FYI - DoD unveils new cybersecurity certification model for contractors - The Defense Department sees its new certification model, which it unveiled to the public this week, as a way to more quickly bring its entire industrial base up to date with best cybersecurity practices. https://federalnewsnetwork.com/defense-main/2019/09/dod-unveils-new-cybersecurity-certification-model-for-contractors/

Taxpayers stand strong against paying ransoms - Paying a ransom to regain access to a city’s data and systems has become increasingly common over the last few months. However, one study shows that most taxpayers are not happy when their elected officials give in to an attacker’s demand. https://www.scmagazine.com/home/security-news/ransomware/taxpayers-stand-strong-against-paying-ransoms/

Google fined $170M for allegedly improper collection of kids’ data from YouTube channels - The Federal Trade Commission and New York Attorney General’s office today announced that Google and its subsidiary YouTube agreed to an unprecedented $170 million in fines for allegedly using cookies to harvest personal data from minors without parental consent and then serve behavioral ads based on this information. https://www.scmagazine.com/home/security-news/privacy-compliance/google-fined-170m-for-allegedly-improper-collection-of-kids-data-from-youtube-channels/

Attackers Hit Ceiling in Ransomware Demands - New Bedford, Massachusetts' refusal to pay a $5.3 million ransom highlights how victim towns and cities may be hitting the limit to what they're willing to spend to speed recovery. https://www.darkreading.com/attacks-breaches/attackers-hit-ceiling-in-ransomware-demands/d/d-id/1335745

GAO - Information Technology - DOD Needs to Fully Implement Program for Piloting Open Source Software. https://www.gao.gov/products/GAO-19-457

No municipality paid ransoms in 'coordinated ransomware attack' that hit Texas - More than half of impacted cities and towns are now operating as normal. A coordinated ransomware attack hit 22 Texas local governments, but none of the impacted municipalities paid ransom demands, Texas state officials said this week. https://www.zdnet.com/article/no-municipality-paid-ransoms-in-coordinated-ransomware-attack-that-hit-texas/

Who’ll benefit from the Regis University cyberattack? The Denver school’s cybersecurity students. University to use lessons from attack to help teach students, faculty and the community what to do to prepare. https://www.denverpost.com/2019/09/06/regis-university-cybersecurity-attack-student/

M&A gone bad: The brutal truths about insider threat - Your company is in the process of acquiring its biggest competitor. Midway through the deal, critical IP leaks, jeopardizing the value of transaction. https://www.scmagazine.com/home/opinion/executive-insight/ma-gone-bad-the-brutal-truths-about-insider-threat/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Monster.com job applicants info exposed on unprotected server - Personal details from resumes and CVs from job seekers were exposed after a server belonging to a recruitment company that was a customer of Monster.com and others was left unprotected. https://www.scmagazine.com/home/security-news/monster-com-job-applicants-info-exposed-on-unprotected-server/

419 million Facebook users info exposed, phone numbers and unique IDs - Unprotected databases are behind a leak that exposed information, including unique identifiers and phone numbers, on more than 419 million Facebook users – 133 million of those records belonging to users in the U.S. https://www.scmagazine.com/home/security-news/419-million-facebook-users-info-exposed/

Back to school: With latest attack, ransomware cancels classes in Flagstaff - As students returned to school across the country over the past two weeks, school districts are facing an unprecedented wave of ransomware attacks. https://arstechnica.com/information-technology/2019/09/back-to-school-with-latest-attack-ransomware-cancels-classes-in-flagstaff/

North Carolina Boy Scouts PII compromised - A third-party vendor that handles sales for the Boy Scouts of America suffered a data breach exposing the PII of up to 12,900 Mecklenburg County Council scouts. https://www.scmagazine.com/home/security-news/data-breach/north-carolina-boy-scouts-pii-compromised/

Wikipedia knocked offline by DDoS attack - Wikipedia was hit late last week with a sustained DDoS attack knocking it offline in many parts of the world. https://www.scmagazine.com/home/security-news/cyberattack/wikileaks-knocked-offline-by-ddos-attack/

Cyber-security incident at US power grid entity linked to unpatched firewalls - Hackers used a DoS flaw to reboot firewalls at an electric power grid operator for hours. A cyber-security incident that impacted a US power grid entity earlier this year was not as dangerous as initially thought, the North American Electric Reliability Corporation (NERC) said last week. https://www.zdnet.com/article/cyber-security-incident-at-us-power-grid-entity-linked-to-unpatched-firewalls/

The Rockford files: Ransomware disrupts Illinois school district’s systems - Rockford Public Schools District 250 in Rockford, Ill., last week was struck by a ransomware attack that has disrupted the operations of its electronic and digital systems. https://www.scmagazine.com/home/security-news/the-rockford-files-ransomware-disrupts-illinois-school-districts-systems/

Secret Service probing breach at federal IT contractor - Credentials and email messages pilfered in a breach of a federal government contractor that could be used to access the contractor’s systems and those of its customers. https://www.scmagazine.com/home/security-news/government-and-defense/secret-service-probing-breach-at-federal-it-contractor/

Ransomware attack on Premier Family Medical reportedly impacts records of 320K patients - Utah-based health care practice Premier Family Medical was struck by ransomware last July 8 in a cyberattack that reportedly affected the records of roughly 320,000 patients. https://www.scmagazine.com/home/security-news/cybercrime/ransomware-attack-on-premier-family-medical-reportedly-impacts-records-of-320k-patients/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
  
  Sound Capacity, Business Continuity and Contingency Planning Practices for E-Banking
  
  1. All e-banking services and applications, including those provided by third-party service providers, should be identified and assessed for criticality.
  
