FYI - French submarine builder DCNS springs leak: India investigates - The French are said to be going ballistic - India is investigating a security breach affecting its French-built Scorpene-class submarines after more than 22,000 pages covering its secret capabilities were leaked. http://www.theregister.co.uk/2016/08/24/indian_submarine_secrets_leaked_after_frances_dcns_/

FYI - Russia's Central Bank introduces new mandatory cyber-security regulations - Russian banks will be faced with a whole range of new regulations, and penalties for non-compliance, when it comes to cyber-security, according to the country's Central Bank. http://www.scmagazineuk.com/russias-central-bank-introduces-new-mandatory-cyber-security-regulations/article/517638/

FYI - Two swing states decline DHS security for voting machines - Two swing states, Pennsylvania and Georgia, are declining an offer from the Department of Homeland Security (DHS) to scan their voting systems ahead of the 2016 elections. http://thehill.com/policy/technology/293522-two-swing-states-decline-dhs-security-for-voting-machines

FYI - Muddying the waters of infosec: Cyber upstart, investors short medical biz - then reveal bugs - Analysis A team of security researchers tipped off an investment firm about software vulnerabilities in life-preserving medical equipment in order to profit from the fallout. http://www.theregister.co.uk/2016/08/26/muddy_waters_medsec_st_jude_security_flaws/

FYI - Hacker who stole 2.9 million credit card numbers is Russian lawmaker’s son - On Thursday, a federal jury in Seattle found the son of Russian Parliament member guilty of stealing millions of credit card numbers and selling them online to other fraudsters. http://arstechnica.com/security/2016/08/hacker-who-stole-2-9-million-credit-card-numbers-is-russian-lawmakers-son/

FYI - Fiat Chrysler locks down on DealerCONNECT security after car theft - Fiat Chrysler Association (FCA) on Aug. 25 updated its DealerCONNECT terms of use to threaten civil or criminal action to anyone who provides unauthorized third parties access to "key codes, radio codes and other anti-theft or security measures." http://www.scmagazine.com/fiat-chrysler-threatens-legal-actions-against-unauthorized-software-use/article/519251/

FYI - Privacy advocates upset over FAA drone regulations, citizen takes action - The Federal Aviation Administration's (FAA) small unmanned aircraft system rule went into effect Aug. 29 broadly authorizing commercial drone operations but noticeably lacking privacy specific standards, still some citizens managed to take the security of their airspace into their own hands. http://www.scmagazine.com/faa-drone-regulations-lack-privacy-specifications/article/519459/

FYI - Dropbox commended for its handling of massive data breach involving 68M users - What started out last week as a warning by Dropbox to its users that some login data may have been compromised has exploded into a massive data breach with an estimated 68 million Dropbox user credentials being exposed on the web, but industry insiders say the company has handled the problem quite well. http://www.scmagazine.com/dropbox-commended-for-its-handling-of-massive-data-breach-involving-68m-users/article/519763/

FYI - Increasing use of encryption technology causes more cyber-attacks - An outcome of the growing use of encryption technology to keep network data safe is an increase in cyber-attacks. http://www.scmagazine.com/increasing-use-of-encryption-technology-causes-more-cyber-attacks/article/519734/

FYI - China allows foreign tech firms to participate in creating cybersecurity standards - China appears to have taken a more global approach to discussions involving the country's cybersecurity standards. http://www.scmagazine.com/china-allows-foreign-tech-firms-to-participate-in-creating-cybersecurity-standards/article/519466/

FYI - Rental car or loaner flash drive? FTC warns rental cars store user data - The Federal Trade Commission is warning consumers to be careful when using the infotainment systems of rental cars. http://www.scmagazine.com/ftc-warns-users-to-be-careful-when-syncing-devices-to-rental-cars/article/519569/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - GozNym malware is proficient in German, new malicious campaign proves - Thirteen German financial institutions and their subsidiaries are probably feeling weltschmerz (look it up) after their customers became targets of the latest campaign from hybrid downloader and banking malware GozNym. http://www.scmagazine.com/goznym-malware-is-proficient-in-german-new-malicious-campaign-proves/article/517793/

FYI - Dropbox recommending some users update account credentials - Dropbox is recommending to some users update the log in credentials for their account because a group of member emails and passwords may have been compromised. http://www.scmagazine.com/dropbox-recommending-some-users-update-account-credentials/article/518668/

FYI - State wildlife agencies halt license sales after apparent vendor breach - The fish and wildlife agencies of Washington, Oregon and Idaho have temporarily suspended the sale of hunting and fishing licenses and tags after the vendor operating their online licensing system was apparently breached. http://www.scmagazine.com/state-wildlife-agencies-halt-license-sales-after-apparent-vendor-breach/article/518677/

