FYI - Information Technology Risk Examination (InTREx) Program - The FDIC updated its information technology and operations risk (IT) examination procedures to provide a more efficient, risk-focused approach. This enhanced program also provides a cybersecurity preparedness assessment and discloses more detailed examination results using component ratings. https://www.fdic.gov/news/news/financial/2016/fil16043.html

FYI - GAO - Information Security: FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed.
Report: http://www.gao.gov/products/GAO-16-605 
Highlights: http://www.gao.gov/assets/680/678083.pdf

FYI - Fed weighs enhanced scrutiny on transfers after $81M cyberheist - The Federal Reserve is considering “enhanced monitoring” for certain kinds of transactions, after hackers stole $81 million from the Bangladesh central bank’s account at the New York branch, Fed chairman Janet Yellen told lawmakers Wednesday. http://thehill.com/business-a-lobbying/284505-fed-weighs-enhanced-scrutiny-on-transfers-after-81m-cyberheist

FYI - Foreign Government Hackers Are the Gravest and Most Common Threat, Agencies Say - The gravest attacks -- and most common -- perpetrated against agency networks involved nation states, according to an audit that happened to be released amid accusations the Russian government allegedly hacked the Democratic National Committee. http://www.nextgov.com/cybersecurity/2016/06/foreign-government-hackers-are-gravest-and-most-common-threat-agencies-say/129280/

FYI - Naval Academy grads spread cyber awareness servicewide - Just as cyber permeates every other domain of warfare, the Naval Academy’s first class of cybersecurity graduates pervades every community in the service, from Navy SEALs to submariners to Marines. http://federalnewsradio.com/cyber-skills-training-month/2016/06/naval-academy-grads-spread-cyber-awareness-servicewide/

FYI - Hacker selling 655,000 patient records from 3 hacked healthcare organizations - A hacker is reportedly trying to sell more than half a million patient records, obtained from exploiting RDP, on a dark web marketplace. http://www.computerworld.com/article/3088907/security/hacker-selling-655-000-patient-records-from-3-hacked-healthcare-organizations.html

FYI - Payout of $10,000 for Windows 10 update - Microsoft has agreed to pay a Californian woman $10,000 (£7,500) after an automatic Windows 10 update left her computer unusable. http://www.bbc.com/news/technology-36640464

FYI - Medicos could be world's best security bypassers, study finds - Hospitals plastered with password sticky notes - Medicos are so adept at mitigating security controls that their bypassing exploits have become official policy, a university-backed study has revealed. http://www.theregister.co.uk/2016/06/27/medicos_could_be_worlds_best_security_bypassers_study_finds/

FYI - British teen admits to cyberattack on SeaWorld - A British teenager has admitted to instigating cyber attacks on SeaWorld in Florida, but has denied launching bomb threats to airlines in the U.S. via Twitter, according to BBC News. http://www.scmagazine.com/british-teen-admits-to-cyberattack-on-seaworld/article/505956/

FYI - Top 10 cyber-weapons; weaponised IT the preferred attack vehicle once inside - The Cyber Weapons Report 2016 from LightCyber Inc issued today catalogues the top ten weapons used in various categories of cyber-attack, however its main thrust is that once an attacker is on your system, they rarely use malware and what you need to monitor is anomalous behaviour using legitimate tools. http://www.scmagazine.com/top-10-cyber-weapons-weaponised-it-the-preferred-attack-vehicle-once-inside/article/506357/

FYI - Recycled hard drives rich with residual data, study - Owing to a decrease in the sale of PCs and laptops, consumers and businesses in need of additional storage are buying up more recycled hard drives – and the amount of digital information stored on these devices is staggering, according to a new study. http://www.scmagazine.com/recycled-hard-drives-rich-with-residual-data-study/article/506361/

FYI - Hackers investing 40% of crime proceeds in new criminal techniques - Cyber-criminals are investing up to 40 percent of their stolen funds in improving and modernising their techniques and criminal schemes according to a recent report issued by cyber-experts at the Russian Ministry of Communications. http://www.scmagazine.com/hackers-investing-40-of-crime-proceeds-in-new-criminal-techniques/article/506847/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Online Backup Firm Carbonite Hit by Password Reuse Attack - Boston-based backup services provider Carbonite is the latest company whose users have been targeted by hackers leveraging credentials leaked recently from major websites. http://www.securityweek.com/online-backup-firm-carbonite-hit-password-reuse-attack

FYI - Technology director arrested in Abingdon-Avon School District on electronic eavesdropping charges - Law enforcement officials in Knox County, Ill. earlier this week arrested a longtime IT employee of Abingdon-Avon School District #276 on electronic eavesdropping charges in connection with a recent data breach, according to local reports. http://www.scmagazine.com/technology-director-arrested-in-abingdon-avon-school-district-on-electronic-eavesdropping-charges/article/505374/

FYI - How 154M U.S. voter records will affect Americans' security - industry reacts - A security researcher discovered an unencrypted database containing 154 million records of U.S. voters that included addresses, phone numbers, political party, income range, ethnicity, age, and voting history. http://www.scmagazine.com/how-154m-us-voter-records-will-affect-americans-security--industry-reacts/article/505376/

FYI - Microsoft Office 365 hit with massive Cerber ransomware attack, report - Millions of Microsoft Office 365 users were potentially exposed to a massive zero-day Cerber ransomware attack last week that not only included a ransom note, but an audio warning informing victims that their files were encrypted. http://www.scmagazine.com/microsoft-office-365-hit-with-massive-cerber-ransomware-attack-report/article/505845/

