes of building themselves a business empire. https://www.scmagazine.com/women-in-it-security-power-players/article/674085/

FBI-DHS “amber” alert warns energy industry of attacks on nuke plant operators - Spear-phishing e-mails with malicious fake résumés targeted plant engineers. https://arstechnica.com/security/2017/07/dhs-fbi-warn-of-attempts-to-hack-nuclear-plants/

Firms struggling to get back to business after NotPetya struck - Major companies struggling to return back to normal operation after last week's global ransomware attack. https://www.scmagazine.com/firms-struggling-to-get-back-to-business-after-notpetya-struck/article/673192/

The Pentagon Says It Will Start Encrypting Soldiers' Emails Next Year - Basic decade-old encryption technology is finally coming to Pentagon email servers next year. https://motherboard.vice.com/en_us/article/bjxjxv/the-pentagon-says-it-will-start-encrypting-soldiers-emails-next-year

Multinational talks of £100 mil loss as Petya/NotPetya leaves its mark - International consumer goods giant Reckitt Benckiser has announced a large loss in revenue as it recovers from last week's Petya/NotPetya ransomware attack. https://www.scmagazine.com/multinational-talks-of-100-mil-loss-as-petyanotpetya-leaves-its-mark/article/673509/

Foreign hackers probe European critical infrastructure networks: sources - Cyber attackers are regularly trying to attack data networks connected to critical national infrastructure systems around Europe, according to current and former European government sources with knowledge of the issue. http://www.reuters.com/article/us-britain-cyber-idUSKBN19V1C7

House of Lords to report on post-Brexit GDPR, Germany first to enact GDPR - The GDPR klaxon rings: Germany becomes the first country to pass the GDPR through its legislative process, as Lords in the UK release a report on what post-Brexit GDPR will look like. https://www.scmagazine.com/house-of-lords-to-report-on-post-brexit-gdpr-germany-first-to-enact-gdpr/article/674321/

Breached companies underperform on NASDAQ, study - While it's widely known that data breaches often hurt the reputations of a company, a recent study found breaches also temporarily hurt a company's stock market status as well. https://www.scmagazine.com/study-finds-breach-companies-underperform-nasdaq/article/674304/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - CopyCat malware infects 14M Android devices, steals credits for app downloads - A mobile malware that roots Android devices and commits both ad and app fraud has infected at least 14 million devices, at one point raking in $1.5 million during a peak two-month period in 2016. https://www.scmagazine.com/copycat-malware-infects-14m-android-devices-steals-credits-for-app-downloads/article/673361/

Bitthumb breach yields personal data on 30K, leads to funds scams - Personal information on 30,000 customers of Bitthumb, billed as South Korea's largest cybercurrency exchange, were likely exposed in a recent hack of an employee's PC and used to trick customers and pilfer their funds. https://www.scmagazine.com/bitthumb-breach-yields-personal-data-on-30k-leads-to-funds-scams/article/673051/

County Commissioners Association of Pennsylvania data breach exposes PII - Poor security measures left personal information from the County Commissioners Association of Pennsylvania publicly viewable online. https://www.scmagazine.com/county-commissioners-association-of-pennsylvania-data-breach-exposes-pii/article/673356/

Unencrypted PII records leaked from WWE database hosted on AWS server - A security researcher has allegedly found World Wrestling Entertainment (WWE) to be storing personally identifiable information (PII) on three million of its fans in plain-text on an AWS S3 server. https://www.scmagazine.com/unencrypted-pii-records-leaked-from-wwe-database-hosted-on-aws-server/article/673507/

Data Breach hits California Association of Realtors - A subsidiary of the California Association of Realtors suffered a data breach that exposed user information for a two-month period earlier this year. https://www.scmagazine.com/data-breach-hits-california-association-of-realtors/article/673795/

Spearphishing attacks on energy firms tied to years-long global hacking operation - A recent barrage of well-crafted phishing emails aimed at employees at U.S. energy companies, including one nuclear facility, is tied to a years-long international campaign to steal user credentials and gather intelligence from the industry. https://www.cyberscoop.com/nuclear-hacks-fireeye-2015-global-hacking-campaign/

Self-Service Food Kiosk Vendor Avanti Hacked - Avanti Markets, a company whose self-service payment kiosks sit beside shelves of snacks and drinks in thousands of corporate breakrooms across America, has suffered of breach of its internal networks in which hackers were able to push malicious software out to those payment devices, the company has acknowledged. http://krebsonsecurity.com/2017/07/self-service-food-kiosk-vendor-avanti-hacked/

Deep Hosting - a Dark Web hosting service - admitted yesterday to suffering a major security incident during which "some sites have been exported." The hack took place on Saturday afternoon and was carried out by a hacker calling himself Dhostpwned, the name he used when he spoke with Bleeping Computer earlier today. https://www.bleepingcomputer.com/news/security/dark-web-hosting-service-hacked-some-data-was-stolen/

14M Verizon customer records exposed on Amazon server - A third-party vendor working with Verizon left the data of as many as 14 million US customers exposed on a misconfigured server. https://www.scmagazine.com/misconfigured-server-leaves-14-million-verizon-customer-records-exposed/article/674590/

5,300 University of Iowa Health Care records exposed for two years - Thousands of University of Iowa Health Care (UIHC) patients had some of their private information inadvertently posted for more than two years on a web application development site. https://www.scmagazine.com/5300-university-of-iowa-health-care-records-exposed-for-two-years/article/674428/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs.  (8 of 12)
 
 Containment
 
 During the containment phase, the institution should generally implement its predefined procedures for responding to the specific incident (note that containment procedures are a required minimum component). Additional containment-related procedures some banks have successfully incorporated into their IRPs are discussed below.
 
