- The Federal Financial Institutions Examination Council
published a press release announcing the issuing of a revised
Information Security booklet, which is part of the FFIEC Information
Technology Examination Handbook.
NCUA - Credit Unions Must Prep for New Cyber Risks - Board
Action Bulletin - Stabilization Fund's Net Income in Second Quarter
Tops $425 Million - The National Credit Union Administration Board
held its eighth open meeting of 2016 at the agency's headquarters
here today and received a briefing from the Office of Examination
and Insurance on the rapidly changing nature of cybersecurity.
New Incident Management System Will Improve NCUA’s Disaster
Response - Read the Latest Issue of “The NCUA Report” Online -
Disasters may be infrequent, but they are a fact of life.
White House appoints first Federal Chief Information Security
Officer - Retired Brigadier General Gregory J. Touhill will assume
the role after serving in the Department of Homeland Security.
New research shows ransomware victims are paying up - New research
is claiming that 74 percent of UK organisations who haven't
experienced a ransomware attack remain bullish about the threat,
claiming they would never pay up if infected.
Wells Fargo Bank fined $185M, fires 5,300 staffers over fake account
scam - Wells Fargo Bank was fined a total of $185 million as
punishment for a five-year long scam that saw bank employees using
bank customer information to illegally create accounts and email
addresses and apply for credit and debit cards all in order to meet
assigned sales goals and earn commissions.
Oregon credit union sues Noodles & Company over breach - Oregon
credit union SELCO Community Credit Union accused Noodles & Company
of failing to implement or maintain adequate data security measures
for customer information despite highly publicized breaches at large
national retailers and restaurant chains, according to court
documents filed in a class action lawsuit Tuesday.
CFTC imposes cybersecurity rules for U.S. commodities, derivatives
firms - The Commodity Futures Trading Commission (CFTC) Thursday
approved a set of rules that will require frequent testing of
information technology at U.S. commodities and derivatives firms,
including exchanges and clearinghouses.
Pentagon faulted for lack of cyber preparedness, GAO report -
Although the National Guard is perhaps the best-equipped unit in the
military to assist the government in the event of a cyber emergency,
the Department of Defense (DoD) does not have the necessary
visibility into the capabilities of those assets, according to a
report released earlier this week by the Government Accountability
PCI Council wants upgradeable credit card readers ... next year -
Tamper-proofing and shielding against side attacks on the agenda -
The Payment Card Industry Security Standards Council (PCI Council)
has floated a new standard it hopes will reduce credit card fraud
that starts at the point of sale, in part by allowing easier
U.S. health regulator plans 'thorough' probe of St. Jude case - The
U.S. Food and Drug Administration plans a "thorough investigation"
of allegations about vulnerabilities in cardiac devices made by St.
Jude Medical Inc, the agency's official responsible for cyber
security said on Thursday.
Seagate staff to sue company over data protection failure - Hard
drive manufacturer Seagate may face a lawsuit from its own employees
for failing to protect their data.
Canadian data sharing deal with EU could be illegal under European
Law - A top EU lawyer has concluded that the EU-Canada PNR agreement
which oversees the transfer of information on flight records between
the two countries goes against the EU Charter Fundamental Human
Researcher believes major DDoS attacks part of military recon to
shut down internet - A security researcher spotted a series of DDoS
attacks which may be part of a larger effort to learn how to take
down the internet on a national or even global scale.
1 in 50 employees a malicious insider? - A survey recently conducted
by Imperva showed that 36 percent of surveyed companies have
experienced security incidents involving malicious employees in the
past 12 months.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- UAE medical centre hit, hacker claims good intentions - A medical
centre in the UAE has been modestly breached by a hacker who claims
to want to teach them a lesson in security.
Fire drill knocks ING bank's data centre offline - A fire
extinguisher test in a bank's data centre has gone wrong in an
"unprecedented" manner, causing its cash machines, online banking
operations and website to go offline.
Linode fends off multiple DDOS attacks - Nowhere near as bad as its
ten-day Christmas cracker, but something seems to be afoot - Cloud
hosting outfit Linode has again come under significant denial of
service (DoS) attack.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices or Information System Security."
INTRUSION DETECTION SYSTEMS
Vulnerability assessments and penetration analyses help ensure that
appropriate security precautions have been implemented and that
system security configurations are appropriate. The next step is to
monitor the system for intrusions and unusual activities. Intrusion
detection systems (IDS) may be useful because they act as a burglar
alarm, reporting potential intrusions to appropriate personnel. By
analyzing the information generated by the systems being guarded,
IDS help determine if necessary safeguards are in place and are
protecting the system as intended. In addition, they can be
configured to automatically respond to intrusions.
Computer system components or applications can generate detailed,
lengthy logs or audit trails that system administrators can manually
review for unusual events. IDS automate the review of logs and audit
data, which increases the reviews' overall efficiency by reducing
costs and the time and level of skill necessary to review the logs.
Typically, there are three components to an IDS. First is an agent,
which is the component that actually collects the information.
Second is a manager, which processes the information collected by
the agents. Third is a console, which allows authorized information
systems personnel to remotely install and upgrade agents, define
intrusion detection scenarios across agents, and track intrusions as
they occur. Depending on the complexity of the IDS, there can be
multiple agent and manager components.
