FYI
- Legislation bars DoD from using Kaspersky; FBI agents visit
employees of Russian cyber firm - The U.S. Senate Armed Services
Committee on Wednesday released its annual defense spending bill,
which reportedly contains a provision prohibiting the Department of
Defense from using any products from Moscow-based cybersecurity firm
Kaspersky Lab.
https://www.scmagazine.com/legislation-bars-dod-from-using-kaspersky-fbi-agents-visit-employees-of-russian-cyber-firm/article/672237/
Defense Contractors will be Held to Higher Cyber Standards - Defense
contractors will soon be held to the same cybersecurity standards
that the Defense Department has implemented in recent years,
according to a top IT official at the Pentagon.
http://www.govconwire.com/2017/06/defense-contractors-will-be-held-to-higher-cyber-standards/
Met Police Windows XP migration programme slows with 18,000 PCs
still running the antiquated operating system - The Metropolitan
Police is still running Windows XP on the majority of its PCs,
despite a migration programme that has been ongoing for some three
or more years.
https://www.v3.co.uk/v3-uk/news/3012835/met-police-windows-xp-migration-programme-slows-with-18-000-pcs-still-running-the-antiquated-operating-system
After the WannaCry ransomware campaign, why aren't people patching?
- A massive ransomware campaign attacked countless endpoints for the
second time in just over a month, exploiting a vulnerability that
had been patched months earlier. SC asks, why does this keep
happening?
https://www.scmagazine.com/after-the-wannacry-ransomware-campaign-why-arent-people-patching/article/672376/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- 8tracks breach yields data on 18M accounts - Hackers accessed
8tracks's user database and pilfered information, including email
addresses and encrypted passwords, from at least 18 million accounts
signed up for the Internet radio service using email.
https://www.scmagazine.com/8tracks-breach-yields-data-on-18m-accounts/article/672233/
Information-stealing malware found targeting Israeli hospitals -
Researchers from Trend Micro have discovered a malware attack
targeting two Israeli hospitals with highly obfuscated
information-stealing malware that abuses LNK shortcut files.
https://www.scmagazine.com/updated-information-stealing-malware-found-targeting-israeli-hospitals/article/672261/
Google staffers' personal data exposed by third-party travel firm -
The details of Google employees have been left exposed by an agency
that looks after the search engine giant's travel bookings, it has
emerged.
https://www.scmagazine.com/google-staffers-personal-data-exposed-by-third-party-travel-firm/article/672837/
What Breach? AA fails to alert customers after server leaks card
data - Though the AA's shop was reportedly leaking payment card
data, the motoring association did not alert customers.
https://www.scmagazine.com/what-breach-aa-fails-to-alert-customers-after-server-leaks-card-data/article/672857/
Bitthumb breach yields personal data on 30K, leads to funds scams -
Personal information on 30,000 customers of Bitthumb, billed as
South Korea's largest cybercurrency exchange, was likely exposed in
a recent hack of an employee's PC and used to trick customers and
pilfer their funds.
https://www.scmagazine.com/bitthumb-breach-yields-personal-data-on-30k-leads-to-funds-scams/article/673051/
Indiana Medicaid patient information exposed - Indiana Medicaid
members may have had their healthcare records compromised when a
third-party vendor mistakenly made public a link to the data.
https://www.scmagazine.com/indiana-medicaid-patient-information-exposed/article/672881/
WEB SITE COMPLIANCE - We continue the series regarding FDIC
Supervisory Insights regarding Incident Response Programs. (7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program
is to define what constitutes an incident. This step is important as
it sharpens the organization's focus and delineates the types of
events that would trigger the use of the IRP. Moreover, identifying
potential security incidents can also make the possible threats seem
more tangible, and thus better enable organizations to design
specific incident-handling procedures for each identified threat.
Detection
The ability to detect that an incident is occurring or has occurred
is an important component of the incident response process. This is
considerably more important with respect to technical threats, since
these can be more difficult to identify without the proper technical
solutions in place. If an institution is not positioned to quickly
identify incidents, the overall effectiveness of the IRP may be
affected. Following are two detection-related best practices
included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical solution, such
as an intrusion detection system or a firewall, to assist in the
identification of unauthorized system access. Activity reports from
these and other technical solutions (such as network and application
security reports) serve as inputs for the monitoring process and for
the IRP in general. Identifying potential indicators of unauthorized
system access within these activity or security reports can assist
in the detection process.
Involve legal counsel.
Because many states have enacted laws governing
notification requirements for customer information security
compromises, institutions have found it prudent to involve the
institution's legal counsel when a compromise of customer
information has been detected. Legal guidance may also be warranted
in properly documenting and handling the incident.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 2 of 4)
"Tuning" refers to the creation of signatures that
can distinguish between normal network traffic and potentially
malicious traffic. Proper tuning of these IDS units is essential to
reliable detection of both known attacks and newly developed
attacks. Tuning of some signature-based units for any particular
network may take an extended period of time, and involve extensive
analysis of expected traffic. If an IDS is not properly tuned, the
volume of alerts it generates may degrade the intrusion
identification and response capability.
Signatures may take several forms. The simplest form is the URL
submitted to a Web server, where certain references, such as
cmd.exe, are indicators of an attack. The nature of traffic to and
from a server can also serve as a signature. An example is the
length of a session and amount of traffic passed. A signature method
meant to focus on sophisticated attackers is protocol analysis, when
the contents of a packet or session are analyzed for activity that
violates standards or expected behavior. That method can catch, for
instance, indicators that servers are being attacked using Internet
control message protocol (ICMP).
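An added example (not from the FFIEC booklet) of the first two signature forms described above, the cmd.exe URL reference and the session length/traffic profile, with thresholds tuned from expected traffic. The record fields, the 3x margin and all sample data are constructed assumptions.

```python
import re
from urllib.parse import unquote

# URL signature from the passage: a reference to cmd.exe in a web request.
URL_SIGNATURE = re.compile(r"cmd\.exe", re.IGNORECASE)

def normalize_url(url, max_rounds=3):
    """Percent-decode repeatedly so an encoded reference still matches."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def url_alert(url):
    return bool(URL_SIGNATURE.search(normalize_url(url)))

def tune_session_limits(baseline, margin=3.0):
    """Tuning step: thresholds are margin x the largest value in expected traffic."""
    return (margin * max(s["seconds"] for s in baseline),
            margin * max(s["bytes_out"] for s in baseline))

def session_alert(session, limits):
    max_seconds, max_bytes = limits
    return session["seconds"] > max_seconds or session["bytes_out"] > max_bytes

def scan(requests, sessions, limits):
    alerts = [("url", r) for r in requests if url_alert(r)]
    alerts += [("session", s["id"]) for s in sessions if session_alert(s, limits)]
    return alerts

# Constructed sample data (not taken from any real log).
BASELINE = [
    {"id": "b1", "seconds": 12, "bytes_out": 40_000},
    {"id": "b2", "seconds": 45, "bytes_out": 250_000},
    {"id": "b3", "seconds": 30, "bytes_out": 120_000},
]
REQUESTS = ["/index.html", "/scripts/cmd.exe", "/scripts/%63md.exe",
            "/scripts/%2563md.exe", "/docs/command-line.html"]
SESSIONS = [
    {"id": "s1", "seconds": 20, "bytes_out": 90_000},      # within baseline
    {"id": "s2", "seconds": 600, "bytes_out": 100_000},    # unusually long
    {"id": "s3", "seconds": 10, "bytes_out": 5_000_000},   # unusually large
]

if __name__ == "__main__":
    for alert in scan(REQUESTS, SESSIONS, tune_session_limits(BASELINE)):
        print(alert)
```

A margin set too low floods the analyst with session alerts, which is the alert-volume problem the tuning paragraph describes; one set too high misses the long or heavy sessions.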
Switched networks pose a problem for network IDS. Switches
ordinarily do not broadcast traffic to all ports, and a network IDS
may need to see all traffic to be effective. When switches do not
have a port that receives all traffic, the financial institution may
have to alter its network to include a hub or other device to
allow the IDS to monitor traffic.
Encrypted network traffic will drastically reduce the
effectiveness of a network IDS. Since a network IDS only reads
traffic and does not decrypt the traffic, encrypted traffic will
avoid detection.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4.1 Human Resources
To ensure an organization has access to workers with the right
skills and knowledge, training and documentation of knowledge are
needed. During a major contingency, people will be under significant
stress and may panic. If the contingency is a regional disaster,
their first concerns will probably be their family and property. In
addition, many people will be either unwilling or unable to come to
work. Additional hiring or temporary services can be used. The use
of additional personnel may introduce security vulnerabilities.
Contingency planning, especially for emergency response, normally
places the highest emphasis on the protection of human life.
11.4.2 Processing Capability
Strategies for processing capability are normally grouped into five
categories: hot site; cold site; redundancy; reciprocal agreements;
and hybrids. These terms originated with recovery strategies for
data centers but can be applied to other platforms.
1. Hot site -- A building already equipped with processing
capability and other services.
2. Cold site -- A building for housing processors that can be
easily adapted for use.
3. Redundant site -- A site equipped and configured exactly like
the primary site. (Some organizations plan on having reduced
processing capability after a disaster and use partial redundancy.
The stocking of spare personal computers or LAN servers also
provides some redundancy.)
4. Reciprocal agreement -- An agreement that allows two
organizations to back each other up. (While this approach often
sounds desirable, contingency planning experts note that this
alternative has the greatest chance of failure due to problems
keeping agreements and plans up-to-date as systems and personnel
change.)
5. Hybrids -- Any combination of the above, such as having a
hot site as a backup in case a redundant or reciprocal agreement
site is damaged by a separate contingency.
Recovery may include several stages, perhaps marked by increasing
availability of processing capability. Resumption planning may
include contracts or the ability to place contracts to replace
equipment.