R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 5, 2015

Newsletter Content: FFIEC IT Security | Web Site Audits | Web Site Compliance | NIST Handbook | Penetration Testing
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - FFIEC Joint Statements on Destructive Malware and Compromised Credentials - The Federal Financial Institutions Examination Council has issued two joint statements to alert financial institutions to specific risk mitigation techniques related to destructive malware and cyber attacks that compromise credentials.
Press Release: www.fdic.gov/news/news/financial/2015/fil15013.html
Press Release: www.ffiec.gov/press/pr033015.htm
Bulletin:  http://www.occ.treas.gov/news-issuances/bulletins/2015/bulletin-2015-20.html
Bulletin:  http://www.occ.treas.gov/news-issuances/bulletins/2015/bulletin-2015-19.html
Financial Institution Letters: https://www.fdic.gov/news/news/financial/2015/fil15013.html

FYI - Human error cited as leading contributor to breaches, study shows - Human error accounts for 52 percent of the root cause of security breaches, according to a new study, which surveyed individuals from hundreds of companies in the U.S. http://www.scmagazine.com/study-find-carelessness-among-top-human-errors-affecting-security/article/406876/

FYI - PCI Council updates penetration testing guidance for merchants - The PCI Security Standards Council has released guidance to help merchants improve their system for regularly testing security controls and processes impacting payment card security. http://www.scmagazine.com/pci-council-updates-penetration-testing-guidance-for-merchants/article/405963/

FYI - Gov't offers $3 million reward for info on alleged Carder.su cybercriminals - The U.S. Department of State is offering up to $3 million for information leading to the arrest of two men who are allegedly tied to the Carder.su cybercrime syndicate. http://www.scmagazine.com/govt-offers-3-million-reward-for-info-on-alleged-cardersu-cybercriminals/article/405811/

FYI - Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk - Guests at hundreds of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. http://www.wired.com/2015/03/big-vulnerability-hotel-wi-fi-router-puts-guests-risk/

FYI - California bill requires warrant for stingray use - Cops claim need for warrant to access all digital devices would "undermine" them. A California state bill that would require a warrant to access all kinds of digital data passed its first hurdle after being approved by the Senate Public Safety Committee on Tuesday. http://arstechnica.com/tech-policy/2015/03/california-bill-requires-warrant-for-stingray-use/

FYI - Insurers’ Cybersecurity Work After Hacks - Insurers doing business in New York State must tell a regulator there about efforts to prevent computer hacking, detailing the precautions taken and the personnel devoted to the task. http://www.bloomberg.com/news/articles/2015-03-26/new-york-to-investigate-insurers-cybersecurity-work-after-hacks

FYI - New York Fed Forms Team Focused on Cybersecurity Threats - The Federal Reserve Bank of New York has formed a team dedicated to cybersecurity threats, according to the bank’s top regulator. http://www.bloomberg.com/news/articles/2015-03-24/new-york-fed-forms-team-focused-on-cybersecurity-threats

FYI - Citigroup report reveals poor disclosure track record at law firms - After reviewing an internal Citigroup report it obtained, The New York Times revealed a trend among major law firms in the U.S. of rarely disclosing cyberattacks. http://www.scmagazine.com/citigroup-report-reveals-poor-disclosure-track-record-at-law-firms/article/405910/

FYI - How cyberattacks can be overlooked in America's most critical sectors - Across some of the most crucial sectors of the American economy, there's a lack of consensus of what exactly should be considered a 'cyberincident' – and whether technical mishaps, even without malicious intent, should count. That's a problem. http://www.csmonitor.com/World/Passcode/2015/0323/How-cyberattacks-can-be-overlooked-in-America-s-most-critical-sectors

FYI - 30 percent of practitioners say they would pay cyber extortionists to retrieve their data - A recent poll of 250 security professionals in the U.S. found that most – but not all – respondents would refuse to negotiate with cybercriminals in an attempt to recover stolen or encrypted data. http://www.scmagazine.com/30-percent-of-practitioners-say-they-would-pay-cyber-extortionists-to-retrieve-their-data/article/406453/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Ransomware holds schools hostage: 'Now give us Bitcoin worth $129k, er, $124k, wait ...' - 'It's like being in 1981' says district boss - A New Jersey school district in the US has been held hostage by ransomware that has apparently demanded hundreds of Bitcoins to end the situation. http://www.theregister.co.uk/2015/03/25/school_ransomware/

FYI - Slack announces breach, unauthorized access to database - Team communication platform Slack announced on Friday that for roughly four days in February unauthorized access was gained to a database and suspicious activity has subsequently been detected on a small number of accounts. http://www.scmagazine.com/slack-announces-breach-unauthorized-access-to-database/article/405946/

FYI - Cyberattack hits hard at popular coding site Github - A debilitating onslaught of Internet traffic directed at Github appears to be focused on shutting down anticensorship tools. GitHub is still grappling with a distributed denial-of-service attack of a scale it had never seen before and believed to originate from China. http://www.cnet.com/news/hackers-hit-hard-at-popular-coding-site-github/

FYI - British Airways says rewards accounts hacked, locked down - British Airways has “locked down a number” of customers' frequent flyer accounts after an unauthorized third party apparently tried to access some Executive Club and Registered Customer accounts. http://www.scmagazine.com/british-airways-says-rewards-accounts-hacked-locked-down/article/406231/

FYI - Puush urges users to change passwords after cyber attack - The screen sharing platform Puush was hit by a cyber attack this weekend that injected malware into a server. http://www.scmagazine.com/cyber-attack-on-puush-prompts-password-changes/article/406201/

FYI - Cyber attack hits Fairleigh Dickinson; Rutgers works to restore internet service - As Rutgers University works to recover from a weekend cyber attack, Fairleigh Dickinson University officials confirm that a similar attack shut down the university's own computer network Saturday. http://www.nj.com/middlesex/index.ssf/2015/03/cyber_attacks_hit_fairleigh_dickinson_rutgers_work.html

FYI - Nite Ize website attack impacts credit cards, possibly customer database - Nite Ize is notifying customers that its online store experienced a cyber attack, which resulted in credit card transactions being compromised and unauthorized access possibly being gained to a general customer database. http://www.scmagazine.com/nite-ize-website-attack-impacts-credit-cards-possibly-customer-database/article/406835/

FYI - Australia immigration dept. leaked 2014 G20 leaders' personal info - Australia's Department of Immigration and Border Protection inadvertently leaked information about world leaders who attended the 2014 G20 Summit in Brisbane Australia. http://www.scmagazine.com/passport-visa-info-on-g20-leaders-leaked-in-email/article/406424/

FYI - Fraudulent activity on payment cards used at New York car wash - New York police have identified a pattern of fraudulent activity on credit and debit cards used to make purchases at a car wash in Rotterdam, according to reports. http://www.scmagazine.com/fraudulent-activity-on-payment-cards-used-at-new-york-car-wash/article/407110/


WEB SITE COMPLIANCE - We continue the series from the FDIC "Security Risks Associated with the Internet."

SECURITY MEASURES

Digital Signatures

Digital signatures authenticate the identity of a sender through the sender's private cryptographic key. In addition, every digital signature is different because it is derived from the content of the message itself. The combination of identity authentication and message-unique signatures results in a transmission that cannot be repudiated.


Digital signatures can be applied to any data transmission, including e-mail. To generate a digital signature, the original, unencrypted message is run through a mathematical algorithm that generates what is known as a message digest (a unique character representation of the data). This process is known as "hashing." The message digest is then encrypted with the sender's private key and sent along with the message. The recipient receives both the message and the encrypted message digest. The recipient decrypts the message digest with the sender's public key, and then runs the message through the same hash function. If the resulting message digest matches the one sent with the message, the message has not been altered and data integrity is verified. Because the message digest was encrypted with the sender's private key, the sender can be identified and bound to the specific message. The digital signature cannot be reused, because it is unique to the message. In the above example, data privacy and confidentiality could also be achieved by encrypting the message itself. The strength and security of a digital signature system is determined by its implementation and by the management of the cryptographic keys.
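The sign-and-verify exchange just described, as an added example that is not part of the FDIC text: it uses Go's standard-library RSA with SHA-256 as the hash function, and the wire-transfer messages are constructed samples. It also shows the two failure cases the text relies on, an altered message and a signature reused on a different message.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signMessage follows the steps in the text: hash the plaintext into a message
// digest, then apply the sender's private key to the digest (RSA PKCS#1 v1.5, SHA-256).
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage is the recipient's side: recompute the digest of the received
// message and compare it with the digest recovered from the signature via the public key.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo signs a constructed payment instruction and reports three checks: the genuine
// message verifies, an altered message fails, and the signature cannot be reused.
func demo() (genuine, altered, reused bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	msg := []byte("Wire #1001: pay $5,000 to ACME Corp") // constructed sample
	sig, err := signMessage(priv, msg)
	if err != nil {
		return
	}
	pub := &priv.PublicKey
	genuine = verifyMessage(pub, msg, sig)
	altered = verifyMessage(pub, []byte("Wire #1001: pay $50,000 to ACME Corp"), sig)
	reused = verifyMessage(pub, []byte("Wire #1002: pay $5,000 to ACME Corp"), sig)
	return
}

func main() {
	g, a, r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v reused=%v\n", g, a, r) // genuine=true altered=false reused=false
}
```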



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

MONITORING AND UPDATING

A static security program provides a false sense of security and will become increasingly ineffective over time. Monitoring and updating the security program is an important part of the ongoing cyclical security process. Financial institutions should treat security as dynamic with active monitoring; prompt, ongoing risk assessment; and appropriate updates to controls. Institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should use that information to update the risk assessment, strategy, and implemented controls. Monitoring and updating the security program begins with the identification of the potential need to alter aspects of the security program and then recycles through the security process steps of risk assessment, strategy, implementation, and testing.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.2.1 System Architecture

Most of HGA's staff (a mix of clerical, technical, and managerial staff) are provided with personal computers (PCs) located in their offices. Each PC includes hard-disk and floppy-disk drives.

The PCs are connected to a local area network (LAN) so that users can exchange and share information. The central component of the LAN is a LAN server, a more powerful computer that acts as an intermediary between PCs on the network and provides a large volume of disk storage for shared information, including shared application programs. The server provides logical access controls on potentially sharable information via elementary access control lists. These access controls can be used to limit user access to various files and programs stored on the server. Some programs stored on the server can be retrieved via the LAN and executed on a PC; others can only be executed on the server.

To initiate a session on the network or execute programs on the server, users at a PC must log into the server and provide a user identifier and password known to the server. Then they may use files to which they have access.

One of the applications supported by the server is electronic mail (e-mail), which can be used by all PC users. Other programs that run on the server can only be executed by a limited set of PC users.

Several printers, distributed throughout HGA's building complex, are connected to the LAN. Users at PCs may direct printouts to whichever printer is most convenient for their use.

Since HGA must frequently communicate with industry, the LAN also provides a connection to the Internet via a router. The router is a network interface device that translates between the protocols and addresses associated with the LAN and the Internet. The router also performs network packet filtering, a form of network access control, and has recently been configured to disallow non-e-mail (e.g., file transfer, remote log-in) between LAN and Internet computers.

The LAN server also has connections to several other devices.

  • A modem pool is provided so that HGA's employees on travel can "dial up" via the public switched (telephone) network and read or send e-mail. To initiate a dial-up session, a user must successfully log in. During dial-up sessions, the LAN server provides access only to e-mail facilities; no other functions can be invoked.

  • A special console is provided for the server administrators who configure the server, establish and delete user accounts, and have other special privileges needed for administrative and maintenance functions. These functions can only be invoked from the administrator console; that is, they cannot be invoked from a PC on the network or from a dial-up session.

  • A connection to a government agency X.25-based wide-area network (WAN) is provided so that information can be transferred to or from other agency systems. One of the other hosts on the WAN is a large multiagency mainframe system. This mainframe is used to collect and process information from a large number of agencies while providing a range of access controls.


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated