FYI
- Rate of data compromise revealed: 121 records per sec; defenders
lagging - More data records have been breached in the first six
months of 2017 than the whole of 2016. The Gemalto Breach Level
Index reports that this amounts to an astonishing 121 records lost
or stolen every second of every day.
https://www.scmagazine.com/rate-of-data-compromise-revealed-121-records-per-sec-defenders-lagging/article/694967/
Manchester police still relies on Windows XP - Greater Manchester
Police told the BBC that 1,518 of its PCs ran the ageing operating
system, representing 20.3% of all the office computers it used.
http://www.bbc.com/news/technology-41306321
Equifax hackers likely in network since March - It took Equifax 141
days to discover a breach that exposed the data of 143 million U.S.
consumers with hackers likely accessing the credit monitoring firm's
systems in March, a full two months before Equifax originally said
they did.
https://www.scmagazine.com/equifax-hackers-likely-in-network-since-march/article/690471/
Equifax CEO Richard Smith Resigns After Uproar Over Massive -
Equifax Inc. Chief Executive Officer Richard Smith stepped down,
joining other senior managers who left the credit-reporting company
in the wake of an uproar over the theft of private data on 143
million Americans.
https://www.bloomberg.com/news/articles/2017-09-26/equifax-ceo-smith-resigns-barros-named-interim-chief-after-hack
All the Ways Equifax Epically Bungled Its Breach Response - The
breach of the credit monitoring firm Equifax, which exposed
extensive personal data for 143 million people, is the worst
corporate data breach to date.
https://www.wired.com/story/equifax-breach-response/
SEC chairman defends timing of agency's breach disclosure to
Senators - Chairman of the Securities and Exchange Commission Jay
Clayton confirmed in testimony before the Senate Banking Committee
on Tuesday that a 2016 breach of the regulatory body's EDGAR
document filing system was made possible due to a defect in custom
software code that was subsequently remediated.
https://www.scmagazine.com/sec-chairman-defends-timing-of-agencys-breach-disclosure-to-senators/article/695870/
Cleartext passwords, and worse found among top 21 financial trading
apps - A Senior Security Consultant analyzed 21 of the most used and
well-known mobile trading apps available on the Apple and Google
Play Store and found serious vulnerabilities, some of which could
allow an attacker to compromise a user's account and/or view their
trading strategies.
https://www.scmagazine.com/researcher-finds-top-mobile-trading-apps-plagued-with-vulnerabilities/article/695879/
GAO - Federal Information Security: Weaknesses Continue to Indicate
Need for Effective Implementation of Policies and Practices
Report:
http://www.gao.gov/products/GAO-17-549
Highlights:
http://www.gao.gov/assets/690/687460.pdf
Podcast:
http://www.gao.gov/multimedia/podcasts/687356
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- No accounting for this: Deloitte's email server reportedly
breached - The email system of accounting giant and professional
services firm Deloitte was breached last year, giving unknown actors
access to some of its clients' sensitive communications, data, and
internal documentation. That the New York-based company is
considered among the premier firms specializing in cybersecurity
consulting makes the breach all the more embarrassing and perhaps
damaging to Deloitte's brand.
https://www.scmagazine.com/no-accounting-for-this-deloittes-email-server-reportedly-breached/article/695503/
http://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/
Remotely locked Apple devices being held for ransom - Some Apple
product owners have found themselves on the receiving end of a new
ransom attack that has someone locking their device most likely
using stolen iCloud credentials and then initiating the Find My
iPhone remote lock feature.
https://www.scmagazine.com/remotely-locked-apple-devices-being-held-for-ransom/article/690314/
Paramount Pictures, Comedy Central, MTV and hundreds more exposed in
Viacom AWS leak - A mishandling of Viacom's master AWS key has left
the credentials of hundreds of digital properties, including Comedy
Central, Paramount, MTV and other entertainment companies, exposed.
https://www.scmagazine.com/viacom-exposes-paramount-pictures-comedy-central-mtv-and-hundreds-more-in-aws-leak/article/690117/
SEC systems breach may have aided insider trading - Hackers breached
the U.S. Security and Exchange Commission's EDGAR document filing
system and may have used nonpublic information stored on the
database to profit from insider trading, the regulatory body
disclosed on Wednesday.