FYI - Voter databases in two states breached by foreign hackers, FBI - The FBI's Cyber Division revealed in a "flash" report that it uncovered evidence that the election databases were hacked, which led to the agency issuing warnings to election officials across the country to strengthen the security of their computer ystems. http://www.scmagazine.com/voter-databases-in-two-states-breached-by-foreign-hackers-fbi/article/519094/

FYI - GoDaddy customers target of phishing scam - A phishing scam aimed at GoDaddy customers lures victims by notifying them that they can't receive any more email because their email storage has reached capacity. http://www.scmagazine.com/godaddy-customers-target-of-phishing-scam/article/519092/

FYI - Cozy Bear suspected of hacking Russia-focused think tanks in D.C. - The same Russian-backed cybergang which launched cyber attacks against the Pentagon, State Department and DNC is also believed to have targeted Russia-focused think tanks based in Washington D.C. http://www.scmagazine.com/researchers-believe-russian-backed-cybergang-is-targeting-us-think-tanks/article/519118/

FYI - Sacramento County data exposed for nearly a year - Sacramento County has notified citizens whose data may have been left exposed for nearly a year. http://www.scmagazine.com/sacramento-county-data-exposed-for-nearly-a-year/article/519085/

FYI - Opera resets all user passwords following incursion - Opera is alerting customers of its web browser that its sync system was breached. http://www.scmagazine.com/opera-resets-all-user-passwords-following-incursion/article/518940/

FYI - Voter database hack in Illinois by foreign intruder compromises info of 200K - Personal information of Illinois voters was likely siphoned off in a cyberattack, possibly of foreign origin. http://www.scmagazine.com/voter-database-hack-in-illinois-by-foreign-intruder-compromises-info-of-200k/article/519226/

FYI - 87K affected in SCAN Health Plan breach - SCAN Health Plan is notifying users that remote attackers were able to gain access to the contact sheets system and accessed the personal information of past and current members and some non-plan members of SCAN Health Plan, SCAN Health Plan Arizona, and VillageHealth plans. http://www.scmagazine.com/87k-affected-in-scan-health-plan-breach/article/519407/

FYI - SWIFT warns of new attacks, pushes for security upgrades - While six Democratic senators were beseeching President Obama in a letter to make cybercrime a priority at this weekend's Group of 20 Summit in China, SWIFT was sending a letter of its own to clients alerting them to additional attacks on member banks. http://www.scmagazine.com/swift-warns-of-new-attacks-pushes-for-security-upgrades/article/519774/

FYI - Jerry's Artarama hit with hack - A letter has gone out to customers of Jerry's Artarama advising that its online portal "may have been attacked" by a hacker and customer information "may have been compromised." http://www.scmagazine.com/jerrys-artarama-hit-with-hack/article/519580/

FYI - Kimpton Hotels details data breach, dozens of properties impacted - The Kimpton Hotel chain officially notified its customers that its point-of-sale system severs had been infected with malware earlier this year, possibly exposing payment card information and cardholder names. http://www.scmagazine.com/kimpton-hotels-details-data-breach-dozens-of-properties-impacted/article/519905/

FYI - Mr. Chow restaurants website hacked to distribute ransomware - If you thought too much MSG was the most dangerous thing about ordering Chinese food, consider this: the website for the upscale Mr. Chow restaurants has reportedly been compromised to deliver ransomware to visitors. http://www.scmagazine.com/misfortune-cookie-mr-chow-restaurants-website-hacked-to-distribute-ransomware/article/519887/

FYI - User data of 43.6M Last.fm subscribers made public - The user data of 43,570,999 subscribers to the Last.fm music site were posted on the pwned repository LeakedSource. http://www.scmagazine.com/user-data-of-436m-lastfm-subscribers-made-public/article/519915/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 
 
 PENETRATION ANALYSIS (Part 1 of 2)
 
 After the initial risk assessment is completed, management may determine that a penetration analysis (test) should be conducted. For the purpose of this paper, "penetration analysis" is broadly defined. Bank management should determine the scope and objectives of the analysis. The scope can range from a specific test of a particular information systems security or a review of multiple information security processes in an institution.
 
 A penetration analysis usually involves a team of experts who identify an information systems vulnerability to a series of attacks. The evaluators may attempt to circumvent the security features of a system by exploiting the identified vulnerabilities. Similar to running vulnerability scanning tools, the objective of a penetration analysis is to locate system vulnerabilities so that appropriate corrective steps can be taken.
 
 The analysis can apply to any institution with a network, but becomes more important if system access is allowed via an external connection such as the Internet. The analysis should be independent and may be conducted by a trusted third party, qualified internal audit team, or a combination of both. The information security policy should address the frequency and scope of the analysis. In determining the scope of the analysis, items to consider include internal vs. external threats, systems to include in the test, testing methods, and system architectures.
 
