FYI - CMS Offers HIPAA Guidance on Ransomware - Dispelling a common notion, the agency says HIPAA breach disclosure rules usually apply to ransomware. http://www.healthleadersmedia.com/leadership/cms-offers-hipaa-guidance-ransomware#

FYI - 38% of UK orgs have no data loss prevention solutions - Most security pros (88 percent) say that they are happy with their organisation's security strategy, but 38 percent admit that their company doesn't have dedicated data loss prevention solutions in place. http://www.scmagazine.com/38-of-uk-orgs-have-no-data-loss-prevention-solutions/article/510029/

FYI - UK rail network suffers four cyber-attacks in past 12 months - The UK rail network has been hit by cyber-attacks at least four times in the past 12 months. http://www.scmagazine.com/uk-rail-network-suffers-four-cyber-attacks-in-past-12-months/article/510027/

FYI - Russian security firm linked to Carbanak cybergang - The Carbanak cybergang which facilitated the heist of $1 billion from banks around the world last year, was linked to the Russian security firm Infocube. http://www.scmagazine.com/researcher-links-carbanak-cybergang-to-russian-security-firm/article/510316/

FYI - Cardinals exec who hacked Astros sentenced to 46 months in the grand slammer - The former St. Louis Cardinals baseball executive who illegally hacked into the Houston Astros' computer systems in order to gather intelligence and obtain an unfair advantage was sentenced in Houston yesterday to 46 months in federal prison. http://www.scmagazine.com/jailbird-cardinals-exec-who-hacked-astros-sentenced-to-46-months-in-the-grand-slammer/article/510315/

FYI - Hackers compromising checkout process on retail sites, redirecting shoppers to phishing page - Here's a two-for-one deal that no retail customer wants: Researchers at Sucuri has uncovered a sampling of novel e-commerce attacks that combine the classic duplicity of phishing schemes with the insidiousness of malicious webpage redirects. http://www.scmagazine.com/hackers-compromising-checkout-process-on-retail-sites-redirecting-shoppers-to-phishing-page/article/510823/

FYI - IT jobs volume hits peak despite slow start in 2016 - Despite a slow start at the beginning of 2016, the IT jobs market in London experienced an upturn in the number of jobs with June being the highest month so far for job volume in 2016. http://www.scmagazine.com/it-jobs-volume-hits-peak-despite-slow-start-in-2016/article/510922/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Chinese hackers blamed for multiple breaches at U.S. banking agency - The FDIC failed to promptly report breaches, a congressional report says. Breaches at the FDIC in 2010, 2011 and 2013 were caused by an "advanced persistent threat ... believed to have been the Chinese government." http://www.computerworld.com/article/3095295/security/chinese-hackers-blamed-for-multiple-breaches-at-us-banking-agency.html

FYI - UK rail network hit by multiple cyber attacks last year - The UK railway network was the victim of at least four major cyber attacks in the last 12 months, according to a private security company that works with the network. http://www.telegraph.co.uk/technology/2016/07/12/uk-rail-network-hit-by-multiple-cyber-attacks-last-year/

FYI - The Hacking of Ubuntu Linux Forums: Lessons Learned - Two million usernames and emails were exposed after the breach of unpatched forum software. Here's what happened and what we should learn from it. http://www.eweek.com/security/hacking-of-ubuntu-linux-forums-lessons-learned.html

FYI - Dunlop online slideshow reportedly compromised, visitors redirected to Neutrino kit - A website for the rubber goods brand Dunlop was compromised to distribute CryptXXX ransomware to customers viewing a slideshow of DIY projects featuring its product line. http://www.scmagazine.com/burned-rubber-dunlop-online-slideshow-reportedly-compromised-visitors-redirected-to-neutrino-kit/article/510537/

FYI - BT Broadband outage blamed on power failure [updated] - BT Broadband has suffered a major outage this morning and it's pointing the finger at a power-outage in one of its central London service providers. http://www.scmagazine.com/bt-broadband-outage-blamed-on-power-failure-updated/article/510638/

FYI - Second BT outage calls into question security of critical infrastructure - The second consecutive outage of BT broadband in two days calls into question the security of the country's critical communications infrastructure. http://www.scmagazine.com/second-bt-outage-calls-into-question-security-of-critical-infrastructure/article/510930/

