FYI - Illinois hospital chain to pay record $5.5M for exposing data about millions of patients - Illinois' largest hospital chain today agreed to pay a $5.5 million fine by the government for lax data security that led to the exposure of more than 4 million electronic patient records.
http://www.computerworld.com/article/3104142/healthcare-it/illinois-hospital-chain-to-pay-record-55m-for-exposing-data-about-millions-of-patients.html
http://www.scmagazine.com/advocate-health-care-hit-with-largest-hipaa-settlement/article/514481/

FYI - Severe vulnerabilities discovered in HTTP/2 protocol - Four high-profile bugs have been found in the protocol, potentially placing 85 million websites at risk. Researchers have discovered a number of security issues related to the new HTTP/2 protocol which could place millions of websites at risk of attack. http://www.zdnet.com/article/severe-vulnerabilities-discovered-in-http2-protocol/

FYI - Investment in cybersecurity strong as cyberthreats increase - Venture capitalist investments in cybersecurity firms have seen a 235 percent growth rate over the past five years as cyberthreats increase, but the trend may not last long. http://www.scmagazine.com/venture-capitalist-investments-in-cybersecurity-up-but-not-for-long/article/514838/

FYI - 76% of organisations suffer loss or theft of data in past two years - Over the past two years, three out of every four organisations have been hit by the loss or theft of important data. http://www.scmagazine.com/76-of-organisations-suffer-loss-or-theft-of-data-in-past-two-years/article/514845/

FYI - Online retailer EZcontactsUSA.com to pay $100K over breach - Following a data breach that compromised 25,000 credit card numbers, the attorney general of New York reached a settlement with Provision Supply, d/b/a EZcontactsUSA.com. http://www.scmagazine.com/online-retailer-ezcontactsusacom-to-pay-100k-over-breach/article/514835/

FYI - White House finalizes Federal Source Code policy; will launch Code.gov within 90 days - The White House on Monday published its finalized Federal Source Code policy, designed to encourage federal agencies to share code with each other, as well as the open-source software (OSS) development community. http://www.scmagazine.com/white-house-finalizes-federal-source-code-policy-will-launch-codegov-within-90-days/article/515327/

FYI - Rise of the hacking machines - Will computers get better at cybersecurity than humans? Experts hope the answer is yes. http://www.cnet.com/news/rise-of-the-hacking-machines-darpa-cyber-grand-challenge/

FYI - Most Met police computers still using Windows XP - Nearly 30,000 London Metropolitan police computers are still using Windows XP, raising eyebrows among cyber-security experts who point out that XP no longer receives security updates from Microsoft. http://www.scmagazine.com/most-met-police-computers-still-using-windows-xp/article/515609/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Banner Health alerts 3.7M potential victims of hack of its computers - Banner Health, a provider of hospital services, has notified by mail 3.7 million people, including patients, health plan members, healthcare providers and customers at its food and beverage outlets, that their payment card and health plan data, among other information, may have been compromised. http://www.computerworld.com/article/3104039/security/banner-health-alerts-37m-potential-victims-of-hack-of-its-computers.html

FYI - O2 confirms USBs distributed in marketing campaign contain virus - USB pens distributed by the U.K.-based mobile network O2 as part of a promotional campaign for an eBook were discovered to contain a “Windows specific virus”, according to an O2 statement sent to SCMagazine.com. http://www.scmagazine.com/o2-confirms-usbs-distributed-in-marketing-campaign-contain-virus/article/514719/

FYI - Carbanak Gang likely behind Oracle MICROS customer service portal compromise - A breach of Oracle Corp. systems by Russian hackers has led to a compromise of the MICROS point-of-sale payment system customer support portal, prompting the company to urge customers to reset their passwords. http://www.scmagazine.com/carbanak-gang-likely-behind-oracle-micros-customer-service-portal-compromise/article/514752/

