FYI - FDIC ill-equipped to identify major cyber incidents - The Federal Deposit Insurance Corp.'s breach reporting guidelines are inadequate for identifying "major" cyber incidents, according to a new inspector general report. https://fcw.com/articles/2016/07/11/fdic-cyber-oig.aspx

FYI - European Member States Approve Privacy Shield Agreement - Representatives of the 28 states of the European Union approved the final version of the Privacy Shield agreement between the United States and the EU on July 8. http://www.eweek.com/security/european-member-states-approve-privacy-shield-agreement.html

FYI - FAA reauthorization to bolster cyber efforts - The Federal Aviation Administration reauthorization, introduced Thursday and likely to pass next week, will require the agency to mull improvements to cybersecurity. http://thehill.com/policy/cybersecurity/287013-faa-reauthorization-to-bolster-cyber-efforts

FYI - European Union’s First Cybersecurity Law Gets Green Light - The European Union approved its first rules on cybersecurity, forcing businesses to strengthen defenses and companies such as Google Inc. and Amazon.com Inc. to report attacks. http://www.bloomberg.com/news/articles/2016-07-06/european-union-s-first-cybersecurity-law-gets-green-light

FYI - Cybercrime now tops traditional crime in U.K. - A new report found that cybercrime in the U.K. has passed traditional crime in terms of impact. http://www.scmagazine.com/cybercrime-now-tops-traditional-crime-in-uk/article/508296/

FYI - 53% of organisations around the world still use Windows Server 2003 - Over half (53 percent) of companies have at least one instance of Windows Server 2003 still running even though its end of life (EOL) date passed on 14 July 2015. http://www.scmagazine.com/53-of-organisations-around-the-world-still-use-windows-server-2003/article/509180/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Wendy's says payment card info accessed in malware attack - The burger chain said Thursday that malware on point-of-sales systems at more than 300 franchise locations targeted payment card information including "cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code." The malware led to unusual credit card activity beginning in autumn 2015. http://www.cnet.com/news/speed-desk-headlinewendys-opens-up-about-malware-says-hackers-accessed-payment-info/

FYI - 20 million Iranian mobile users' data leaked but operator denies being hacked - Iran's second largest mobile operator, Irancell, lost the personal information of 20 million customers in a data leak last week but denies being hacked. http://www.scmagazine.com/20-million-iranian-mobile-users-data-leaked-but-operator-denies-being-hacked/article/508300/

FYI - Baton Rouge police server accessed, 50K files reportedly released - A hacker reportedly accessed and publicly posted 50,000 records from the Baton Rouge Police Department to protest the police killing of local resident Alton Sterling. http://www.scmagazine.com/baton-rouge-police-server-accessed-50k-files-reportedly-released/article/508307/

FYI - NC State breach affects 38,000 - A cyber crook used a phishing scam to break into a North Carolina State University email account containing personally identifiable information. http://www.scmagazine.com/nc-state-breach-affects-38000/article/508601/

FYI - Datadog breached, tells users to reset login credentials - Cloud service data aggregator Datadog was hit with a data breach late last week and has sent a letter to its customers warning them to change their login credentials. http://www.scmagazine.com/datadog-breached-tells-users-to-reset-login-credentials/article/508723/

FYI - Omni Hotels was hit by point-of-sale malware - Omni Hotels & Resorts has reported that point-of-sale systems at some of its properties were hit by malware targeting payment card information. http://www.computerworld.com/article/3093390/security/omni-hotels-was-hit-by-point-of-sale-malware.html

FYI - Malware suspected in ATM heist in Taiwan - ATMs in Taiwan were spewing money over the weekend in what authorities believe were malware-aided thefts. http://www.scmagazine.com/malware-suspected-in-atm-heist-in-taiwan/article/509170/

FYI - Seeking Alpha financial news app leaks credentials, stock positions of 500K users - Researchers discovered financial news platform Seeking Alpha's mobile applications leaking PII and confidential information of more than 500,000 users. http://www.scmagazine.com/seeking-alpha-financial-news-app-leaks-credentials-stock-positions-of-500k-users/article/509335/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security."
 
 RISK ASSESSMENT/MANAGEMENT
 
 A thorough and proactive risk assessment is the first step in establishing a sound security program. This is the ongoing process of evaluating threats and vulnerabilities, and establishing an appropriate risk management program to mitigate potential monetary losses and harm to an institution's reputation. Threats have the potential to harm an institution, while vulnerabilities are weaknesses that can be exploited.
 
