OCC Official Testifies on Cybersecurity - The Office of the
Comptroller of the Currency’s Senior Critical Infrastructure Officer
Valerie Abend today discussed regulatory efforts to address cyber
threats and vulnerabilities and coordinate information sharing for
the benefit of the banking industry, regulatory community, and the
financial system during testimony before the U.S. Senate Committee
on Banking, Housing, and Urban Affairs.
- Judge rules that banks can sue Target for 2013 credit card hack -
On Tuesday, a District Court judge in Minnesota ruled [PDF] that a
group of banks can proceed to sue Target for negligence in the
December 2013 breach that resulted in the theft of 40 million
consumer credit card numbers as well as personal information on 70
TD Bank agrees to $625K breach settlement in Mass. - TD Bank has
agreed to pay a $625,000 settlement in the aftermath of a March 2012
data breach that occurred when two unencrypted backup tapes went
missing during a courier run between its offices in Haverhill and
58 percent of businesses do not have complete patch management
strategy - Although major vulnerabilities, such as Heartbleed and
ShellShock, were discovered this year, and data breaches dominated
headlines, IT security professionals are continuing to delay the
creation of thorough security plans and patching schedules, a new
A look back at the ever-changing information security industry -
Twenty-five years is a long time by any standard. But in the
Internet Age, it's literally an eternity.
Former Apple exec receives one year in prison, $4.5M fine, for
leaking information - A former executive at Apple was sentenced on
Friday to one year in prison for leaking company secrets and
receiving monetary compensation from vendors and suppliers.
German courts blocks extradition of top hacker - A top German court
has blocked the extradition of a Turkish man accused of stealing
close to $60 million in cyber attacks against credit card companies.
Sony Got Hacked Hard: What We Know and Don’t Know So Far - Who knew
that Sony’s top brass, a line-up of mostly white male executives,
earn $1 million and more a year? Or that the company spent half a
million this year in severance costs to terminate employees?
Tor a Big Source of Bank Fraud - A new report from the U.S. Treasury
Department found that a majority of bank account takeovers by
cyberthieves over the past decade might have been thwarted had
affected institutions known to look for and block transactions
coming through Tor, a global communications network that helps users
maintain anonymity by obfuscating their true location online.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Iranian hackers have broken into the networks of 50 governments and
critical infrastructure firms in 16 nations in the latest major
threat to come to light. A report from security company Cylance
details evidence that hackers from Iran have been hitting targets in
countries including the UK, the US, Canada, Germany and South Korea
from as far back as 2010.
Bebe confirms breach, says data exposed - Bebe has confirmed a data
breach that exposed customer payment card information and eventually
led to fraudulent activity on compromised accounts recently detected
by financial institutions.
Hacker collective targets PlayStation Network, causes service outage
- The same hacker collective that launched a distributed
denial-of-service (DDoS) attack on the Xbox Live service took down
another gaming network it had previously targeted.
St. Louis Parking Company says customer card info breached -
Customers credit and debit card information was compromised in a
data breach at a St. Louis parking lot.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Practices for Managing Outsourced E-Banking Systems
(Part 1 of 3)
1. Banks should adopt appropriate processes for evaluating
decisions to outsource e-banking systems or services.
a) Bank management should clearly identify the strategic purposes,
benefits and costs associated with entering into outsourcing
arrangements for e-banking with third parties.
b) The decision to outsource a key e-banking function or service
should be consistent with the bank's business strategies, be based
on a clearly defined business need, and recognize the specific risks
that outsourcing entails.
c) All affected areas of the bank need to understand how the
service provider(s) will support the bank's e-banking strategy and
fit into its operating structure.
2. Banks should conduct appropriate risk analysis and due diligence
prior to selecting an e-banking service provider and at appropriate
a) Banks should consider developing processes for soliciting
proposals from several e-banking service providers and criteria for
choosing among the various proposals.
b) Once a potential service provider has been identified, the bank
should conduct an appropriate due diligence review, including a risk
analysis of the service provider's financial strength, reputation,
risk management policies and controls, and ability to fulfill its
c) Thereafter, banks should regularly monitor and, as appropriate,
conduct due diligence reviews of the ability of the service provider
to fulfill its service and associated risk management obligations
throughout the duration of the contract.
d) Banks need to ensure that adequate resources are committed to
overseeing outsourcing arrangements supporting e-banking.
e) Responsibilities for overseeing e-banking outsourcing
arrangements should be clearly assigned.
f) An appropriate exit strategy for the bank to manage risks
should it need to terminate the outsourcing relationship.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 2 of 4)
"Tuning" refers to the creation of signatures that
can distinguish between normal network traffic and potentially
malicious traffic. Proper tuning of these IDS units is essential to
reliable detection of both known attacks and newly developed
attacks. Tuning of some signature - based units for any particular
network may take an extended period of time, and involve extensive
analysis of expected traffic. If an IDS is not properly tuned, the
volume of alerts it generates may degrade the intrusion
identification and response capability.
Signatures may take several forms. The simplest form is the URL
submitted to a Web server, where certain references, such as
cmd.exe, are indicators of an attack. The nature of traffic to and
from a server can also serve as a signature. An example is the
length of a session and amount of traffic passed. A signature method
meant to focus on sophisticated attackers is protocol analysis, when
the contents of a packet or session are analyzed for activity that
violates standards or expected behavior. That method can catch, for
instance, indicators that servers are being attacked using Internet
control message protocol (ICMP).
Switched networks pose a problem for network IDS. Switches
ordinarily do not broadcast traffic to all ports, and a network IDS
may need to see all traffic to be effective. When switches do not
have a port that receives all traffic, the financial institution may
have to alter their network to include a hub or other device to
allow the IDS to monitor traffic.
Encrypted network traffic will drastically reduce the effectiveness
of a network IDS. Since a network IDS only reads traffic and does
not decrypt the traffic, encrypted traffic will avoid detection.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
Audit trails involve many costs. First, some system overhead is
incurred recording the audit trail. Additional system overhead will
be incurred storing and processing the records. The more detailed
the records, the more overhead is required. Another cost involves
human and machine time required to do the analysis. This can be
minimized by using tools to perform most of the analysis. Many
simple analyzers can be constructed quickly (and cheaply) from
system utilities, but they are limited to audit reduction and
identifying particularly sensitive events. More complex tools that
identify trends or sequences of events are slowly becoming available
as off-the-shelf software. (If complex tools are not available for a
system, development may be prohibitively expensive. Some intrusion
detection systems, for example, have taken years to develop.)
The final cost of audit trails is the cost of investigating
anomalous events. If the system is identifying too many events as
suspicious, administrators may spend undue time reconstructing
events and questioning personnel.