FYI - NIST Says SMS-Based Two-Factor Authentication Isn't Secure - Updated guidelines from the National Institute of Standards and Technology say SMS-based two-factor authentication should be banned.  http://www.eweek.com/security/nist-says-sms-based-two-factor-authentication-isnt-secure.html

FYI - OMB issues A-130 update - The Office of Management and Budget has released the long-awaited update to Circular A-130, the overarching framework for federal information policy. https://fcw.com/articles/2016/07/27/omb-a130-update.aspx

FYI - FBI to lead nation's cyberattack responses - But doubts remain about whether feds have their cybersecurity act together - President Barack Obama issued a policy directive Tuesday putting the FBI in charge of cyberattack responses. For businesses, this means the FBI should be in the speed dial if help is needed. http://www.computerworld.com/article/3100625/security/fbi-to-lead-nations-cyberattack-responses.html

FYI - FBI posts 'Cyber's Most Wanted' list - They may not appear on posters in the post office, but the FBI's "Cyber's Most Wanted" list features 26 accused criminals, including the so-called "Iranian DDoS attacks," a group of seven Iranian nationals sought for their involvement in conspiracies to conduct a coordinated campaign of distributed denial-of-service (DDoS) attacks against the United States financial sector and other U.S.-based companies. http://www.scmagazine.com/fbi-posts-cybers-most-wanted-list/article/512686/

FYI - Microsoft mandates Windows 10 hardware change for PC security - Microsoft is rolling out a change in minimum hardware requirements for Windows 10 PCs and mobile devices, and expects hardware makers to comply in order to make their devices more secure. http://www.computerworld.com/article/3101427/security/microsoft-mandates-windows-10-hardware-change-for-pc-security.html

FYI - SANS - Researchers have found that security weaknesses in some wireless keyboards could allow attackers to inject keystrokes and to read everything users type, spelling trouble for the security of account access credentials and any other sensitive communications. To sniff this information, attackers would need to be within 250 feet of a targeted device.
Report - https://www.dreamlab.net/wp-content/uploads/2012/06/Whitepaper-27_Mhz_keyboard_insecurities.pdf
Keysweeper - http://samy.pl/keysweeper/

FYI - We want you! Organizations see huge hole in cybersecurity staffing needs - The dearth of trained cybersecurity professionals is having a direct and measurable negative impact on organizations and many companies are addressing this shortfall by outsourcing some their cybersecurity work, according to a new report. http://www.scmagazine.com/we-want-you-organizations-see-huge-hole-in-cybersecurity-staffing-needs/article/512853/

FYI - DHS sets guidelines for reporting cyberattack to the feds - The U.S. Department of Homeland Security (DHS) has issued guidelines to help organizations properly report cyber incidents to the proper federal office. http://www.scmagazine.com/dhs-sets-guidelines-for-reporting-cyberattack-to-the-feds/article/513316/

FYI - Nine out of 10 UK orgs don't encrypt over 75% of data in the cloud - Companies are not adopting appropriate governance and security measures to protect sensitive data in the cloud according to a report. http://www.scmagazine.com/nine-out-of-10-uk-orgs-dont-encrypt-over-75-of-data-in-the-cloud/article/512974/

FYI - Barclays rolls out voice recognition security - All clients of Barclays bank will now be able to verify their banking accounts using voice-recognition technology. http://www.scmagazine.com/barclays-rolls-out-voice-recognition-security/article/513315/

FYI - Social Security Administration Now Requires Two-Factor Authentication - Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves. http://krebsonsecurity.com/2016/08/social-security-administration-now-requires-two-factor-authentication/

FYI - 59% of IT leaders feel the 'traditional' IT dept no longer exists - Nearly six in ten (59 percent) IT leaders believe the ‘traditional' IT department no longer exists in modern business. http://www.scmagazine.com/59-of-it-leaders-feel-the-traditional-it-dept-no-longer-exists/article/513434/

FYI - 82% of global IT pros admit to a shortage of cyber-security skills - On a global scale, the UK IT industry is the least satisfied with its education system. Only 14 percent of UK IT decision makers (ITDMs) feel that the UK education system fully prepares professionals for the cyber-security industry. http://www.scmagazine.com/82-of-global-it-pros-admit-to-a-shortage-of-cyber-security-skills/article/513433/