 The extent of the information security program should be commensurate with the degree of risk associated with the institution's systems, networks, and information assets. For example, compared to an information-only Web site, institutions offering transactional Internet banking activities are exposed to greater risks. Further, real-time funds transfers generally pose greater risks than delayed or batch-processed transactions because the items are processed immediately. The extent to which an institution contracts with third-party vendors will also affect the nature of the risk assessment program.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION
 
 LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
 
 Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls (Part 1 of 2)
 
 All authentication methodologies display weaknesses. Those weaknesses are of both a technical and a nontechnical nature. Many of the weaknesses are common to all mechanisms. Examples of common weaknesses include warehouse attacks, social engineering, client attacks, replay attacks, and hijacking.
 
 Warehouse attacks result in the compromise of the authentication storage system, and the theft of the authentication data. Frequently, the authentication data is encrypted; however, dictionary attacks make decryption of even a few passwords in a large group a trivial task. A dictionary attack uses a list of likely authenticators, such as passwords, runs the likely authenticators through the encryption algorithm, and compares the result to the stolen, encrypted authenticators. Any matches are easily traceable to the pre-encrypted authenticator.
 
 Dictionary and brute force attacks are viable due to the speeds with which comparisons are made. As microprocessors increase in speed, and technology advances to ease the linking of processors across networks, those attacks will be even more effective. Because those attacks are effective, institutions should take great care in securing their authentication databases. Institutions that use one - way hashes should consider the insertion of secret bits (also known as "salt") to increase the difficulty of decrypting the hash. The salt has the effect of increasing the number of potential authenticators that attackers must check for validity, thereby making the attacks more time consuming and creating more opportunity for the institution to identify and react to the attack.
 
 Warehouse attacks typically compromise an entire authentication mechanism. Should such an attack occur, the financial institution might have to deny access to all or nearly all users until new authentication devices can be issued (e.g. new passwords). Institutions should consider the effects of such a denial of access, and appropriately plan for large-scale re-issuances of authentication devices.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 11.4 Step 4: Selecting Contingency Planning Strategies
 
 The next step is to plan how to recover needed resources. In evaluating alternatives, it is necessary to consider what controls are in place to prevent and minimize contingencies. Since no set of controls can cost-effectively prevent all contingencies, it is necessary to coordinate prevention and recovery efforts.
 
 A contingency planning strategy normally consists of three parts: emergency response, recovery, and resumption.89 Emergency response encompasses the initial actions taken to protect lives and limit damage. Recovery refers to the steps that are taken to continue support for critical functions. Resumption is the return to normal operations. The relationship between recovery and resumption is important. The longer it takes to resume normal operations, the longer the organization will have to operate in the recovery mode.
 
 The selection of a strategy needs to be based on practical considerations, including feasibility and cost. The different categories of resources should each be considered. Risk assessment can be used to help estimate the cost of options to decide on an optimal strategy. For example, is it more expensive to purchase and maintain a generator or to move processing to an alternate site, considering the likelihood of losing electrical power for various lengths of time? Are the consequences of a loss of computer-related resources sufficiently high to warrant the cost of various recovery strategies? The risk assessment should focus on areas where it is not clear which strategy is the best.
 
 In developing contingency planning strategies, there are many factors to consider in addressing each of the resources that support critical functions. Some examples are:
 
 Example 1: If the system administrator for a LAN has to be out of the office for a long time (due to illness or an accident), arrangements are made for the system administrator of another LAN to perform the duties. Anticipating this, the absent administrator should have taken steps beforehand to keep documentation current. This strategy is inexpensive, but service will probably be significantly reduced on both LANs which may prompt the manager of the loaned administrator to partially renege on the agreement.
 
 Example 2: An organization depends on an on-line information service provided by a commercial vendor. The organization is no longer able to obtain the information manually (e.g., from a reference book) within acceptable time limits and there are no other comparable services. In this case, the organization relies on the contingency plan of the service provider. The organization pays a premium to obtain priority service in case the service provider has to operate at reduced capacity.
 
 Example #3: A large mainframe data center has a contract with a hot site vendor, has a contract with the telecommunications carrier to reroute communications to the hot site, has plans to move people, and stores up-to-date copies of data, applications and needed paper records off-site. The contingency plan is expensive, but management has decided that the expense is fully justified.
 
 Example #4. An organization distributes its processing among two major sites, each of which includes small to medium processors (personal computers and minicomputers). If one site is lost, the other can carry the critical load until more equipment is purchased. Routing of data and voice communications can be performed transparently to redirect traffic. Backup copies are stored at the other site. This plan requires tight control over the architectures used and types of applications that are developed to ensure compatibility. In addition, personnel at both sites must be cross-trained to perform all functions.