- NIST Says SMS-Based Two-Factor Authentication Isn't Secure -
Updated guidelines from the National Institute of Standards and
Technology say SMS-based two-factor authentication should be banned.
OMB issues A-130 update - The Office of Management and Budget has
released the long-awaited update to Circular A-130, the overarching
framework for federal information policy.
FBI to lead nation's cyberattack responses - But doubts remain about
whether feds have their cybersecurity act together - President
Barack Obama issued a policy directive Tuesday putting the FBI in
charge of cyberattack responses. For businesses, this means the FBI
should be in the speed dial if help is needed.
FBI posts 'Cyber's Most Wanted' list - They may not appear on
posters in the post office, but the FBI's "Cyber's Most Wanted" list
features 26 accused criminals, including the so-called "Iranian DDoS
attacks," a group of seven Iranian nationals sought for their
involvement in conspiracies to conduct a coordinated campaign of
distributed denial-of-service (DDoS) attacks against the United
States financial sector and other U.S.-based companies.
Microsoft mandates Windows 10 hardware change for PC security -
Microsoft is rolling out a change in minimum hardware requirements
for Windows 10 PCs and mobile devices, and expects hardware makers
to comply in order to make their devices more secure.
SANS - Researchers have found that security weaknesses in some
wireless keyboards could allow attackers to inject keystrokes and to
read everything users type, spelling trouble for the security of
account access credentials and any other sensitive communications.
To sniff this information, attackers would need to be within 250
feet of a targeted device.
Keysweeper - http://samy.pl/keysweeper/
We want you! Organizations see huge hole in cybersecurity staffing
needs - The dearth of trained cybersecurity professionals is having
a direct and measurable negative impact on organizations and many
companies are addressing this shortfall by outsourcing some of their
cybersecurity work, according to a new report.
DHS sets guidelines for reporting cyberattack to the feds - The U.S.
Department of Homeland Security (DHS) has issued guidelines to help
organizations properly report cyber incidents to the proper federal
Nine out of 10 UK orgs don't encrypt over 75% of data in the cloud -
Companies are not adopting appropriate governance and security
measures to protect sensitive data in the cloud according to a
Barclays rolls out voice recognition security - All clients of
Barclays bank will now be able to verify their banking accounts
using voice-recognition technology.
Social Security Administration Now Requires Two-Factor
Authentication - Unfortunately, the new security measure
does little to prevent identity thieves from fraudulently
creating online accounts to siphon benefits from Americans who
haven’t yet created accounts for themselves.
- 59% of IT leaders feel the 'traditional' IT dept no longer exists
- Nearly six in ten (59 percent) IT leaders believe the
'traditional' IT department no longer exists in modern business.
- 82% of global IT pros admit to a shortage of cyber-security skills
- On a global scale, the UK IT industry is the least satisfied with
its education system. Only 14 percent of UK IT decision makers
(ITDMs) feel that the UK education system fully prepares
professionals for the cyber-security industry.
- Legacy systems within U.S. financial sector likely to blame for
breaches, report - A recent SecurityScorecard study claims America's
financial industry is highly susceptible to data breaches and legacy
systems may be to blame.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Kimpton Hotels Probes Card Breach Claims - Kimpton Hotels, a
boutique hotel brand that includes 62 properties across the United
States, said today it is investigating reports of a credit card
breach at multiple locations.
Clinton Campaign systems hacked - If the Democrats are lucky, hacks,
like celebrity deaths, will come in threes and the latest intrusion
-- this time into Hillary Clinton's campaign network -- will be the
last in a series of targeted attacks.
Oklahoma news hit with malvertising attack - Oklahoma's News 9
website is reportedly safe to visit after a malvertising attack
which lasted at least a week.
390K affected in Disney Playdom forums breach - Disney Consumer
Products and Interactive Media are notifying users that an
unauthorized party compromised the Disney Playdom forums website and
accessed user information.
Chinese hackers take down Vietnam airport systems - A group of
hackers linked to China have allegedly compromised systems at major
- Hackers have stolen $72 million worth of bitcoin - $72 million
worth of bitcoins have been stolen from a Hong Kong-based bitcoin
exchange, causing the price of bitcoins to drop, casting doubt on the
government's decision to use blockchain technology for its Crown
- Banner Health data breach impacts 3.7 million - Phoenix-based
Banner Health is notifying patients of a cyberattack that
compromised patient records.
- Telegram API flaw leaks 15 million Iranian users' data - Two
independent security researchers claim that an Iranian hacking group
managed to obtain public information and phone numbers from 15
million Iranian users of the Telegram messaging app.
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Potential Threats To Consider
Serious hackers, interested computer novices, dishonest vendors or
competitors, disgruntled current or former employees, organized
crime, or even agents of espionage pose a potential threat to an
institution's computer security. The Internet provides a wealth of
information to banks and hackers alike on known security flaws in
hardware and software. Using almost any search engine, average
Internet users can quickly find information describing how to break
into various systems by exploiting known security flaws and software
bugs. Hackers also may breach security by misusing vulnerability
assessment tools to probe network systems, then exploiting any
identified weaknesses to gain unauthorized access to a system.
Internal misuse of information systems remains an ever-present
Many break-ins or insider misuses of information occur due to poor
security programs. Hackers often exploit well-known weaknesses and
security defects in operating systems that have not been
appropriately addressed by the institution. Inadequate maintenance
and improper system design may also allow hackers to exploit a
security system. New security risks arise from evolving attack
methods or newly detected holes and bugs in existing software and
hardware. Also, new risks may be introduced as systems are altered
or upgraded, or through the improper setup of available
security-related tools. An institution needs to stay abreast of new
security threats and vulnerabilities. It is equally important to
keep up to date on the latest security patches and version upgrades
that are available to fix security flaws and bugs. Information
security and relevant vendor Web sites contain much of this
Systems can be vulnerable to a variety of threats, including the
misuse or theft of passwords. Hackers may use password cracking
programs to figure out poorly selected passwords. The passwords may
then be used to access other parts of the system. By monitoring
network traffic, unauthorized users can easily steal unencrypted
passwords. The theft of passwords is more difficult if they are
encrypted. Employees or hackers may also attempt to compromise
system administrator access (root access), tamper with critical
files, read confidential e-mail, or initiate unauthorized e-mails or
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Computer networks often extend connectivity far beyond the
financial institution and its data center. Networks provide system
access and connectivity between business units, affiliates, TSPs,
business partners, customers, and the public. This increased
connectivity requires additional controls to segregate and restrict
access between various groups and information users.
A typical approach to securing a large network involves dividing
the network into logical security domains. A logical security domain
is a distinct part of a network with security policies that differ
from other domains. The differences may be far broader than network
controls, encompassing personnel, host, and other issues.
Typical network controls that distinguish security domains include
access control software permissions, dedicated lines, filtering
routers, firewalls, remote-access servers, and virtual private
networks. This booklet will discuss additional access controls
within the applications and operating systems residing on the
network in other sections. Before selecting the appropriate
controls, financial institutions should map and configure the
network to identify and control all access control points. Network
configuration considerations could include the following actions:
! Identifying the various applications and user-groups accessed via
! Identifying all access points to the network including various
telecommunications channels (e.g., wireless, Ethernet, frame relay,
dedicated lines, remote dial-up access, extranets, Internet);
! Mapping the internal and external connectivity between various
! Defining minimum access requirements for network services (i.e.,
most often referenced as a network services access policy); and
! Determining the most appropriate network configuration to ensure
adequate security and performance.
With a clear understanding of network connectivity, the financial
institution can avoid introducing security vulnerabilities by
minimizing access to less-trusted domains and employing encryption
for less secure connections. Institutions can then determine the
most effective deployment of protocols, filtering routers,
firewalls, gateways, proxy servers, and/or physical isolation to
restrict access. Some applications and business processes may
require complete segregation from the corporate network (e.g., no
connectivity between corporate network and wire transfer system).
Others may restrict access by placing the services that must be
accessed by each zone in their own security domain, commonly called
a "demilitarized zone" (DMZ).
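The network services access policy and zone segregation described above, as an added example (not code from the FFIEC booklet): a default-deny policy between logical security domains, checked against a constructed connectivity inventory. Zone names, services and sample flows are assumptions made for the example.

```python
"""Zone-based network services access policy checker (added example,
not from the FFIEC booklet). Encodes "minimum access requirements for
network services" as a default-deny policy between logical security
domains and checks a constructed connectivity inventory against it.
Zone names, services and the sample flows are assumptions."""
from dataclasses import dataclass

ZONES = ("internet", "dmz", "corporate", "wire_transfer")

# (source zone, destination zone) -> permitted services. Anything not
# listed is denied. No rule joins "corporate" and "wire_transfer",
# mirroring the booklet's complete-segregation example.
POLICY = {
    ("internet", "dmz"): {"https"},
    ("dmz", "corporate"): {"ldap"},        # directory lookups only
    ("corporate", "dmz"): {"https", "ssh"},
    ("corporate", "internet"): {"https"},  # through the proxy server
}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str

def is_allowed(flow: Flow) -> bool:
    """Default deny: permitted only if an explicit rule names the zone
    pair and service. Traffic within one zone is not cross-domain
    access and is left to host and application controls."""
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        raise ValueError(f"unknown zone in {flow}")
    if flow.src_zone == flow.dst_zone:
        return True
    return flow.service in POLICY.get((flow.src_zone, flow.dst_zone), set())

def find_violations(flows):
    """Flows present in the mapped network but not permitted by policy:
    these are the access points to close or re-route."""
    return [f for f in flows if not is_allowed(f)]

# Constructed inventory, standing in for the result of mapping the network.
OBSERVED = [
    Flow("internet", "dmz", "https"),
    Flow("internet", "dmz", "ssh"),             # management exposed to Internet
    Flow("corporate", "wire_transfer", "smb"),  # breaks complete segregation
    Flow("dmz", "corporate", "ldap"),
    Flow("corporate", "corporate", "rdp"),
]
```

Running `find_violations(OBSERVED)` returns the two flows that contradict the policy: Internet-facing SSH into the DMZ and the corporate-to-wire-transfer connection.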
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue our series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.5 Step 5: Implementing the Contingency Strategies
Once the contingency planning strategies have been selected, it is
necessary to make appropriate preparations, document the strategies,
and train employees. Many of these tasks are ongoing.
Much preparation is needed to implement the strategies for
protecting critical functions and their supporting resources. For
example, one common preparation is to establish procedures for
backing up files and applications. Another is to establish contracts
and agreements, if the contingency strategy calls for them. Existing
service contracts may need to be renegotiated to add contingency
services. Another preparation may be to purchase equipment,
especially to support a redundant capability.
It is important to keep preparations, including documentation,
up-to-date. Computer systems change rapidly and so should backup
services and redundant equipment. Contracts and agreements may also
need to reflect the changes. If additional equipment is needed, it
must be maintained and periodically replaced when it is no longer
dependable or no longer fits the organization's architecture.
Preparation should also include formally designating people who are
responsible for various tasks in the event of a contingency. These
people are often referred to as the contingency response team. This
team is often composed of people who were a part of the contingency
There are many important implementation issues for an organization.
Two of the most important are 1) how many plans should be developed?
and 2) who prepares each plan? Both of these questions revolve
around the organization's overall strategy for contingency planning.
The answers should be documented in organization policy and
Backing up data files and applications is a critical part of
virtually every contingency plan. Backups are used, for example, to
restore files after a personal computer virus corrupts the files or
after a hurricane destroys a data processing center.
How many plans?
Some organizations have just one plan for the entire organization,
and others have a plan for every distinct computer system,
application, or other resource. Other approaches recommend a plan
for each business or mission function, with separate plans, as
needed, for critical resources.
The answer to the question, therefore, depends upon the unique
circumstances for each organization. But it is critical to
coordinate between resource managers and functional managers who are
responsible for the mission or business.
Who Prepares the Plan?
If an organization decides on a centralized approach to contingency
planning, it may be best to name a contingency planning coordinator.
The coordinator prepares the plans in cooperation with various
functional and resource managers. Some organizations place
responsibility directly with the functional and resource managers.
Relationship Between Contingency Plans and Computer Security Plans
For small or less complex systems, the contingency plan may be a
part of the computer security plan. For larger or more complex
systems, the computer security plan could contain a brief synopsis
of the contingency plan, which would be a separate document.
The contingency plan needs to be written, kept up-to-date as the
system and other factors change, and stored in a safe place. A
written plan is critical during a contingency, especially if the
person who developed the plan is unavailable. It should clearly
state in simple language the sequence of tasks to be performed in
the event of a contingency so that someone with minimal knowledge
could immediately begin to execute the plan. It is generally helpful
to store up-to-date copies of the contingency plan in several
locations, including any off-site locations, such as alternate
processing sites or backup data storage facilities.