FYI - NJ law requires health insurance carriers to
encrypt sensitive data - New Jersey has passed a law requiring
health insurance carriers to encrypt sensitive patient data.
http://www.scmagazine.com/christie-signs-bill-to-protect-personal-information/article/392123/
FYI - Warning over data
grabbed by smart gadgets - A "deeply personal" picture of every
consumer could be grabbed by futuristic smart gadgets, the chair of
the US Federal Trade Commission has warned.
http://www.bbc.com/news/technology-30705361
FYI - Manhattan District
Attorney speaks out against default device encryption -
Device-makers should be required to give law enforcement access to
users' data, Manhattan District Attorney Cyrus Vance said earlier
this week.
http://www.scmagazine.com/cyrus-vance-bashes-google-and-apple-devices-automatic-encryption/article/391880/
FYI - Congressman presses
KeyPoint for answers following data breach - A ranking member of the
House Committee on Oversight and Government Reform is seeking
answers regarding the KeyPoint Government Solutions data breach that
impacted more than 40,000 federal workers.
http://www.scmagazine.com/congressman-presses-keypoint-for-answers-following-data-breach/article/391691/
FYI - Zappos must pay $106K
post-breach - Zappos must pay nine states $106,000 in a settlement
reached after a 2012 data breach potentially exposed data on a
server that contained information on the online shoe retailer's 24
million customers.
http://www.scmagazine.com/shoe-retailer-settled-with-nine-states/article/391696/
FYI - Obama to call for
national breach notification law, student privacy bill - President
Obama will continue to apply his influence (and pen) to jump-start
the legislative process on key issues, this time by proposing a pair
of laws aimed at creating federal data breach legislation as well as
protecting the privacy of student data.
http://www.scmagazine.com/state-of-the-union-speech-will-outline-privacy-and-data-protection/article/392127/
FYI - UK PM looking to outlaw
encrypted online communication - UK Prime Minister David Cameron
wants to legislate against forms of communication that cannot be
read by law-enforcement and intelligence agencies.
http://www.zdnet.com/article/uk-pm-looking-to-outlaw-encrypted-online-communication/
FYI - Energy Department
releases energy sector cybersecurity framework - Energy companies
and utilities should develop risk management strategies and
incorporate cyber best practices into their security procedures,
according to voluntary guidance released by the Energy Department.
http://www.federaltimes.com/story/government/cybersecurity/2015/01/09/energy-cybersecurity-framework/21500813/
FYI - Ex-Microsoft Bug Bounty
dev forced to decrypt laptop for Paris airport official - Airside
Clouseau in search of something, anything - Paris airport security
went one step further than simply asking a security expert to power
up her laptop - they requested she type in her password to decrypt
her hard drive and log into the machine.
http://www.theregister.co.uk/2015/01/06/former_ms_bug_bounty_program_developer_forced_into_paris_laptop_decryption/
FYI - Track down hacks with
log files - Any system can collect logs, but most security
operations do a poor job of filtering them to find evidence of
malicious activity. Here's where to start - Most malicious computer
attacks leave telltale evidence in the victim's security event logs.
The Verizon Data Breach Investigation Reports have been bringing
word on this for many years.
http://www.infoworld.com/article/2865292/security/have-you-been-hacked-get-your-logs-in-order-to-find-out.html
FYI - Survey: most orgs not
very prepared to recover IT assets following a disaster - A cloud
services company conducted its “2015 Disaster Recovery & Business
Continuity Survey” with more than 2,000 executive and IT
professionals, and, in the end, learned that less than half feel
very prepared to recover their IT and related assets following a
disaster or other incident.
http://www.scmagazine.com/more-than-a-third-surveyed-said-their-orgs-suffered-an-incident-or-outage/article/392593/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Got an Asus router?
Someone on your network can probably hack it - Root command
execution bug invades most wireless routers. If you're running an
Asus wireless router, chances are good that someone inside your
network can take full administrative control of it thanks to a
currently unpatched vulnerability in virtually all versions of the
firmware, a security researcher said.
http://arstechnica.com/security/2015/01/got-an-asus-router-someone-on-your-network-can-probably-hack-it/
FYI - Hackers steal $5M in
bitcoin currency during Bitstamp exchange attack - Attackers made
off with approximately $5 million worth of bitcoins after hacking
the Bitstamp exchange over the weekend.
http://www.computerworld.com/article/2865800/hackers-steal-5m-in-bitcoin-currency-during-bitstamp-exchange-attack.html
FYI - Pro-ISIS attackers
compromise U.S. Central Command Twitter and YouTube accounts - U.S.
Central Command confirmed to SCMagazine.com that two of its social
media accounts were hacked on Monday afternoon.
http://www.scmagazine.com/us-central-command-social-media-accounts-hacked/article/392128/
http://www.bbc.com/news/world-us-canada-30785232
FYI - Computer stolen,
contained info on 1,000 Inland Empire Health Plan members -
California-based Inland Empire Health Plan (IEHP) is notifying more
than a thousand members that an unencrypted, password protected
desktop computer containing personal information was stolen from
Children's Eyewear Sight, a participating provider with IEHP that
provides vision services.
http://www.scmagazine.com/computer-stolen-contained-info-on-1000-inland-empire-health-plan-members/article/392016/
FYI - A Cyberattack Has Caused
Confirmed Physical Damage for the Second Time Ever - Amid all the
noise the Sony hack generated over the holidays, a far more
troubling cyber attack was largely lost in the chaos. Unless you
follow security news closely, you likely missed it.
http://www.wired.com/2015/01/german-steel-mill-hack-destruction/
FYI - Stolen credentials used
to access United Airlines' MileagePlus accounts - The login
credentials came from an unidentified third party - Three dozen
loyalty accounts belonging to United Airlines customers saw
fraudulent transactions after hackers used login credentials
collected from an unknown source.
http://www.computerworld.com/article/2867241/security0/stolen-credentials-used-to-access-united-airlines-mileageplus-accounts.html
FYI - POS malware threatens
payment cards used at Marriott in California - Texas-based hotel
management company Presidian is notifying an undisclosed number of
individuals that malware was found on three point-of-sale (POS)
terminals used at food and beverage outlets in the Visalia Marriott
at the Convention Center in California, and their payment card
information may have been compromised.
http://www.scmagazine.com/pos-malware-threatens-payment-cards-used-at-marriott-in-california/article/392341/
FYI - Payment cards used on
Park 'N Fly website are at risk - Georgia-based parking operator
Park ‘N Fly (PNF) is notifying an undisclosed number of individuals
of a security compromise involving payment card data processed
through the PNF e-commerce website.
http://www.scmagazine.com/security-breach-compromised-parking-customers-payment-data/article/392458/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Sound Practices to Help Maintain the Privacy of Customer
E-Banking Information
1. Banks should employ appropriate cryptographic techniques,
specific protocols or other security controls to ensure the
confidentiality of customer e-banking data.
2. Banks should develop appropriate procedures and controls to
periodically assess their customer security infrastructure and
protocols for e-banking.
3. Banks should ensure that their third-party service providers have
confidentiality and privacy policies that are consistent with their
own.
4. Banks should take appropriate steps to inform e-banking customers
about the confidentiality and privacy of their information. These
steps may include:
a) Informing customers of the bank's privacy policy, possibly
on the bank's website. Clear, concise language in such statements is
essential to assure that the customer fully understands the privacy
policy. Lengthy legal descriptions, while accurate, are likely to go
unread by the majority of customers.
b) Instructing customers on the need to protect their
passwords, personal identification numbers (PINs) and other banking
and/or personal data.
c) Providing customers with information regarding the general
security of their personal computer, including the benefits of using
virus protection software, physical access controls and personal
firewalls for static Internet connections.
FFIEC IT SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 1 of 2)
Intrusion detection by itself does not mitigate risks of an
intrusion. Risk mitigation only occurs through an effective and
timely response. The goal of the response is to minimize damage to
the institution and its customers through containment of the
intrusion, and restoration of systems.
The response primarily involves people rather than technologies. The
quality of intrusion response is a function of the institution's
culture, policies and procedures, and training.
Preparation determines the success of any intrusion response.
Preparation involves defining the policies and procedures that guide
the response, assigning responsibilities to individuals and
providing appropriate training, formalizing information flows, and
selecting, installing, and understanding the tools used in the
response effort. Key considerations that directly affect the
institution's policies and procedures include the following:
- How to balance concerns regarding availability, confidentiality,
and integrity, for devices and data of different sensitivities. This
consideration is a key driver for a containment strategy and may
involve legal and liability considerations. An institution may
decide that some systems must be disconnected or shut down at the
first sign of intrusion, while others must be left on line.
- When and under what circumstances to invoke the intrusion response
activities, and how to ensure the proper personnel are available and
notified.
- How to control the frequently powerful intrusion identification
and response tools.
- When to involve outside experts and how to ensure the proper
expertise will be available when needed. This consideration
addresses both the containment and the restoration strategy.
- When and under what circumstances to involve regulators,
customers, and law enforcement. This consideration drives certain
monitoring decisions, decisions regarding evidence-gathering and
preservation, and communications considerations.
- Which personnel have authority to perform what actions in
containment of the intrusion and restoration of the systems. This
consideration affects the internal communications strategy, the
commitment of personnel, and procedures that escalate involvement
and decisions within the organization.
- How and what to communicate outside the organization, whether to
law enforcement, customers, service providers, potential victims,
and others. This consideration drives the communication strategy,
and is a key component in mitigating reputation risk.
- How to document and maintain the evidence, decisions, and actions
taken.
- What criteria must be met before compromised services, equipment
and software are returned to the network.
- How to learn from the intrusion and use those lessons to improve
the institution's security.
- How and when to prepare and file a Suspicious Activities Report
(SAR).
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 19 - CRYPTOGRAPHY
19.2 Uses of Cryptography
Cryptography is used to protect data both inside and outside the
boundaries of a computer system. Outside the computer system,
cryptography is sometimes the only way to protect data. While in a
computer system, data is normally protected with logical and physical
access controls (perhaps supplemented by cryptography). However, when
in transit across communications lines or resident on someone else's
computer, data cannot be protected by the originator's logical or
physical access controls. Cryptography provides a solution by
protecting data even when the data is no longer in the control of the
originator.
19.2.1 Data Encryption
One of the best ways to obtain cost-effective data confidentiality is
through the use of encryption. Encryption transforms intelligible
data, called plaintext, into an unintelligible form, called
ciphertext. This process is reversed through the process of
decryption. Once data is encrypted, the ciphertext does not have to be
protected against disclosure. However, if ciphertext is modified, it
will not decrypt correctly.
Both secret key and public key cryptography can be
used for data encryption although not all public key algorithms
provide for data encryption.
To use a secret key algorithm, data is encrypted
using a key. The same key must be used to decrypt the data.
When public key cryptography is used for
encryption, any party may use any other party's public key to
encrypt a message; however, only the party with the corresponding
private key can decrypt, and thus read, the message.
Since secret key encryption is typically much
faster, it is normally used for encrypting larger amounts of data.
19.2.2 Integrity
In computer systems, it is not always possible for humans to scan
information to determine if data has been erased, added, or modified.
Even if scanning were possible, the individual may have no way of
knowing what the correct data should be. For example, "do" may be
changed to "do not," or $1,000 may be changed to $10,000. It is
therefore desirable to have an automated means of detecting both
intentional and unintentional modifications of data.
While error detecting codes have long been used in
communications protocols (e.g., parity bits), these are more
effective in detecting (and correcting) unintentional modifications.
They can be defeated by adversaries. Cryptography can effectively
detect both intentional and unintentional modification; however,
cryptography does not protect files from being modified. Both secret
key and public key cryptography can be used to ensure integrity.
Although newer public key methods may offer more flexibility than
the older secret key method, secret key integrity verification
systems have been successfully integrated into many applications.
When secret key cryptography is used, a
message authentication code (MAC) is calculated from and appended to
the data. To verify that the data has not been modified at a later
time, any party with access to the correct secret key can
recalculate the MAC. The new MAC is compared with the original MAC,
and if they are identical, the verifier has confidence that the data
has not been modified by an unauthorized party. FIPS 113,
Computer Data Authentication,
specifies a standard technique for calculating a MAC for integrity
verification.
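Added example, not from the NIST Handbook: it contrasts a keyless error-detecting code with a keyed MAC on the handbook's own "$1,000 changed to $10,000" case, showing why the former is defeated by an adversary who recomputes it while the latter is not. The messages, the key and the use of HMAC-SHA256 in place of the FIPS 113 algorithm are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed sample messages: the handbook's "$1,000 changed to $10,000" case.
ORIGINAL = b"transfer $1,000 to account 12345"
TAMPERED = b"transfer $10,000 to account 12345"
# Constructed demo key (assumption); a real key comes from key management.
SECRET_KEY = b"constructed-demo-key-not-for-production"

def crc_tag(data: bytes) -> int:
    """Error-detecting code (CRC-32): keyless, so anyone can recompute it."""
    return zlib.crc32(data)

def crc_check(data: bytes, tag: int) -> bool:
    return zlib.crc32(data) == tag

def mac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed MAC over the data; HMAC-SHA256 stands in for the FIPS 113 MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()

def mac_check(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so a mismatch leaks no timing hint.
    return hmac.compare_digest(mac_tag(key, data), tag)

def integrity_demo() -> dict:
    """Return which check catches which kind of modification."""
    crc = crc_tag(ORIGINAL)
    mac = mac_tag(SECRET_KEY, ORIGINAL)
    # Unintentional modification: one bit flipped in transit, tags unchanged.
    bit_flip = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]
    # Intentional modification: the adversary rewrites the amount and, because
    # a CRC needs no key, recomputes a matching CRC. The MAC cannot be
    # recomputed without SECRET_KEY, so only the stale MAC can accompany it.
    forged_crc = crc_tag(TAMPERED)
    return {
        "crc_detects_bit_flip": not crc_check(bit_flip, crc),            # True
        "mac_detects_bit_flip": not mac_check(SECRET_KEY, bit_flip, mac),  # True
        "crc_detects_forgery": not crc_check(TAMPERED, forged_crc),       # False
        "mac_detects_forgery": not mac_check(SECRET_KEY, TAMPERED, mac),  # True
        "mac_accepts_original": mac_check(SECRET_KEY, ORIGINAL, mac),     # True
    }

if __name__ == "__main__":
    for name, detected in integrity_demo().items():
        print(f"{name}: {detected}")
```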
Public key cryptography verifies integrity by using public key
signatures and secure hashes. A secure hash algorithm is used to
create a message digest. The message digest, called a hash, is a
short form of the message that changes if the message is modified.
The hash is then signed with a private key. Anyone can recalculate the
hash and use the corresponding public key to verify the integrity of
the message.