- Remarks of Deputy Secretary Raskin at The Texas Bankers’
Association Executive Leadership Cybersecurity Conference -
Cybersecurity for Banks: 10 Questions for Executives and their
- Infosec checklists becoming common, but they're not magic -
Security checklists like the Australian Signals Directorate's Top 4
Mitigation Strategies are valuable, but to treat them as universal
compliance mechanisms is a mistake. A risk-based approach is
- Credit unions urge Congress to enforce security standards for
retailers - A credit union trade group is urging Congress to take
proactive steps in establishing national data security standards for
- Beth Israel medical center to pay $100K over data breach - In
addition to bolstering the security of the sensitive information it
manages, the Beth Israel Deaconess Medical Center (BIDMC) in Boston
has agreed to pay a $100,000 fine related to its 2012 data breach.
- Bank and account phishing tops list of U.S. SMS attacks - Bank and
account phishing has become the top SMS attack in the U.S. in recent
months, overtaking spam and other scams targeting mobile devices,
according to new research from Cloudmark.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Sony Pictures films leaked online following cyber attack - Nearly
a week after its network was hacked, Sony Pictures Entertainment had
multiple films leaked online.
- Phishing campaign spoofs emails from Costco, Home Depot - It's no
surprise to discover that cybercriminals are leveraging the uptick
in holiday shopping to further spread their malicious campaigns.
- Malware installed at 17 parking facilities, payment cards at risk
- Parking facility service provider SP+ announced that customer
payment card data may be at risk, including cardholder names, card
numbers, expiration dates, and verification codes.
- Shutterfly Inc. websites have user data compromised - Tiny Prints,
a cardstock vendor and part of Shutterfly Inc.'s brand portfolio,
revealed that its systems were compromised in an attack that exposed
user email addresses and encrypted passwords.
- Godiva notifies employees of stolen laptop containing their data -
Chocolate maker Godiva is notifying an undisclosed number of
employees that a suitcase containing a laptop was stolen from the
rental car of a human resources employee and their personal
information – including Social Security numbers – could be at risk.
- Phishing scam that penetrated Wall Street just might work against
you, too - Researchers have uncovered a group of Wall Street-savvy
hackers that has penetrated the e-mail accounts of more than 100
companies, a feat that has allowed them to obtain highly valuable
plans concerning corporate acquisitions and other insider
- Unauthorized intruders gain access to ART Payroll database -
Specialized payroll service American Residuals and Talent (ART
Payroll) is notifying current and former clients and their employees
that unauthorized intruders gained access to an ART Payroll database
and may have compromised their data.
- Anonymous takes down Fort Lauderdale city websites in "Operation
Lift the Bans" - Upset with the city of Fort Lauderdale's recent
ordinances that regulate the city's homeless, hacktivist collective
Anonymous launched a denial-of-service attack on city websites
- N.C. hospital patient info accessible via internet for longer than
two years - Highlands-Cashiers Hospital in North Carolina is
notifying about 25,000 patients that their personal information –
including Social Security numbers – was accessible via the internet
for longer than two years.
- Retailer Bebe suffers breach, stolen cards sold online - Bebe, a
women's clothing chain, is apparently the latest retailer targeted
in a data breach, with fraudulent charges showing up on credit
- Visionworks announces second data incident affecting 48K Florida
customers - Less than two weeks after issuing a similar statement in
November, Texas-based eye care services provider Visionworks
announced it is notifying approximately 48,000 customers who
received services at its Mall of the Avenues location in
Jacksonville, FL that a database server containing their personal
information is missing.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Security Control Practices for E-Banking
1. Security profiles should be created and maintained and specific
authorization privileges assigned to all users of e-banking systems
and applications, including all customers, internal bank users and
outsourced service providers. Logical access controls should also be
designed to support proper segregation of duties.
2. E-banking data and systems should be classified according to
their sensitivity and importance and protected accordingly.
Appropriate mechanisms, such as encryption, access control and data
recovery plans should be used to protect all sensitive and high-risk
e-banking systems, servers, databases and applications.
3. Storage of sensitive or high-risk data on the organization's
desktop and laptop systems should be minimized and properly
protected by encryption, access control and data recovery plans.
4. Sufficient physical controls should be in place to deter
unauthorized access to all critical e-banking systems, servers,
databases and applications.
5. Appropriate techniques should be employed to mitigate external
threats to e-banking systems, including the use of:
a) Virus-scanning software at all critical entry points (e.g.
remote access servers, e-mail proxy servers) and on each desktop
b) Intrusion detection software and other security assessment
tools to periodically probe networks, servers and firewalls for
weaknesses and/or violations of security policies and controls.
c) Penetration testing of internal and external networks.
6. A rigorous security review process should be applied to all
employees and service providers holding sensitive positions.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 1 of 4)
Automated intrusion detection systems (IDS) use one of two
methodologies, signature and heuristics. An IDS can target either
network traffic or a host. The signature-based methodology is
generally used on network traffic. An IDS that uses a
signature-based methodology reads network packets and compares the
content of the packets against signatures, or unique
characteristics, of known attacks and known anomalous network
traffic. When a match is recognized between current readings and a
signature, the IDS generates an alert.
A general weakness in the signature-based detection method is that
a signature must exist for an alert to be generated. Attacks that
generate different signatures from what the institution includes in
its IDS will not be detected. This problem can be particularly acute
if the institution does not continually update its signatures to
reflect lessons learned from attacks on itself and others, as well
as developments in attack tool technologies. It can also pose
problems when the signatures only address known attacks, rather than
both known attacks and anomalous traffic. Another general weakness
is in the capacity of the IDS to read traffic. If the IDS falls
behind in reading network traffic, traffic may be allowed to bypass
the IDS. That traffic may contain attacks that would otherwise cause
the IDS to issue an alert.
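As an added illustration of the two weaknesses just described (this is example code, not part of the FFIEC booklet), here is a toy signature-based IDS in Go: a signature list, a batch of constructed packets, and a per-batch inspection capacity that, once exceeded, lets the remaining packets through uninspected. The type names, the "EVIL-TOOL" banner and the sample requests are all assumptions of the example.

```go
package main

import (
	"bytes"
	"fmt"
)

// Signature names a byte pattern that identifies a known attack in packet content.
type Signature struct {
	Name    string
	Pattern []byte
}
// SignatureIDS matches payloads against its signatures, inspecting at most
// Capacity packets per batch; the rest pass through uninspected ("falls behind").
type SignatureIDS struct {
	Signatures []Signature
	Capacity   int
	Bypassed   int // packets that were never inspected
}

// Inspect returns one "packet#:signature" alert per match in the batch.
func (ids *SignatureIDS) Inspect(batch [][]byte) []string {
	var alerts []string
	if len(batch) > ids.Capacity {
		ids.Bypassed += len(batch) - ids.Capacity
		batch = batch[:ids.Capacity]
	}
	for i, payload := range batch {
		for _, s := range ids.Signatures {
			if bytes.Contains(payload, s.Pattern) {
				alerts = append(alerts, fmt.Sprintf("%d:%s", i, s.Name))
			}
		}
	}
	return alerts
}

func main() {
	// Constructed sample traffic: benign request, known toy banner, unknown variant.
	packets := [][]byte{
		[]byte("GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n"),
		[]byte("GET /admin HTTP/1.1\r\nUser-Agent: EVIL-TOOL/1.0\r\n"),
		[]byte("GET /admin HTTP/1.1\r\nUser-Agent: EVIL-TOOL/1.1\r\n"),
	}
	sigs := []Signature{{Name: "known-scanner-banner", Pattern: []byte("EVIL-TOOL/1.0")}}
	fast := &SignatureIDS{Signatures: sigs, Capacity: 10}
	fmt.Println("keeping up:", fast.Inspect(packets), "(1.1 variant missed)")
	slow := &SignatureIDS{Signatures: sigs, Capacity: 1}
	fmt.Println("falling behind:", slow.Inspect(packets), "bypassed:", slow.Bypassed)
}
```

The first run alerts only on packet 1 because no signature covers the 1.1 variant; the second run, with capacity for one packet per batch, sees only the benign packet and silently passes the other two.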
Proper placement of network IDS is a strategic decision determined
by the information the institution is trying to obtain. Placement
outside the firewall will deliver IDS alarms related to all attacks,
even those that are blocked by the firewall. With this information,
an institution can develop a picture of potential adversaries and
their expertise based on the probes they issue against the network.
Because the placement is meant to gain intelligence on attackers
rather than to alert on attacks, tuning generally makes the IDS less
sensitive than if it is placed inside the firewall. An IDS outside
the firewall will generally alert on the greatest number of
unsuccessful attacks. IDS monitoring behind the firewall is meant to
detect and alert on hostile intrusions. Multiple IDS units can be
used, with placement determined by the expected attack paths to
sensitive data. Generally speaking, the closer the IDS is to
sensitive data, the more important the tuning, monitoring, and
response to IDS alerts. The National Institute of Standards and
Technology (NIST) recommends network intrusion detection systems "at
any location where network traffic from external entities is allowed
to enter controlled or private networks."
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
The ability to audit supports many of the controls presented in this
handbook. The following paragraphs describe some of the most
Policy. The most fundamental interdependency of audit trails
is with policy. Policy dictates who is authorized access to what
system resources. Therefore it specifies, directly or indirectly,
what violations of policy should be identified through audit trails.
Assurance. System auditing is an important aspect of
operational assurance. The data recorded into an audit trail is used
to support a system audit. The analysis of audit trail data and the
process of auditing systems are closely linked; in some cases, they
may even be the same thing. In most cases, the analysis of audit
trail data is a critical part of maintaining operational assurance.
Identification and Authentication. Audit trails are tools
often used to help hold users accountable for their actions. To be
held accountable, the users must be known to the system (usually
accomplished through the identification and authentication process).
However, as mentioned earlier, audit trails record events and
associate them with the perceived user (i.e., the user ID). If a
user is impersonated, the audit trail will establish events but not
the identity of the user.
Logical Access Control. Logical access controls restrict the
use of system resources to authorized users. Audit trails complement
this activity in two ways. First, they may be used to identify
breakdowns in logical access controls or to verify that access
control restrictions are behaving as expected, for example, if a
particular user is erroneously included in a group permitted access
to a file. Second, audit trails are used to audit use of resources
by those who have legitimate access. Additionally, to protect audit
trail files, access controls are used to ensure that audit trails
are not modified.
Contingency Planning. Audit trails assist in contingency
planning by leaving a record of activities performed on the system
or within a specific application. In the event of a technical
malfunction, this log can be used to help reconstruct the state of
the system (or specific files).
Incident Response. If a security incident occurs, such as
hacking, audit records and other intrusion detection methods can be
used to help determine the extent of the incident. For example, was
just one file browsed, or was a Trojan horse planted to collect
Cryptography. Digital signatures can be used to protect
audit trails from undetected modification. (This does not prevent
deletion or modification of the audit trail, but will provide an
alert that the audit trail has been altered.) Digital signatures can
also be used in conjunction with adding secure time stamps to audit
records. Encryption can be used if confidentiality of audit trail
information is important.
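An added example (not from the NIST handbook) of the Cryptography paragraph: each audit record carries a sequence number and a time stamp and is signed with ed25519 from Go's standard library, so any later modification is reported rather than prevented. The sequence number goes a little beyond the text by also flagging a record deleted from the middle of the trail (truncating the tail is still not detected). Record, Append, Verify and the fixed demo seed are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Record is one audit-trail entry: sequence number, time stamp from the logging
// system, the user ID the system associated with the event, the event, and an
// ed25519 signature over the first four fields.
type Record struct {
	Seq   uint64
	Stamp int64 // seconds since the epoch
	User  string
	Event string
	Sig   []byte
}

// canonical is the exact byte string that is signed; %q quotes the strings so
// a user name or event text containing "|" cannot forge a field boundary.
func canonical(r Record) []byte {
	return []byte(fmt.Sprintf("%d|%d|%q|%q", r.Seq, r.Stamp, r.User, r.Event))
}

// Append signs a new record with the logger's private key and adds it to the trail.
func Append(trail []Record, key ed25519.PrivateKey, stamp int64, user, event string) []Record {
	r := Record{Seq: uint64(len(trail)), Stamp: stamp, User: user, Event: event}
	r.Sig = ed25519.Sign(key, canonical(r))
	return append(trail, r)
}

// Verify returns -1 if every record is intact and in sequence, otherwise the
// index of the first record that was altered, inserted, or follows a deletion.
func Verify(trail []Record, pub ed25519.PublicKey) int {
	for i, r := range trail {
		if r.Seq != uint64(i) || !ed25519.Verify(pub, canonical(r), r.Sig) {
			return i
		}
	}
	return -1
}

func main() {
	// Fixed 32-byte seed for a reproducible demo; a real logger uses ed25519.GenerateKey.
	key := ed25519.NewKeyFromSeed([]byte("constructed-32-byte-demo-seed!!!"))
	pub := key.Public().(ed25519.PublicKey)
	trail := Append(nil, key, 1417478400, "alice", "login ok")
	trail = Append(trail, key, 1417478460, "alice", "read /hr/salaries.xls")
	fmt.Println("intact trail verifies:", Verify(trail, pub) == -1)
	trail[1].User = "bob" // rewriting history: the signature no longer matches
	fmt.Println("first bad record:", Verify(trail, pub))
}
```

Keep the private key off the audited host and the public key with the auditor; the point of a signature over the log, as opposed to the encryption mentioned last in the paragraph, is that verification needs no secret.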