- More banks plundered through SWIFT attacks - Shape up, cause the
Bangladesh Bank hack is just the start, SWIFT warns - Criminals have
hacked an unspecified number of new banks, using the SWIFT messaging
system already implicated in one of the most lucrative breaches in
Facial recognition tech nabs ID fraudsters - A man with a suspended
commercial driverís license attempted to get a new one using a
stolen identity, but he was stopped. About two dozen people used
fake information to get a second Social Security numbers and try to
get new licenses, but they were stopped.
Rental cars can be data thieves, warns FTC - The convenience of
automotive IT systems that connect smartphones with onboard media
players might not be worth the risk of data loss when it comes to
rental cars, according to the Federal Trade Commission.
Military Supermarket Chain's Encryption Setup is 'Unacceptable,'
Commissary Says - The Defense Department's $6 billion supermarket
chain needs tighter security for the secret keys fastening its
hundreds of databases, Pentagon officials say.
- Gugi mobile banking malware reportedly tweaked to defeat Android 6
security permissions - The developers of the mobile banking trojan
Gugi have introduced modifications to sidestep two key security
features of Android 6, Kaspersky Lab researcher Roman Unuchek has
reported in the Securelist blog.
- Congressional report faults OPM over breach preparedness and
response - The massive breach at the U.S. Office of Personnel
Management (OPM), announced in June 2015, might have been prevented
had the agency followed basic cybersecurity guidelines, according to
the findings of a congressional investigation.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Dropbox hack leaks 68 million usernames and passwords - A hack
from 2012 reportedly resulted in the breach of far more user
information than previously believed. Wait, how many accounts were
affected by a 2012 hack on Dropbox? About 68 million, according to
Kimpton Hotels Acknowledges Data Breach - Kimpton Hotels on
Wednesday formally acknowledged that malware found on payment
terminals in many of its hotels and restaurants may have compromised
credit/debit cards of guests who patronized the properties in the
first half of this year.
- Leoni AG suffers £34 million whaling attack - Leoni AG, Europe's
biggest manufacturer of wires and electrical cables, has announced
losses of £34 million ($44.6 million) following a whaling attack.
- Derriford hospital hit by ransomware - A Freedom of Information
(FoI) request filed by the Plymouth Herald has revealed that
Plymouth's Derriford Hospital has suffered a ransomware attack.
- Austrian officials investigate attempted cyberattack of Vienna's
airport - Austria's Interior Ministry is reportedly investigating a
hacking group known as ĎAslan Neferler Tim' that has claimed
responsibility for an attempted cyberattack of Vienna's airport.
- University of Alaska breach may have exposed student info - On
Tuesday, University of Alaska officials announced an attacker using
employee credentials may have accessed student information.
- Hutton Hotel guests credit card info exposed during three-year
long breach - The Hutton Hotel became the latest hospitality company
to report a breach of its payment card system warning guests that
their information may have been compromised.
Return to the top
of the newsletter
Lightspeed PoS vendor breached, sensitive database tapped - Vendor:
'We've applied new patches and access controls!' Sys admin: 'Whaddya
mean NEW?!' - Point of sales vendor Lightspeed has been breached
with password, customer data, and API keys possibly exposed.
WEB SITE COMPLIANCE -
continue our review of the FDIC paper "Risk Assessment Tools and
Practices or Information System Security."
PENETRATION ANALYSIS (Part 2 of 2)
A penetration analysis itself can introduce new risks to an
institution; therefore, several items should be considered before
having an analysis completed, including the following:
1) If using outside testers, the reputation of the firm or
consultants hired. The evaluators will assess the weaknesses in the
bank's information security system. As such, the confidentiality of
results and bank data is crucial. Just like screening potential
employees prior to their hire, banks should carefully screen firms,
consultants, and subcontractors who are entrusted with access to
sensitive data. A bank may want to require security clearance checks
on the evaluators. An institution should ask if the evaluators have
liability insurance in case something goes wrong during the test.