FYI - Google CEO Sundar Pichai Quora account hijacked by Zuckerberg hackers - Three weeks after hijacking Facebook CEO Mark Zuckerberg's Twitter and Pinterest accounts, the mischievous OurMine hacking group appears to have briefly seized control of Google CEO Sundar Pichai's Quora account. http://www.scmagazine.com/google-ceo-sundar-pichai-quora-account-hijacked-by-zuckerberg-hackers/article/505635/

FYI - SEC Twitter account hacked, inappropriate pics posted - A prankster Saturday hacked the official SEC (Southeastern Conference) Twitter account and posted pictures of scantily clad women. http://www.scmagazine.com/attacker-hacks-sec-twitter-account-posts-images-of-scantily-clad-women/article/505641/

FYI - Hard Rock Hotel & Casino Las Vegas hit with POS breach - The Hard Rock Hotel & Casino in Las Vegas Monday reported a data breach after point-of-sale (POS) malware was found on the resort's systems. http://www.scmagazine.com/payment-card-breach-at-hard-rock-hotel-casino-las-vegas/article/506181/

FYI - Hummer trojan infects Androids, likely yields creators $500K daily - A new Trojan, dubbed Hummer, that's infecting Android phones, is yielding its creators more than $500,000 per day. http://www.scmagazine.com/hummer-trojan-infects-androids-likely-yields-creators-500k-daily/article/506833/

FYI - Massachusetts General Hospital data breach affects 4.3K patients - Fingers are pointing at a third-party vendor as the culpable party behind the exposure of personally identifiable information of 4,300 patients of Massachusetts General Hospital (MGH). http://www.scmagazine.com/massachusetts-general-hospital-data-breach-affects-43k-patients/article/506659/

FYI - House websites knocked offline; provider suggests link to Dem protest - The Congressional websites of 19 House Democrats were knocked offline in an incident that the technology firm managing the sites believes is linked to last week's sit-in calling for a vote on gun control legislation. http://www.scmagazine.com/house-websites-knocked-offline-provider-suggests-link-to-dem-protest/article/506636/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 
 
 To ensure the security of information systems and data, financial institutions should have a sound information security program that identifies, measures, monitors, and manages potential risk exposure. Fundamental to an effective information security program is ongoing risk assessment of threats and vulnerabilities surrounding networked and/or Internet systems. Institutions should consider the various measures available to support and enhance information security programs. The appendix to this paper describes certain vulnerability assessment tools and intrusion detection methods that can be useful in preventing and identifying attempted external break-ins or internal misuse of information systems. Institutions should also consider plans for responding to an information security incident.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION
 
 LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
 
 AUTHENTICATION - Biometrics (Part 2 of 2)
 
 Weaknesses in biometric systems relate to the ability of an attacker to submit false physical characteristics, or to take advantage of system flaws to make the system erroneously report a match between the characteristic submitted and the one stored in the system. In the first situation, an attacker might submit to a thumbprint recognition system a copy of a valid user's thumbprint. The control against this attack involves ensuring a live thumb was used for the submission. That can be done by physically controlling the thumb reader, for instance having a guard at the reader to make sure no tampering or fake thumbs are used. In remote entry situations, logical liveness tests can be performed to verify that the submitted data is from a live subject.
 
 Attacks that involve making the system falsely deny or accept a request take advantage of either the low degrees of freedom in the characteristic being tested, or improper system tuning. Degrees of freedom relate to measurable differences between biometric readings, with more degrees of freedom indicating a more unique biometric. Facial recognition systems, for instance, may have only nine degrees of freedom while other biometric systems have over one hundred. Similar faces may be used to fool the system into improperly authenticating an individual. Similar irises, however, are difficult to find and even more difficult to fool a system into improperly authenticating.
 
 Attacks against system tuning also exist. Any biometric system has rates at which it will falsely accept a reading and falsely reject a reading. The two rates are inseparable; for any given system improving one worsens the other. Systems that are tuned to maximize user convenience typically have low rates of false rejection and high rates of false acceptance. Those systems may be more open to successful attack.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 11.2 Step 2: Identifying the Resources That Support Critical Functions
 
 11.2.3 Automated Applications and Data
 
 Computer systems run applications that process data. Without current electronic versions of both applications and data, computerized processing may not be possible. If the processing is being performed on alternate hardware, the applications must be compatible with the alternate hardware, operating systems and other software (including version and configuration), and numerous other technical factors. Because of the complexity, it is normally necessary to periodically verify compatibility.
 
 11.2.4 Computer-Based Services
 
 An organization uses many different kinds of computer-based services to perform its functions. The two most important are normally communications services and information services. Communications can be further categorized as data and voice communications; however, in many organizations these are managed by the same service. Information services include any source of information outside of the organization. Many of these sources are becoming automated, including on-line government and private databases, news services, and bulletin boards.
 
 11.2.5 Physical Infrastructure
 
 For people to work effectively, they need a safe working environment and appropriate equipment and utilities. This can include office space, heating, cooling, venting, power, water, sewage, other utilities, desks, telephones, fax machines, personal computers, terminals, courier services, file cabinets, and many other items. In addition, computers also need space and utilities, such as electricity. Electronic and paper media used to store applications and data also have physical requirements
 
 11.2.6 Documents and Papers
 
 Many functions rely on vital records and various documents, papers, or forms. These records could be important because of a legal need (such as being able to produce a signed copy of a loan) or because they are the only record of the information. Records can be maintained on paper, microfiche, microfilm, magnetic media, or optical disk.