- Interior Dept. must update access control standards to meet NIST
guidelines - The U.S. Department of the Interior (DOI) must update
its access controls to meet current standards, according to an
inspector general report issued this week.
- EPA IG won't release report on cybersecurity practices - The
Environmental Protection Agency's (EPA) Inspector General conducted
an audit of the agency's cybersecurity and information security
policies but will not release the full report, noting privacy
- 34% of users click on links due to human curiosity - With nearly a
quarter of ID fraud victims being savvy users of mobile and social
media platforms in the UK last year, neither regular device updates
nor computer literacy is stopping users from engaging in harmful online
- Information on Current and Future States of Cybersecurity in the
Digital Economy - The Commission on Enhancing National Cybersecurity
requests information about current and future states of
cybersecurity in the digital economy.
- FDA Addresses Medical Device Cybersecurity Modifications - Draft
Guidance Clarifies When Makers Must Get New FDA Review - New Food
and Drug Administration draft guidance aims to alleviate a common
topic of confusion in the healthcare sector: whether medical device
makers need to submit for FDA review the modifications manufacturers
make that affect cybersecurity in existing products.
- After the breach: Settlement expected for 50M Home Depot customers -
A settlement is brewing between The Home Depot and the 50 million
customers whose personally identifiable information (PII) was
compromised in a massive hack in 2014.
- Half of enterprises ill-prepared for inside attack, study - Nearly
half of enterprises queried for a new survey were found to be
ill-equipped to deal with threats from insiders.
- U.S. government extends offer to protect states from electoral
cyberthreats - In a move to quell fears that the electoral process
could be hacked and manipulated this November, the U.S. government
has pledged to provide states with federal resources and assistance
to help manage voting cyber risks.
- SWIFT did not monitor weak security practices of its users - The
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
has a history of failing to address security incidents involving
clients of the financial messaging company, according to a Reuters
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 'Video jacking' attack allows attacker to see what you see - If
docking a phone at unfamiliar charging stations wasn't iffy enough,
a “video-jacking” attack by researchers highlights yet another
attack vector to consider.
- Just keep swimming: Swimming Australia website rides out waves of
DDoS traffic - Days after Australian gold medalist swimmer Mack
Horton accused his Chinese rival Sun Yang of doping, the Swimming
Australia website has been experiencing a large increase in traffic,
seemingly due to a distributed denial of service (DDoS) attack.
- Russian athlete whistleblower has online account hacked in major
security leak - A Russian whistleblower who revealed state-backed
athlete doping in the country has had her account on the World
Anti-Doping Agency (WADA) website hacked, potentially revealing her
- Sage suffers data breach from insider - Software company Sage has
reportedly suffered a data breach orchestrated by an insider of the
company. The police are investigating and the ICO has been informed.
- 20 top US hotels hit by fresh malware attacks - If you've stayed at
these hotels and have taken out your credit card at shops, bars, or
restaurants, your financial data may be at risk.
- NSA blames storm for website outage - The National Security Agency
(NSA) blamed a partial shutdown of NSA.gov on a storm.
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
VULNERABILITY ASSESSMENT TOOLS
Vulnerability assessment tools, also called security scanning
tools, assess the security of network or host systems and report
system vulnerabilities. These tools can scan networks, servers,
firewalls, routers, and applications for vulnerabilities. Generally,
the tools can detect known security flaws or bugs in software and
hardware, determine if the systems are susceptible to known attacks
and exploits, and search for system vulnerabilities such as settings
contrary to established security policies.
In evaluating a vulnerability assessment tool, management should
consider how frequently the tool is updated to include the detection
of any new weaknesses such as security flaws and bugs. If there is a
time delay before a system patch is made available to correct an
identified weakness, mitigating controls may be needed until the
system patch is issued.
Generally, vulnerability assessment tools are not run in real-time,
but they are commonly run on a periodic basis. When using the tools,
it is important to ensure that the results from the scan are secure
and only provided to authorized parties. The tools can generate both
technical and management reports, including text, charts, and
graphs. The vulnerability assessment reports can tell a user what
weaknesses exist and how to fix them. Some tools can automatically
fix vulnerabilities after detection.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Protocols and Ports (Part 2 of 3)
Other common protocols in a TCP/IP network include the following:
- Address resolution protocol (ARP) - Obtains the hardware address
of connected devices and matches that address with the IP address
for that device. The hardware address is the Ethernet card's
address, technically referred to as the "media access control" (MAC)
address. Ethernet systems route messages by the MAC address,
requiring a router to obtain both the IP address and the MAC address
of connected devices. Reverse ARP (RARP) also exists as a protocol.
- Internet control message protocol (ICMP) - Used to send messages
about network health between devices, provides alternate routing
information if trouble is detected, and helps to identify problems
with a routing.
- File transfer protocol (FTP) - Used to browse directories and
transfer files. Although access can be authenticated or anonymous,
FTP does not support encrypted authentication. Conducting FTP within
encrypted channels, such as a Virtual Private Network (VPN), secure
shell (SSH) or secure sockets layer (SSL) sessions can improve
- Trivial file transfer protocol (TFTP) - A file transfer protocol
with no file-browsing ability, and no support for authentication.
- Simple mail-transfer protocol (SMTP) - Commonly used in e-mail
systems to send mail.
- Post office protocol (POP) - Commonly used to receive e-mail.
- Hypertext transport protocol (HTTP) - Used for Web browsing.
- Secure shell (SSH) - Encrypts communications sessions, typically
used for remote administration of servers.
- Secure sockets layer (SSL) - Typically used to encrypt
Web browsing sessions, sometimes used to secure e-mail transfers and
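The protocol list above can be turned into a simple exposure check of the kind a vulnerability assessment tool performs against policy. The following is an added example, not part of the FFIEC booklet: the inventory format, the `via=` field, the severity labels, and the choice to flag TFTP even inside an encrypted channel are assumptions of this sketch.

```python
import re

# Well-known ports for the protocols named in the excerpt.
WELL_KNOWN = {(21, "tcp"): "ftp", (22, "tcp"): "ssh", (25, "tcp"): "smtp",
              (69, "udp"): "tftp", (80, "tcp"): "http", (110, "tcp"): "pop3",
              (443, "tcp"): "https"}

# Assumed policy: service -> (severity, reason, fixed by an encrypted channel?)
POLICY = {
    "tftp": ("high", "no support for authentication", False),
    "ftp": ("high", "no encrypted authentication", True),
    "smtp": ("medium", "cleartext unless wrapped in SSL", True),
    "pop3": ("medium", "cleartext unless wrapped in SSL", True),
    "http": ("medium", "cleartext unless wrapped in SSL", True),
}
ENCRYPTED_CHANNELS = {"vpn", "ssh", "ssl"}
LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)(?:\s+via=(\w+))?$")

def assess(inventory):
    """Return findings as (severity, host, port, service, reason), worst first."""
    findings = []
    for raw in inventory.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable inventory line: {raw!r}")
        host, port, proto, via = m[1], int(m[2]), m[3], m[4]
        service = WELL_KNOWN.get((port, proto))
        if service is None:
            findings.append(("review", host, port, "unknown", "port not in policy table"))
            continue
        rule = POLICY.get(service)
        # ssh/https carry no rule; a fixable service in an encrypted channel passes.
        if rule is None or (rule[2] and via in ENCRYPTED_CHANNELS):
            continue
        findings.append((rule[0], host, port, service, rule[1]))
    order = {"high": 0, "medium": 1, "review": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))

# Constructed inventory (documentation addresses), not real scan output.
SAMPLE = """
192.0.2.10 21/tcp
192.0.2.10 22/tcp
192.0.2.11 21/tcp via=vpn
192.0.2.12 69/udp via=vpn
192.0.2.13 80/tcp
192.0.2.14 8081/tcp
"""
```

Calling `assess(SAMPLE)` returns the plain FTP and TFTP listeners first, then the HTTP listener, then the unrecognized port for manual review; the SSH listener and the FTP service reached only through a VPN produce no finding.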
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Since all controls help to prevent contingencies, there is an
interdependency with all of the controls in the handbook.
Risk Management provides a tool for analyzing the security
costs and benefits of various contingency planning options. In
addition, a risk management effort can be used to help identify
critical resources needed to support the organization and the likely
threat to those resources. It is not necessary, however, to perform
a risk assessment prior to contingency planning, since the
identification of critical resources can be performed during the
contingency planning process itself.
Physical and Environmental Controls help prevent
contingencies. Although many of the other controls, such as logical
access controls, also prevent contingencies, the major threats that
a contingency plan addresses are physical and environmental threats,
such as fires, loss of power, plumbing breaks, or natural disasters.
Incident Handling can be viewed as a subset of contingency
planning. It is the emergency response capability for various
technical threats. Incident handling can also help an organization
prevent future incidents.
Support and Operations in most organizations includes the
periodic backing up of files. It also includes the prevention and
recovery from more common contingencies, such as a disk failure or
corrupted data files.
Policy is needed to create and document the organization's
approach to contingency planning. The policy should explicitly
11.8 Cost Considerations
The cost of developing and implementing contingency planning
strategies can be significant, especially if the strategy includes
contracts for backup services or duplicate equipment. There are too
many options to discuss cost considerations for each type.
One contingency cost that is often overlooked is the cost of
testing a plan. Testing provides many benefits and should be
performed, although some of the less expensive methods (such as a
review) may be sufficient for less critical resources.