Security guard charged with hacking hospital systems - He intended
to use a botnet to launch a massive DDoS attack on July 4 - The
grainy video shows a bleary-eyed young man in a hoodie inside the
Carrell Clinic in Dallas. As he hits the elevator button, the theme
music from Mission Impossible plays in the background. "You're on a
mission with me: Infiltration," he says to the camera.
Data breach defense: Response ability - When a breach occurs,
customers expect more than an apology, says Bob Maley,
Pennsylvania's CISO. Dan Kaplan reports. Bob Maley, chief
information security officer for the state of Pennsylvania, was
about two weeks on the job when he had to deal with his first data
Practical forensics - Large and small enterprises are facing a
number of issues when it comes to forensic investigations, reports
Deb Radcliff. Whether or not to launch a digital forensics
investigation depends on many things: What is it the organization is
trying to find, where is the evidence located, and how does an
enterprise define forensics in the first place?
PC Invader Costs Ky. County $415,000 - Cyber criminals based in
Ukraine stole $415,000 from the coffers of Bullitt County, Kentucky
this week. The crooks were aided by more than two dozen
co-conspirators in the United States, as well as a strain of
malicious software capable of defeating online security measures put
in place by many banks.
Gamer embezzles virtual cash to settle real debts - As if
high-profile investment scandals and the economic downturn weren't
bad enough here on Earth, now folks have to deal with it outside our
galaxy. Virtually, at least.
Law enforcement may never get ahead of cybercriminals, an FBI
supervisory special agent has said. - "It's a race," Austin Berglas,
who works in the FBI's cybercrime squad, said Tuesday during a panel
session at Symantec's Cybercrime Day 2009 event in New York.
"Zero-days happen every day."
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hackers steal money from Bullitt County account - The federal agents
and members of the Bullitt County Fiscal Court are trying to recover
thousands of dollars that went missing from a county account at
First Federal Savings Bank in what appears to be a cyber crime.
Limited information is being released, but a FBI agent WAVE 3 spoke
with believes this crime has international ties.
Malicious server used to propagate Zbot shut down - A criminal
operation has been halted by the shutdown of a malicious server in
the Cayman Islands, but attackers are probably now looking for a new
home, researchers at a U.K. security firm said this week.
Programmer charged with stealing code freed on bail - A software
programmer charged with copying secret financial-trading code from
Goldman Sachs computers is out on $750,000 bail.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
covering some of the issues discussed in the "Risk Management
Principles for Electronic Banking" published by the Basel Committee
on Bank Supervision.
Board and Management Oversight
The Board of Directors and senior management are responsible for
developing the banking institution's business strategy. An explicit
strategic decision should be made as to whether the Board wishes the
bank to provide e-banking transactional services before beginning to
offer such services. Specifically, the Board should ensure that
e-banking plans are clearly integrated within corporate strategic
goals, a risk analysis is performed of the proposed e-banking
activities, appropriate risk mitigation and monitoring processes are
established for identified risks, and ongoing reviews are conducted
to evaluate the results of e-banking activities against the
institution's business plans and objectives.
In addition, the Board and senior management should ensure that the
operational and security risk dimensions of the institution's
e-banking business strategies are appropriately considered and
addressed. The provision of financial services over the Internet may
significantly modify and/or even increase traditional banking risks
(e.g. strategic, reputational, operational, credit and liquidity
risk). Steps should therefore be taken to ensure that the bank's
existing risk management processes, security control processes, due
diligence and oversight processes for outsourcing relationships are
appropriately evaluated and modified to accommodate e-banking
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 2 of 4)
"Tuning" refers to the creation of signatures that can
distinguish between normal network traffic and potentially malicious
traffic. Proper tuning of these IDS units is essential to reliable
detection of both known attacks and newly developed attacks. Tuning
of some signature - based units for any particular network may take
an extended period of time, and involve extensive analysis of
expected traffic. If an IDS is not properly tuned, the volume of
alerts it generates may degrade the intrusion identification and
Signatures may take several forms. The simplest form is the URL
submitted to a Web server, where certain references, such as cmd.exe,
are indicators of an attack. The nature of traffic to and from a
server can also serve as a signature. An example is the length of a
session and amount of traffic passed. A signature method meant to
focus on sophisticated attackers is protocol analysis, when the
contents of a packet or session are analyzed for activity that
violates standards or expected behavior. That method can catch, for
instance, indicators that servers are being attacked using Internet
control message protocol (ICMP).
Switched networks pose a problem for network IDS. Switches
ordinarily do not broadcast traffic to all ports, and a network IDS
may need to see all traffic to be effective. When switches do not
have a port that receives all traffic, the financial institution may
have to alter their network to include a hub or other device to
allow the IDS to monitor traffic.
Encrypted network traffic will drastically reduce the effectiveness
of a network IDS. Since a network IDS only reads traffic and does
not decrypt the traffic, encrypted traffic will avoid detection.
Return to the top of the
INTRUSION DETECTION AND RESPONSE
4. Determine whether logs of security-related events are sufficient
to assign accountability for intrusion detection system activities,
as well as support intrusion forensics and IDS.
5. Determine if logs of security-related events are appropriately
secured against unauthorized access, change, and deletion for an
adequate time period, and that reporting to those logs is adequately
6. Determine if an appropriate process exists to authorize employee
access to intrusion detection systems and that authentication and
authorization controls limit access to and control the access of
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
15. If the institution provides a short-form initial privacy notice
with the opt out notice, does the institution do so only to
consumers with whom the institution does not have a customer