FYI - Cyberattacks on federal government hit record high - Federal network cybersecurity incidents were up 15 percent in fiscal 2014 from the previous year, according to a recent government report. http://thehill.com/policy/cybersecurity/234601-cyberattacks-on-government-hit-record-high

FYI - Law firms to share info about cyber threats - Leading international law firms are moving to share information on hacking threats, a step that could revolutionize how the legal industry copes with attempted cyberespionage. http://thehill.com/policy/cybersecurity/234722-law-firms-to-share-info-about-cyber-threats

FYI - Anthem Refuses To Let Inspector General Conduct Full Security Audit - Security industry has mixed reactions. Anthem Healthcare initially earned brownie points with security professionals by publicly disclosing a major data breach well before they were obligated to do so. http://www.darkreading.com/anthem-refuses-to-let-inspector-general-conduct-full-security-audit/d/d-id/1319365

FYI - 'Domain shadowing' hijacks registrar accounts to spawn attack sites - Industrialised hack site creation exploit on the rise - Fiends behind the world's most infamous exploit kit Angler are stealing login credentials to create tens of thousands of pop-up domains used in hit-and-run -style attacks. http://www.theregister.co.uk/2015/03/05/worlds_nastiest_exploit_kit_just_got_nastier/

FYI - Man arrested for refusing to give phone passcode to border agents - Technically Incorrect: A Quebec resident believes his cell phone is personal. So when Canadian border agents wanted to search it, he says no. http://www.cnet.com/news/man-charged-for-refusing-to-give-up-phone-passcode-to-canadian-border-agents/

FYI - Spyware vendor may have helped Ethiopia target journalists – even after it was aware of abuses, researchers say - The Ethiopian government appears again to be using Internet spying tools to attempt to eavesdrop on journalists based in suburban Washington, said security researchers who call such high-tech intrusions a serious threat to human rights and press freedoms worldwide. http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/09/spyware-vendor-may-have-helped-ethiopia-spy-on-journalists-even-after-it-was-aware-of-abuses-researchers-say/

FYI - Feds Indict Three in 2011 Epsilon Hack - U.S. federal prosecutors in Atlanta today unsealed indictments against two Vietnamese men and a Canadian citizen in connection with what’s being called “one of the largest reported data breaches in U.S. history.” http://krebsonsecurity.com/2015/03/feds-indict-three-in-2011-epsilon-hack/

FYI - $1.1M fine issued to firm for violating Canada's anti-spam law - The authority in charge of regulating Canada's broadcasting and telecommunications sector has issued the first fine to an organization for violating the country's anti-spam law. http://www.scmagazine.com/11m-fine-issued-to-firm-for-violating-canadas-anti-spam-law/article/402564/

FYI - 2,400 unsafe mobile apps on employee devices in average large enterprise - The average large global enterprise has approximately 2,400 unsafe mobile applications installed on employee devices. http://www.scmagazine.com/mobile-apps-on-employee-devices-create-headaches-for-enterprise/article/402898/

FYI - Security pros felt more pressure to secure their organization in 2014 than year prior - The pressure is on IT security professionals in the coming year, with 57 percent believing they will feel a greater squeeze this year to keep their organization secure. http://www.scmagazine.com/trustwave-release-annual-security-pressures-report/article/402839/

FYI - 71 percent of orgs were successfully attacked in 2014 - The number of successful cyber attacks against organizations is increasing, according to the “2015 Cyberthreat Defense Report”, which surveyed 814 IT security decision makers and practitioners from organizations – in 19 industries – across North America and Europe. http://www.scmagazine.com/report-71-percent-of-orgs-were-successfully-attacked-in-2014/article/403267/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Credit Card Breach at Mandarin Oriental - In response to questions from KrebsOnSecurity, upscale hotel chain Mandarin Oriental Hotel Group today confirmed that its hotels have been affected by a credit card breach. http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-oriental/

FYI - NEXTEP, a POS systems provider, is investigating a possible breach - Michigan-based provider of point-of-sale devices, NEXTEP SYSTEMS, is investigating a possible security compromise of customer systems, according to a statement emailed to SCMagazine.com on Monday. http://www.scmagazine.com/nextep-a-pos-systems-provider-is-investigating-a-possible-breach/article/402441/