FYI - Newkirk medical records breach impacts 3.3M, Blue Cross Blue Shield customers affected - Newkirk Products, Inc, a service provider that issues healthcare ID cards for health insurance plans including several Blue Cross Blue Shield branches, has begun notifying approximately 3.3 million people of a data breach. http://www.scmagazine.com/unauthorized-individual-gains-access-to-a-server-containing-data-on-33m/article/514741/

FYI - Oregon State Hospital notifies patients of breach - Oregon State Hospital's maximum security ward is notifying patients of a data breach after a psychiatrist accidentally sent a photograph of patient records to people outside of the hospital. http://www.scmagazine.com/employee-accidentally-compromises-oregon-state-hospital-patient-data/article/514598/

FYI - Irish cops probe mystery malware attack - External attempts to hack into the IT systems of the Garda Síochána prompted a temporary shut down of several Irish police systems last week. http://www.theregister.co.uk/2016/08/08/irish_police_malware_attack/

FYI - Apparent Walmart.com phishing emails coming from legit company email address - Walmart.com customers are being flooded with repetitive emails urging them to reset their passwords in what looks to be a phishing attack. http://www.scmagazine.com/report-apparent-walmartcom-phishing-emails-coming-from-legit-company-email-address/article/515005/

FYI - Instagram accounts hacked - Symantec researchers spotted an influx over the last few months in hacked Instagram accounts used to promote dating spam to earn money through an affiliate program. http://www.scmagazine.com/researchers-spot-hacked-instagram-accounts-promoting-adult-content/article/515148/

FYI - Australian online census swamped by DDoS attack - The website hosting the online form for Australia's national census was brought down by a series of distributed denial of service (DDoS) attacks on Tuesday, temporarily preventing some of the country's citizens from participating in the population survey, which takes place every five years. http://www.scmagazine.com/overpopulated-with-traffic-australian-online-census-swamped-by-ddos-attack/article/515152

FYI - Breach of Dota 2 gaming forum exposes 1.9 million accounts - While players of Valve Corporation's online battle arena game Dota 2 were busy fighting each other for supremacy, a real-life adversary recently pulled off his own conquest, stealing 1,923,972 account records from the official Dota 2 forum's database. http://www.scmagazine.com/damage-dealer-breach-of-dota-2-gaming-forum-exposes-19-million-accounts/article/515596/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 
 
 Hackers may use "social engineering" a scheme using social techniques to obtain technical information required to access a system. A hacker may claim to be someone authorized to access the system such as an employee or a certain vendor or contractor. The hacker may then attempt to get a real employee to reveal user names or passwords, or even set up new computer accounts. Another threat involves the practice of "war-dialing" in which hackers use a program that automatically dials telephone numbers and searches for modem lines that bypass network firewalls and other security measures. A few other common forms of system attack include:
 
 Denial of service (system failure), which is any action preventing a system from operating as intended. It may be the unauthorized destruction, modification, or delay of service. For example, in an "SYN Flood" attack, a system can be flooded with requests to establish a connection, leaving the system with more open connections than it can support. Then, legitimate users of the system being attacked are not allowed to connect until the open connections are closed or can time out.
 
 Internet Protocol (IP) spoofing, which allows an intruder via the Internet to effectively impersonate a local system's IP address in an attempt to gain access to that system. If other local systems perform session authentication based on a connections IP address, those systems may misinterpret incoming connections from the intruder as originating from a local trusted host and not require a password.
 
 Trojan horses, which are programs that contain additional (hidden) functions that usually allow malicious or unintended activities. A Trojan horse program generally performs unintended functions that may include replacing programs, or collecting, falsifying, or destroying data. Trojan horses can be attached to e-mails and may create a "back door" that allows unrestricted access to a system. The programs may automatically exclude logging and other information that would allow the intruder to be traced. 
 
 Viruses, which are computer programs that may be embedded in other code and can self-replicate. Once active, they may take unwanted and unexpected actions that can result in either nondestructive or destructive outcomes in the host computer programs. The virus program may also move into multiple platforms, data files, or devices on a system and spread through multiple systems in a network. Virus programs may be contained in an e-mail attachment and become active when the attachment is opened.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
 
 Protocols and Ports (Part 1 of 3)
 
 Network communications rely on software protocols to ensure the proper flow of information. A protocol is a set of rules that allows communication between two points in a telecommunications connection. Different types of networks use different protocols. The Internet and most intranets and extranets, however, are based on the TCP/IP layered model of protocols. That model has four layers, and different protocols within each layer. The layers, from bottom to top, are the network access layer, the Internet layer, the host-to-host layer, and the application layer. Vulnerabilities and corresponding attack strategies exist at each layer. This becomes an important consideration in evaluating the necessary controls. Hardware and software can use the protocols to restrict network access. Likewise, attackers can use weaknesses in the protocols to attack networks.
 
 The primary TCP/IP protocols are the Internet protocol (IP) and the transmission control protocol (TCP). IP is used to route messages between devices on a network, and operates at the Internet layer. TCP operates at the host-to-host layer, and provides a connection-oriented, full - duplex, virtual circuit between hosts. Different protocols support different services for the network. The different services often introduce additional vulnerabilities. For example, a third protocol, the user datagram protocol (UDP) is also used at the host-to-host layer. Unlike TCP, UDP is not connection - oriented, which makes it faster and a better protocol for supporting broadcast and streaming services. Since UDP is not connection-oriented, however, firewalls often do not effectively filter it. To provide additional safeguards, it is often blocked entirely from inbound traffic or additional controls are added to verify and authenticate inbound UDP packets as coming from a trusted host.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 11.5.3 Training
 
 All personnel should be trained in their contingency-related duties. New personnel should be trained as they join the organization, refresher training may be needed, and personnel will need to practice their skills.
 
 Training is particularly important for effective employee response during emergencies. There is no time to check a manual to determine correct procedures if there is a fire. Depending on the nature of the emergency, there may or may not be time to protect equipment and other assets. Practice is necessary in order to react correctly, especially when human safety is involved.
 
 11.6    Step 6: Testing and Revising
 
 A contingency plan should be tested periodically because there will undoubtedly be flaws in the plan and in its implementation. The plan will become dated as time passes and as the resources used to support critical functions change. Responsibility for keeping the contingency plan current should be specifically assigned. The extent and frequency of testing will vary between organizations and among systems. There are several types of testing, including reviews, analyses, and simulations of disasters.
 
 Contingency plan maintenance can be incorporated into procedures for change management so that upgrades to hardware and software are reflected in the plan.
 
 A review can be a simple test to check the accuracy of contingency plan documentation. For instance, a reviewer could check if individuals listed are still in the organization and still have the responsibilities that caused them to be included in the plan. This test can check home and work telephone numbers, organizational codes, and building and room numbers. The review can determine if files can be restored from backup tapes or if employees know emergency procedures.
 
 An analysis may be performed on the entire plan or portions of it, such as emergency response procedures. It is beneficial if the analysis is performed by someone who did not help develop the contingency plan but has a good working knowledge of the critical function and supporting resources. The analyst(s) may mentally follow the strategies in the contingency plan, looking for flaws in the logic or process used by the plan's developers. The analyst may also interview functional managers, resource managers, and their staff to uncover missing or unworkable pieces of the plan.
 
 Organizations may also arrange disaster simulations. These tests provide valuable information about flaws in the contingency plan and provide practice for a real emergency. While they can be expensive, these tests can also provide critical information that can be used to ensure the continuity of important functions. In general, the more critical the functions and the resources addressed in the contingency plan, the more cost-beneficial it is to perform a disaster simulation.
 
 The results of a "test" often implies a grade assigned for a specific level of performance, or simply pass or fail. However, in the case of contingency planning, a test should be used to improve the plan. If organizations do not use this approach, flaws in the plan may remain hidden and uncorrected.