https://www.scmagazine.com/sec-systems-breach-may-aided-have-insider-trading/article/690317/
New Verizon leak exposed confidential data on internal systems -
Confidential and sensitive documents, including server logs and
several instances of credentials for internal systems, were found on
an unprotected Amazon S3 storage server controlled by a Verizon
Wireless customer.
http://www.zdnet.com/article/another-verizon-leak-exposed-confidential-data-on-internal-systems/
Adobe accidentally releases private PGP key - The firm's security
team failed in a spectacular fashion. Adobe has earned mockery after
accidentally posting its private PGP key on the firm's official
security blog.
http://www.zdnet.com/article/adobe-accidentally-releases-private-pgp-key/
Sonic Drive-In latest to be hit in POS data breach - Sonic Drive-In
is investigating a possible point-of-sale (POS) breach that has led
to customer payment card information being sold on a dark web
market.
https://www.scmagazine.com/sonic-drive-in-latest-to-be-hit-in-pos-data-breach/article/696180/
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against
E-Mail and Internet-Related Fraudulent Schemes (Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
costly litigation.
In addition, customers who fall prey to e-mail and
Internet-related fraudulent schemes face real and immediate risk.
Criminals will normally act quickly to gain unauthorized access to
financial accounts, commit identity theft, or engage in other
illegal acts before the victim realizes the fraud has occurred and
takes action to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following
messages:
- A financial institution's Web page should never be accessed
from a link provided by a third party. It should only be accessed by
typing the Web site name, or URL address, into the Web browser or by
using a "bookmark" that directs the Web browser to the financial
institution's Web site.
- A financial institution should not be sending e-mail messages
that request confidential information, such as account numbers,
passwords, or PINs. Financial institution customers should be
reminded to report any such requests to the institution.
- Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by checking the properties on a secure Web
page.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Measurement and Interpretation of Test Results.
Institutions should design tests to produce results that are logical
and objective. Results that are reduced to metrics are potentially
more precise and less subject to confusion, as well as being more
readily tracked over time. The interpretation and significance of
test results are most useful when tied to threat scenarios.
Traceability. Test results that indicate an unacceptable risk in an
institution's security should be traceable to actions subsequently
taken to reduce the risk to an acceptable level.
Thoroughness. Institutions should perform tests sufficient
to provide a high degree of assurance that their security plan,
strategy and implementation is effective in meeting the security
objectives. Institutions should design their test program to draw
conclusions about the operation of all critical controls. The scope
of testing should encompass all systems in the institution's
production environment and contingency plans and those systems
within the institution that provide access to the production
environment.
Frequency. Test frequency should be based on the risk that
critical controls are no longer functioning. Factors to consider
include the nature, extent, and results of prior tests, the value
and sensitivity of data and systems, and changes to systems,
policies and procedures, personnel, and contractors. For example,
network vulnerability scanning on high-risk systems can occur at
least as frequently as significant changes are made to the network.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
12.3.3 Secure Communications Facilities
Incidents can range from the trivial to those involving national
security. Often when exchanging information about incidents, using
encrypted communications may be advisable. This will help prevent
the unintended distribution of incident-related information.
Encryption technology is available for voice, fax, and e-mail
communications.
12.4 Interdependencies
An incident handling capability generally depends upon other
safeguards presented in this handbook. The most obvious is the
strong link to other components of the contingency plan. The
following paragraphs detail the most important of these
interdependencies.
Contingency Planning. As discussed in the introduction to
this chapter, an incident handling capability can be viewed as the
component of contingency planning that deals with responding to
technical threats, such as viruses or hackers. Close coordination is
necessary with other contingency planning efforts, particularly when
planning for contingency processing in the event of a serious
unavailability of system resources.
Support and Operations. Incident handling is also closely
linked to support and operations, especially user support and
backups. For example, for purposes of efficiency and cost savings,
the incident handling capability is often co-operated with a user
"help desk." Also, backups of system resources may need to be used
when recovering from an incident.
Training and Awareness. The training and awareness program
can benefit from lessons learned during incident handling. Incident
handling staff will be able to help assess the level of user
awareness about current threats and vulnerabilities. Staff members
may be able to help train system administrators, system operators,
and other users and systems personnel. Knowledge of security
precautions (resulting from such training) helps reduce future
incidents. It is also important that users are trained in what to
report and how to report it.
Risk Management. The risk analysis process will benefit from
statistics and logs showing the numbers and types of incidents that
have occurred and the types of controls that are effective in
preventing incidents. This information can be used to help select
appropriate security controls and practices.