- FDIC ill-equipped to identify major cyber incidents - The Federal
Deposit Insurance Corp.'s breach reporting guidelines are inadequate
for identifying "major" cyber incidents, according to a new
inspector general report.
- European Member States Approve Privacy Shield Agreement -
Representatives of the 28 states of the European Union approved the
final version of the Privacy Shield agreement between the United
States and the EU on July 8.
- FAA reauthorization to bolster cyber efforts - The Federal
Aviation Administration reauthorization, introduced Thursday and
likely to pass next week, will require the agency to mull
improvements to cybersecurity.
- European Union’s First Cybersecurity Law Gets Green Light - The
European Union approved its first rules on cybersecurity, forcing
businesses to strengthen defenses and companies such as Google Inc.
and Amazon.com Inc. to report attacks.
- Cybercrime now tops traditional crime in U.K. - A new report found
that cybercrime in the U.K. has passed traditional crime in terms of
- 53% of organisations around the world still use Windows Server
2003 - Over half (53 percent) of companies have at least one
instance of Windows Server 2003 still running even though its end of
life (EOL) date passed on 14 July 2015.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Wendy's says payment card info accessed in malware attack - The
burger chain said Thursday that malware on point-of-sale systems at
more than 300 franchise locations targeted payment card information
including "cardholder name, credit or debit card number, expiration
date, cardholder verification value, and service code." The malware
led to unusual credit card activity beginning in autumn 2015.
- 20 million Iranian mobile users' data leaked but operator denies
being hacked - Iran's second largest mobile operator, Irancell, lost
the personal information of 20 million customers in a data leak last
week but denies being hacked.
- Baton Rouge police server accessed, 50K files reportedly released
- A hacker reportedly accessed and publicly posted 50,000 records
from the Baton Rouge Police Department to protest the police killing
of local resident Alton Sterling.
breach affects 38,000 - A cyber crook used a phishing scam to break
into a North Carolina State University email account containing
personally identifiable information.
breached, tells users to reset login credentials - Cloud service
data aggregator Datadog was hit with a data breach late last week
and has sent a letter to its customers warning them to change their
was hit by point-of-sale malware - Omni Hotels & Resorts has
reported that point-of-sale systems at some of its properties were
hit by malware targeting payment card information.
suspected in ATM heist in Taiwan - ATMs in Taiwan were spewing money
over the weekend in what authorities believe were malware-aided
Alpha financial news app leaks credentials, stock positions of 500K
users - Researchers discovered financial news platform Seeking
Alpha's mobile applications leaking PII and confidential information
of more than 500,000 users.
WEB SITE COMPLIANCE -
We continue our review of the
FDIC paper "Risk Assessment Tools and Practices for Information
A thorough and proactive risk assessment is the first step in
establishing a sound security program. This is the ongoing process
of evaluating threats and vulnerabilities, and establishing an
appropriate risk management program to mitigate potential monetary
losses and harm to an institution's reputation. Threats have the
potential to harm an institution, while vulnerabilities are
weaknesses that can be exploited.
The extent of the information security program should be
commensurate with the degree of risk associated with the
institution's systems, networks, and information assets. For
example, compared to an information-only Web site, institutions
offering transactional Internet banking activities are exposed to
greater risks. Further, real-time funds transfers generally pose
greater risks than delayed or batch-processed transactions because
the items are processed immediately. The extent to which an
institution contracts with third-party vendors will also affect the
nature of the risk assessment program.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses, Attacks, and
Offsetting Controls (Part 1 of 2)
All authentication methodologies display weaknesses. Those
weaknesses are of both a technical and a nontechnical nature. Many
of the weaknesses are common to all mechanisms. Examples of common
weaknesses include warehouse attacks, social engineering, client
attacks, replay attacks, and hijacking.
Warehouse attacks compromise the authentication storage system itself
and steal the authentication data. Frequently the stored authenticators
are hashed or encrypted; however, dictionary attacks make recovering
even a few passwords out of a large set a trivial task. A dictionary
attack takes a list of likely authenticators, such as common passwords,
runs each through the same hashing or encryption algorithm, and
compares the results to the stolen, protected authenticators. Any match
is directly traceable to the plaintext authenticator that produced it.
Dictionary and brute force attacks are viable because of the speed
with which comparisons can be made. As processors get faster and it
becomes easier to link them across networks, these attacks will become
more effective still. Institutions should therefore take great care in
securing their authentication databases. Institutions that store
one-way hashes should insert random per-user bits (a "salt") into each
hash to increase the difficulty of recovering passwords from it. The
salt need not be secret: because every user's hash is computed over a
different salt, a guess can only be tested against one stored hash at
a time and tables precomputed before the theft are useless, so the
attacker's work grows with the number of accounts. This makes the
attack more time consuming and gives the institution more opportunity
to identify and react to it. A salt alone does not slow the testing of
a single guess against a single account; for that the hash function
itself must be deliberately expensive (an iterated password hash).
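The following is an added example (mine, not text or code from the FFIEC booklet) that runs the dictionary attack described above against a constructed stolen credential set, first with unsalted hashes and then with a random per-user salt, counting how many hash invocations the attacker needs in each case. The user names, passwords and wordlist are constructed; SHA-256 stands in for whatever one-way function an institution actually uses, and the PBKDF2 call at the end shows the separate knob (iteration count) that raises the cost of each individual guess.

```python
import hashlib
import hmac
import os

# Constructed sample "stolen" credential set: four users, two sharing a weak password.
SAMPLE_USERS = {
    "alice": "Summer2016",
    "bob": "password",
    "carol": "password",
    "dave": "8kQ!v2#zLp9w",   # not in the wordlist; survives the dictionary attack
}

# Constructed attacker wordlist of likely authenticators.
WORDLIST = ["123456", "password", "letmein", "Summer2016", "qwerty", "welcome1"]

_hash_calls = 0  # attacker effort, counted in hash invocations


def sha256_hex(data: bytes) -> str:
    global _hash_calls
    _hash_calls += 1
    return hashlib.sha256(data).hexdigest()


def build_unsalted_db(users: dict) -> dict:
    """Stores H(password) only; identical passwords yield identical hashes."""
    return {user: sha256_hex(pw.encode()) for user, pw in users.items()}


def build_salted_db(users: dict, salt_len: int = 16) -> dict:
    """Stores (salt, H(salt || password)) with a fresh random salt per user.

    The salt is kept in the clear next to the hash; it is random, not secret.
    Its job is to make every stored hash unique, so that one computed guess can
    only be compared against one user's record.
    """
    db = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)
        db[user] = (salt, sha256_hex(salt + pw.encode()))
    return db


def duplicate_hashes(db: dict) -> bool:
    """True if two users' stored hashes are identical (reveals shared passwords)."""
    stored = [v if isinstance(v, str) else v[1] for v in db.values()]
    return len(set(stored)) < len(stored)


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """Hash each word once and look it up: one computation tests every user."""
    global _hash_calls
    _hash_calls = 0
    by_hash = {}
    for user, h in db.items():
        by_hash.setdefault(h, []).append(user)
    cracked = {}
    for word in wordlist:
        for user in by_hash.get(sha256_hex(word.encode()), []):
            cracked[user] = word
    return cracked, _hash_calls


def crack_salted(db: dict, wordlist: list) -> tuple:
    """Each word must be re-hashed under each user's salt: effort is users x words,
    and any table precomputed before the theft is useless."""
    global _hash_calls
    _hash_calls = 0
    cracked = {}
    for user, (salt, stored) in db.items():
        for word in wordlist:
            if hmac.compare_digest(sha256_hex(salt + word.encode()), stored):
                cracked[user] = word
    return cracked, _hash_calls


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salting multiplies attacker effort by the number of accounts; a deliberately
    slow KDF multiplies it again by `iterations` for every single guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    plain, salted = build_unsalted_db(SAMPLE_USERS), build_salted_db(SAMPLE_USERS)
    print("shared passwords visible: unsalted", duplicate_hashes(plain),
          "salted", duplicate_hashes(salted))
    print("unsalted cracked, hash calls:", crack_unsalted(plain, WORDLIST))
    print("salted   cracked, hash calls:", crack_salted(salted, WORDLIST))
```

Note that the salt changes the price, not the outcome: the same three weak passwords fall either way, but the salted run needs one hash per (user, word) pair instead of one per word, and the unsalted database additionally betrays that bob and carol share a password before a single guess is made.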
Warehouse attacks typically compromise an entire authentication
mechanism. Should such an attack occur, the financial institution
might have to deny access to all or nearly all users until new
authentication devices can be issued (e.g. new passwords).
Institutions should consider the effects of such a denial of access,
and appropriately plan for large-scale re-issuances of
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4 Step 4:
Selecting Contingency Planning Strategies
The next step is to plan how to recover needed resources. In
evaluating alternatives, it is necessary to consider what controls
are in place to prevent and minimize contingencies. Since no set of
controls can cost-effectively prevent all contingencies, it is
necessary to coordinate prevention and recovery efforts.
A contingency planning strategy normally consists of three parts:
emergency response, recovery, and resumption. Emergency response
encompasses the initial actions taken to protect lives and limit
damage. Recovery refers to the steps that are taken to continue
support for critical functions. Resumption is the return to normal
operations. The relationship between recovery and resumption is
important. The longer it takes to resume normal operations, the
longer the organization will have to operate in the recovery mode.
The selection of a strategy needs to be based on practical
considerations, including feasibility and cost. The different
categories of resources should each be considered. Risk assessment
can be used to help estimate the cost of options to decide on an
optimal strategy. For example, is it more expensive to purchase and
maintain a generator or to move processing to an alternate site,
considering the likelihood of losing electrical power for various
lengths of time? Are the consequences of a loss of computer-related
resources sufficiently high to warrant the cost of various recovery
strategies? The risk assessment should focus on areas where it is
not clear which strategy is the best.
In developing contingency planning strategies, there are many
factors to consider in addressing each of the resources that support
critical functions. Some examples are:
Example 1: If the system administrator for a LAN has to be out of
the office for a long time (due to illness or an accident),
arrangements are made for the system administrator of another LAN to
perform the duties. Anticipating this, the absent administrator
should have taken steps beforehand to keep documentation current.
This strategy is inexpensive, but service will probably be
significantly reduced on both LANs, which may prompt the manager of
the loaned administrator to partially renege on the agreement.
Example 2: An organization depends on an on-line information
service provided by a commercial vendor. The organization is no
longer able to obtain the information manually (e.g., from a
reference book) within acceptable time limits and there are no other
comparable services. In this case, the organization relies on the
contingency plan of the service provider. The organization pays a
premium to obtain priority service in case the service provider has
to operate at reduced capacity.
Example 3: A large mainframe data center has a contract with a hot
site vendor, has a contract with the telecommunications carrier to
reroute communications to the hot site, has plans to move people,
and stores up-to-date copies of data, applications and needed paper
records off-site. The contingency plan is expensive, but management
has decided that the expense is fully justified.
Example 4: An organization distributes its processing between two
major sites, each of which includes small to medium processors
(personal computers and minicomputers). If one site is lost, the
other can carry the critical load until more equipment is purchased.
Routing of data and voice communications can be performed
transparently to redirect traffic. Backup copies are stored at the
other site. This plan requires tight control over the architectures
used and types of applications that are developed to ensure
compatibility. In addition, personnel at both sites must be
cross-trained to perform all functions.