DoD unveils new cybersecurity certification model for contractors -
The Defense Department sees its new certification model, which it
unveiled to the public this week, as a way to more quickly bring its
entire industrial base up to date with best cybersecurity practices.
Taxpayers stand strong against paying ransoms - Paying a ransom to
regain access to a city’s data and systems has become increasingly
common over the last few months. However, one study shows that most
taxpayers are not happy when their elected officials give in to an
Google fined $170M for allegedly improper collection of kids’ data
from YouTube channels - The Federal Trade Commission and New York
Attorney General’s office today announced that Google and its
subsidiary YouTube agreed to an unprecedented $170 million in fines
for allegedly using cookies to harvest personal data from minors
without parental consent and then serve behavioral ads based on this
Attackers Hit Ceiling in Ransomware Demands - New Bedford,
Massachusetts' refusal to pay a $5.3 million ransom highlights how
victim towns and cities may be hitting the limit to what they're
willing to spend to speed recovery.
GAO - Information Technology - DOD Needs to Fully Implement Program
for Piloting Open Source Software.
No municipality paid ransoms in 'coordinated ransomware attack' that
hit Texas - More than half of impacted cities and towns are now
operating as normal. A coordinated ransomware attack hit 22 Texas
local governments, but none of the impacted municipalities paid
ransom demands, Texas state officials said this week.
Who’ll benefit from the Regis University cyberattack? The Denver
school’s cybersecurity students. University to use lessons from
attack to help teach students, faculty and the community what to do
M&A gone bad: The brutal truths about insider threat - Your company
is in the process of acquiring its biggest competitor. Midway
through the deal, critical IP leaks, jeopardizing the value of
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Monster.com job applicants' info exposed on unprotected server -
Personal details from resumes and CVs from job seekers were exposed
after a server belonging to a recruitment company that was a
customer of Monster.com and others was left unprotected.
419 million Facebook users' info exposed, phone numbers and unique
IDs - Unprotected databases are behind a leak that exposed
information, including unique identifiers and phone numbers, on more
than 419 million Facebook users – 133 million of those records
belonging to users in the U.S.
Back to school: With latest attack, ransomware cancels classes in
Flagstaff - As students returned to school across the country over
the past two weeks, school districts are facing an unprecedented
wave of ransomware attacks.
North Carolina Boy Scouts PII compromised - A third-party vendor
that handles sales for the Boy Scouts of America suffered a data
breach exposing the PII of up to 12,900 Mecklenburg County Council
Wikipedia knocked offline by DDoS attack - Wikipedia was hit late
last week with a sustained DDoS attack knocking it offline in many
parts of the world.
Cyber-security incident at US power grid entity linked to unpatched
firewalls - Hackers used a DoS flaw to reboot firewalls at an
electric power grid operator for hours. A cyber-security incident
that impacted a US power grid entity earlier this year was not as
dangerous as initially thought, the North American Electric
Reliability Corporation (NERC) said last week.
The Rockford files: Ransomware disrupts Illinois school district’s
systems - Rockford Public Schools District 250 in Rockford, Ill.,
last week was struck by a ransomware attack that has disrupted the
operations of its electronic and digital systems.
Secret Service probing breach at federal IT contractor - Credentials
and email messages pilfered in a breach of a federal government
contractor that could be used to access the contractor’s systems and
those of its customers.
Ransomware attack on Premier Family Medical reportedly impacts
records of 320K patients - Utah-based health care practice Premier
Family Medical was struck by ransomware last July 8 in a cyberattack
that reportedly affected the records of roughly 320,000 patients.
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Capacity, Business Continuity and Contingency Planning Practices for
1. All e-banking services and applications, including those
provided by third-party service providers, should be identified and
assessed for criticality.
2. A risk assessment for each critical e-banking service and
application, including the potential implications of any business
disruption on the bank's credit, market, liquidity, legal,
operational and reputation risk should be conducted.
3. Performance criteria for each critical e-banking service and
application should be established, and service levels should be
monitored against such criteria. Appropriate measures should be
taken to ensure that e-banking systems can handle high and low
transaction volume and that systems performance and capacity is
consistent with the bank's expectations for future growth in
4. Consideration should be given to developing processing
alternatives for managing demand when e-banking systems appear to be
reaching defined capacity checkpoints.
5. E-banking business continuity plans should be formulated to
address any reliance on third-party service providers and any other
external dependencies required for achieving recovery.
6. E-banking contingency plans should set out a process for
restoring or replacing e-banking processing capabilities,
reconstructing supporting transaction information, and include
measures to be taken to resume availability of critical e-banking
systems and applications in the event of a business disruption.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
EXAMPLES OF ENCRYPTION USES
Asymmetric encryption is the basis of PKI, or public key
infrastructure. In theory, PKI allows two parties who do not know
each other to authenticate each other and maintain the
confidentiality, integrity, and accountability for their messages.
PKI rests on both communicating parties having a public and a
private key, and keeping their public keys registered with a third
party they both trust, called the certificate authority, or CA. The
use of and trust in the third party is a key element in the
authentication that takes place. For example, assume individual A
wants to communicate with individual B. A first hashes the message,
and encrypts the hash with A's private key. Then A obtains B's
public key from the CA, and encrypts the message and the hash with
B's public key. Obtaining B's public key from the trusted CA
provides A assurance that the public key really belongs to B and not
someone else. Using B's public key ensures that the message will
only be able to be read by B. When B receives the message, the
process is reversed. B decrypts the message and hash with B's
private key, obtains A's public key from the trusted CA, and
decrypts the hash again using A's public key. At that point, B has
the plain text of the message and the hash performed by A. To
determine whether the message was changed in transit, B must
re-perform the hashing of the message and compare the newly computed
hash to the one sent by A. If the new hash is the same as the one
sent by A, B knows that the message was not changed since the
original hash was created (integrity). Since B obtained A's public
key from the trusted CA and that key produced a matching hash, B is
assured that the message came from A and not someone else
(authentication).
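The A-to-B exchange described above, as an added example in Go; it is not code from the FFIEC booklet or this newsletter. It uses only the standard library (RSA, SHA-256, OAEP) and assumes the CA lookup has already supplied each party with the other's public key; the type and function names (Sealed, GenKey, Send, Receive) are this example's own, and as a simplification only the message, not the signed hash, is encrypted under B's key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Sealed is what A sends to B. Simplification in this added example: only the
// message is encrypted under B's key (a 2048-bit RSA signature does not fit in
// one OAEP block), so the signed hash travels alongside the ciphertext.
type Sealed struct {
	Msg []byte // message encrypted with B's public key
	Sig []byte // SHA-256 hash of the message, signed with A's private key
}

// GenKey stands in for a party generating the key pair it registers with the CA.
func GenKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Send is A's side: hash, sign the hash with A's private key, then encrypt
// the message with B's public key (obtained from the CA).
func Send(msg []byte, aPriv *rsa.PrivateKey, bPub *rsa.PublicKey) (Sealed, error) {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, aPriv, crypto.SHA256, h[:])
	if err != nil {
		return Sealed{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, msg, nil)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{Msg: ct, Sig: sig}, nil
}

// Receive is B's side: decrypt with B's private key, re-hash the plaintext, and
// check it against the hash A signed, using A's public key from the CA.
// A mismatch means the message was altered in transit or did not come from A.
func Receive(s Sealed, bPriv *rsa.PrivateKey, aPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bPriv, s.Msg, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(aPub, crypto.SHA256, h[:], s.Sig); err != nil {
		return nil, errors.New("integrity or origin check failed")
	}
	return msg, nil
}
```

Real systems, as the booklet notes for TLS, use the asymmetric keys only for authentication and key exchange and protect the bulk of the data with symmetric encryption.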
Various communication protocols use both symmetric and asymmetric
encryption. Transport Layer Security (TLS, the successor to SSL)
uses asymmetric encryption for authentication, and symmetric
encryption to protect the remainder of the communications session.
TLS can be used to secure electronic banking and other transmissions
between the institution and the customer. TLS may also be used to
secure e-mail, telnet, and FTP sessions. A wireless version of TLS
is called WTLS, for Wireless Transport Layer Security.
Virtual Private Networks (VPNs) are used to provide employees,
contractors, and customers remote access over the Internet to
institution systems. VPN security is provided by authentication and
authorization for the connection and the user, as well as encryption
of the traffic between the institution and the user. While VPNs can
exist between client systems, and between servers, the typical
installation terminates the VPN connection at the institution
firewall. VPNs can use many different protocols for their
communications. Among the popular protocols are PPTP (point-to-point
tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use
different authentication methods, and different components on the
host systems. Implementations between vendors, and between products,
may differ. Currently, the problems with VPN implementations
generally involve interfacing a VPN with different aspects of the
host systems, and reliance on passwords for authentication.
IPSec is a complex aggregation of protocols that together provide
authentication and confidentiality services to individual IP
packets. It can be used to create a VPN over the Internet or other
untrusted network, or between any two computers on a trusted
network. Since IPSec has many configuration options, and can provide
authentication and encryption using different protocols,
implementations between vendors and products may differ. Secure
Shell is frequently used for remote server administration. SSH
establishes an encrypted tunnel between an SSH client and a server,
as well as authentication services.
Disk encryption is typically used to protect data in storage.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM
The risk assessment concurred with the general approach taken by HGA,
but identified
several vulnerabilities. It reiterated previous concerns about the
lack of assurance associated with the server's access controls and
pointed out that these play a critical role in HGA's approach. The
assessment noted that the e-mail utility allows a user to include a
copy of any otherwise accessible file in an outgoing mail message.
If an attacker dialed in to the server and succeeded in logging in
as an HGA employee, the attacker could use the mail utility to
export copies of all the files accessible to that employee. In fact,
copies could be mailed to any host on the Internet.
The assessment also noted that the WAN service provider may rely on
microwave stations
or satellites as relay points, thereby exposing HGA's information to
eavesdropping. Similarly, any information, including passwords and
mail messages, transmitted during a dial-in session is subject to
Recommendations for Mitigating the Identified Vulnerabilities
The discussions in the following subsections were chosen to
illustrate a broad sampling
of handbook topics. Risk management and security program management
themes are integral throughout, with particular emphasis given to
the selection of risk-driven safeguards.