FYI - Cicis Pizza delivers the bad news, confirms breach at 138 locations - Cicis Pizza has officially acknowledged a payment card data breach in 138 of its restaurant locations, after reports of a point-of-sale malware attack first came to light last month. http://www.scmagazine.com/cicis-pizza-delivers-the-bad-news-confirms-breach-at-138-locations/article/511096/

FYI - Library of Congress systems back to normal after four-day DDoS attack - After a four-day long DDoS assault, the Library of Congress announced its computer systems have returned to normal. http://www.scmagazine.com/library-of-congress-fends-off-massive-ddos-attack/article/511084/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 
 
 Performing the Risk Assessment and Determining Vulnerabilities 
 
 Performing a sound risk assessment is critical to establishing an effective information security program. The risk assessment provides a framework for establishing policy guidelines and identifying the risk assessment tools and practices that may be appropriate for an institution. Banks still should have a written information security policy, sound security policy guidelines, and well-designed system architecture, as well as provide for physical security, employee education, and testing, as part of an effective program.
 
 When institutions contract with third-party providers for information system services, they should have a sound oversight program. At a minimum, the security-related clauses of a written contract should define the responsibilities of both parties with respect to data confidentiality, system security, and notification procedures in the event of data or system compromise. The institution needs to conduct a sufficient analysis of the provider's security program, including how the provider uses available risk assessment tools and practices. Institutions also should obtain copies of independent penetration tests run against the provider's system. 

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION
 
 LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
 
 Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls (Part 2 of 2)
 
 Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset, or a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.
 
 Client attacks are an area of vulnerability common to all authentication mechanisms. Passwords, for instance, can be captured by hardware -  or software - based keystroke capture mechanisms. PKI private keys could be captured or reverse - engineered from their tokens. Protection against these attacks primarily consists of physically securing the client systems, and, if a shared secret is used, changing the secret on a frequency commensurate with risk. While physically securing the client system is possible within areas under the financial institution's control, client systems outside the institution may not be similarly protected.
 
 Replay attacks occur when an attacker eavesdrops and records the authentication as it is communicated between a client and the financial institution system, then later uses that recording to establish a new session with the system and masquerade as the true user. Protections against replay attacks include changing cryptographic keys for each session, using dynamic passwords, expiring sessions through the use of time stamps, expiring PKI certificates based on dates or number of uses, and implementing liveness tests for biometric systems.
 
 Hijacking is an attacker's use of an authenticated user's session to communicate with system components. Controls against hijacking include encryption of the user's session and the use of encrypted cookies or other devices to authenticate each communication between the client and the server.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 11.4.1 Human Resources
 
 To ensure an organization has access to workers with the right skills and knowledge, training and documentation of knowledge are needed. During a major contingency, people will be under significant stress and may panic. If the contingency is a regional disaster, their first concerns will probably be their family and property. In addition, many people will be either unwilling or unable to come to work. Additional hiring or temporary services can be used. The use of additional personnel may introduce security vulnerabilities.
 
 Contingency planning, especially for emergency response, normally places the highest emphasis on the protection of human life.
 
 11.4.2 Processing Capability
 
 Strategies for processing capability are normally grouped into five categories: hot site; cold site; redundancy; reciprocal agreements; and hybrids. These terms originated with recovery strategies for data centers but can be applied to other platforms.
 
 1. Hot site -- A building already equipped with processing capability and other services.
 2. Cold site -- A building for housing processors that can be easily adapted for use.
 3. Redundant site -- A site equipped and configured exactly like the primary site. (Some organizations plan on having reduced processing capability after a disaster and use partial redundancy. The stocking of spare personal computers or LAN servers also provides some redundancy.)
 4. Reciprocal agreement -- An agreement that allows two organizations to back each other up. (While this approach often sounds desirable, contingency planning experts note that this alternative has the greatest chance of failure due to problems keeping agreements and plans up-to-date as systems and personnel change.)
 5. Hybrids -- Any combinations of the above such as using having a hot site as a backup in case a redundant or reciprocal agreement site is damaged by a separate contingency.
 
 Recovery may include several stages, perhaps marked by increasing availability of processing capability. Resumption planning may include contracts or the ability to place contracts to replace equipment.