- CMS Offers HIPAA Guidance on Ransomware - Dispelling a common
notion, the agency says HIPAA breach disclosure rules usually apply
- 38% of UK orgs have no data loss prevention solutions - Most
security pros (88 percent) say that they are happy with their
organisation's security strategy, but 38 percent admit that their
company doesn't have dedicated data loss prevention solutions in
- UK rail network suffers four cyber-attacks in past 12 months - The
UK rail network has been hit by cyber-attacks at least four times in
the past 12 months.
- Russian security firm linked to Carbanak cybergang - The Carbanak
cybergang, which facilitated the heist of $1 billion from banks
around the world last year, was linked to the Russian security firm
- Cardinals exec who hacked Astros sentenced to 46 months in the
grand slammer - The former St. Louis Cardinals baseball executive
who illegally hacked into the Houston Astros' computer systems in
order to gather intelligence and obtain an unfair advantage was
sentenced in Houston yesterday to 46 months in federal prison.
- Hackers compromising checkout process on retail sites, redirecting
shoppers to phishing page - Here's a two-for-one deal that no retail
customer wants: Researchers at Sucuri have uncovered a sampling of
novel e-commerce attacks that combine the classic duplicity of
phishing schemes with the insidiousness of malicious webpage
- IT jobs volume hits peak despite slow start in 2016 - Despite a
slow start at the beginning of 2016, the IT jobs market in London
experienced an upturn in the number of jobs with June being the
highest month so far for job volume in 2016.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Chinese hackers blamed for multiple breaches at U.S. banking
agency - The FDIC failed to promptly report breaches, a
congressional report says. Breaches at the FDIC in 2010, 2011 and
2013 were caused by an "advanced persistent threat ... believed to
have been the Chinese government."
- UK rail network hit by multiple cyber attacks last year - The UK
railway network was the victim of at least four major cyber attacks
in the last 12 months, according to a private security company that
works with the network.
- The Hacking of Ubuntu Linux Forums: Lessons Learned - Two million
usernames and emails were exposed after the breach of unpatched
forum software. Here's what happened and what we should learn from
- Dunlop online slideshow reportedly compromised, visitors
redirected to Neutrino kit - A website for the rubber goods brand
Dunlop was compromised to distribute CryptXXX ransomware to
customers viewing a slideshow of DIY projects featuring its product
- BT Broadband outage blamed on power failure [updated] - BT
Broadband has suffered a major outage this morning and it's pointing
the finger at a power outage in one of its central London service
- Second BT outage calls into question security of critical
infrastructure - The second consecutive outage of BT broadband in
two days calls into question the security of the country's critical
- Cicis Pizza delivers the bad news, confirms breach at 138
locations - Cicis Pizza has officially acknowledged a payment card
data breach in 138 of its restaurant locations, after reports of a
point-of-sale malware attack first came to light last month.
- Library of Congress systems back to normal after four-day DDoS
attack - After a four-day long DDoS assault, the Library of Congress
announced its computer systems have returned to normal.
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Performing the Risk Assessment and Determining Vulnerabilities
Performing a sound risk assessment is critical to establishing an
effective information security program. The risk assessment provides
a framework for establishing policy guidelines and identifying the
risk assessment tools and practices that may be appropriate for an
institution. Banks still should have a written information security
policy, sound security policy guidelines, and well-designed system
architecture, as well as provide for physical security, employee
education, and testing, as part of an effective program.
When institutions contract with third-party providers for
information system services, they should have a sound oversight
program. At a minimum, the security-related clauses of a written
contract should define the responsibilities of both parties with
respect to data confidentiality, system security, and notification
procedures in the event of data or system compromise. The
institution needs to conduct a sufficient analysis of the provider's
security program, including how the provider uses available risk
assessment tools and practices. Institutions also should obtain
copies of independent penetration tests run against the provider's
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses,
Attacks, and Offsetting Controls (Part 2 of 2)
Social engineering involves an attacker obtaining
authenticators by simply asking for them. For instance, the attacker
may masquerade as a legitimate user who needs a password reset, or a
contractor who must have immediate access to correct a system
performance problem. By using persuasion, being aggressive, or using
other interpersonal skills, the attackers encourage a legitimate
user or other authorized person to give them authentication
credentials. Controls against these attacks involve strong
identification policies and employee training.
Client attacks are an area of vulnerability common to all
authentication mechanisms. Passwords, for instance, can be captured
by hardware- or software-based keystroke capture mechanisms. PKI
private keys could be captured or reverse-engineered from their
tokens. Protection against these attacks primarily consists of
physically securing the client systems, and, if a shared secret is
used, changing the secret on a frequency commensurate with risk.
While physically securing the client system is possible within areas
under the financial institution's control, client systems outside
the institution may not be similarly protected.
Replay attacks occur when an attacker eavesdrops and records
the authentication as it is communicated between a client and the
financial institution system, then later uses that recording to
establish a new session with the system and masquerade as the true
user. Protections against replay attacks include changing
cryptographic keys for each session, using dynamic passwords,
expiring sessions through the use of time stamps, expiring PKI
certificates based on dates or number of uses, and implementing
liveness tests for biometric systems.
Hijacking is an attacker's use of an authenticated user's session to
communicate with system components. Controls against hijacking
include encryption of the user's session and the use of encrypted
cookies or other devices to authenticate each communication between
the client and the server.
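The replay and hijacking protections listed above (a fresh key for each session, time stamps that expire old messages, and authenticating every communication between client and server) can be combined in one small server-side verifier. The Python below is an added illustration and is not text or code from the FFIEC booklet or this newsletter; the SessionVerifier class, the make_message helper, the 300-second freshness window and the sample messages are all constructed for the example.

```python
"""Added example: a per-session message verifier that rejects replayed,
tampered and stale authentication messages.  Not from the FFIEC booklet."""

import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 300  # assumed freshness window for a message time stamp


class SessionVerifier:
    """Server side: one key per session, a nonce cache per session."""

    def __init__(self, now=time.time):
        self._now = now             # injectable clock so tests are reproducible
        self._session_keys = {}     # session_id -> per-session HMAC key
        self._seen_nonces = {}      # session_id -> {nonce: timestamp}

    def open_session(self, user):
        """A key captured from one session is useless for any other session."""
        session_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._session_keys[session_id] = key
        self._seen_nonces[session_id] = {}
        return session_id, key

    @staticmethod
    def sign(key, session_id, timestamp, nonce, body):
        """HMAC over every field, so none of them can be altered in transit."""
        msg = f"{session_id}|{timestamp}|{nonce}|{body}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def verify(self, session_id, timestamp, nonce, body, tag):
        """Return 'ok' or the reason the message was refused."""
        key = self._session_keys.get(session_id)
        if key is None:
            return "unknown session"
        expected = self.sign(key, session_id, timestamp, nonce, body)
        if not hmac.compare_digest(expected, tag):
            return "bad tag"                      # forged or tampered message
        if abs(self._now() - timestamp) > MAX_AGE_SECONDS:
            return "stale"                        # recorded long ago, or clock skew
        seen = self._seen_nonces[session_id]
        if nonce in seen:
            return "replay"                       # exact same message seen before
        seen[nonce] = timestamp
        # Nonces older than the window would already be rejected as stale,
        # so forgetting them keeps the cache bounded without weakening the check.
        cutoff = self._now() - MAX_AGE_SECONDS
        for old in [n for n, t in seen.items() if t < cutoff]:
            del seen[old]
        return "ok"


def make_message(key, session_id, body, timestamp):
    """Client side: a fresh random nonce plus the current time stamp."""
    nonce = secrets.token_hex(16)
    tag = SessionVerifier.sign(key, session_id, timestamp, nonce, body)
    return (session_id, timestamp, nonce, body, tag)


def run_demo():
    """Exercise the four outcomes; the clock and messages are constructed."""
    clock = {"t": 1_700_000_000.0}
    verifier = SessionVerifier(now=lambda: clock["t"])
    session_id, key = verifier.open_session("alice")

    msg = make_message(key, session_id, "GET /balance", clock["t"])
    results = [verifier.verify(*msg)]            # genuine message -> ok
    results.append(verifier.verify(*msg))        # same bytes again -> replay

    sid, ts, nonce, body, tag = msg
    results.append(verifier.verify(sid, ts, nonce, "POST /transfer", tag))  # bad tag

    clock["t"] += MAX_AGE_SECONDS + 1            # time passes on the server
    late = make_message(key, session_id, "GET /balance", ts)  # old time stamp
    results.append(verifier.verify(*late))       # stale
    return results


if __name__ == "__main__":
    print(run_demo())
```

The order of the checks matters: the tag is verified first so that an attacker cannot probe the nonce cache or the clock with unauthenticated input, and the time stamp is checked before the nonce so that the nonce cache only ever has to remember one freshness window of traffic.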
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4.1 Human Resources
To ensure an organization has access to workers with the right
skills and knowledge, training and documentation of knowledge are
needed. During a major contingency, people will be under significant
stress and may panic. If the contingency is a regional disaster,
their first concerns will probably be their family and property. In
addition, many people will be either unwilling or unable to come to
work. Additional hiring or temporary services can be used. The use
of additional personnel may introduce security vulnerabilities.
Contingency planning, especially for emergency response, normally
places the highest emphasis on the protection of human life.
11.4.2 Processing Capability
Strategies for processing capability are normally grouped into five
categories: hot site; cold site; redundancy; reciprocal agreements;
and hybrids. These terms originated with recovery strategies for
data centers but can be applied to other platforms.
1. Hot site -- A building already equipped with processing
capability and other services.
2. Cold site -- A building for housing processors that can be
easily adapted for use.
3. Redundant site -- A site equipped and configured exactly like
the primary site. (Some organizations plan on having reduced
processing capability after a disaster and use partial redundancy.
The stocking of spare personal computers or LAN servers also
provides some redundancy.)
4. Reciprocal agreement -- An agreement that allows two
organizations to back each other up. (While this approach often
sounds desirable, contingency planning experts note that this
alternative has the greatest chance of failure due to problems
keeping agreements and plans up-to-date as systems and personnel
5. Hybrids -- Any combination of the above, such as having a
hot site as a backup in case a redundant or reciprocal agreement
site is damaged by a separate contingency.
Recovery may include several stages, perhaps marked by increasing
availability of processing capability. Resumption planning may
include contracts or the ability to place contracts to replace