 Establish notification escalation procedures.
 
 If senior management is not already part of the incident response team, banks may want to consider developing procedures for notifying these individuals when the situation warrants. Providing the appropriate executive staff and senior department managers with information about how containment actions will affect business operations or systems and including these individuals in the decision-making process can help minimize undesirable business disruptions. Institutions that have experienced incidents have generally found that the management escalation process (and resultant communication flow) was not only beneficial during the containment phase, but also proved valuable during the later phases of the incident response process.
 
 Document details, conversations, and actions.
 
 Retaining documentation is an important component of the incident response process. Documentation can come in a variety of forms, including technical reports generated, actions taken, costs incurred, notifications provided, and conversations held. This information may be useful to external consultants and law enforcement for investigative and legal purposes, as well as to senior management for filing potential insurance claims and for preparing an executive summary of the events for the board of directors or shareholders. In addition, documentation can assist management in responding to questions from its primary Federal regulator. It may be helpful during the incident response process to centralize this documentation for organizational purposes.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  INTRUSION DETECTION AND RESPONSE
  
  Automated Intrusion Detection Systems (IDS) (Part 3 of 4)
  
  Some network IDS units allow the IP addresses associated with certain signatures to be automatically blocked. Financial institutions that use that capability run the risk of an attacker sending attack packets that falsely report the sending IP addresses as that of service providers and others that the institution needs to continue offering service, thereby creating a denial - of - service situation. To avoid such a situation, the institution also may implement a list of IP addresses that should not be blocked by the IDS.
  
  Hosts also use a signature-based method. One such method creates a hash of key binaries, and periodically compares a newly generated hash against the original hash. Any mismatch signals a change to the binary, a change that could be the result of an intrusion. Successful operation of this method involves protection of the original binaries from change or deletion, and protection of the host that compares the hashes. If attackers can substitute a new hash for the original, an attack may not be identified. Similarly, if an attacker can alter the host performing the comparison so that it will report no change in the hash, an attack may not be identified.
  
  An additional host-based signature method monitors the application program interfaces for unexpected or unwanted behavior, such as a Web server calling a command line interface.
  
  Attackers can defeat host-based IDS systems using loadable kernel modules, or LKMs. A LKM is software that attaches itself to the operating system kernel. From there, it can redirect and alter communications and processing. With the proper LKM, an attacker can force a comparison of hashes to always report a match and provide the same cryptographic fingerprint of a file, even after the source file was altered. LKMs can also hide the use of the application program interfaces. Detection of LKMs is extremely difficult and is typically done through another LKM.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 11.4.3 Automated Applications and Data
 
 Normally, the primary contingency strategy for applications and data is regular backup and secure offsite storage. Important decisions to be addressed include how often the backup is performed, how often it is stored off-site, and how it is transported (to storage, to an alternate processing site, or to support the resumption of normal operations).
 
 The need for computer security does not go away when an organization is processing in a contingency mode. In some cases, the need may increase due to sharing processing facilities, concentrating resources in fewer sites, or using additional contractors and consultants. Security should be an important consideration when selecting contingency strategies.
 
 11.4.4 Computer-Based Services
 
 Service providers may offer contingency services. Voice communications carriers often can reroute calls (transparently to the user) to a new location. Data communications carriers can also reroute traffic. Hot sites are usually capable of receiving data and voice communications. If one service provider is down, it may be possible to use another. However, the type of communications carrier lost, either local or long distance, is important. Local voice service may be carried on cellular. Local data communications, especially for large volumes, is normally more difficult. In addition, resuming normal operations may require another rerouting of communications services.
 
 11.4.5 Physical Infrastructure
 
 Hot sites and cold sites may also offer office space in addition to processing capability support. Other types of contractual arrangements can be made for office space, security services, furniture, and more in the event of a contingency. If the contingency plan calls for moving offsite, procedures need to be developed to ensure a smooth transition back to the primary operating facility or to a new facility. Protection of the physical infrastructure is normally an important part of the emergency response plan, such as use of fire extinguishers or protecting equipment from water damage.
 
 11.4.6 Documents and Papers
 
 The primary contingency strategy is usually backup onto magnetic, optical, microfiche, paper, or other medium and offsite storage. Paper documents are generally harder to backup than electronic ones. A supply of forms and other needed papers can be stored offsite.