- French submarine builder DCNS springs leak: India investigates -
The French are said to be going ballistic - India is investigating a
security breach affecting its French-built Scorpene-class submarines
after more than 22,000 pages covering its secret capabilities were
- Russia's Central Bank introduces new mandatory cyber-security
regulations - Russian banks will be faced with a whole range of new
regulations, and penalties for non-compliance, when it comes to
cyber-security, according to the country's Central Bank.
- Two swing states decline DHS security for voting machines - Two
swing states, Pennsylvania and Georgia, are declining an offer from
the Department of Homeland Security (DHS) to scan their voting
systems ahead of the 2016 elections.
- Muddying the waters of infosec: Cyber upstart, investors short
medical biz - then reveal bugs - Analysis A team of security
researchers tipped off an investment firm about software
vulnerabilities in life-preserving medical equipment in order to
profit from the fallout.
- Hacker who stole 2.9 million credit card numbers is Russian
lawmaker’s son - On Thursday, a federal jury in Seattle found the
son of Russian Parliament member guilty of stealing millions of
credit card numbers and selling them online to other fraudsters.
- Fiat Chrysler locks down on DealerCONNECT security after car theft
- Fiat Chrysler Association (FCA) on Aug. 25 updated its
anyone who provides unauthorized third parties access to "key codes,
radio codes and other anti-theft or security measures."
- Privacy advocates upset over FAA drone regulations, citizen takes
action - The Federal Aviation Administration's (FAA) small unmanned
aircraft system rule went into effect Aug. 29, broadly authorizing
commercial drone operations but noticeably lacking privacy-specific
standards; still, some citizens managed to take the security of their
airspace into their own hands.
- Dropbox commended for its handling of massive data breach
involving 68M users - What started out last week as a warning by
Dropbox to its users that some login data may have been compromised
has exploded into a massive data breach with an estimated 68 million
Dropbox user credentials being exposed on the web, but industry
insiders say the company has handled the problem quite well.
- Increasing use of encryption technology causes more cyber-attacks
- An outcome of the growing use of encryption technology to keep
network data safe is an increase in cyber-attacks.
- China allows foreign tech firms to participate in creating
cybersecurity standards - China appears to have taken a more global
approach to discussions involving the country's cybersecurity
- Rental car or loaner flash drive? FTC warns rental cars store user
data - The Federal Trade Commission is warning consumers to be
careful when using the infotainment systems of rental cars.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- GozNym malware is proficient in German, new malicious campaign
proves - Thirteen German financial institutions and their
subsidiaries are probably feeling weltschmerz (look it up) after
their customers became targets of the latest campaign from hybrid
downloader and banking malware GozNym.
- Dropbox recommending some users update account credentials -
Dropbox is recommending that some users update the login credentials
for their account because a group of member emails and passwords may
have been compromised.
- State wildlife agencies halt license sales after apparent vendor
breach - The fish and wildlife agencies of Washington, Oregon and
Idaho have temporarily suspended the sale of hunting and fishing
licenses and tags after the vendor operating their online licensing
system was apparently breached.
- Voter databases in two states breached by foreign hackers, FBI -
The FBI's Cyber Division revealed in a "flash" report that it
uncovered evidence that the election databases were hacked, which
led to the agency issuing warnings to election officials across the
country to strengthen the security of their computer systems.
- GoDaddy customers target of phishing scam - A phishing scam aimed
at GoDaddy customers lures victims by notifying them that they can't
receive any more email because their email storage has reached
- Cozy Bear suspected of hacking Russia-focused think tanks in D.C.
- The same Russian-backed cybergang which launched cyber attacks
against the Pentagon, State Department and DNC is also believed to
have targeted Russia-focused think tanks based in Washington D.C.
- Sacramento County data exposed for nearly a year - Sacramento
County has notified citizens whose data may have been left exposed
for nearly a year.
- Opera resets all user passwords following incursion - Opera is
alerting customers of its web browser that its sync system was
- Voter database hack in Illinois by foreign intruder compromises
info of 200K - Personal information of Illinois voters was likely
siphoned off in a cyberattack, possibly of foreign origin.
- 87K affected in SCAN Health Plan breach - SCAN Health Plan is
notifying users that remote attackers were able to gain access to
the contact sheets system and accessed the personal information of
past and current members and some non-plan members of SCAN Health
Plan, SCAN Health Plan Arizona, and VillageHealth plans.
- SWIFT warns of new attacks, pushes for security upgrades - While
six Democratic senators were beseeching President Obama in a letter
to make cybercrime a priority at this weekend's Group of 20 Summit
in China, SWIFT was sending a letter of its own to clients alerting
them to additional attacks on member banks.
- Jerry's Artarama hit with hack - A letter has gone out to
customers of Jerry's Artarama advising that its online portal "may
have been attacked" by a hacker and customer information "may have
- Kimpton Hotels details data breach, dozens of properties impacted
- The Kimpton Hotel chain officially notified its customers that its
point-of-sale system servers had been infected with malware earlier
this year, possibly exposing payment card information and cardholder
- Mr. Chow restaurants website hacked to distribute ransomware - If
you thought too much MSG was the most dangerous thing about ordering
Chinese food, consider this: the website for the upscale Mr. Chow
restaurants has reportedly been compromised to deliver ransomware to
- User data of 43.6M Last.fm subscribers made public - The user data
of 43,570,999 subscribers to the Last.fm music site were posted on
the pwned repository LeakedSource.
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 1 of 2)
After the initial risk assessment is completed, management may
determine that a penetration analysis (test) should be conducted.
For the purpose of this paper, "penetration analysis" is broadly
defined. Bank management should determine the scope and objectives
of the analysis. The scope can range from a specific test of a
particular information system's security to a review of multiple
information security processes in an institution.
A penetration analysis usually involves a team of experts who
identify an information system's vulnerability to a series of
attacks. The evaluators may attempt to circumvent the security
features of a system by exploiting the identified vulnerabilities.
Similar to running vulnerability scanning tools, the objective of a
penetration analysis is to locate system vulnerabilities so that
appropriate corrective steps can be taken.
The analysis can apply to any institution with a network, but
becomes more important if system access is allowed via an external
connection such as the Internet. The analysis should be independent
and may be conducted by a trusted third party, qualified internal
audit team, or a combination of both. The information security
policy should address the frequency and scope of the analysis. In
determining the scope of the analysis, items to consider include
internal vs. external threats, systems to include in the test,
testing methods, and system architectures.
A penetration analysis is a snapshot of the security at a point in
time and does not provide a complete guaranty that the system(s)
being tested is secure. It can test the effectiveness of security
controls and preparedness measures. Depending on the scope of the
analysis, the evaluators may work under the same constraints applied
to ordinary internal or external users. Conversely, the evaluators
may use all system design and implementation documentation. It is
common for the evaluators to be given just the IP address of the
institution and any other public information, such as a listing of
officers that is normally available to outside hackers. The
evaluators may use vulnerability assessment tools, and employ some
of the attack methods discussed in this paper such as social
engineering and war dialing. After completing the agreed-upon
analysis, the evaluators should provide the institution a detailed
written report. The report should identify vulnerabilities,
prioritize weaknesses, and provide recommendations for corrective
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
FFIEC IT SECURITY
We continue our
series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
TCP/IP is a packet - based communications system. A packet consists
of a header and a data payload. A header is analogous to a mail
envelope, containing the information necessary for delivery of the
envelope, and the return address. The data payload is the content of
the envelope. The IP packet header contains the address of the
sender (source address) and the intended recipient (destination
address) and other information useful in handling the packet. Under
IP, the addresses are unique numbers known as IP addresses. Each
machine on an IP network is identified by a unique IP address. The
vast majority of IP addresses are publicly accessible. Some IP
addresses, however, are reserved for use in internal networks. Those
addresses are 10.0.0.0 - 10.255.255.255, 172.16.0.0 -
172.31.255.255, and 192.168.0.0 - 192.168.255.255. Since those
internal addresses are not accessible from outside the internal
network, a gateway device is used to translate the external IP
address to the internal address. The device that translates external
and internal IP addresses is called a network address translation
(NAT) device. Other IP packet header fields include the protocol
field (e.g., 1=ICMP, 6=TCP, 7=UDP), flags that indicate whether
routers are allowed to fragment the packet, and other information.
If the IP packet indicates the protocol is TCP, a TCP header will
immediately follow the IP header. The TCP header contains the source
and destination ports, the sequence number, and other information.
The sequence number is used to order packets upon receipt and to
verify that all packets in the transmission were received.
Information in headers can be spoofed, or specially constructed to
contain misleading information. For instance, the source address can
be altered to reflect an IP address different from the true source
address, and the protocol field can indicate a different protocol
than actually carried. In the former case, an attacker can hide
their attacking IP, and cause the financial institution to believe
the attack came from a different IP and take action against that
erroneous IP. In the latter case, the attacker can craft an attack
to pass through a firewall and attack with an otherwise disallowed
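As an added example (not code from the FFIEC booklet), the following Python decoder pulls out the IPv4 and TCP header fields described above and applies the edge checks a NAT or firewall device can make against the two spoofing cases just named: an internal (RFC 1918) source address arriving from the Internet, and a protocol field that claims TCP over a payload that is not a TCP header. The packets are constructed inline for the demonstration, and protocol numbers follow the IANA registry (UDP is 17).

```python
import ipaddress
import struct

# The three reserved internal ranges named in the booklet (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IANA-assigned protocol numbers (UDP is 17).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_ipv4(src, dst, proto=6, flags_frag=0x4000, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header (checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_tcp(sport, dport, seq, data_offset=5, flags=0x02):
    """Constructed sample 20-byte TCP header (SYN by default, checksum left 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (data_offset << 12) | flags, 65535, 0, 0)

def parse_ipv4(pkt):
    """Decode the header fields the booklet describes: addresses, protocol, fragment flags."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IP version or header length")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "protocol": proto, "protocol_name": PROTO_NAMES.get(proto, "other"),
            "dont_fragment": bool(flags_frag & 0x4000),
            "more_fragments": bool(flags_frag & 0x2000),
            "fragment_offset": flags_frag & 0x1FFF, "payload": pkt[ihl:total_len]}

def border_findings(hdr, from_internet=True):
    """Checks a firewall/NAT device at the Internet edge can apply to a decoded header."""
    findings = []
    if from_internet and any(ipaddress.ip_address(hdr["src"]) in n for n in PRIVATE_NETS):
        findings.append("spoofed source: internal address arriving from the Internet")
    if hdr["protocol"] == 6:  # protocol field claims TCP; check that the claim holds
        if hdr["fragment_offset"] > 0:
            findings.append("non-initial fragment: TCP ports not visible to the firewall")
        elif len(hdr["payload"]) < 20 or (hdr["payload"][12] >> 4) < 5:
            findings.append("protocol field says TCP but payload is not a TCP header")
        else:  # genuine TCP header: pull ports and sequence number
            sport, dport, seq = struct.unpack("!HHI", hdr["payload"][:8])
            hdr.update(src_port=sport, dst_port=dport, seq=seq)
    return findings
```

A packet with no findings still has its TCP ports and sequence number added to the decoded header, so the same function feeds both the block decision and the port-based rule that follows it.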
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
8.2 Benefits of
Integrating Security in the Computer System Life Cycle
Although a computer security plan can be developed for a system at
any point in the life cycle, the recommended approach is to draw up
the plan at the beginning of the computer system life cycle.
Security, like other aspects of a computer system, is best managed
if planned for throughout the computer system life cycle. It has
been a tenet of the computer community that it costs ten times more
to add a feature in a system after it has been designed than to
include the feature in the system at the initial design phase. The
principal reason for implementing security during a system's
development is that it is more difficult to implement it later (as
is usually reflected in the higher cost of doing so). It also tends
to disrupt ongoing operations.
Security also needs to be incorporated into the later phases of the
computer system life cycle to help ensure that security keeps up
with changes in the system's environment, technology, procedures,
and personnel. It also ensures that security is considered in system
upgrades, including the purchase of new components or the design of
new modules. Adding new security controls to a system after a
security breach, mishap, or audit can lead to haphazard security
that can be more expensive and less effective than security that is
already integrated into the system. It can also significantly
degrade system performance. Of course, it is virtually impossible to
anticipate the whole array of problems that may arise during a
system's lifetime. Therefore, it is generally useful to update the
computer security plan at least at the end of each phase in the life
cycle and after each re-accreditation. For many systems, it may be
useful to update the plan more often.
Life cycle management also helps document security-relevant
decisions, in addition to helping assure management that security is
fully considered in all phases. This documentation benefits system
management officials as well as oversight and independent audit
groups. System management personnel use documentation as a
self-check reminder of why decisions were made so that the impact of
changes in the environment can be more easily assessed. Oversight
and independent audit groups use the documentation in their reviews
to verify that system management has done an adequate job and to
highlight areas where security may have been overlooked. This
includes examining whether the documentation accurately reflects how
the system is actually being operated.
Within the federal government, the Computer Security Act of 1987
and its implementing instructions provide specific requirements for
computer security plans. These plans are a form of documentation
that helps ensure that security is considered not only during system
design and development but also throughout the rest of the life
cycle. Plans can also be used to be sure that requirements of
Appendix III to OMB Circular A-130, as well as other applicable
requirements, have been addressed.
Different people can provide security input throughout the life
cycle of a system, including the accrediting official, data users,
systems users, and system technical staff.