  2. A risk assessment for each critical e-banking service and application, including the potential implications of any business disruption on the bank's credit, market, liquidity, legal, operational and reputation risk should be conducted.
  
  3. Performance criteria for each critical e-banking service and application should be established, and service levels should be monitored against such criteria.  Appropriate measures should be taken to ensure that e-banking systems can handle high and low transaction volume and that systems performance and capacity is consistent with the bank's expectations for future growth in e-banking.
  
  4. Consideration should be given to developing processing alternatives for managing demand when e-banking systems appear to be reaching defined capacity checkpoints.
  
  5. E-banking business continuity plans should be formulated to address any reliance on third-party service providers and any other external dependencies required achieving recovery.
  
  6. E-banking contingency plans should set out a process for restoring or replacing e-banking processing capabilities, reconstructing supporting transaction information, and include measures to be taken to resume availability of critical e-banking systems and applications in the event of a business disruption.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  EXAMPLES OF ENCRYPTION USES
  
  Asymmetric encryption is the basis of PKI, or public key infrastructure. In theory, PKI allows two parties who do not know each other to authenticate each other and maintain the confidentiality, integrity, and accountability for their messages. PKI rests on both communicating parties having a public and a private key, and keeping their public keys registered with a third party they both trust, called the certificate authority, or CA. The use of and trust in the third party is a key element in the authentication that takes place. For example, assume individual A wants to communicate with individual B. A first hashes the message, and encrypts the hash with A's private key. Then A obtains B's public key from the CA, and encrypts the message and the hash with B's public key. Obtaining B's public key from the trusted CA provides A assurance that the public key really belongs to B and not someone else. Using B's public key ensures that the message will only be able to be read by B. When B receives the message, the process is reversed. B decrypts the message and hash with B's private key, obtains A's public key from the trusted CA, and decrypts the hash again using A's public key. At that point, B has the plain text of the message and the hash performed by A. To determine whether the message was changed in transit, B must re - perform the hashing of the message and compare  the newly computed hash to the one sent by A. If the new hash is the same as the one sent by A, B knows that the message was not changed since the original hash was created (integrity). Since B obtained A's public key from the trusted CA and that key produced a matching hash, B is assured that the message came from A and not someone else (authentication).
  
  Various communication protocols use both symmetric and asymmetric encryption. Transaction layer security (TLS, the successor to SSL) uses asymmetric encryption for authentication, and symmetric encryption to protect the remainder of the communications session. TLS can be used to secure electronic banking and other transmissions between the institution and the customer. TLS may also be used to secure e - mail, telnet, and FTP sessions. A wireless version of TLS is called WTLS, for wireless transaction layer security.
  
  Virtual Private Networks (VPNs) are used to provide employees, contractors, and customers remote access over the Internet to institution systems. VPN security is provided by authentication and authorization for the connection and the user, as well as encryption of the traffic between the institution and the user. While VPNs can exist between client systems, and between servers, the typical installation terminates the VPN connection at the institution firewall. VPNs can use many different protocols for their communications. Among the popular protocols are PPTP (point - to - point tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use different authentication methods, and different components on the host systems. Implementations between vendors, and between products, may differ. Currently, the problems with VPN implementations generally involve interfacing a VPN with different aspects of the host systems, and reliance on passwords for authentication.
  
  IPSec is a complex aggregation of protocols that together provide authentication and confidentiality services to individual IP packets. It can be used to create a VPN over the Internet or other untrusted network, or between any two computers on a trusted network. Since IPSec has many configuration options, and can provide authentication and encryption using different protocols, implementations between vendors and products may differ. Secure Shell is frequently used for remote server administration. SSH establishes an encrypted tunnel between a SSH client and a server, as well as authentication services.
  
  Disk encryption is typically used to protect data in storage.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.5.5 Network-Related Vulnerabilities

The risk assessment concurred with the general approach taken by HGA, but identified several vulnerabilities. It reiterated previous concerns about the lack of assurance associated with the server's access controls and pointed out that these play a critical role in HGA's approach. The assessment noted that the e-mail utility allows a user to include a copy of any otherwise accessible file in an outgoing mail message. If an attacker dialed in to the server and succeeded in logging in as an HGA employee, the attacker could use the mail utility to export copies of all the files accessible to that employee. In fact, copies could be mailed to any host on the Internet.

The assessment also noted that the WAN service provider may rely on microwave stations or satellites as relay points, thereby exposing HGA's information to eavesdropping. Similarly, any information, including passwords and mail messages, transmitted during a dial-in session is subject to eavesdropping.

20.6 Recommendations for Mitigating the Identified Vulnerabilities

The discussions in the following subsections were chosen to illustrate a broad sampling of handbook topics. Risk management and security program management themes are integral throughout, with particular emphasis given to the selection of risk-driven safeguards.