FYI -
CISO salaries may soon hit £1 million - but few qualified for top
roles - CISO salaries have long pointed upwards and may soon hit £1
million. New data has highlighted the central importance of the CISO
to the enterprise, reflected in their ever increasing pay packets.
https://www.scmagazine.com/ciso-salaries-may-soon-hit-1-million--but-few-qualified-for-top-roles/article/663562/
PATCH Act introduced to improve federal cybersecurity and
transparency - In the wake of the high-profile WanaCryptor
ransomware attack, a bipartisan group of elected officials from both
Congressional Houses have introduced the Protecting our Ability To
Counter Hacking (PATCH) Act to improve cybersecurity and
transparency at the federal level.
https://www.scmagazine.com/patch-act-introduced-to-improve-federal-cybersecurity-and-transparency/article/662541/
Target breach settlement payout held up by lone consumer - Although
Target agreed to compensate consumers affected in its 2013 data
breach from a pool of $10 million, a lone consumer is halting
payouts due to a dispute in how the class action suit was handled.
https://www.scmagazine.com/target-class-action-data-breach-settlement-halted-by-consumer-challenge/article/663128/
Shift in password strategy from NIST - Buried deep in a new draft of
NIST guidelines is a shift in password strategy from periodic
changes to use of a long "memorized secret," according to a post on
the site of a security blogger.
https://www.scmagazine.com/shift-in-password-strategy-from-nist/article/663269/
Medical Identity Theft on The Rise - 5 Tips to Protect Your
Employees and Clients - Medical identity theft is on the rise and
hackers are being more creative about obtaining personal medical
information. In fact, a recent study by researchers at Michigan
State University found nearly 1,800 incidences of large data
breaches in patient information over a seven-year period from
October 2009 to December 2016.
https://www.scmagazine.com/medical-identity-theft-on-the-rise--5-tips-to-protect-your-employees-and-clients/article/655115/
DDoS attacks shorter and more frequent: 80% now take less than an
hour - During Q1 2017, a reduction in average DDoS attack duration
was witnessed, thanks to the prevalence of botnet-for-hire services
that commonly used short, low-volume bursts.
https://www.scmagazine.com/ddos-attacks-shorter-and-more-frequent-80-now-take-less-than-an-hour/article/663914/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
'Combo list' database of previously breached accounts contains
over 560M credentials - An unknown individual has compiled a huge
online data set comprised of approximately 560 million emails and
their corresponding credentials, over 243 million of which are
unique.
https://www.scmagazine.com/combo-list-database-of-previously-breached-accounts-contains-over-560m-credentials/article/662861/
Zomato breach leaves bad taste in mouth of 17 million users - Zomato,
an online restaurant search and review service, has notified its
customers of a data breach, after a dark web vendor was discovered
selling data belonging to millions of the company's users.
https://www.scmagazine.com/zomato-breach-leaves-bad-taste-in-mouth-of-17-million-users/article/662825/
Panic CEO pwned, has company source code stolen - Apple app maker
Panic's CEO Steven Frank said he mistakenly downloaded the
malware-laced DVD-ripping app HandBrake resulting in some of the
company's source code being stolen.
https://www.scmagazine.com/panic-ceo-pwned-has-company-source-code-stolen/article/662674/
Breach at DocuSign Led to Targeted Email Malware Campaign - DocuSign,
a major provider of electronic signature technology, acknowledged
today that a series of recent malware phishing attacks targeting its
customers and users was the result of a data breach at one of its
computer systems.
http://krebsonsecurity.com/2017/05/breach-at-docusign-led-to-targeted-email-malware-campaign/
Breach at Equifax subsidiary illustrates risks consumers face - The
number of those affected by a breach into an Equifax subsidiary
remains unclear, but what is known is that intruders were able to
access customers' W-2 tax data.
https://www.scmagazine.com/breach-at-equifax-subsidiary-illustrates-risks-consumers-face/article/662982/
Passengers facing delays at airports in Australia due to passport
software failure - It’s believed the system went down about 7.30am
(AEDT) before being restored about 11am.
http://www.news.com.au/travel/travel-updates/incidents/passengers-facing-delays-at-sydney-airport/news-story/9f16aa4579ab670022a573e397c9dafc
Brazilian criminals rig ATMs to steal payment card chips - In an
effort to work around the security measures built into EMV credit
cards, a Brazilian criminal gang has created a skimmer-type device
that steals the chip right out of the card when it is inserted into
a compromised ATM.
https://www.scmagazine.com/brazilian-criminals-rig-atms-to-steal-payment-card-chips/article/663466/
Breach of Florida agency exposes SSNs and concealed weapons license
holders - A data breach at Florida's Department of Agriculture
and Consumer Services (FDACS) has put the personal information of
thousands of people at risk.
https://www.scmagazine.com/breach-of-florida-agency-exposes-ssns-and-concealed-weapons-license-holders/article/663568/
WEB SITE COMPLIANCE -
Over the next 12 weeks we will cover the recently released FDIC
Supervisory Insights regarding Incident Response Programs. (1 of 12)
Incident Response Programs: Don't Get Caught Without One
Everyone is familiar with the old adage "Time is money." In the
Information Age, data may be just as good. Reports of data
compromises and security breaches at organizations ranging from
universities and retail companies to financial institutions and
government agencies provide evidence of the ingenuity of Internet
hackers, criminal organizations, and dishonest insiders obtaining
and profiting from sensitive customer information. Whether a network
security breach compromising millions of credit card accounts or a
lost computer tape containing names, addresses, and Social Security
numbers of thousands of individuals, a security incident can damage
corporate reputations, cause financial losses, and enable identity
theft.
Banks are increasingly becoming prime targets for attack because
they hold valuable data that, when compromised, may lead to identity
theft and financial loss. This environment places significant
demands on a bank's information security program to identify and
prevent vulnerabilities that could result in successful attacks on
sensitive customer information held by the bank. The rapid adoption
of the Internet as a delivery channel for electronic commerce
coupled with prevalent and highly publicized vulnerabilities in
popular hardware and software have presented serious security
challenges to the banking industry. In this high-risk environment,
it is very likely that a bank will, at some point, need to respond
to security incidents affecting its customers.
To mitigate the negative effects of security breaches,
organizations are finding it necessary to develop formal incident
response programs (IRPs). However, at a time when organizations
need to be most prepared, many banks are finding it challenging to
assemble an IRP that not only meets minimum requirements (as
prescribed by Federal bank regulators), but also provides for an
effective methodology to manage security incidents for the benefit
of the bank and its customers. In response to these challenges, this
article highlights the importance of IRPs to a bank's information
security program and provides information on required content and
best practices banks may consider when developing effective response
programs.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
LOGGING AND DATA COLLECTION (Part 1 of 2)
Financial institutions should take reasonable steps to ensure that
sufficient data is collected from secure log files to identify and
respond to security incidents and to monitor and enforce policy
compliance. Appropriate logging controls ensure that security
personnel can review and analyze log data to identify unauthorized
access attempts and security violations, provide support for
personnel actions, and aid in reconstructing compromised systems.
An institution's ongoing security risk assessment process should
evaluate the adequacy of the system logging and the type of
information collected. Security policies should address the proper
handling and analysis of log files. Institutions have to make
risk-based decisions on where and when to log activity. The
following data are typically logged to some extent, including:
- Inbound and outbound Internet traffic,
- Internal network traffic,
- Firewall events,
- Intrusion detection system events,
- Network and host performance,
- Operating system access (especially high-level administrative or
root access),
- Application access (especially users and objects with write and
execute privileges), and
- Remote access.
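As an added example (not from the FFIEC booklet or this newsletter), a small Python log reviewer that sorts constructed syslog-style lines into two of the categories above (remote access, and operating system access that reaches root) and flags a source address with repeated failed logins; the log formats, host names, addresses and failure threshold are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (syslog style); not taken from any real system.
SAMPLE_LOG = """\
May 18 09:01:12 host1 sshd[2201]: Accepted publickey for alice from 10.0.5.20 port 50122 ssh2
May 18 09:02:40 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart app
May 18 09:03:05 host1 sshd[2210]: Failed password for root from 203.0.113.7 port 41000 ssh2
May 18 09:03:06 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 41001 ssh2
May 18 09:03:07 host1 sshd[2212]: Failed password for root from 203.0.113.7 port 41002 ssh2
May 18 09:03:08 host1 sshd[2213]: Failed password for admin from 203.0.113.7 port 41003 ssh2
May 18 09:10:00 host1 vpnd[310]: session opened for user bob from 198.51.100.9
"""
# Event patterns this example understands (assumed formats, for illustration only).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SUDO = re.compile(r"sudo: (\S+) : .*USER=(\S+) ; COMMAND=(.+)$")
VPN = re.compile(r"vpnd\[\d+\]: session opened for user (\S+) from (\S+)")

def classify(line):
    """Map one line to an FFIEC logging category: (category, outcome, actor, detail)."""
    if m := FAILED.search(line):
        return ("Remote access", "failed", m.group(1), m.group(2))
    if m := ACCEPTED.search(line) or VPN.search(line):
        return ("Remote access", "accepted", m.group(1), m.group(2))
    if m := SUDO.search(line):
        # Escalation to root is the "high-level administrative or root access" case.
        cat = "Operating system access (root)" if m.group(2) == "root" else "Operating system access"
        return (cat, "privileged", m.group(1), m.group(3))
    return None  # not a category this reviewer tracks

def review(log_text, fail_threshold=3):
    """Count events per category, list root escalations, flag repeated-failure sources."""
    by_category = Counter()
    failures = defaultdict(int)
    root_events = []
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        cat, outcome, actor, detail = ev
        by_category[cat] += 1
        if outcome == "failed":
            failures[detail] += 1  # detail is the source address for login events
        if cat.endswith("(root)"):
            root_events.append((actor, detail))  # who became root, and which command
    suspicious = sorted(s for s, n in failures.items() if n >= fail_threshold)
    return {"by_category": dict(by_category), "root_events": root_events,
            "suspicious_sources": suspicious}
```

Calling `review(SAMPLE_LOG)` returns the per-category counts, the single root escalation by alice, and 203.0.113.7 as the source that exceeded the failure threshold.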
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.6 Cost Considerations
There are many security costs under the category of user issues.
Among these are:
Screening -- Costs of initial background screening and
periodic updates, as appropriate.
Training and Awareness -- Costs of training needs
assessments, training materials, course fees, and so forth.
User Administration -- Costs of managing identification and
authentication, which, particularly for large distributed systems,
may be rather significant.
Access Administration -- Particularly beyond the initial
account set-up, are ongoing costs of maintaining user accesses
currently and completely.
Auditing -- Although such costs can be reduced somewhat when
using automated tools, consistent, resource-intensive human review
is still often necessary to detect and resolve security anomalies.