The bank should enter into a written contact with the evaluators,
which at a minimum should address the above items.
2) If using internal testers, the independence of the testers from
3) The secrecy of the test. Some senior executives may order an
analysis without the knowledge of information systems personnel.
This can create unwanted results, including the notification of law
enforcement personnel and wasted resources responding to an attack.
To prevent excessive responses to the attacks, bank management may
consider informing certain individuals in the organization of the
4) The importance of the systems to be tested. Some systems may be
too critical to be exposed to some of the methods used by the
evaluators such as a critical database that could be damaged during
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your compnay a proposal. E-mail Kinney Williams at
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Routing (Part 1 of 2)
Packets are moved through networks using routers, switches, and
hubs. The unique IP address is commonly used in routing. Since users
typically use text names instead of IP addresses for their
addressing, the user's software must obtain the numeric IP address
before sending the message. The IP addresses are obtained from the
Domain Naming System (DNS), a distributed database of text names
(e.g., anybank.com) and their associated IP addresses. For example,
financial institution customers might enter the URL of the Web site
in their Web browser. The user's browser queries the domain name
server for the IP associated with anybank.com. Once the IP is
obtained, the message is sent. Although the example depicts an
external address, DNS can also function on internal addresses.
A router directs where data packets will go based on a table that
links the destination IP address with the IP address of the next
machine that should receive the packet. Packets are forwarded from
router to router in that manner until they arrive at their
destination. Since the router reads the packet header and uses a
table for routing, logic can be included that provides an initial
means of access control by filtering the IP address and port
information contained in the message header. Simply put, the router
can refuse to forward, or forward to a quarantine or other
restricted area, any packets that contain IP addresses or ports that
the institution deems undesirable. Security policies should define
the filtering required by the router, including the type of access
permitted between sensitive source and destination IP addresses.
Network administrators implement these policies by configuring an
access configuration table, which creates a filtering router or a
A switch directs the path a message will take within the network.
Switching works faster than IP routing because the switch only looks
at the network address for each message and directs the message to
the appropriate computer. Unlike routers, switches do not support
packet filtering. Switches, however, are designed to send messages
only to the device for which they were intended. The security
benefits from that design can be defeated and traffic through a
switch can be sniffed.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
8.3 Overview of the
Computer System Life Cycle
There are many models for the computer system life cycle but most
contain five basic phases:
1) Initiation. During the initiation phase, the need for a system
is expressed and the purpose of the system is documented.
2) Development/Acquisition. During this phase the system is
designed, purchased, programmed, developed, or otherwise
constructed. This phase often consists of other defined cycles, such
as the system development cycle or the acquisition cycle.
3) Implementation. After initial system testing, the system is
installed or fielded.
4) Operation/Maintenance. During this phase the system performs
its work. The system is almost always modified by the addition of
hardware and software and by numerous other events.
5) Disposal. The computer system is disposed of once the
transition to a new computer system is completed.
Each phase can apply to an entire system, a new component or
module, or a system upgrade. As with other aspects of systems
management, the level of detail and analysis for each activity
described here is determined by many factors including size,
complexity, system cost, and sensitivity.
Many people find the concept of a computer system life cycle
confusing because many cycles occur within the broad framework of
the entire computer system life cycle. For example, an organization
could develop a system, using a system development life cycle.
During the system's life, the organization might purchase new
components, using the acquisition life cycle.
Moreover, the computer system life cycle itself is merely one
component of other life cycles. For example, consider the
information life cycle. Normally information, such as personnel
data, is used much longer than the life of one computer system. If
an employee works for an organization for thirty years and collects
retirement for another twenty, the employee's automated personnel
record will probably pass through many different organizational
computer systems owned by the company. In addition, parts of the
information will also be used in other computer systems, such as
those of the Internal Revenue Service and the Social Security
Many different "life cycles" are associated with computer systems,
including the system development, acquisition, and information life