- Sixth Circuit: Nationwide insurance co.'s breach victims have
standing to sue - A federal Appeals Court has reinstated a
class-action lawsuit against Nationwide Mutual Insurance Company
after concluding that individuals whose personal data was
exposed in a 2012 breach have sufficient standing to sue for
Cybersecurity unemployment rate at zero - A Cybersecurity Ventures
study stated there will be 1 million cybersecurity jobs open
worldwide in 2016, with the vast majority of these being in the
United States. This figure is expected to rise to 1.5 million by
Cyber-attacks now cost enterprises US $861K per security incident -
On average, a single cyber-security incident now costs large
businesses US $861,000 (£652,000). Meanwhile, small and medium
businesses (SMBs) pay $86,500 (£65,500).
Ponemon study: business innovation and IT security often do not go
hand in hand - Micro Focus has released research in partnership with
the Ponemon Institute which claims business innovation and IT
security often do not go hand in hand.
Krebs website withstands historically large DDoS attack; enormous
botnet suspected - Cybersecurity blog site KrebsOnSecurity, a
frequent target of hackers, was barraged on Tuesday evening by an
extraordinary distributed denial of service (DDoS) attack boasting a
bandwidth between 620 and 665 Gbps – one of the largest such attacks
76% of security pros believe threat intelligence should be shared -
Many security professionals believe that they have a moral
responsibility to share threat intelligence.
Global data breaches up 15 percent in first half of 2016 - Data
breaches were up 15 percent during the first half of 2016 compared
to the previous six months, Gemalto researchers reported, noting
there was a total of 974 worldwide breaches compromising more than
554 million combined data records.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- ClixSense breached through old server, 6.6M users potentially
affected - ClixSense, a company that pays people to take surveys,
reported it was breached with several million users being affected.
Eurekalert news service attacked - Scientific news service
EurekAlert suffered a breach which saw the login details of
thousands of journalists stolen. The company has now reformed the
technology behind its website and is promising a brand new login
Hairy situation: Just For Men website rigged to redirect to RIG
Exploit Kit - Executives at Combe Incorporated may have sprung a few
new gray hairs after learning that the website for its Just for Men
brand of hair coloring products was compromised to serve up malware.
324K Regpack users' info compromised when decrypted files placed on
public-facing server - Independent Security Researcher Troy Hunt
spotted a database containing the information of nearly 324,000
Yahoo breach; State-sponsored actors suspected, at least 500 million
accounts affected - On the cusp of a $4.8 billion acquisition by
Verizon, Internet company Yahoo today disclosed an immense data
breach in which a state-sponsored actor is believed to have broken
into the company's network in late 2014 and stolen a copy of account
information belonging to at least 500 million users.
WEB SITE COMPLIANCE -
We conclude our review of the FDIC paper "Risk Assessment
Tools and Practices of Information System Security." We hope you
have found this series useful.
INCIDENT RESPONSE - Discusses implementing an incident
response strategy for the response component of an institution's
information security program. After implementing a defense strategy
and monitoring for new attacks, hacker activities, and unauthorized
insider access, management should develop a response strategy. The
sophistication of an incident response plan will vary depending on
the risks inherent in each system deployed and the resources
available to an institution. In developing a response strategy or
plan, management should consider the following:
1) The plan should provide a platform from which an institution can
prepare for, address, and respond to intrusions or unauthorized
activity. The beginning point is to assess the systems at risk, as
identified in the overall risk assessment, and consider the
potential types of security incidents.
2) The plan should identify what constitutes a break-in or system
misuse, and incidents should be prioritized by the seriousness of
the attack or system misuse.
3) Individuals should be appointed and empowered with the latitude
and authority to respond to an incident. The plan should include
what the appropriate responses may be for potential intrusions or
4) A recovery plan should be established, and in some cases, an
incident response team should be identified.
5) The plan should include procedures to officially report the
incidents to senior management, the board of directors, legal
counsel, and law enforcement agents as appropriate.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
A firewall is a collection of components (computers, routers, and
software) that mediate access between different security domains.
All traffic between the security domains must pass through the
firewall, regardless of the direction of the flow. Since the
firewall serves as a choke point for traffic between security
domains, it is ideally situated to inspect and block traffic and to
coordinate activities with network intrusion detection systems (IDS).
Financial institutions have four primary firewall types from which
to choose: packet filtering, stateful inspection, proxy servers, and
application-level firewalls. Any product may have characteristics of
one or more firewall types. The selection of firewall type is
dependent on many characteristics of the security zone, such as the
amount of traffic, the sensitivity of the systems and data, and
applications. Over the next few weeks we will discuss the
different types of firewalls.
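The difference between the first two firewall types above, packet filtering and stateful inspection, is easiest to see on a concrete packet sequence. The following toy model is an added example written for this newsletter; it is not code from the FFIEC booklet or from any firewall product. All addresses, ports and the "10.0.0." internal-zone prefix are constructed for the illustration. The stateless filter approximates "return traffic" by the TCP ACK flag, which is what a classic packet-filter "established" rule does; the stateful filter only admits inbound packets that belong to a connection it saw opened from the inside.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header fields needed for a filtering decision."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


INTERNAL_PREFIX = "10.0.0."  # hypothetical internal security zone (constructed)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StatelessPacketFilter:
    """Packet filter: each packet is judged alone, from its own headers.

    Inbound packets are permitted when the ACK bit is set, which is the usual
    stateless approximation of 'part of an established connection'. Any sender
    can set that bit, so the rule is a heuristic, not a check of real state.
    """

    def allow(self, p: Packet) -> bool:
        if is_internal(p.src) and not is_internal(p.dst):
            return True  # outbound traffic is permitted
        if not is_internal(p.src) and is_internal(p.dst):
            return p.ack  # 'established' heuristic: ACK flag present
        return False


class StatefulInspectionFilter:
    """Stateful inspection: remembers connections opened from the inside and
    admits inbound packets only when they match a recorded connection.
    A real firewall also expires entries on FIN/RST and on timeout; that is
    omitted here to keep the example short.
    """

    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if is_internal(p.src) and not is_internal(p.dst):
            if p.syn and not p.ack:
                self.connections.add(flow)  # outbound SYN opens a connection
                return True
            return flow in self.connections
        if not is_internal(p.src) and is_internal(p.dst):
            return reverse in self.connections  # reply to a known connection?
        return False


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Run a constructed packet sequence through both filters.

    Returns a mapping of scenario name -> (stateless decision, stateful decision).
    """
    stateless = StatelessPacketFilter()
    stateful = StatefulInspectionFilter()
    sequence = [
        # inside host opens HTTPS to an outside server
        ("outbound_syn", Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True)),
        # server's SYN-ACK reply
        ("synack_reply", Packet("203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True)),
        # later data segment from the server on the same connection
        ("server_data", Packet("203.0.113.10", 443, "10.0.0.5", 51000, ack=True)),
        # unsolicited inbound packet with ACK set (ACK-scan / forged 'reply')
        ("forged_ack_to_ssh", Packet("198.51.100.7", 40000, "10.0.0.5", 22, ack=True)),
        # unsolicited inbound connection attempt
        ("unsolicited_syn", Packet("198.51.100.7", 40000, "10.0.0.5", 22, syn=True)),
    ]
    results = {}
    for name, pkt in sequence:
        results[name] = (stateless.allow(pkt), stateful.allow(pkt))
    return results


if __name__ == "__main__":
    for name, (sl, sf) in run_scenario().items():
        print(f"{name:20s} stateless={'ALLOW' if sl else 'DROP':5s} stateful={'ALLOW' if sf else 'DROP'}")
```

The legitimate exchange is admitted by both filters, but the forged ACK packet aimed at port 22 passes the stateless filter and is dropped by the stateful one: the packet filter has no way to know that no inside host ever opened that connection. That is the property the booklet's later discussion of stateful inspection turns on.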
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue our series on the National Institute of Standards and Technology
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
For most systems, the development/acquisition phase is more
complicated than the initiation phase. Security activities can be
divided into three parts:
! determining security features, assurances, and operational practices;
! incorporating these security requirements into design
! actually acquiring them.
These divisions apply to systems that are designed and built in
house, to systems that are purchased, and to systems developed using
a hybrid approach.
During this phase, technical staff and system sponsors should
actively work together to ensure that the technical designs reflect
the system's security needs. As with development and incorporation
of other system requirements, this process requires an open dialogue
between technical staff and system sponsors. It is important to
address security requirements effectively in synchronization with
development of the overall system.
Determining Security Requirements
During the first part of the development / acquisition phase,
system planners define the requirements of the system. Security
requirements should be developed at the same time. These
requirements can be expressed as technical features (e.g., access
controls), assurances (e.g., background checks for system
developers), or operational practices (e.g., awareness and
training). System security requirements, like other system
requirements, are derived from a number of sources including law,
policy, applicable standards and guidelines, functional needs of the
system, and cost-benefit tradeoffs.
Law. Besides specific laws that place security requirements
on information, such as the Privacy Act of 1974, there are laws,
court cases, legal opinions, and other similar legal material that
may affect security directly or indirectly.
Policy. As discussed in Chapter 5, management officials
issue several different types of policy. System security
requirements are often derived from issue-specific policy.
Standards and Guidelines. International, national, and
organizational standards and guidelines are another source for
determining security features, assurances, and operational
practices. Standards and guidelines are often written in an
"if…then" manner (e.g., if the system is encrypting data, then a
particular cryptographic algorithm should be used). Many
organizations specify baseline controls for different types of
systems, such as administrative, mission- or business- critical, or
proprietary. As required, special care should be given to
Functional Needs of the System. The purpose of security is
to support the function of the system, not to undermine it.
Therefore, many aspects of the function of the system will produce
related security requirements.
Cost-Benefit Analysis. When considering security,
cost-benefit analysis is done through risk assessment, which
examines the assets, threats, and vulnerabilities of the system in
order to determine the most appropriate, cost-effective safeguards
(that comply with applicable laws, policy, standards, and the
functional needs of the system). Appropriate safeguards are normally
those whose anticipated benefits outweigh their costs. Benefits and
cost include monetary and nonmonetary issues, such as prevented
losses, maintaining an organization's reputation, decreased user
friendliness, or increased system administration.
Risk assessment, like cost-benefit analysis, is used to support
decision-making. It helps managers select cost-effective safeguards.
The extent of the risk assessment, like that of other cost-benefit
analyses, should be commensurate with the complexity and cost
(normally an indicator of complexity) of the system and the expected
benefits of the assessment.
Risk assessment can be performed during the requirements analysis
phase of a procurement or the design phase of a system development
cycle. Risk should also normally be assessed during the
development/acquisition phase of a system upgrade. The risk
assessment may be performed once or multiple times, depending upon
the project's methodology.
Care should be taken in differentiating between security risk
assessment and project risk analysis. Many system development and
acquisition projects analyze the risk of failing to successfully
complete the project - a different activity from security risk