FYI - A turning point for cybersecurity? - As we
begin another year in the information security industry, I've been
mulling how far we've come...as well as how far we still have to go.
https://www.scmagazine.com/a-turning-point-for-cybersecurity/article/633549/
Data breaches costing some businesses 20 percent of revenue - The
cybercrime landscape underwent several changes in 2016 with
malicious actors taking a more "corporate" approach to their craft,
which helped lead to even greater losses by businesses hit with a
cyberattack.
https://www.scmagazine.com/cisco-data-breaches-costing-some-businesses-20-percent-of-revenue/article/635851/
SWIFT demands action from members as threat of cyberheists looms
large - Under siege from hackers looking to steal hundreds of
millions from its user base, the financial messaging services
provider known as SWIFT has been pressuring, cajoling and even
threatening its member banks to deploy better defenses and share
cyber intelligence.
https://www.scmagazine.com/swift-demands-action-from-members-as-threat-of-cyberheists-looms-large/article/635526/
Texas hospital penalized $3.2M for HIPAA violations - A hospital in
Texas was slammed with a $3.2 million penalty after it was found to
be in violation of "multiple standards of the HIPAA Security Rule,"
according to Data Breach Today.
https://www.scmagazine.com/texas-hospital-penalized-32m-for-hipaa-violations/article/635989/
Only 5% of FTSE companies have cyber-security expertise on the board
- An analysis of company annual returns of the FTSE 100 companies by
Deloitte finds a disturbing lack of cyber-security skills among
business leaders.
https://www.scmagazine.com/only-5-of-ftse-companies-have-cyber-security-expertise-on-the-board/article/636253/
DHS may require social media passwords from those visiting from 7
banned countries - Gen. John Kelly, the newly minted Secretary of
the Department of Homeland Security (DHS), told Congress Tuesday his
department was considering requesting social media passwords from
people looking to enter the U.S. from the seven countries named in
President Donald Trump's controversial immigration ban.
https://www.scmagazine.com/gen-john-kelly-visitors-to-us-may-have-to-give-up-passwords-to-enter/article/637028/
Pennsylvania court rules UPMC not responsible for securing employee
data - The Pennsylvania Superior Court has ruled the University of
Pittsburgh Medical Center isn't responsible for protecting employee
data.
https://www.scmagazine.com/umpc-found-to-have-no-legal-duty-to-protect-employee-data/article/637010/
Humans are the biggest risk to enterprise security, report - Last
year, criminals leveraged human vulnerabilities to launch more
malicious email campaigns than ever before, according to a
just-released report.
https://www.scmagazine.com/humans-are-the-biggest-risk-to-enterprise-security-report/article/636871/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Bed-lam: 1,100 furniture company employees'
W-2 info exposed in spoofing scam - Furniture manufacturer and
retailer Mitchell Gold + Bob Williams mistakenly furnished a
cybercriminal operation with its employees' W-2 information after
falling for a phishing scam that used a spoofed email address.
https://www.scmagazine.com/bed-lam-1100-furniture-company-employees-w-2-info-exposed-in-spoofing-scam/article/635819/
Hackers place YG and Nipsey Hussle anti-Trump song on radio stations
- Anti-Trump protestors have brought their fight to the airwaves by
exploiting a known vulnerability in low power FM radio transmitters
to play a provocative tune.
https://www.scmagazine.com/trump-protests-hack-fm-radio-stations-to-play-protest-song/article/635873/
Particle accelerator hacked: Boffins' hashed passwords beamed up -
The Australian Nuclear Science and Technology Organisation (ANSTO)
is investigating a computer security breach at the Australian
Synchrotron that saw hackers steal scientists' usernames and
passwords Friday.
http://www.theregister.co.uk/2017/02/03/australian_synchrotron_hacked/
David Beckham's emails hacked and released after ransom refusal -
International football star David Beckham has seen sensitive and
embarrassing emails published after a company he works with, Doyen
Global, rejected a hacker's ransom demand.
https://www.scmagazine.com/david-beckhams-emails-hacked-and-released-after-ransom-refusal/article/636560/
1.9 million Michigan government workers' PII compromised - Almost 2
million Michigan residents had their names and Social Security
numbers potentially exposed when a software update went awry,
opening the information to outsiders.
https://www.scmagazine.com/19-million-michigan-government-workers-pii-compromised/article/636282/
InterContinental Hotels Group announces breach at 12 U.S. properties
- A little more than a month after the InterContinental Hotel Group
said it was investigating claims of a possible breach, the chain
said a payment card breach affected 12 of its U.S. properties.
https://www.scmagazine.com/payment-card-breach-announced-by-intercontinental-hotel-group/article/636283/
Attackers steal from ATMs after infecting banks with memory-only
malware - One or more unidentified hacker groups are leveraging free
and commonly available pen testing tools to attack enterprises in
the finance, government and telecom sectors with "fileless" malware
that resides only in a machine's RAM, making it extremely difficult
to detect and analyze.
https://www.scmagazine.com/attackers-steal-from-atms-after-infecting-banks-with-memory-only-malware/article/637029/
More than 100K WordPress web pages defaced following disclosure of
patched bug - More than 100,000 WordPress web pages have been
defaced, following last week's public disclosure of a patched
vulnerability that allows attackers to remotely modify the content
of pages and posts.
https://www.scmagazine.com/report-more-than-100k-wordpress-web-pages-defaced-following-disclosure-of-patched-bug/article/636877/
Websites of foreign embassies and ministries compromised to infect
visitors - An unknown actor whose targets and tactics resemble those
of a Russian advanced persistent threat group has been compromising
the websites of foreign embassies, ministries and organizations, in
an attempt to infect certain site visitors with malware.
https://www.scmagazine.com/websites-of-foreign-embassies-and-ministries-compromised-to-infect-visitors/article/636770/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed
in the "Risk Management Principles for Electronic Banking" published
by the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 8: Banks should
ensure that appropriate measures are in place to protect the data
integrity of e-banking transactions, records and information.
Data integrity refers to the assurance that information that is
in-transit or in storage is not altered without authorization.
Failure to maintain the data integrity of transactions, records and
information can expose banks to financial losses as well as to
substantial legal and reputational risk.
The inherent nature of straight-through processes for e-banking
may make programming errors or fraudulent activities more difficult
to detect at an early stage. Therefore, it is important that banks
implement straight-through processing in a manner that ensures
safety and soundness and data integrity.
As e-banking is transacted over public networks, transactions are
exposed to the added threat of data corruption, fraud and the
tampering of records. Accordingly, banks should ensure that
appropriate measures are in place to ascertain the accuracy,
completeness and reliability of e-banking transactions, records and
information that is either transmitted over the Internet, resident on
internal bank databases, or transmitted/stored by third-party
service providers on behalf of the bank. Common practices used to
maintain data integrity within an e-banking environment include the
following:
1) E-banking transactions should be conducted in a manner that
makes them highly resistant to tampering throughout the entire
process.
2) E-banking records should be stored, accessed and modified in a
manner that makes them highly resistant to tampering.
3) E-banking transaction and record-keeping processes should be
designed in such a manner as to make it virtually impossible to
circumvent detection of unauthorized changes.
4) Adequate change control policies, including monitoring and
testing procedures, should be in place to protect against any
e-banking system changes that may erroneously or unintentionally
compromise controls or data reliability.
5) Any tampering with e-banking transactions or records should be
detected by transaction processing, monitoring and record keeping
functions.
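Added example, not from the Basel paper or this newsletter: a keyed hash chain over e-banking transaction records, written to show how practices 1), 2), 3) and 5) above look in code. Each record's HMAC tag also covers the previous record's tag, so an unauthorized modification, deletion or reordering of stored records is detected when the ledger is verified. The key, record fields and ledger layout are assumptions for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. In a real deployment the verification key lives in an
# HSM/KMS, never beside the records it protects.
LEDGER_KEY = secrets.token_bytes(32)
GENESIS_TAG = "0" * 64  # tag "before" the first record


def _canonical(record: dict) -> bytes:
    # Fixed field order so an identical record always serialises identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag: str, record: dict, key: bytes) -> str:
    return hmac.new(key, prev_tag.encode() + _canonical(record), hashlib.sha256).hexdigest()


def append_record(ledger: list, record: dict, key: bytes = LEDGER_KEY) -> dict:
    """Append a transaction; its tag covers the record and the previous tag."""
    prev_tag = ledger[-1]["tag"] if ledger else GENESIS_TAG
    entry = {"record": record, "prev": prev_tag, "tag": _tag(prev_tag, record, key)}
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list, key: bytes = LEDGER_KEY):
    """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(ledger):
        expected = _tag(prev_tag, entry["record"], key)
        # compare_digest keeps the comparison constant-time.
        if entry["prev"] != prev_tag or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


if __name__ == "__main__":
    ledger = []
    append_record(ledger, {"id": 1, "from": "ACC-100", "to": "ACC-200", "amount": "150.00"})
    append_record(ledger, {"id": 2, "from": "ACC-200", "to": "ACC-300", "amount": "20.00"})
    print(verify_ledger(ledger))               # (True, None)
    ledger[0]["record"]["amount"] = "9150.00"  # unauthorised change to a stored record
    print(verify_ledger(ledger))               # (False, 0)
```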
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
ENCRYPTION TYPES
Three types of encryption exist: the cryptographic hash, symmetric
encryption, and asymmetric encryption.
A cryptographic hash reduces a variable-length input to a
fixed-length output. The fixed-length output is a unique
cryptographic representation of the input. Hashes are used to verify
file and message integrity. For instance, if hashes are obtained
from key operating system binaries when the system is first
installed, the hashes can be compared to subsequently obtained
hashes to determine if any binaries were changed. Hashes are also
used to protect passwords from disclosure. A hash, by definition, is
a one-way encryption. An attacker who obtains the password hash cannot
run the hash through an algorithm to decrypt the password. However,
the attacker can perform a dictionary attack, feeding all possible
password combinations through the algorithm and looking for matching
hashes, thereby deducing the password. To protect against that
attack, "salt," or additional bits, is added to the password before
encryption. The addition of the bits means the attacker must
increase the dictionary to include all possible additional bits,
thereby increasing the difficulty of the attack.
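Added example, not from the FFIEC booklet: the salted-hash part of the paragraph above in Python's standard library. It contrasts a bare SHA-256 password hash, which a precomputed dictionary reverses with a single lookup, with a per-user salted PBKDF2 hash that no precomputed table applies to. The password list, storage format and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for an attacker's precomputed dictionary of unsalted hashes.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare hash with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


UNSALTED_TABLE = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hex: str) -> Optional[str]:
    """An unsalted hash of a common password falls to one dictionary lookup."""
    return UNSALTED_TABLE.get(stored_hex)


ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt per user means two users with the same password
    store different values, so the attacker must rebuild the dictionary per salt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the salted hash from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)
```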
Symmetric encryption is the use of the same key and algorithm by
the creator and reader of a file or message. The creator uses the
key and algorithm to encrypt, and the reader uses both to decrypt.
Symmetric encryption relies on the secrecy of the key. If the key is
captured by an attacker either when it is exchanged between the
communicating parties, or while one of the parties uses or stores
the key, the attacker can use the key and the algorithm to decrypt
messages, or to masquerade as a message creator.
Asymmetric encryption lessens the risk of key exposure by using two
mathematically related keys, the private key and the public key.
When one key is used to encrypt, only the other key can decrypt.
Therefore, only one key (the private key) must be kept secret. The
key that is exchanged (the public key) poses no risk if it becomes
known. For instance, if individual A has a private key and publishes
the public key, individual B can obtain the public key, encrypt a
message to individual A, and send it. As long as individual A keeps
his private key secure from discovery, only individual A will be
able to decrypt the message.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute
of Standards and Technology (NIST) Handbook.
Chapter 9 - Assurance
9.4.1.4 Penetration Testing
Penetration testing can use many methods to attempt a system
break-in. In addition to using active automated tools as described
above, penetration testing can be done "manually." The most useful
type of penetration testing is to use methods that might really be
used against the system. For hosts on the Internet, this would
certainly include automated tools. For many systems, lax procedures
or a lack of internal controls on applications are common
vulnerabilities that penetration testing can target. Another method
is "social engineering," which involves getting users or
administrators to divulge information about systems, including their
passwords.
9.4.2 Monitoring Methods and Tools
Security monitoring is an ongoing activity that looks for
vulnerabilities and security problems. Many of the methods are
similar to those used for audits, but are done more regularly or,
for some automated tools, in real time.
9.4.2.1 Review of System Logs
A periodic review of system-generated logs can detect security
problems, including attempts to exceed access authority or gain
system access during unusual hours.
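Added example, not from the NIST handbook: a small Python review of constructed authentication-log lines that flags the two conditions named above (access during unusual hours and attempts to exceed access authority) plus repeated failed logins from one source. The log format, business-hours window and failure threshold are assumptions for the demo.

```python
import re
from datetime import datetime

# Constructed sample lines in a syslog-like layout; not from any real system.
SAMPLE_LOG = """\
2017-02-06 09:12:41 host1 sshd: Accepted publickey for alice from 10.0.1.5
2017-02-06 02:47:03 host1 sshd: Accepted password for bob from 203.0.113.9
2017-02-06 14:03:10 host1 sudo: carol : command not allowed ; COMMAND=/bin/cat /etc/shadow
2017-02-06 23:31:57 host1 sshd: Failed password for root from 198.51.100.7
2017-02-06 23:32:01 host1 sshd: Failed password for root from 198.51.100.7
2017-02-06 23:32:05 host1 sshd: Failed password for root from 198.51.100.7
2017-02-06 10:15:22 host1 sshd: Accepted password for dave from 10.0.1.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time (assumed for the demo)
FAILURE_THRESHOLD = 3          # failures from one (user, source) before flagging


def review_log(text: str) -> list:
    """Return (category, detail) findings for the three review conditions."""
    findings, failures = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real reviewer would count these too
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"]
        # Successful access outside the normal working window.
        if msg.startswith("Accepted") and ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours_login", line))
        # sudo refusing a command is an attempt to exceed access authority.
        if m["prog"] == "sudo" and "command not allowed" in msg:
            findings.append(("access_authority_exceeded", line))
        # Repeated failures from one source against one account.
        fm = FAILED_RE.match(msg)
        if fm:
            key = (fm["user"], fm["src"])
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == FAILURE_THRESHOLD:
                findings.append(("repeated_failed_logins", f"{key[0]} from {key[1]}"))
    return findings
```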