FYI - Legacy systems within U.S. finacial sector likely to blame for breaches, report - A recent SecurityScorecard study claims America's financial industry is highly susceptible to data breaches and legacy systems may be to blame. http://www.scmagazine.com/study-finds-companies-within-the-financial-sector-are-highly-susceptible-to-a-breach/article/513962/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Kimpton Hotels Probes Card Breach Claims - Kimpton Hotels, a boutique hotel brand that includes 62 properties across the United States, said today it is investigating reports of a credit card breach at multiple locations. http://krebsonsecurity.com/2016/07/kimpton-hotels-probes-card-breach-claims/

FYI - Clinton Campaign systems hacked - If the Democrats are lucky, hacks, like celebrity deaths will come in threes and the latest intrusion -- this time into Hillary Clinton's campaign network -- will be the last in a series of targeted attacks. http://www.scmagazine.com/clinton-campaign-systems-hacked/article/512950/

FYI - Oklahoma news hit with malvertising attack - Oklahoma's News 9 website is reportedly safe to visit after a malvertising attack which lasted at least a week. http://www.scmagazine.com/oklahomas-news-9-site-reportedly-safe-to-visit/article/512849/

FYI - 390K affected in Disney Playdom forums breach - Disney Consumer Products and Interactive Media are notifying users that an unauthorized party compromised the Disney Playdom forums website and accessed user information. http://www.scmagazine.com/390k-affected-in-disney-playdom-forums-breach/article/512966/

FYI - Chinese hackers take down Vietnam airport systems - A group of hackers linked to China have allegedly compromised systems at major Vietnamese airports. http://www.zdnet.com/article/chinese-hackers-take-down-vietnam-airport-systems/

FYI - Hackers have stolen $72 million worth of bitcoin - $72 million worth of bitcoins have been stolen from Hong Kong-based bitcoin exchange causing the price of bitcoins to drop, casting doubt on the government's decision to use blockchain technology for its Crown Commercial Service. http://www.scmagazine.com/hackers-have-stolen-72-million-worth-of-bitcoin/article/513729/

FYI - Banner Health data breach impacts 3.7 million - Phoenix-based Banner Health is notifying patients of a cyberattack that compromised patient records. http://www.scmagazine.com/banner-health-data-breach-impacts-37-million/article/514213/

FYI - Telegram API flaw leaks 15 million Iranian users' data - Two independent security researchers claim that an Iranian hacking group managed to obtain public information and phone numbers from15 million Iranian users of the Telegram messaging app. http://www.scmagazine.com/telegram-api-flaw-leaks-15-million-iranian-users-data/article/514084/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 
 
 Potential Threats To Consider
 
 Serious hackers, interested computer novices, dishonest vendors or competitors, disgruntled current or former employees, organized crime, or even agents of espionage pose a potential threat to an institution's computer security. The Internet provides a wealth of information to banks and hackers alike on known security flaws in hardware and software. Using almost any search engine, average Internet users can quickly find information describing how to break into various systems by exploiting known security flaws and software bugs. Hackers also may breach security by misusing vulnerability assessment tools to probe network systems, then exploiting any identified weaknesses to gain unauthorized access to a system. Internal misuse of information systems remains an ever-present security threat.
 
 Many break-ins or insider misuses of information occur due to poor security programs. Hackers often exploit well-known weaknesses and security defects in operating systems that have not been appropriately addressed by the institution. Inadequate maintenance and improper system design may also allow hackers to exploit a security system. New security risks arise from evolving attack methods or newly detected holes and bugs in existing software and hardware. Also, new risks may be introduced as systems are altered or upgraded, or through the improper setup of available security-related tools. An institution needs to stay abreast of new security threats and vulnerabilities. It is equally important to keep up to date on the latest security patches and version upgrades that are available to fix security flaws and bugs. Information security and relevant vendor Web sites contain much of this information.
 
 Systems can be vulnerable to a variety of threats, including the misuse or theft of passwords. Hackers may use password cracking programs to figure out poorly selected passwords. The passwords may then be used to access other parts of the system. By monitoring network traffic, unauthorized users can easily steal unencrypted passwords. The theft of passwords is more difficult if they are encrypted. Employees or hackers may also attempt to compromise system administrator access (root access), tamper with critical files, read confidential e-mail, or initiate unauthorized e-mails or transactions.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
 
 Network Configuration
 
 Computer networks often extend connectivity far beyond the financial institution and its data center. Networks provide system access and connectivity between business units, affiliates, TSPs, business partners, customers, and the public. This increased connectivity requires additional controls to segregate and restrict access between various groups and information users.
 
