- Illinois hospital chain to pay record $5.5M for exposing data
about millions of patients - Illinois' largest hospital chain today
agreed to pay a $5.5 million fine by the government for lax data
security that led to the exposure of more than 4 million electronic
- Severe vulnerabilities discovered in HTTP/2 protocol - Four
high-profile bugs have been found in the protocol, potentially
placing 85 million websites at risk. Researchers have discovered a
number of security issues related to the new HTTP/2 protocol which
could place millions of websites at risk of attack.
- Investment in cybersecurity strong as cyberthreats increase -
Venture capitalist investments in cybersecurity firms have seen a
235 percent growth rate over the past five years as cyberthreats
increase, but the trend may not last long.
- 76% of organisations suffer loss or theft of data in past two
years - Over the past two years, three out of every four
organisations have been hit by the loss or theft of important data.
- Online retailer EZcontactsUSA.com to pay $100K over breach -
Following a data breach that compromised 25,000 credit card numbers,
the attorney general of New York reached a settlement with Provision
Supply, d/b/a EZcontactsUSA.com.
- White House finalizes Federal Source Code policy; will launch
Code.gov within 90 days - The White House on Monday published its
finalized Federal Source Code policy, designed to encourage federal
agencies to share code with each other, as well as the open-source
software (OSS) development community.
- Rise of the hacking machines - Will computers get better at
cybersecurity than humans? Experts hope the answer is yes.
- Most Met police computers still using Windows XP - Nearly 30,000
London Metropolitan police computers are still using Windows XP,
raising eyebrows among cyber-security experts who point out that XP
no longer receives security updates from Microsoft.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Banner Health alerts 3.7M potential victims of hack of its
computers - Banner Health, a provider of hospital services, has
notified by mail 3.7 million people, including patients, health plan
members, healthcare providers and customers at its food and beverage
outlets, that their payment card and health plan data, among other
information, may have been compromised.
- O2 confirms USBs distributed in marketing campaign contain virus -
USB pens distributed by the U.K.-based mobile network O2 as part of
a promotional campaign for an eBook were discovered to contain a
“Windows specific virus”, according to an O2 statement sent to
- Carbanak Gang likely behind Oracle MICROS customer service portal
compromise - A breach of Oracle Corp. systems by Russian hackers has
led to a compromise of the MICROS point-of-sale payment system
customer support portal, prompting the company to urge customers to
reset their passwords.
- Newkirk medical records breach impacts 3.3M, Blue Cross Blue
Shield customers affected - Newkirk Products, Inc, a service
provider that issues healthcare ID cards for health insurance plans
including several Blue Cross Blue Shield branches, has begun
notifying approximately 3.3 million people of a data breach.
- Oregon State Hospital notifies patients of breach - Oregon State
Hospital's maximum security ward is notifying patients of a data
breach after a psychiatrist accidentally sent a photograph of
patient records to people outside of the hospital.
- Irish cops probe mystery malware attack - External attempts to
hack into the IT systems of the Garda Síochána prompted a temporary
shut down of several Irish police systems last week.
- Apparent Walmart.com phishing emails coming from legit company
email address - Walmart.com customers are being flooded with
repetitive emails urging them to reset their passwords in what looks
to be a phishing attack.
- Instagram accounts hacked - Symantec researchers spotted an influx
over the last few months in hacked Instagram accounts used to
promote dating spam to earn money through an affiliate program.
- Australian online census swamped by DDoS attack - The website
hosting the online form for Australia's national census was brought
down by a series of distributed denial of service (DDoS) attacks on
Tuesday, temporarily preventing some of the country's citizens from
participating in the population survey, which takes place every five
- Breach of Dota 2 gaming forum exposes 1.9 million accounts - While
players of Valve Corporation's online battle arena game Dota 2 were
busy fighting each other for supremacy, a real-life adversary
recently pulled off his own conquest, stealing 1,923,972 account
records from the official Dota 2 forum's database.
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Hackers may use "social engineering," a scheme that uses social
techniques to obtain the technical information required to access a
system. A hacker may claim to be someone authorized to access the
system, such as an employee or a certain vendor or contractor. The
hacker may then attempt to get a real employee to reveal user names
or passwords, or even to set up new computer accounts. Another threat
involves the practice of "war-dialing," in which hackers use a
program that automatically dials telephone numbers and searches for
modem lines that bypass network firewalls and other security
measures. A few other common forms of system attack include:
Denial of service (system failure), which is any action
preventing a system from operating as intended. It may be the
unauthorized destruction, modification, or delay of service. For
example, in a "SYN Flood" attack, a system can be flooded with
requests to establish a connection, leaving the system with more
open connections than it can support. Legitimate users of the
system being attacked are then unable to connect until the open
connections are closed or time out.
Internet Protocol (IP) spoofing, which allows an intruder
via the Internet to effectively impersonate a local system's IP
address in an attempt to gain access to that system. If other local
systems perform session authentication based on a connection's IP
address, those systems may misinterpret incoming connections from
the intruder as originating from a local trusted host and not
require a password.
Trojan horses, which are programs that contain additional
(hidden) functions that usually allow malicious or unintended
activities. A Trojan horse program generally performs unintended
functions that may include replacing programs, or collecting,
falsifying, or destroying data. Trojan horses can be attached to
e-mails and may create a "back door" that allows unrestricted access
to a system. The programs may automatically exclude logging and
other information that would allow the intruder to be traced.
Viruses, which are computer programs that may be embedded in
other code and can self-replicate. Once active, they may take
unwanted and unexpected actions that can result in either
nondestructive or destructive outcomes in the host computer
programs. The virus program may also move into multiple platforms,
data files, or devices on a system and spread through multiple
systems in a network. Virus programs may be contained in an e-mail
attachment and become active when the attachment is opened.
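The SYN flood item above describes a system left holding more half-open connections than it can serve. The monitor below is an added example (not from the FDIC paper) of how a defender would spot that condition from the host's own socket table: it parses rows in the column layout of `ss -tan`, counts SYN-RECV entries per local port against established ones, and raises an alert when both the count and the half-open-to-established ratio exceed thresholds. The sample rows, the thresholds (`max_half_open=5`, `max_ratio=2.0`) and the addresses are constructed for the demonstration.

```python
"""Half-open TCP connection monitor (added example, not the FDIC paper's code).
Reads a socket table in the column layout of `ss -tan`; sample rows are
constructed."""
from collections import Counter, defaultdict

# Constructed sample in the column layout printed by `ss -tan`.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:443        198.51.100.7:51234
ESTAB     0      0      10.0.0.5:443        198.51.100.8:51240
SYN-RECV  0      0      10.0.0.5:443        203.0.113.10:40001
SYN-RECV  0      0      10.0.0.5:443        203.0.113.11:40002
SYN-RECV  0      0      10.0.0.5:443        203.0.113.12:40003
SYN-RECV  0      0      10.0.0.5:443        203.0.113.13:40004
SYN-RECV  0      0      10.0.0.5:443        203.0.113.14:40005
SYN-RECV  0      0      10.0.0.5:443        203.0.113.10:40006
SYN-RECV  0      0      10.0.0.5:22         203.0.113.20:40007
ESTAB     0      0      10.0.0.5:22         192.0.2.9:55000
LISTEN    0      128    0.0.0.0:443         0.0.0.0:*
"""


def parse_socket_table(text):
    """Return (state, local_port, peer_ip) for each data row, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        local_port = local.rsplit(":", 1)[1]
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_ip))
    return rows


def half_open_report(text, max_half_open=5, max_ratio=2.0):
    """Alert per local port whose half-open (SYN-RECV) backlog is both large in
    absolute terms and large relative to the connections that completed.
    Thresholds are assumptions for the demo; tune them to the service."""
    half_open, established = Counter(), Counter()
    sources = defaultdict(Counter)
    for state, port, peer in parse_socket_table(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            sources[port][peer] += 1
        elif state == "ESTAB":
            established[port] += 1
    alerts = {}
    for port, count in half_open.items():
        ratio = count / max(established[port], 1)
        if count >= max_half_open and ratio >= max_ratio:
            alerts[port] = {
                "half_open": count,
                "established": established[port],
                # Peer addresses in a SYN flood are frequently forged, so this
                # list is context for the analyst, not a blocklist.
                "top_sources": sources[port].most_common(3),
            }
    return alerts


if __name__ == "__main__":
    for port, info in half_open_report(SAMPLE_SS_OUTPUT).items():
        print(f"port {port}: {info['half_open']} half-open vs "
              f"{info['established']} established; sources {info['top_sources']}")
```

On the constructed table only port 443 trips the alert (six half-open against two established); port 22 has a single SYN-RECV and stays quiet. The report deliberately keys on the local port rather than the peer, because the peer addresses in this kind of flood are usually not the true origin.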
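The IP spoofing item above turns on one design decision: whether a session is authenticated by the connection's source address or by something the sender has to prove. The following added example (not from the FDIC paper) places the address-keyed check beside a check bound to a server-held secret via an HMAC-tagged session token. The trusted address, the secret and the token format are constructed for the demonstration.

```python
"""Source-address session authentication beside a secret-bound check
(added example, not the FDIC paper's code). Addresses, the secret and the
token format are constructed."""
import hashlib
import hmac
import secrets

TRUSTED_HOSTS = {"10.0.0.25"}                 # constructed "local trusted host"
SERVER_SECRET = b"constructed-demo-secret"    # hypothetical server-held key


def authorize_by_source_ip(request):
    """Weak control: the source address is a header field the sender fills in,
    so a forged packet presents exactly the same value as the real trusted host."""
    return request.get("src_ip") in TRUSTED_HOSTS


def issue_session_token(user, secret):
    """Issued only after a real login; the tag proves knowledge of the secret."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(secret, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{nonce}:{tag}"


def authorize_by_token(request, secret):
    """Hardened control: accept only a token whose tag verifies under the secret.
    The source address plays no part in the decision."""
    parts = (request.get("token") or "").split(":")
    if len(parts) != 3:
        return False
    user, nonce, tag = parts
    expected = hmac.new(secret, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def compare_checks():
    """Run both checks on two constructed requests and return the outcomes."""
    address_only = {"src_ip": "10.0.0.25"}          # carries nothing but an address
    real_session = {"src_ip": "203.0.113.9",
                    "token": issue_session_token("alice", SERVER_SECRET)}
    return {
        "ip_check_accepts_address_only": authorize_by_source_ip(address_only),
        "token_check_accepts_address_only": authorize_by_token(address_only, SERVER_SECRET),
        "token_check_accepts_real_session": authorize_by_token(real_session, SERVER_SECRET),
    }


if __name__ == "__main__":
    for check, outcome in compare_checks().items():
        print(f"{check}: {outcome}")
```

The address-keyed check accepts any request that merely carries the trusted value; the token check accepts only a request holding a tag computed with the secret, whatever address it arrives from. The source address can still be logged and used as an anomaly signal, but it stops being the authenticator. The token itself needs an encrypted transport so it cannot be read off the wire, which this snippet leaves to the surrounding protocol.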
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Protocols and Ports (Part 1 of 3)
Network communications rely on software protocols to ensure the
proper flow of information. A protocol is a set of rules that allows
communication between two points in a telecommunications connection.
Different types of networks use different protocols. The Internet
and most intranets and extranets, however, are based on the TCP/IP
layered model of protocols. That model has four layers, and
different protocols within each layer. The layers, from bottom to
top, are the network access layer, the Internet layer, the
host-to-host layer, and the application layer. Vulnerabilities and
corresponding attack strategies exist at each layer. This becomes an
important consideration in evaluating the necessary controls.
Hardware and software can use the protocols to restrict network
access. Likewise, attackers can use weaknesses in the protocols to
The primary TCP/IP protocols are the Internet protocol (IP) and the
transmission control protocol (TCP). IP is used to route messages
between devices on a network, and operates at the Internet layer.
TCP operates at the host-to-host layer, and provides a
connection-oriented, full-duplex, virtual circuit between hosts.
Different protocols support different services for the network. The
different services often introduce additional vulnerabilities. For
example, a third protocol, the user datagram protocol (UDP), is also
used at the host-to-host layer. Unlike TCP, UDP is not
connection-oriented, which makes it faster and a better protocol for
supporting broadcast and streaming services. Since UDP is not
connection-oriented, however, firewalls often do not effectively
filter it. To provide additional safeguards, it is often blocked
entirely from inbound traffic or additional controls are added to
verify and authenticate inbound UDP packets as coming from a trusted
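The paragraphs above describe the layered model (IP at the Internet layer carrying TCP or UDP at the host-to-host layer) and the consequence for filtering: TCP's handshake gives a firewall state to track, UDP gives it none, so inbound UDP is either blocked or admitted only from trusted sources. The added example below (not part of the FFIEC booklet) constructs packets with `struct`, walks them layer by layer, and applies exactly that policy in a small stateful filter. The service port, addresses and the trusted-resolver list are assumptions for the demo; checksums are left at zero.

```python
"""Layered packet parsing and a minimal stateful filter (added example, not
the FFIEC booklet's code). Packets are constructed; addresses, the published
service port and the trusted UDP source are assumptions."""
import struct
from ipaddress import IPv4Address

PROTO_TCP, PROTO_UDP = 6, 17           # protocol numbers carried in the IP header
SYN, ACK = 0x02, 0x10                  # TCP flag bits
ALLOWED_TCP_SERVICES = {443}           # assumed: the only inbound service published
TRUSTED_UDP_SOURCES = {"192.0.2.53"}   # assumed: the organisation's DNS resolver


def build_ipv4(src, dst, proto, payload):
    """Internet layer: 20-byte IPv4 header, no options, checksum left zero."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, IPv4Address(src).packed,
                         IPv4Address(dst).packed)
    return header + payload


def build_tcp(sport, dport, flags):
    """Host-to-host layer: minimal TCP header (data offset 5 words)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_udp(sport, dport, data=b""):
    """Host-to-host layer: 8-byte UDP header; no handshake, hence no state."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse(packet):
    """Walk the layers: IP header first, then the transport header it carries."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"src": str(IPv4Address(packet[12:16])),
            "dst": str(IPv4Address(packet[16:20]))}
    transport = packet[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", transport[:4])
    if proto == PROTO_TCP:
        flags = transport[13]
        info.update(proto="tcp", syn=bool(flags & SYN), ack=bool(flags & ACK))
    elif proto == PROTO_UDP:
        info["proto"] = "udp"
    else:
        info["proto"] = proto
    return info


class StatefulFilter:
    """Tracks TCP connections by 4-tuple; has nothing to track for UDP."""

    def __init__(self):
        self.tcp_state = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, packet, direction):
        p = parse(packet)
        if p["proto"] == "tcp":
            if direction == "out":
                if p["syn"] and not p["ack"]:   # inside host opens a connection
                    self.tcp_state.add((p["src"], p["sport"], p["dst"], p["dport"]))
                return "allow"
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if key in self.tcp_state:
                return "allow"                  # reply on a known connection
            if p["syn"] and not p["ack"] and p["dport"] in ALLOWED_TCP_SERVICES:
                self.tcp_state.add(key)         # new connection to a published service
                return "allow"
            return "drop"
        if p["proto"] == "udp":
            if direction == "out":
                return "allow"
            # No handshake to anchor state on, so inbound UDP is admitted only
            # from explicitly trusted sources, the control the booklet describes.
            return "allow" if p["src"] in TRUSTED_UDP_SOURCES else "drop"
        return "drop"


if __name__ == "__main__":
    fw = StatefulFilter()
    fw.decide(build_ipv4("10.0.0.5", "198.51.100.7", PROTO_TCP, build_tcp(40000, 443, SYN)), "out")
    print(fw.decide(build_ipv4("198.51.100.7", "10.0.0.5", PROTO_TCP,
                               build_tcp(443, 40000, SYN | ACK)), "in"))      # allow
    print(fw.decide(build_ipv4("203.0.113.9", "10.0.0.5", PROTO_UDP,
                               build_udp(53, 33000)), "in"))                 # drop
```

The TCP branch admits an inbound segment only when it matches a connection the inside host opened or is a fresh SYN to a published service; the UDP branch has no handshake to consult and falls back to the trusted-source list. Real firewalls add timeouts and pseudo-state for UDP, but the asymmetry the booklet points to is exactly what the two branches show.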
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
All personnel should be trained in their contingency-related
duties. New personnel should be trained as they join the
organization, refresher training may be needed, and personnel will
need to practice their skills.
Training is particularly important for effective employee response
during emergencies. There is no time to check a manual to determine
correct procedures if there is a fire. Depending on the nature of
the emergency, there may or may not be time to protect equipment and
other assets. Practice is necessary in order to react correctly,
especially when human safety is involved.
11.6 Step 6: Testing and Revising
A contingency plan should be tested periodically because there will
undoubtedly be flaws in the plan and in its implementation. The plan
will become dated as time passes and as the resources used to
support critical functions change. Responsibility for keeping the
contingency plan current should be specifically assigned. The extent
and frequency of testing will vary between organizations and among
systems. There are several types of testing, including reviews,
analyses, and simulations of disasters.
Contingency plan maintenance can be incorporated into procedures
for change management so that upgrades to hardware and software are
reflected in the plan.
A review can be a simple test to check the accuracy of contingency
plan documentation. For instance, a reviewer could check if
individuals listed are still in the organization and still have the
responsibilities that caused them to be included in the plan. This
test can check home and work telephone numbers, organizational
codes, and building and room numbers. The review can determine if
files can be restored from backup tapes or if employees know
An analysis may be performed on the entire plan or portions of it,
such as emergency response procedures. It is beneficial if the
analysis is performed by someone who did not help develop the
contingency plan but has a good working knowledge of the critical
function and supporting resources. The analyst(s) may mentally
follow the strategies in the contingency plan, looking for flaws in
the logic or process used by the plan's developers. The analyst may
also interview functional managers, resource managers, and their
staff to uncover missing or unworkable pieces of the plan.
Organizations may also arrange disaster simulations. These tests
provide valuable information about flaws in the contingency plan and
provide practice for a real emergency. While they can be expensive,
these tests can also provide critical information that can be used
to ensure the continuity of important functions. In general, the
more critical the functions and the resources addressed in the
contingency plan, the more cost-beneficial it is to perform a
The results of a "test" often imply a grade assigned for a
specific level of performance, or simply pass or fail. However, in
the case of contingency planning, a test should be used to improve
the plan. If organizations do not use this approach, flaws in the
plan may remain hidden and uncorrected.
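The "review" type of test described above checks whether the individuals a contingency plan lists are still in the organization, still hold the responsibilities that put them in the plan, and still have the recorded telephone numbers, organizational codes and room numbers. The script below is an added example (not part of the NIST chapter) of running that review automatically against a personnel directory extract and of flagging a plan whose last review is older than policy allows. The roster, the directory, the dates and the one-year review interval are all constructed for the demonstration.

```python
"""Documentation review of a contingency-plan roster (added example, not the
NIST chapter's code). Roster, directory extract, dates and the review
interval are constructed."""
from datetime import date

# Constructed: what the contingency plan currently lists.
PLAN_ROSTER = [
    {"role": "Recovery coordinator", "name": "A. Rivera", "org_code": "IT-OPS",
     "work_phone": "555-0101", "building": "B2", "room": "210"},
    {"role": "Facilities lead", "name": "J. Chen", "org_code": "FAC",
     "work_phone": "555-0102", "building": "B1", "room": "105"},
    {"role": "Backup restore operator", "name": "M. Okafor", "org_code": "IT-OPS",
     "work_phone": "555-0103", "building": "B2", "room": "220"},
    {"role": "Communications officer", "name": "S. Patel", "org_code": "COMMS",
     "work_phone": "555-0104", "building": "B3", "room": "301"},
]
PLAN_LAST_REVIEWED = date(2015, 6, 1)   # constructed
AS_OF = date(2016, 8, 15)               # constructed date of this review

# Constructed: extract from the personnel directory, treated as authoritative.
DIRECTORY = {
    "A. Rivera": {"active": True, "org_code": "IT-OPS", "work_phone": "555-0101",
                  "building": "B2", "room": "214"},   # moved office
    "J. Chen":   {"active": False},                    # left the organization
    "M. Okafor": {"active": True, "org_code": "FIN", "work_phone": "555-0103",
                  "building": "B2", "room": "220"},   # changed department
    "S. Patel":  {"active": True, "org_code": "COMMS", "work_phone": "555-0104",
                  "building": "B3", "room": "301"},   # unchanged
}

CHECKED_FIELDS = ("org_code", "work_phone", "building", "room")


def review_roster(plan, directory):
    """Return one (role, name, problem) finding per discrepancy between the
    plan and the directory; a departed person yields a single finding."""
    findings = []
    for entry in plan:
        record = directory.get(entry["name"])
        if record is None or not record.get("active"):
            findings.append((entry["role"], entry["name"], "no longer in organization"))
            continue
        for field in CHECKED_FIELDS:
            if record.get(field) != entry.get(field):
                findings.append((entry["role"], entry["name"],
                                 f"{field}: plan has {entry[field]!r}, "
                                 f"directory has {record.get(field)!r}"))
    return findings


def plan_is_stale(last_reviewed, today, max_age_days=365):
    """Flag a plan whose last documented review is older than policy allows
    (the one-year interval is an assumption for the demo)."""
    return (today - last_reviewed).days > max_age_days


if __name__ == "__main__":
    for role, name, problem in review_roster(PLAN_ROSTER, DIRECTORY):
        print(f"{role} ({name}): {problem}")
    print("plan overdue for review:", plan_is_stale(PLAN_LAST_REVIEWED, AS_OF))
```

On the constructed data the review produces three findings: one person has left, one has moved to another organizational code (so may no longer hold the responsibility), and one has a stale room number. Wiring a check like this into the change-management procedure, as the chapter suggests, keeps these discrepancies from accumulating between formal tests.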