FYI
- Uncle Sam says 'nyet' to Kaspersky amid fresh claims of Russian
ties - Kaspersky Lab is facing new restrictions from the US
government to go along with a fresh round of accusations that the
antivirus maker works closely with Russian intelligence.
http://www.theregister.co.uk/2017/07/11/uncle_sam_says_nyet_to_kaspersky/
Russia, China vow to kill off VPNs, Tor browser - New laws needed
because today's censorship not good enough, apparently - Russia and
China are banning the use of virtual private networks, as their
governments assert ever greater control over what citizens can see
online.
http://www.theregister.co.uk/2017/07/11/russia_china_vpns_tor_browser/
Verizon Data Exposure - A Lesson in Cloud Security Hygiene -
According to reports, Verizon potentially exposed up to 14 million
customers' personal information in a public-facing Amazon S3
(storage) bucket which was managed by one of their third-party
vendors.
https://www.scmagazine.com/verizon-data-exposure--a-lesson-in-cloud-security-hygiene/article/674902/
ATM skimmers using infrared to steal data - Credit card skimming
thieves have upped their game and are using infrared communications
to minimize their chances of getting caught.
https://www.scmagazine.com/scammers-stealing-atm-data-using-infrared-tech/article/675044/
NotPetya cyberattack results still linger at FedEx, will result in
lower earnings - FedEx reported today in its 10-K financial filing
that last month's NotPetya malware attack on its TNT Express
subsidiary will negatively impact the corporation's financial
results for fiscal 2017.
https://www.scmagazine.com/notpetya-cyberattack-results-still-linger-at-fedex-will-result-in-lower-earnings/article/675555/
Identity of Securitas chief executive stolen, bankruptcy filed - The
chief executive of Swedish security firm Securitas AB, Alf Göransson,
has been declared bankrupt after having his identity stolen.
https://www.scmagazine.com/identity-of-securitas-chief-executive-stolen-bankruptcy-filed/article/675343/
Ashley Madison agrees to $11.2M settlement for 2015 data breach -
Ruby Corp. and Ruby Life, the parent organizations behind the adult
dating website Ashley Madison, have agreed to an $11.2 million
settlement with its customers who had their private information
released during a 2015 data breach.
https://www.scmagazine.com/ashley-madison-agrees-to-112m-settlement-for-2015-data-breach/article/675360/
Cybersecurity spending outlook: $1 trillion from 2017 to 2021 -
Cybercrime growth is making it difficult for researchers and IT
analyst firms to accurately forecast cybersecurity spending.
http://www.csoonline.com/article/3083798/security/cybersecurity-spending-outlook-1-trillion-from-2017-to-2021.html
Hospitals to receive £21m to increase cybersecurity at major trauma
centres - Hospitals responsible for treating patients from major
incidents including terrorist attacks will receive £21m to beef up
their cybersecurity in the wake of the WannaCry assault on NHS IT
systems.
https://www.theguardian.com/society/2017/jul/12/hospitals-to-receive-21m-to-increase-cybersecurity-at-major-trauma-centres
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- 14M Verizon customer records exposed on Amazon server - A
third-party vendor working with Verizon left the data of as many as
14 million US customers exposed on a misconfigured server.
https://www.scmagazine.com/misconfigured-server-leaves-14-million-verizon-customer-records-exposed/article/674590/
Trump Hotels joins Hard Rock, Loews and Four Seasons as victims of
Sabre hospitality breach - Trump International Hotels Management is
now the latest in a series of hotel and resort chain operators to
inform customers that their card payment data was compromised due to
a breach at third-party hospitality solutions provider Sabre
Corporation.
https://www.scmagazine.com/trump-hotels-joins-hard-rock-loews-and-four-seasons-as-victims-of-sabre-hospitality-breach/article/674910/
Staffing agency employee allegedly distributes patient information
illegally - The Detroit Medical Center (DMC) has alerted more than
1,500 of a data breach caused by an employee who shared personal
information with unauthorized individuals.
https://www.scmagazine.com/staffing-agency-employee-allegedly-distributes-patient-information-illegally/article/674727/
SC Media asks the industry: Is cyberattack insurance worth it? - UK
financial services body the Prudential Regulation Authority (PRA)
has issued a warning to insurers regarding the risk of claims for
damages arising from cyber-attacks on their customers.
https://www.scmagazine.com/sc-media-asks-the-industry-is-cyberattack-insurance-worth-it/article/675045/
Hacker steals $7 million in Ethereum cryptocurrency after
compromising start-up's token sale - A mysterious cyberthief made
off with $7 million in the cryptocurrency Ethereum on Monday after
hacking a virtual currency trading platform during its Initial Coin
Offering and inserting a malicious address where digital investors
were tricked into sending their funds.
https://www.scmagazine.com/hacker-steals-7-million-in-ethereum-cryptocurrency-after-compromising-start-ups-token-sale/article/675846/
Millions of Dow Jones customer records exposed due to an internal error
- A misconfigured database on an Amazon S3 server may have exposed
the data of between two and four million Dow Jones & Co. customers,
a report on the incident stated.
https://www.scmagazine.com/millions-of-dow-jones-customer-records-exposed-due-an-internal-error/article/675843/
WEB SITE COMPLIANCE - We continue the series on FDIC Supervisory Insights regarding Incident Response Programs. (9 of 12)
Organize a public relations program.
Whether a bank is a local, national, or global firm,
negative publicity about a security compromise is a distinct
possibility. To address potential reputation risks associated with a
given incident, some banks have organized public relations programs
and designated specific points of contact to oversee the program. A
well-defined public relations program can provide a specific avenue
for open communications with both the media and the institution's
customers.
Recovery
Recovering from an incident essentially involves restoring systems
to a known good state or returning processes and procedures to a
functional state. Some banks have incorporated the following best
practices related to the recovery process in their IRPs.
Determine whether configurations or processes should be changed.
If an institution is the subject of a security compromise,
the goals in the recovery process are to eliminate the cause of the
incident and ensure that the possibility of a repeat event is
minimized. A key component of this process is determining whether
system configurations or other processes should be changed. In the
case of technical compromises, such as a successful network
intrusion, the IRP can prompt management to update or modify system
configurations to help prevent further incidents. Part of this
process may include implementing an effective, ongoing patch
management program, which can reduce exposure to identified
technical vulnerabilities. In terms of non-technical compromises,
the IRP can direct management to review operational procedures or
processes and implement changes designed to prevent a repeat
incident.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 4 of 4)
Some host-based IDS units address the difficulty of
performing intrusion detection on encrypted traffic. Those units
position their sensors between the decryption of the IP packet and
the execution of any commands by the host. This host-based intrusion
detection method is particularly appropriate for Internet banking
servers and other servers that communicate over an encrypted
channel. Loadable kernel modules (LKMs), however, can defeat these
host-based IDS units. Host-based intrusion detection systems are
recommended by NIST for all mission-critical systems, even those that
should not allow external access.
The heuristic, or behavior, method creates a statistical profile
of normal activity on the host or network. Boundaries for activity
are established based on that profile. When current activity exceeds
the boundaries, an alert is generated. Weaknesses in this system
involve the ability of the system to accurately model activity, the
relationship between valid activity in the period being modeled and
valid activity in future periods, and the potential for malicious
activity to take place while the modeling is performed. This method
is best employed in environments with predictable, stable activity.
Both signature-based and heuristic detection methods result in
false positives (alerts where no attack exists), and false negatives
(no alert when an attack does take place). While false negatives are
obviously a concern, false positives can also hinder detection. When
security personnel are overwhelmed with the number of false
positives, they may look at the IDS reports with less vigor,
allowing real attacks to be reported by the IDS but not researched
or acted upon. Additionally, they may tune the IDS to reduce the
number of false positives, which may increase the number of false
negatives. Risk-based testing is necessary to ensure the detection
capability is adequate.
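To make the tuning trade-off concrete, here is an added Python example (not part of the FFIEC booklet) that builds a statistical profile from a constructed 24-hour baseline of hourly login counts, alerts when monitoring-period counts leave the mean +/- k*sigma boundary, and counts false positives and false negatives as the boundary k is tightened or loosened. The baseline, observations and ground-truth labels are all constructed for illustration.

```python
"""Heuristic (behaviour-based) intrusion detection on a constructed
activity profile, showing the false-positive / false-negative trade-off.
Added example; not code from the FFIEC booklet."""
from statistics import mean, pstdev

# Constructed sample: hourly login counts on a host during a stable
# 24-hour modelling period (the "normal activity" the profile is built from).
BASELINE = [50, 52, 48, 51, 49, 50, 53, 47, 50, 52, 49, 51,
            50, 48, 52, 50, 49, 51, 50, 52, 48, 50, 51, 47]

# Constructed monitoring period: 12 hourly counts plus hypothetical ground
# truth. Hour 2 (55) is a benign batch job; hour 5 (54) is a low-and-slow
# attack; hour 8 (90) is a noisy brute-force attempt.
OBSERVED = [51, 49, 55, 50, 52, 54, 48, 50, 90, 51, 49, 50]
IS_ATTACK = [False, False, False, False, False, True,
             False, False, True, False, False, False]


def build_profile(samples):
    """Statistical profile of normal activity: mean and standard deviation."""
    return mean(samples), pstdev(samples)


def detect(profile, observations, k):
    """Alert on every hour whose count falls outside mean +/- k*sigma.
    Returns the indices of the hours that raised an alert."""
    mu, sigma = profile
    lo, hi = mu - k * sigma, mu + k * sigma
    return [i for i, count in enumerate(observations) if not lo <= count <= hi]


def evaluate(alerts, ground_truth):
    """Count false positives (alert, no attack) and false negatives
    (attack, no alert) for one set of alerts."""
    alerted = set(alerts)
    fp = sum(1 for i, atk in enumerate(ground_truth) if i in alerted and not atk)
    fn = sum(1 for i, atk in enumerate(ground_truth) if atk and i not in alerted)
    return fp, fn


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    # A tight boundary (k=2) catches both attacks but also the batch job;
    # loosening it to k=4 removes the false positive and misses the slow attack.
    for k in (2, 3, 4):
        alerts = detect(profile, OBSERVED, k)
        fp, fn = evaluate(alerts, IS_ATTACK)
        print(f"k={k}: alerts={alerts} false_positives={fp} false_negatives={fn}")
```

Running it shows that no single k value is free of both error types on this data, which is why the booklet calls for risk-based testing rather than a one-time tuning pass.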
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.5 Step 5: Implementing the Contingency Strategies
Once the contingency planning strategies have been selected, it is
necessary to make appropriate preparations, document the strategies,
and train employees. Many of these tasks are ongoing.
11.5.1 Implementation
Much preparation is needed to implement the strategies for
protecting critical functions and their supporting resources. For
example, one common preparation is to establish procedures for
backing up files and applications. Another is to establish contracts
and agreements, if the contingency strategy calls for them. Existing
service contracts may need to be renegotiated to add contingency
services. Another preparation may be to purchase equipment,
especially to support a redundant capability.
It is important to keep preparations, including documentation,
up-to-date. Computer systems change rapidly and so should backup
services and redundant equipment. Contracts and agreements may also
need to reflect the changes. If additional equipment is needed, it
must be maintained and periodically replaced when it is no longer
dependable or no longer fits the organization's architecture.
Preparation should also include formally designating people who are
responsible for various tasks in the event of a contingency. These
people are often referred to as the contingency response team. This
team is often composed of people who were a part of the contingency
planning team.
There are many important implementation issues for an organization.
Two of the most important are 1) how many plans should be developed?
and 2) who prepares each plan? Both of these questions revolve
around the organization's overall strategy for contingency planning.
The answers should be documented in organization policy and
procedures.
Backing up data files and applications is a critical part of
virtually every contingency plan. Backups are used, for example, to
restore files after a personal computer virus corrupts the files or
after a hurricane destroys a data processing center.
How many plans?
Some organizations have just one plan for the entire organization,
and others have a plan for every distinct computer system,
application, or other resource. Other approaches recommend a plan
for each business or mission function, with separate plans, as
needed, for critical resources.
The answer to the question, therefore, depends upon the unique
circumstances for each organization. But it is critical to
coordinate between resource managers and functional managers who are
responsible for the mission or business.
Who Prepares the Plan?
If an organization decides on a centralized approach to contingency
planning, it may be best to name a contingency planning coordinator.
The coordinator prepares the plans in cooperation with various
functional and resource managers. Some organizations place
responsibility directly with the functional and resource managers.
Relationship Between Contingency Plans and Computer Security Plans
For small or less complex systems, the contingency plan may be a
part of the computer security plan. For larger or more complex
systems, the computer security plan could contain a brief synopsis
of the contingency plan, which would be a separate document.
11.5.2 Documenting
The contingency plan needs to be written, kept up-to-date as the
system and other factors change, and stored in a safe place. A
written plan is critical during a contingency, especially if the
person who developed the plan is unavailable. It should clearly
state in simple language the sequence of tasks to be performed in
the event of a contingency so that someone with minimal knowledge
could immediately begin to execute the plan. It is generally helpful
to store up-to-date copies of the contingency plan in several
locations, including any off-site locations, such as alternate
processing sites or backup data storage facilities.