 A typical approach to securing a large network involves dividing the network into logical security domains. A logical security domain is a distinct part of a network with security policies that differ from other domains. The differences may be far broader than network controls, encompassing personnel, host, and other issues.
 
 Typical network controls that distinguish security domains include access control software permissions, dedicated lines, filtering routers, firewalls, remote-access servers, and virtual private networks. This booklet will discuss additional access controls within the applications and operating systems residing on the network in other sections. Before selecting the appropriate controls, financial institutions should map and configure the network to identify and control all access control points. Network configuration considerations could include the following actions:
 
 ! Identifying the various applications and user-groups accessed via the network;
 
 ! Identifying all access points to the network including various telecommunications channels (e.g., wireless, Ethernet, frame relay, dedicated lines, remote dial - up access, extranets, Internet);
 
 ! Mapping the internal and external connectivity between various network segments;
 
 ! Defining minimum access requirements for network services (i.e., most often referenced as a network services access policy); and
 
 ! Determining the most appropriate network configuration to ensure adequate security and performance.
 
 With a clear understanding of network connectivity, the financial institution can avoid introducing security vulnerabilities by minimizing access to less - trusted domains and employing encryption for less secure connections. Institutions can then determine the most effective deployment of protocols, filtering routers, firewalls, gateways, proxy servers, and/or physical isolation to restrict access. Some applications and business processes may require complete segregation from the corporate network (e.g., no connectivity between corporate network and wire transfer system). Others may restrict access by placing the services that must be accessed by each zone in their own security domain, commonly called a "demilitarized zone" (DMZ).

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 11.5    Step 5: Implementing the Contingency Strategies
 
 Once the contingency planning strategies have been selected, it is necessary to make appropriate preparations, document the strategies, and train employees. Many of these tasks are ongoing.
 
 11.5.1 Implementation
 
 Much preparation is needed to implement the strategies for protecting critical functions and their supporting resources. For example, one common preparation is to establish procedures for backing up files and applications. Another is to establish contracts and agreements, if the contingency strategy calls for them. Existing service contracts may need to be renegotiated to add contingency services. Another preparation may be to purchase equipment, especially to support a redundant capability.
 
 It is important to keep preparations, including documentation, up-to-date. Computer systems change rapidly and so should backup services and redundant equipment. Contracts and agreements may also need to reflect the changes. If additional equipment is needed, it must be maintained and periodically replaced when it is no longer dependable or no longer fits the organization's architecture.
 
 Preparation should also include formally designating people who are responsible for various tasks in the event of a contingency. These people are often referred to as the contingency response team. This team is often composed of people who were a part of the contingency planning team.
 
 There are many important implementation issues for an organization. Two of the most important are 1) how many plans should be developed? and 2) who prepares each plan? Both of these questions revolve around the organization's overall strategy for contingency planning. The answers should be documented in organization policy and procedures.
 
 Backing up data files and applications is a critical part of virtually every contingency plan. Backups are used, for example, to restore files after a personal computer virus corrupts the files or after a hurricane destroys a data processing center.
 
 How many plans?
 
 Some organizations have just one plan for the entire organization, and others have a plan for every distinct computer system, application, or other resource. Other approaches recommend a plan for each business or mission function, with separate plans, as needed, for critical resources.
 
 The answer to the question, therefore, depends upon the unique circumstances for each organization. But it is critical to coordinate between resource managers and functional managers who are responsible for the mission or business.
 
 Who Prepares the Plan?
 
 If an organization decides on a centralized approach to contingency planning, it may be best to name a contingency planning coordinator. The coordinator prepares the plans in cooperation with various functional and resource managers. Some organizations place responsibility directly with the functional and resource managers.
 
 Relationship Between Contingency Plans and Computer Security Plans
 
 For small or less complex systems, the contingency plan may be a part of the computer security plan. For larger or more complex systems, the computer security plan could contain a brief synopsis of the contingency plan, which would be a separate document.
 
 11.5.2 Documenting
 
 The contingency plan needs to be written, kept up-to-date as the system and other factors change, and stored in a safe place. A written plan is critical during a contingency, especially if the person who developed the plan is unavailable. It should clearly state in simple language the sequence of tasks to be performed in the event of a contingency so that someone with minimal knowledge could immediately begin to execute the plan. It is generally helpful to store up-to-date copies of the contingency plan in several locations, including any off-site locations, such as alternate processing sites or backup data storage facilities.