FYI
- Army Reserve pilots management tool for cyber talent - While many
agencies struggle to find and hire cybersecurity workers, the Army
Reserve is working on a way to identify the cyber skills already
present in its current cadre.
https://gcn.com/articles/2017/01/26/army-reserve-cyber-talent.aspx?admgarea=TC_SecCybersSec
Two researchers report 200 bugs in Trend Micro tools - Trend Micro
may be one of the world's biggest vendors of cybersecurity
solutions, but that hasn't made it immune from hacks into its
software, according to a report on Forbes.
https://www.scmagazine.com/two-researchers-report-200-bugs-in-trend-micro-tools/article/634095/
Ethical hackers: A question of choice - Traditionally, ethical
hackers disclosed their findings for a nod and, perhaps, a bug
bounty. With stakes only getting higher, might they be lured with
big payouts from questionable sources?
https://www.scmagazine.com/ethical-hackers-a-question-of-choice/article/634394/
Americans don't trust others to secure their data, neglect to secure
themselves - A recent study found that despite their distrust in
companies to properly secure personal data, Americans frequently
neglect to follow best practices when securing data themselves.
https://www.scmagazine.com/study-finds-americans-dont-trust-companies-with-their-data-or-secure-themselves/article/634430/
Organizations deploying emerging tech without ensuring data security
first - In a classic case of putting the cart before the horse, too
many organizations are deploying emerging technologies before they
can shore up appropriate levels of data security.
https://www.scmagazine.com/survey-organizations-deploying-emerging-tech-without-ensuring-data-security-first/article/634724/
Houston home to the most infected computers - The old saying that
everything is bigger in Texas unfortunately also holds true when it
comes to the number of malware infected computers.
https://www.scmagazine.com/houston-home-to-the-most-infected-computers-webroot/article/634546/
Federal agencies leasing in foreign owned buildings may cause
cyberespionage risks - Several federal agencies may be at risk of
cyberespionage as a result of leasing space in foreign-owned
buildings, a recent Government Accountability Office (GAO) report
found.
https://www.scmagazine.com/gao-calls-for-probe-into-federal-agencies-renting-from-foreign-owned-entities/article/634851/
Acer fined $115K for breach - Following a breach, the Taiwan-based
computer manufacturer Acer will pay $115,000 and improve its
security practices in a settlement with the New York State Attorney
General (NYSAG) Eric T. Schneiderman.
https://www.scmagazine.com/acer-fined-115k-for-breach/article/635155/
Bank Account-ability SWIFT demands action from members as threat of
cyberheists looms large - Under siege from hackers looking to steal
hundreds of millions from its user base, the financial messaging
services provider known as SWIFT has been pressuring, cajoling and
even threatening its member banks to deploy better defenses and
share cyber intelligence.
https://www.scmagazine.com/bank-account-ability-swift-demands-action-from-members-as-threat-of-cyberheists-looms-large/article/635526/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Delta cancels 110 flights this morning, in after-effect of
computer disruption - Delta passengers wait in line at
Hartsfield-Jackson International Airport after Delta Air Lines
grounded all domestic flights due to automation issues, Sunday, Jan.
29, 2017, in Atlanta.
http://www.startribune.com/delta-us-flights-grounded-due-to-automation-issues/412103733/
Police camera system in D.C. hit with ransomware - The CCTV cameras
that police in D.C. use to monitor public areas were shuttered for
three days - a week before the presidential inauguration - when a
cyberattack hit the system's network of recorders.
https://www.scmagazine.com/police-camera-system-in-dc-hit-with-ransomware/article/634545/
Telemarketing firm leaks 400K call recordings, some containing
payment data - The firm has previously gotten in trouble for the
mishandling of customer data. As a result of a misconfigured
database which was left open, Florida-based telemarketing firm VICI
Marketing has leaked around 400,000 phone call recordings.
https://www.scmagazine.com/telemarketing-firm-leaks-400k-call-recordings-some-containing-payment-data/article/634540/
Hotel hit by ransomware attack, report of guests trapped untrue -
Some reports surfaced which claimed that guests of the hotel were
locked in their room but the hotel manager refuted such claims
saying that hotel building regulations don't allow this to happen.
https://www.scmagazine.com/hotel-hit-by-ransomware-attack-report-of-guests-trapped-untrue/article/634732/
http://www.theregister.co.uk/2017/01/30/austrian_hotel_ransomware_attack/
Sunrun hit with spearphishing attack, W-2 forms compromised - Solar
panel maker Sunrun was hit with a spearphishing attack that got away
with the company employee W-2 information.
https://www.scmagazine.com/sunrun-hit-with-spearphishing-attack-w-2-forms-compromised/article/634742/
Unsealed docs shed new light on St. Louis Cardinals MLB hacking case
- Newly unsealed court documents have revealed the extensive case
that U.S. prosecutors had built against Chris Correa, the former St.
Louis Cardinals front-office executive who last year pleaded guilty
to hacking into the Houston Astros' email and player scouting
databases.
https://www.scmagazine.com/unsealed-docs-shed-new-light-on-st-louis-cardinals-mlb-hacking-case/article/634562/
Texas cops lose evidence going back eight years in ransomware attack
- Cockrell Hill, Texas has a population of just over 4,000
souls and a police force that managed to lose eight years of
evidence when a departmental server was compromised by ransomware.
http://www.theregister.co.uk/2017/01/27/texas_cops_lose_evidence_going_back_eight_years_in_ransomware_attack/
Cyber Attack Confirmed to Be the Cause of the Power Outage in the
Ukraine over Christmas 2016 - Preliminary results of a probe into
the events that led to the 2016 Christmas power outage in the
Ukraine reveal that hackers were indeed involved, says Ukrenergo.
https://www.socpedia.com/cyber-attack-confirmed-to-be-the-cause-of-the-power-outage-in-the-ukraine-over-christmas-2016
1,300 Lexington County (S.C.) School District Two employees
compromised - The Lexington (S.C.) School District Two was hit with
a spearphishing email attack in late January that may have exposed
the W-2 information of current and former school district staffers.
https://www.scmagazine.com/1300-lexington-county-sc-school-district-two-employees-compromised/article/634842/
4K W-2 compromised in Scotty's Brewhouse phishing attack - An
employee payroll manager responded to a phishing email requesting
employee information.
https://www.scmagazine.com/4k-w-2-compromised-in-scottys-brewhouse-phishing-attack/article/635503/
2.5 million XBOX 360 and PSP ISO forum accounts breached - An
unidentified hacker reportedly breached the XBOX 360 and PlayStation
Portable ISO forums compromising 2.5 million gamer accounts.
https://www.scmagazine.com/xbox-and-psp-forum-accounts-breached/article/635024/
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 7: Banks should ensure
that proper authorization controls and access privileges are in
place for e-banking systems, databases and applications.
In order to maintain segregation of duties, banks need to strictly
control authorization and access privileges. Failure to provide
adequate authorization control could allow individuals to alter
their authority, circumvent segregation and gain access to e-banking
systems, databases or applications to which they are not privileged.
In e-banking systems, the authorizations and access rights can be
established in either a centralized or distributed manner within a
bank and are generally stored in databases. The protection of those
databases from tampering or corruption is therefore essential for
effective authorization control.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
ENCRYPTION KEY MANAGEMENT
Since security is primarily based on the encryption keys, effective
key management is crucial. Effective key management systems are
based on an agreed set of standards, procedures, and secure methods
that address:
- Generating keys for different cryptographic systems and different
applications;
- Generating and obtaining public keys;
- Distributing keys to intended users, including how keys should be
activated when received;
- Storing keys, including how authorized users obtain access to
keys;
- Changing or updating keys, including rules on when keys should be
changed and how this will be done;
- Dealing with compromised keys;
- Revoking keys and specifying how keys should be withdrawn or
deactivated;
- Recovering keys that are lost or corrupted as part of business
continuity management;
- Archiving keys;
- Destroying keys;
- Logging the auditing of key management-related activities; and
- Instituting defined activation and deactivation dates, limiting
the usage period of keys.
Secure key management systems are characterized by the following
precautions.
- Key management is fully automated (e.g., personnel do not have the
opportunity to expose a key or influence the key creation).
- No key ever appears unencrypted.
- Keys are randomly chosen from the entire key space, preferably by
hardware.
- Key-encrypting keys are separate from data keys. No data ever
appears in clear text that was encrypted using a key-encrypting
key. (A key-encrypting key is used to encrypt other keys, securing
them from disclosure.)
- All patterns in clear text are disguised before encrypting.
- Keys with a long life are sparsely used. The more a key is used,
the greater the opportunity for an attacker to discover the key.
- Keys are changed frequently. The cost of changing keys rises
linearly while the cost of attacking the keys rises exponentially.
Therefore, all other factors being equal, changing keys increases
the effective key length of an algorithm.
- Keys that are transmitted are sent securely to well-authenticated
parties.
- Key generating equipment is physically and logically secure from
construction through receipt, installation, operation, and removal
from service.
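Several of the precautions above can be checked mechanically against a key inventory. The following is an added example, not part of the FFIEC booklet or this newsletter: a small audit over key metadata that flags missing usage periods, keys still active past their deactivation date, key-encrypting keys used on data, and long-lived keys with heavy use. The record fields, thresholds, finding names and sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed policy thresholds for this example (not values from the booklet).
LONG_LIFE_DAYS = 180        # usage period above this counts as "long life"
LONG_LIFE_MAX_USES = 1000   # ceiling on logged uses for a long-lived key

@dataclass
class KeyRecord:            # hypothetical inventory row
    key_id: str
    role: str               # "KEK" (key-encrypting key) or "DATA"
    protects: str           # what the key has encrypted: "keys" or "data"
    status: str             # "active", "revoked" or "destroyed"
    uses: int               # operations logged against the key
    activated: Optional[date] = None
    deactivates: Optional[date] = None

def audit(keys: List[KeyRecord], today: date) -> List[Tuple[str, str]]:
    """Return (key_id, finding) pairs for records that break a precaution."""
    findings = []
    for k in keys:
        # Defined activation and deactivation dates limit the usage period.
        if k.activated is None or k.deactivates is None:
            findings.append((k.key_id, "NO_USAGE_PERIOD"))
            continue
        # A key past its deactivation date must not remain in service.
        if k.status == "active" and today > k.deactivates:
            findings.append((k.key_id, "ACTIVE_PAST_DEACTIVATION"))
        # Key-encrypting keys are separate from data keys.
        if k.role == "KEK" and k.protects != "keys":
            findings.append((k.key_id, "KEK_USED_ON_DATA"))
        # Keys with a long life are sparsely used.
        lifetime = (k.deactivates - k.activated).days
        if lifetime > LONG_LIFE_DAYS and k.uses > LONG_LIFE_MAX_USES:
            findings.append((k.key_id, "LONG_LIVED_HEAVY_USE"))
    return findings

# Constructed sample inventory; every identifier and date is made up.
SAMPLE = [
    KeyRecord("kek-01", "KEK", "keys", "active", 40, date(2016, 1, 1), date(2016, 12, 31)),
    KeyRecord("kek-02", "KEK", "data", "active", 12, date(2017, 1, 1), date(2017, 6, 30)),
    KeyRecord("dek-07", "DATA", "data", "active", 250000, date(2016, 6, 1), date(2017, 5, 31)),
    KeyRecord("dek-08", "DATA", "data", "active", 90, date(2017, 1, 15), None),
    KeyRecord("dek-09", "DATA", "data", "active", 500, date(2017, 1, 1), date(2017, 3, 31)),
]

def run_sample() -> List[Tuple[str, str]]:
    return audit(SAMPLE, today=date(2017, 2, 1))
```

A finding here is an indication to investigate, not proof of compromise; a key may legitimately deviate from the assumed thresholds in a particular environment.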
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 9 - Assurance
9.4.1.2 Internal Controls Audit
An auditor can review controls in place and determine whether they
are effective. The auditor will often analyze both computer and
noncomputer-based controls. Techniques used include inquiry,
observation, and testing (of both the controls themselves and the
data). The audit can also detect illegal acts, errors,
irregularities, or a lack of compliance with laws and regulations.
Security checklists and penetration testing, discussed below, may be
used.
9.4.1.3 Security Checklists
Within the government, the computer security plan provides a
checklist against which the system can be audited. This plan
outlines the major security considerations for a system, including
management, operational, and technical issues. One advantage of
using a computer security plan is that it reflects the unique
security environment of the system, rather than a generic list of
controls. Other checklists can be developed, which include national
or organizational security policies and practices (often referred to
as baselines). Lists of "generally accepted security practices" (GSSPs)
can also be used. Care needs to be taken so that deviations from the
list are not automatically considered wrong, since they may be
appropriate for the system's particular environment or technical
constraints.
Checklists can also be used to verify that changes to the system
have been reviewed from a security point of view. A common audit
examines the system's configuration to see if major changes (such as
connecting to the Internet) have occurred that have not yet been
analyzed from a security point of view.
Warning: Security Checklists that are passed (e.g., with a B+ or
better score) are often used mistakenly as proof (instead of an
indication) that security is sufficient. Also, managers of systems
which "fail" a checklist often focus too much attention on "getting
the points," rather than whether the security measures make sense
in the particular environment and are correctly implemented.