FYI - Programmer pleads guilty to stealing Federal Reserve software code - A former top programmer for the Federal Reserve Bank of Kansas City pleaded guilty in federal court Wednesday to stealing software code belonging to the government. http://www.kansascity.com/news/local/crime/article13531559.html

FYI - New York private investigator pleads guilty to computer hacking charge - A New York City-based private investigator has pled guilty to one charge of conspiracy to commit computer hacking, which carries a maximum sentence of five years. http://www.scmagazine.com/eric-saldarriaga-pleads-guilty-to-computer-hacking-charge/article/402474/

FYI - Chicago man convicted in ATM skimming spree that netted $5 million - A Chicago man has been convicted for playing a lead role in an ATM skimming spree that impacted various banks. http://www.scmagazine.com/chicago-man-convicted-in-atm-skimming-spree-that-netted-5-million/article/403045/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs.  (7 of 12)

Define what constitutes an incident.

An initial step in the development of a response program is to define what constitutes an incident. This step is important as it sharpens the organization's focus and delineates the types of events that would trigger the use of the IRP. Moreover, identifying potential security incidents can also make the possible threats seem more tangible, and thus better enable organizations to design specific incident-handling procedures for each identified threat.

Detection

The ability to detect that an incident is occurring or has occurred is an important component of the incident response process. This is considerably more important with respect to technical threats, since these can be more difficult to identify without the proper technical solutions in place. If an institution is not positioned to quickly identify incidents, the overall effectiveness of the IRP may be affected. Following are two detection-related best practices included in some institutions' IRPs.

Identify indicators of unauthorized system access.

Most banks implement some form of technical solution, such as an intrusion detection system or a firewall, to assist in the identification of unauthorized system access. Activity reports from these and other technical solutions (such as network and application security reports) serve as inputs for the monitoring process and for the IRP in general. Identifying potential indicators of unauthorized system access within these activity or security reports can assist in the detection process.

Involve legal counsel.

Because many states have enacted laws governing notification requirements for customer information security compromises, institutions have found it prudent to involve the institution's legal counsel when a compromise of customer information has been detected. Legal guidance may also be warranted in properly documenting and handling the incident.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - INDEPENDENT DIAGNOSTIC TESTS
(FYI - This is the type of independent diagnostic testing that we perform.  Please refer to http://www.internetbankingaudits.com/ for information.)

Penetration tests, audits, and assessments can use the same set of tools in their methodologies.  The nature of the tests, however, is decidedly different. Additionally, the definitions of penetration test and assessment, in particular, are not universally held and have changed over time.

Penetration Tests. A penetration test subjects a system to the real - world attacks selected and conducted by the testing personnel. The benefit of a penetration test is to identify the extent to which a system can be compromised before the attack is identified and assess the response mechanism's effectiveness. Penetration tests generally are not a comprehensive test of the system's security and should be combined with other independent diagnostic tests to validate the effectiveness of the security process.

Audits. Auditing compares current practices against a set of standards. Industry groups or institution management may create those standards. Institution management is responsible for demonstrating that the standards they adopt are appropriate for their institution.

Assessments. An assessment is a study to locate security vulnerabilities and identify corrective actions. An assessment differs from an audit by not having a set of standards to test against. It differs from a penetration test by providing the tester with full access to the systems being tested. Assessments may be focused on the security process or the information system. They may also focus on different aspects of the information system, such as one or more hosts or networks.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM  (HGA)

This chapter illustrates how a hypothetical government agency (HGA) deals with computer security issues in its operating environment. It follows the evolution of HGA's initiation of an assessment of the threats to its computer security system all the way through to HGA's recommendations for mitigating those risks. In the real world, many solutions exist for computer security problems. No single solution can solve similar security problems in all environments. Likewise, the solutions presented in this example may not be appropriate for all environments.

This case study is provided for illustrative purposes only, and should not be construed as guidance or specific recommendations to solving specific security issues. Because a comprehensive example attempting to illustrate all handbook topics would be inordinately long, this example necessarily simplifies the issues presented and omits many details. For instance, to highlight the similarities and differences among controls in the different processing environments, it addresses some of the major types of processing platforms linked together in a distributed system: personal computers, local-area networks, wide-area networks, and mainframes; it does not show how to secure these platforms.

This section also highlights the importance of management's acceptance of a particular level of risk--this will, of course, vary from organization to organization. It is management's prerogative to decide what level of risk is appropriate, given operating and budget environments and other applicable factors.