R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 28, 2016

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Interior Dept. must update access control standards to meet NIST guidelines - The U.S. Department of the Interior (DOI) must update its access controls to meet current standards, according to an inspector general report issued this week. http://www.scmagazine.com/interior-dept-must-update-access-control-standards-to-meet-nist-guidelines--report/article/515918/

FYI - EPA IG won't release report on cybersecurity practices - The Environmental Protection Agency's (EPA) Inspector General conducted an audit of the agency's cybersecurity and information security policies but will not release the full report, noting privacy issues. http://www.scmagazine.com/epa-ig-wont-release-report-on-cybersecurity-practices/article/515901/

FYI - 34% of users click on links due to human curiosity - With nearly a quarter of ID fraud victims being savvy users of mobile and social media platforms in the UK last year, neither regular device updates nor computer literacy is stopping users from engaging in harmful online behaviour. http://www.scmagazine.com/34-of-users-click-on-links-due-to-human-curiosity/article/515724/

FYI - Information on Current and Future States of Cybersecurity in the Digital Economy - The Commission on Enhancing National Cybersecurity requests information about current and future states of cybersecurity in the digital economy. https://www.federalregister.gov/articles/2016/08/10/2016-18948/information-on-current-and-future-states-of-cybersecurity-in-the-digital-economy

FYI - FDA Addresses Medical Device Cybersecurity Modifications - Draft Guidance Clarifies When Makers Must Get New FDA Review - New Food and Drug Administration draft guidance aims to alleviate a common topic of confusion in the healthcare sector: whether medical device makers need to submit for FDA review the modifications manufacturers make that affect cybersecurity in existing products. http://www.govinfosecurity.com/fda-addresses-medical-device-cybersecurity-modifications-a-9333

FYI - After the breach: Settlement expected for 50M Home Depot customers - A settlement is brewing between The Home Depot and the 50 million customers whose personally identifiable information (PII) was compromised in a massive hack in 2014. http://www.scmagazine.com/after-the-breach-settlement-expected-for-50m-home-depot-customers/article/516033/

FYI - Half of enterprises ill-prepared for inside attack, study - Nearly half of enterprises queried for a new survey were found to be ill-equipped to deal with threats from insiders. http://www.scmagazine.com/half-of-enterprises-ill-prepared-for-inside-attack-study/article/516765/

FYI - U.S. government extends offer to protect states from electoral cyberthreats - In a move to quell fears that the electoral process could be hacked and manipulated this November, the U.S. government has pledged to provide states with federal resources and assistance to help manage voting cyber risks. http://www.scmagazine.com/us-government-extends-offer-to-protect-states-from-electoral-cyberthreats/article/517104/

FYI - SWIFT did not monitor weak security practices of its users - The Society for Worldwide Interbank Financial Telecommunication (SWIFT) has a history of failing to address security incidents involving clients of the financial messaging company, according to a Reuters report. http://www.scmagazine.com/swift-did-not-monitor-weak-security-practices-of-its-users--report/article/517064/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - 'Video jacking' attack allows attacker to see what you see - If docking a phone at unfamiliar charging stations wasn't iffy enough, a “video-jacking” attack by researchers highlights yet another attack vector to consider. http://www.scmagazine.com/apple-android-devices-phones-susceptible-to-video-jacking-attacks/article/515890/

FYI - Just keep swimming: Swimming Australia website rides out waves of DDoS traffic - Days after Australian gold medalist swimmer Mack Horton accused his Chinese rival Sun Yang of doping, the Swimming Australia website has been experiencing a large increase in traffic, seemingly due to a distributed denial of service (DDoS) attack. http://www.scmagazine.com/just-keep-swimming-swimming-australia-website-rides-out-waves-of-ddos-traffic/article/515900/

FYI - Russian athlete whistleblower has online account hacked in major security leak - A Russian whistleblower who revealed state-backed athlete doping in the country has had her account on the World Anti-Doping Agency (WADA) website hacked, potentially revealing her whereabouts. http://www.v3.co.uk/v3-uk/news/2467917/russian-athlete-whistleblower-has-online-account-hacked-in-major-security-leak

FYI - Sage suffers data breach from insider - Software company Sage has reportedly suffered a data breach orchestrated by an insider of the company. The police are investigating and the ICO has been informed. http://www.scmagazineuk.com/sage-suffers-data-breach-from-insider/article/516006/

FYI - 20 top US hotels hit by fresh malware attacks - If you've stayed at these hotels and have taken out your credit card at shops, bars, or restaurants, your financial data may be at risk. http://www.zdnet.com/article/20-top-us-hotels-hit-by-fresh-malware-attacks/

FYI - NSA blames storm for website outage - The National Security Agency (NSA) blamed a partial shutdown of NSA.gov on a storm. http://www.scmagazine.com/nsa-blames-storm-for-website-outage/article/516909/


WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
 
VULNERABILITY ASSESSMENT TOOLS

Vulnerability assessment tools, also called security scanning tools, assess the security of network or host systems and report system vulnerabilities. These tools can scan networks, servers, firewalls, routers, and applications for vulnerabilities. Generally, the tools can detect known security flaws or bugs in software and hardware, determine if the systems are susceptible to known attacks and exploits, and search for system vulnerabilities such as settings contrary to established security policies.

In evaluating a vulnerability assessment tool, management should consider how frequently the tool is updated to include the detection of any new weaknesses such as security flaws and bugs. If there is a time delay before a system patch is made available to correct an identified weakness, mitigating controls may be needed until the system patch is issued.

Generally, vulnerability assessment tools are not run in real-time, but they are commonly run on a periodic basis. When using the tools, it is important to ensure that the results from the scan are secure and only provided to authorized parties. The tools can generate both technical and management reports, including text, charts, and graphs. The vulnerability assessment reports can tell a user what weaknesses exist and how to fix them. Some tools can automatically fix vulnerabilities after detection.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
 
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 2 of 3)

Other common protocols in a TCP/IP network include the following types.

- Address resolution protocol (ARP) - Obtains the hardware address of connected devices and matches that address with the IP address for that device. The hardware address is the Ethernet card's address, technically referred to as the "media access control" (MAC) address. Ethernet systems route messages by the MAC address, requiring a router to obtain both the IP address and the MAC address of connected devices. Reverse ARP (RARP) also exists as a protocol.

- Internet control message protocol (ICMP) - Used to send messages about network health between devices, provides alternate routing information if trouble is detected, and helps to identify problems with routing.

- File transfer protocol (FTP) - Used to browse directories and transfer files. Although access can be authenticated or anonymous, FTP does not support encrypted authentication. Conducting FTP within encrypted channels, such as a Virtual Private Network (VPN), secure shell (SSH) or secure sockets layer (SSL) sessions, can improve security.

- Trivial file transfer protocol (TFTP) - A file transfer protocol with no file-browsing ability and no support for authentication.

- Simple mail transfer protocol (SMTP) - Commonly used in e-mail systems to send mail.

- Post office protocol (POP) - Commonly used to receive e-mail.

- Hypertext transport protocol (HTTP) - Used for Web browsing.

- Secure shell (SSH) - Encrypts communications sessions, typically used for remote administration of servers.

- Secure sockets layer (SSL) - Typically used to encrypt Web browsing sessions, sometimes used to secure e-mail transfers and FTP sessions.
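The FTP and POP entries above note that logins happen without encrypted authentication, and TFTP transfers without any authentication at all. As an added example that is not part of the FFIEC booklet or this newsletter, the following Python scans constructed payload records for such logins, so an institution can find where credentials still cross its network in the clear and move those sessions into a VPN, SSH or SSL channel; the record format, port table and sample data are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Ports the booklet lists as lacking encrypted authentication (FTP, POP) or any at all (TFTP).
CLEARTEXT_LOGIN_PORTS = {21: "FTP", 110: "POP3"}
NO_AUTH_PORTS = {69: "TFTP"}

# Constructed sample records for this example: "src_ip:port > dst_ip:port payload".
SAMPLE_RECORDS = [
    "10.1.2.5:51000 > 10.1.9.20:21 USER backup-svc",
    "10.1.2.5:51000 > 10.1.9.20:21 PASS Summer2016!",
    "10.1.2.5:51000 > 10.1.9.20:21 CWD /reports",
    "10.1.2.7:51422 > 10.1.9.25:110 USER teller3",
    "10.1.2.7:51422 > 10.1.9.25:110 PASS hunter2",
    "10.1.2.9:51900 > 10.1.9.30:22 SSH-2.0-OpenSSH_7.2",  # encrypted: ignored
    "10.1.2.9:51901 > 10.1.9.40:69 RRQ router.cfg",        # TFTP read request
]

RECORD_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) (.*)$")


@dataclass(frozen=True)
class Finding:
    client: str        # client ip:port
    server: str        # server ip:port
    protocol: str      # FTP, POP3 or TFTP
    username: str      # "" for TFTP, which has no login step at all
    password_seen: bool


def find_cleartext_logins(records):
    """One Finding per flow that logged in, or moved files, over a protocol the
    booklet calls out. The password value is dropped; only its presence is kept."""
    flows = {}  # (client, server, protocol) -> [username, password_seen]
    for rec in records:
        m = RECORD_RE.match(rec)
        if not m:
            continue
        src, sport, dst, dport, payload = m.groups()
        endpoints = (f"{src}:{sport}", f"{dst}:{dport}")
        if int(dport) in NO_AUTH_PORTS:
            flows.setdefault(endpoints + (NO_AUTH_PORTS[int(dport)],), ["", False])
            continue
        proto = CLEARTEXT_LOGIN_PORTS.get(int(dport))
        if proto is None:
            continue
        verb, _, arg = payload.partition(" ")
        if verb.upper() == "USER":
            flows[endpoints + (proto,)] = [arg.strip(), False]
        elif verb.upper() == "PASS" and endpoints + (proto,) in flows:
            flows[endpoints + (proto,)][1] = True
    return [Finding(c, s, p, u, pw) for (c, s, p), (u, pw) in flows.items()]
```

Each finding names the client and server so the session can be traced to an owner and rewrapped; the SSH flow in the sample produces nothing, which is the state every flagged flow should reach.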



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
11.7 Interdependencies

Since all controls help to prevent contingencies, there is an interdependency with all of the controls in the handbook.

Risk Management provides a tool for analyzing the security costs and benefits of various contingency planning options. In addition, a risk management effort can be used to help identify critical resources needed to support the organization and the likely threat to those resources. It is not necessary, however, to perform a risk assessment prior to contingency planning, since the identification of critical resources can be performed during the contingency planning process itself.

Physical and Environmental Controls help prevent contingencies. Although many of the other controls, such as logical access controls, also prevent contingencies, the major threats that a contingency plan addresses are physical and environmental threats, such as fires, loss of power, plumbing breaks, or natural disasters.

Incident Handling can be viewed as a subset of contingency planning. It is the emergency response capability for various technical threats. Incident handling can also help an organization prevent future incidents.

Support and Operations in most organizations includes the periodic backing up of files. It also includes the prevention and recovery from more common contingencies, such as a disk failure or corrupted data files.

Policy is needed to create and document the organization's approach to contingency planning. The policy should explicitly assign responsibilities.

11.8 Cost Considerations

The cost of developing and implementing contingency planning strategies can be significant, especially if the strategy includes contracts for backup services or duplicate equipment. There are too many options to discuss cost considerations for each type.

One contingency cost that is often overlooked is the cost of testing a plan. Testing provides many benefits and should be performed, although some of the less expensive methods (such as a review) may be sufficient for less critical resources.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