 A penetration analysis is a snapshot of the security at a point in time and does not provide a complete guaranty that the system(s) being tested is secure. It can test the effectiveness of security controls and preparedness measures. Depending on the scope of the analysis, the evaluators may work under the same constraints applied to ordinary internal or external users. Conversely, the evaluators may use all system design and implementation documentation. It is common for the evaluators to be given just the IP address of the institution and any other public information, such as a listing of officers that is normally available to outside hackers. The evaluators may use vulnerability assessment tools, and employ some of the attack methods discussed in this paper such as social engineering and war dialing. After completing the agreed-upon analysis, the evaluators should provide the institution a detailed written report. The report should identify vulnerabilities, prioritize weaknesses, and provide recommendations for corrective action.
 
 FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail your company a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
 
 TCP/IP Packets
 
 TCP/IP is a packet - based communications system. A packet consists of a header and a data payload. A header is analogous to a mail envelope, containing the information necessary for delivery of the envelope, and the return address. The data payload is the content of the envelope. The IP packet header contains the address of the sender (source address) and the intended recipient (destination address) and other information useful in handling the packet. Under IP, the addresses are unique numbers known as IP addresses. Each machine on an IP network is identified by a unique IP address. The vast majority of IP addresses are publicly accessible. Some IP addresses, however, are reserved for use in internal networks. Those addresses are 10.0.0.0  -  10.255.255.255, 172.16.0.0  -  172.31.255.255, and 192.168.0.0  -  192.168.255.255. Since those internal addresses are not accessible from outside the internal network, a gateway device is used to translate the external IP address to the internal address. The device that translates external and internal IP addresses is called a network address translation (NAT) device. Other IP packet header fields include the protocol field (e.g., 1=ICMP, 6=TCP, 7=UDP), flags that indicate whether routers are allowed to fragment the packet, and other information.
 
 If the IP packet indicates the protocol is TCP, a TCP header will immediately follow the IP header. The TCP header contains the source and destination ports, the sequence number, and other information. The sequence number is used to order packets upon receipt and to verify that all packets in the transmission were received.
 
 Information in headers can be spoofed, or specially constructed to contain misleading information. For instance, the source address can be altered to reflect an IP address different from the true source address, and the protocol field can indicate a different protocol than actually carried. In the former case, an attacker can hide their attacking IP, and cause the financial institution to believe the attack came from a different IP and take action against that erroneous IP. In the latter case, the attacker can craft an attack to pass through a firewall and attack with an otherwise disallowed protocol.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
 
 8.2 Benefits of Integrating Security in the Computer System Life Cycle
 
 Although a computer security plan can be developed for a system at any point in the life cycle, the recommended approach is to draw up the plan at the beginning of the computer system life cycle. Security, like other aspects of a computer system, is best managed if planned for throughout the computer system life cycle. It has been a tenet of the computer community that it costs ten times more to add a feature in a system after it has been designed than to include the feature in the system at the initial design phase. The principal reason for implementing security during a system's development is that it is more difficult to implement it later (as is usually reflected in the higher cost of doing so). It also tends to disrupt ongoing operations.
 
 Security also needs to be incorporated into the later phases of the computer system life cycle to help ensure that security keeps up with changes in the system's environment, technology, procedures, and personnel. It also ensures that security is considered in system upgrades, including the purchase of new components or the design of new modules. Adding new security controls to a system after a security breach, mishap, or audit can lead to haphazard security that can be more expensive and less effective that security that is already integrated into the system. It can also significantly degrade system performance. Of course, it is virtually impossible to anticipate the whole array of problems that may arise during a system's lifetime. Therefore, it is generally useful to update the computer security plan at least at the end of each phase in the life cycle and after each re-accreditation. For many systems, it may be useful to update the plan more often.
 
 Life cycle management also helps document security-relevant decisions, in addition to helping assure management that security is fully considered in all phases. This documentation benefits system management officials as well as oversight and independent audit groups. System management personnel use documentation as a self-check reminder of why decisions were made so that the impact of changes in the environment can be more easily assessed. Oversight and independent audit groups use the documentation in their reviews to verify that system management has done an adequate job and to highlight areas where security may have been overlooked. This includes examining whether the documentation accurately reflects how the system is actually being operated.
 
 Within the federal government, the Computer Security Act of 1987 and its implementing instructions provide specific requirements for computer security plans. These plans are a form of documentation that helps ensure that security is considered not only during system design and development but also throughout the rest of the life cycle. Plans can also be used to be sure that requirements of Appendix III to OMB Circular A-130, as well as other applicable requirements, have been addressed.
 
 Different people can provide security input throughout the life cycle of a system, including the accrediting official, data users, systems users, and system technical staff.