- The Empire State Lays Down the Marker on Cybersecurity - The New
York Department of Financial Services 23 NYCRR 500 Cybersecurity
Requirements for Financial Companies went into effect on March 1st
of this year. While the requirements are New York based, given the
state's concentration of financial services firms, the regulation
reaches far beyond the Hudson River.
Top 10 Security Challenges for 2017 - The first half of 2017 has not
exactly been a ride in the park for cybersecurity professionals.
How Cybersecurity Became 2017’s Hot New Major - If recent headlines
about attacks on our privacy make one thing clear, it’s that there
is a lot of work to do in the world of cybersecurity.
Over the past year or so, there’s been an explosion of interest in
vulnerability disclosure policy - the question of what to do about
flaws in software found by security researchers that need patching
lest they get used by hackers.
NIST Releases Updated Cyber and Privacy Guidance Draft - The
government’s cybersecurity standards agency published a draft
version of a major revision to its guidance on security and privacy
controls for government and industry Tuesday.
Cyber Command elevated to Unified Combatant Command - United States
Cyber Command will become one of 10 Unified Combatant Commands that
will focus on cyberspace operations.
Sinopec's Shengli Oilfield cuts Internet for some offices after
cyber attack - Sinopec's (600028.SS) Shengli Oilfield said it will
cut its Internet connection for some of its offices after a
malicious ransom software attacked of 21 of its Internet terminals,
the company said on its official website on Monday.
10 ways to improve your employee notification system - Today, many
organizations view mass notification systems through the lens of
emergency and disaster events, such as evacuations, severe weather,
terrorist incidents or active shooter situations when the ability to
deliver real-time alerts to employees, customers, partners and
consumers is critical.
Navy probe of warship collision will consider cyberattacks - It has
all the makings of intrigue or a conspiracy theory – the U.S. Navy
will add cyber incident to the scope of its investigation of the
collision, the second in recent months, between a warship and
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- HBO hacked again, this time on Facebook, Twitter - Hackers are
refusing to give HBO a break as the cable TV network's social media
channels have been breached in yet another incident.
Google Chrome under attack: Have you used one of these hijacked
extensions? - Recent versions of several Chrome extensions have been
compromised to spread malicious ads.
Voter data on 1.8M Chicagoans left exposed on online storage service
- Personal data on more than 1.8 million Chicagoan voters was found
exposed on a cloud-based storage site, available to anyone for
Hackers steal nearly $500K from Enigma virtual currency platform's
ICO investors - Hackers on Sunday stole close to $500,000 in
Ethereum from Enigma, a cryptocurrency trading platform provider,
after compromising the company's digital assets in order to
advertise a fraudulent crypto wallet address where users could buy
tokens for an Initial Coin Offering.
State Department experiences email outage - State Department email
service has been restored after a nearly 12-hour worldwide outage
hit its entire unclassified system.
Online role-playing games on unofficial websites caught dispensing
'Joao' downloader - Attackers have been compromising popular online
role-playing games from Aeria Games on unofficial websites, in order
to infect players with a newly discovered malware downloader called
Fuze fixes security lapses in portal site that could have exposed
sensitive user data, credentials - Cloud-based unified
communications services provider Fuze earlier this year repaired
three vulnerabilities in a customer web portal that, if exploited,
could have exposed sensitive user data and credentials.
Latest leak of hacked celebrity photos includes images of Tiger
Woods and Lindsay Vonn - A website known for publishing images
stolen from celebrity's hacked accounts has struck again, according
to multiple reports.
