FYI
- Is your web site compliant with the American Disability Act?
For the past 20 years, our web site audits have included the
guidelines of the ADA. Help reduce any liability, please
contact me for more information at
examiner@yennik.com.
FFIEC Announces Webinars in Observance of Cybersecurity Awareness Month -
The Federal Financial Institutions Examination Council will host two
webinars for financial institutions in October in recognition of
National Cybersecurity Awareness Month.
www.ffiec.gov/press/pr100616.htm
End-of-support devices on networks weakening cyberdefenses -
Nearly three-quarters of businesses have end-of-support devices
operating in their networks – and the consequences could prove dire,
a new study found.
http://www.scmagazine.com/end-of-support-devices-on-networks-weakening-cyberdefenses-report/article/525610/
86% of over-55s worldwide think they're safe from cyber-criminals -
Nearly all (86 percent) over-55s don't believe that they're targets
for cyber-criminals.
http://www.scmagazine.com/86-of-over-55s-worldwide-think-theyre-safe-from-cyber-criminals/article/525439/
GAO - Information Security: FDA Needs to Rectify Control Weaknesses
That Place Industry and Public Health Data at Risk.
Report:
http://www.gao.gov/products/GAO-16-513
Highlights:
http://www.gao.gov/assets/680/679358.pdf
ISACA programme aims to attract more women into technology
professions - For some time women have been underrepresented in
technology, but a new programme seeks to change that by connecting
women in technology.
http://www.scmagazine.com/isaca-programme-aims-to-attract-more-women-into-technology-professions/article/525769/
Europol's IOCTA report says cyber-crime on a sharp rise - Europol
has released its yearly Internet Organised Crime Threat Assessment (IOCTA)
report, which this year has highlighted a sharp incline in
cyber-crime and identified eight cyber-crime trends.
http://www.scmagazine.com/europols-iocta-report-says-cyber-crime-on-a-sharp-rise/article/525770/
NIST offers cyber self-assessment tool, updates email security
guidance - The National Institute of Standards and Technology has
long been a national resource on cybersecurity, and its
Cybersecurity Framework has been widely adopted in both government
and private industry.
https://gcn.com/blogs/cybereye/2016/09/nist-cyber-self-assessment.aspx
https://www.nist.gov/sites/default/files/documents/2016/09/15/baldrige-cybersecurity-excellence-builder-draft-09.2016.pdf
Vast majority of Americans unsettled about data breaches - A new
study found significant concerns around data breaches among 1,200
survey participants.
http://www.scmagazine.com/vast-majority-of-americans-unsettled-about-data-breaches/article/526441/
National Cyber Security Centre HQ operational - The UK's new
National Cyber Security Centre (NCSC) officially opens for business
today as a public-facing part of GCHQ that acts as a focal point for
the government to deliver authoritative advice on tackling
cyber-security issues.
http://www.scmagazineuk.com/ncsc-will-be-based-in-the-nova-office-and-shopping-complex-near-victoria-station-in-london/article/526405/
SANS calls for admins to secure IoT devices as manufacturers drag
feet - With the timer set for a potential wave of high powered
IoT-botnet fueled DDoS attacks triggered by the release of the Mirai
source code, SANS Institute researchers are calling on system
administrators to do their part in securing connected devices as
they feel manufacturers have dragged their feet to address the
issue.
http://www.scmagazine.com/sans-calls-admins-to-arms-in-fight-of-iot-botnet-threat/article/527190/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Yahoo! data breach likely exceeds 500 million records - InfoArmor
is reporting that the Yahoo! data breach likely contains millions
more records than the 500-million figure now being bandied about and
the total number of user records that have been stolen by the
various groups involved in this and other recent hacks could total
3.5 billion.
http://www.scmagazine.com/yahoo-data-breach-likely-exceeds-500-million-records/article/525990/
Popular Russian boxing website compromised - A cybercriminal could
be risking a serious beating by compromising the popular Russian
boxing site allboxing[.]ru with a redirect to a third-party site
containing a Russian banking trojan.
http://www.scmagazine.com/popular-russian-boxing-website-compromised/article/525998/
Record-breaking DDoS reportedly delivered by >145k hacked cameras -
Last week, security news site KrebsOnSecurity went dark for more
than 24 hours following what was believed to be a record 620
gigabit-per-second denial of service attack brought on by an
ensemble of routers, security cameras, or other so-called Internet
of Things devices.
http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/
NSA contractor nabbed for pilfering agency codes - A National
Security Agency (NSA) contractor who worked for the same firm as
Edward Snowden was recently arrested for allegedly stealing
classified computer codes in 2014 that facilitate hacking into
foreign government networks.
http://www.scmagazine.com/nsa-contractor-nabbed-for-pilfering-agency-codes/article/527208/
ICO fines TalkTalk £400K for theft of customer data last year - Due
to its poor data security, which led to the theft of the personal
data of over 150,000 customers last year, TalkTalk has been fined
£400,000 by the Information Commissioner's Office (ICO).
http://www.scmagazine.com/ico-fines-talktalk-400k-for-theft-of-customer-data-last-year/article/527059/
WEB SITE COMPLIANCE -
We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS
(Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Stateful Inspection Firewalls
Stateful inspection firewalls are packet filters that monitor the
state of the TCP connection. Each TCP session starts with an
initial handshake communicated through TCP flags in the header
information. When a connection is established the firewall adds the
connection information to a table. The firewall can then compare
future packets to the connection or state table. This essentially
verifies that inbound traffic is in response to requests initiated
from inside the firewall.
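As an added illustration (not code from the booklet or this newsletter), the connection-table logic described above in Python: a filter that records inside-initiated TCP handshakes and admits inbound packets only for sessions found in the table. The inside network prefix, the flag strings and the sample addresses are assumptions.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # assumption: the protected (inside) network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST


class StatefulFirewall:
    def __init__(self):
        self.table = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def _key(self, pkt):
        # Normalise to the inside-initiated 4-tuple and note which side sent it.
        if pkt.src.startswith(INTERNAL_PREFIX):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport), "inside"
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport), "outside"

    def filter(self, pkt):
        key, origin = self._key(pkt)
        state = self.table.get(key)
        if "R" in pkt.flags and state:  # RST on a known session tears it down
            del self.table[key]
            return "ALLOW"
        if origin == "inside" and pkt.flags == "S":  # new outbound connection
            self.table[key] = "SYN_SENT"
            return "ALLOW"
        if origin == "outside" and pkt.flags == "SA":  # must answer our own SYN
            if state != "SYN_SENT":
                return "DROP"
            self.table[key] = "SYN_RECEIVED"
            return "ALLOW"
        if origin == "inside" and pkt.flags == "A" and state == "SYN_RECEIVED":
            self.table[key] = "ESTABLISHED"  # three-way handshake complete
            return "ALLOW"
        # Data, stray ACKs, unsolicited inbound SYNs and RSTs with no session
        # are admitted only when an established session exists in the table.
        return "ALLOW" if state == "ESTABLISHED" else "DROP"


def demo():
    # Constructed traffic: a full inside-initiated handshake plus server data,
    # then an unsolicited inbound SYN to an internal host (no table entry).
    fw = StatefulFirewall()
    client, server = ("10.0.0.5", 40000), ("203.0.113.10", 443)
    session = [Packet(*client, *server, "S"), Packet(*server, *client, "SA"),
               Packet(*client, *server, "A"), Packet(*server, *client, "A")]
    allowed = [fw.filter(p) for p in session]
    unsolicited = fw.filter(Packet("198.51.100.7", 5555, "10.0.0.5", 22, "S"))
    return allowed, unsolicited
```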
Proxy Server Firewalls
Proxy servers act as an intermediary between internal and external
IP addresses and block direct access to the internal network.
Essentially, they rewrite packet headers to substitute the IP of the
proxy server for the IP of the internal machine and forward packets
to and from the internal and external machines. Due to that limited
capability, proxy servers are commonly employed behind other
firewall devices. The primary firewall receives all traffic,
determines which application is being targeted, and hands off the
traffic to the appropriate proxy server. Common proxy servers are
the domain name server (DNS), Web server (HTTP), and mail (SMTP)
server. Proxy servers frequently cache requests and responses,
providing potential performance benefits. Additionally, proxy
servers provide another layer of access control by segregating the
flow of Internet traffic to support additional authentication and
logging capability, as well as content filtering. Web and e-mail
proxy servers, for example, are capable of filtering for potential
malicious code and application-specific commands.
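An added Python sketch (not from the booklet) of what the paragraph describes: the proxy substitutes its own address for the internal machine's, keeps a translation table so replies can be routed back, and applies an application-level check plus logging before forwarding. The proxy address, the allowed-method policy and the sample exchange are assumptions.

```python
from dataclasses import dataclass, replace
from itertools import count

PROXY_IP = "192.0.2.1"                     # assumption: the proxy's outside address
ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumption: the institution's policy


@dataclass(frozen=True)
class HttpMessage:
    src: str
    sport: int
    dst: str
    dport: int
    data: str  # request line (outbound) or status line (inbound)


class WebProxy:
    def __init__(self):
        self._ports = count(50000)  # proxy-side source ports handed out in order
        self.nat = {}   # proxy port -> (client ip, client port, server ip)
        self.log = []   # the extra logging layer the booklet mentions

    def outbound(self, req):
        # Application-layer check first, then substitute the proxy's address.
        method = req.data.split(" ", 1)[0]
        if method not in ALLOWED_METHODS:
            self.log.append(f"BLOCK {req.src}:{req.sport} {req.data}")
            return None
        pport = next(self._ports)
        self.nat[pport] = (req.src, req.sport, req.dst)
        self.log.append(f"ALLOW {req.src}:{req.sport} -> {req.dst} {req.data}")
        return replace(req, src=PROXY_IP, sport=pport)

    def inbound(self, resp):
        # Only a reply to a forwarded request, from the server it went to,
        # is translated back to the internal client; anything else is dropped.
        entry = self.nat.get(resp.dport)
        if entry is None or entry[2] != resp.src:
            self.log.append(f"DROP unsolicited {resp.src}:{resp.sport}")
            return None
        client_ip, client_port, _ = entry
        return replace(resp, dst=client_ip, dport=client_port)


def demo():
    # Constructed exchange: one allowed request and its reply, one blocked
    # method, and an inbound message that matches no forwarded request.
    proxy = WebProxy()
    req = HttpMessage("10.0.0.5", 40001, "203.0.113.10", 80, "GET /index.html HTTP/1.1")
    out = proxy.outbound(req)
    back = proxy.inbound(HttpMessage(req.dst, 80, PROXY_IP, out.sport, "HTTP/1.1 200 OK"))
    blocked = proxy.outbound(replace(req, data="TRACE / HTTP/1.1"))
    stray = proxy.inbound(HttpMessage("198.51.100.7", 80, PROXY_IP, 9999, "HTTP/1.1 200 OK"))
    return out, back, blocked, stray
```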
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.4.2.3 Obtaining the System and Related Security Activities
During this phase, the system is actually built or bought. If the
system is being built, security activities may include developing
the system's security aspects, monitoring the development process
itself for security problems, responding to changes, and monitoring
threats. Threats or vulnerabilities that may arise during the
development phase include Trojan horses, incorrect code, poorly
functioning development tools, manipulation of code, and malicious
insiders.
If the system is being acquired off the shelf, security activities
may include monitoring to ensure security is a part of market
surveys, contract solicitation documents, and evaluation of proposed
systems. Many systems use a combination of development and
acquisition. In this case, security activities include both sets.
As the system is built or bought, choices are made about the
system, which can affect security. These choices include selection
of specific off-the-shelf products, finalizing an architecture, or
selecting a processing site or platform. Additional security
analysis will probably be necessary.
In addition to obtaining the system, operational practices need to
be developed. These refer to human activities that take place around
the system such as contingency planning, awareness and training, and
preparing documentation. The chapters in the Operational Controls
section of this handbook discuss these areas. These areas, like
technical specifications, should be considered from the beginning of
the development and acquisition phase.
In federal government contracting, it is often useful if personnel
with security expertise participate as members of the source
selection board to help evaluate the security aspects of proposals.