Generally, IDS products use three different methods to detect
intrusions. First, they can look for identified attack signatures,
which are streams or patterns of data previously identified as an
attack. Second, they can look for system misuse such as unauthorized
attempts to access files or disallowed traffic inside the firewall.
Third, they can look for activities that are different from the
users or systems normal pattern. These "anomaly-based" products
(which use artificial intelligence) are designed to detect subtle
changes or new attack patterns, and then notify appropriate
personnel that an intrusion may be occurring. Some anomaly-based
products are created to update normal use patterns on a regular
basis. Poorly designed anomaly-based products can trigger frequent
Although IDS may be an integral part of an institutions overall
system security, they will not protect a system from previously
unknown threats or vulnerabilities. They are not self-sufficient and
do not compensate for weak authentication procedures (e.g., when an
intruder already knows a password to access the system). Also, IDS
often have overlapping features with other security products, such
as firewalls. IDS provide additional protections by helping to
determine if the firewall programs are working properly and by
helping to detect internal abuses. Both firewalls and IDS need to be
properly configured and updated to combat new types of attacks. In
addition, management should be aware that the state of these
products is highly dynamic and IDS capabilities are evolving.
IDS tools can generate both technical and management reports,
including text, charts, and graphs. The IDS reports can provide
background information on the type of attack and recommend courses
of action. When an intrusion is detected, the IDS can automatically
begin to collect additional information on the attacker, which may
be needed later for documentation purposes.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Routing (Part 2 of 2)
Routers and switches are sometimes difficult to locate. Users may
install their own devices and create their own unauthorized subnets.
Any unrecognized or unauthorized network devices pose security
risks. Financial institutions should periodically audit network
equipment to ensure that only authorized and maintained equipment
resides on their network.
DNS hosts, routers and switches are computers with their own
operating system. If successfully attacked, they can allow traffic
to be monitored or redirected. Financial institutions must restrict,
log, and monitor administrative access to these devices. Remote
administration typically warrants an encrypted session, strong
authentication, and a secure client. The devices should also be
appropriately patched and hardened.
Packets are sent and received by devices using a network interface
card (NIC) for each network to which they connect. Internal
computers would typically have one NIC card for the corporate
network or a subnet. Firewalls, proxy servers, and gateway servers
are typically dual-homed with two NIC cards that allow them to
communicate securely both internally and externally while limiting
access to the internal network.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
Activities in the Computer System Life Cycle
This section reviews the security activities that arise in each
stage of the computer system life cycle.
The conceptual and early design process of a system involves the
discovery of a need for a new system or enhancements to an existing
system; early ideas as to system characteristics and proposed
functionality; brainstorming sessions on architectural, performance,
or functional system aspects; and environmental, financial,
political, or other constraints. At the same time, the basic
security aspects of a system should be developed along with the
early system design. This can be done through a sensitivity
22.214.171.124 Conducting a Sensitivity Assessment
A sensitivity assessment looks at the sensitivity of both the
information to be processed and the system itself. The assessment
should consider legal implications, organization policy (including
federal and agency policy if a federal system), and the functional
needs of the system. Sensitivity is normally expressed in terms of
integrity, availability, and confidentiality. Such factors as the
importance of the system to the organization's mission and the
consequences of unauthorized modification, unauthorized disclosure,
or unavailability of the system or data need to be examined when
assessing sensitivity. To address these types of issues, the people
who use or own the system or information should participate in the
A sensitivity assessment
should answer the following questions:
1) What information is
handled by the system?
2) What kind of potential damage could occur through
error, unauthorized disclosure or modification, or
unavailability of data or the system?
3) What laws or regulations affect security (e.g., the
Privacy Act or the Fair Trade Practices Act)?
4) To what threats is the system or information
5) Are there significant environmental considerations
(e.g., hazardous location of system)?
6) What are the security-relevant characteristics of the
user community (e.g., level of technical sophistication and
training or security clearances)?
7) What internal security standards, regulations, or
guidelines apply to this system?
The sensitivity assessment starts an
analysis of security that continues throughout the life cycle. The
assessment helps determine if the project needs special security
oversight, if further analysis is needed before committing to begin
system development (to ensure feasibility at a reasonable cost), or
in rare instances, whether the security requirements are so
strenuous and costly that system development or acquisition will not
be pursued. The sensitivity assessment can be included with the
system initiation documentation either a separate document or as a
section of another planning document. The development of security
features, procedures, and assurances, described in the next section,
builds on the sensitivity assessment.
A sensitivity assessment can also be performed during the planning
stagers of system upgrades (for either upgrades being procured or
developed in house). In this case, the assessment focuses on
the affected areas. If the upgrade significantly affects the
original assessment, steps can be taken to analyze the impact on the
rest of the system. For example, are new controls needed? Will some
controls become necessary?
The definition of sensitive is often misconstrued.
Sensitive is synonymous with important or valuable.
Some data is sensitive because it must be kept confidential. Much
more data, however, is sensitive because its integrity or
availability must be assured. The Computer Security Act and OMB
Circular A-130 clearly state that information is sensitive if its
unauthorized disclosure, modification (i.e., loss of integrity), or
unavailability would harm the agency. In general, the more important
a system is to the mission of the agency, the more sensitive it is.