Business Email Compromise phishing scam found targeting diverse
array of industries - An organized phishing scam operation likely
based out of West Africa has been attempting to steal the business
email credentials of users across a broad spectrum of industries, in
hopes of compromising their accounts and leveraging them for even
more targeted spear phishing scams.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from
Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance
for Web Site Spoofing Incidents (Part 2 of 5)
PROCEDURES TO ADDRESS SPOOFING - Detection
Banks can improve their ability to detect spoofing by monitoring
appropriate information available inside the bank and by searching
the Internet for illegal or unauthorized use of bank names and
trademarks. The following is a list of possible indicators of
* E-mail messages returned to bank mail servers that were not
originally sent by the bank. In some cases, these e-mails may
contain links to spoofed Web sites;
* Reviews of Web-server logs can reveal links to suspect Web
addresses indicating that the bank's Web site is being copied or
that other malicious activity is taking place;
* An increase in customer calls to call centers or other bank
personnel, or direct communications from consumer reporting spoofing
Banks can also detect spoofing by searching the Internet for
identifiers associated with the bank such as the name of a company
or bank. Banks can use available search engines and other tools to
monitor Web sites, bulletin boards, news reports, chat rooms,
newsgroups, and other forums to identify usage of a specific company
or bank name. The searches may uncover recent registrations of
domain names similar to the bank's domain name before they are used
to spoof the bank's Web site. Banks can conduct this monitoring
in-house or can contract with third parties who provide monitoring
Banks can encourage customers and consumers to assist in the
identification process by providing prominent links on their Web
pages or telephone contact numbers through which customers and
consumers can report phishing or other fraudulent activities.
Banks can also train customer-service personnel to identify and
report customer calls that may stem from potential Web-site attacks.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
BUSINESS CONTINUITY CONSIDERATIONS
Events that trigger the implementation of a business continuity
plan may have significant security considerations. Depending on the
event, some or all of the elements of the security environment may
change. Different people may be involved in operations, at a
different physical location, using similar but different machines
and software which may communicate over different communications
lines. Depending on the event, different tradeoffs may exist between
availability, integrity, confidentiality, and accountability, with a
different appetite for risk on the part of management.
Business continuity plans should be reviewed as an integral part of
the security process. Risk assessments should consider the changing
risks that appear in business continuity scenarios and the different
security posture that may be established. Strategies should consider
the different risk environment and the degree of risk mitigation
necessary to protect the institution in the event the continuity
plans must be implemented. The implementation should consider the
training of appropriate personnel in their security roles, and the
implementation and updating of technologies and plans for back - up
sites and communications networks. Testing these security
considerations should be integrated with the testing of business
continuity plan implementations.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 12 - COMPUTER
SECURITY INCIDENT HANDLING
12.1.2 Preventing Future Damage
An incident handling capability also assists an organization in
preventing (or at least minimizing) damage from future incidents.
Incidents can be studied internally to gain a better understanding
of the organization's threats and vulnerabilities so more effective
safeguards can be implemented. Additionally, through outside
contacts (established by the incident handling capability) early
warnings of threats and vulnerabilities can be provided. Mechanisms
will already be in place to warn users of these risks.
The incident handling capability allows an organization to learn
from the incidents that it has experienced. Data about past
incidents (and the corrective measures taken) can be collected. The
data can be analyzed for patterns -- for example, which viruses are
most prevalent, which corrective actions are most successful, and
which systems and information are being targeted by hackers.
Vulnerabilities can also be identified in this process -- for
example, whether damage is occurring to systems when a new software
package or patch is used. Knowledge about the types of threats that
are occurring and the presence of vulnerabilities can aid in
identifying security solutions. This information will also prove
useful in creating a more effective training and awareness program
-- and thus help reduce the potential for losses. The incident
handling capability assists the training and awareness program by
providing information to users as to (1) measures that can help
avoid incidents (e.g., virus scanning) and (2) what should be done
in case an incident does occur.
Of course, the organization's attempts to prevent future losses
does not occur in a vacuum. With a sound incident handling
capability, contacts will have been established with counterparts
outside the organization. This allows for early warning of threats
and vulnerabilities that the organization may have not yet
experienced. Early preventative measures (generally more
cost-effective than repairing damage) can then be taken to reduce
future losses. Data is also shared outside the organization to allow
others to learn from the organization's experiences.
The sharing of incident data among organizations can help at both
the national and the international levels to prevent and respond to
breaches of security in a timely, coordinated manner.