FYI
- More banks plundered through SWIFT attacks - Shape up, cause the
Bangladesh Bank hack is just the start, SWIFT warns - Criminals have
hacked an unspecified number of new banks, using the SWIFT messaging
system already implicated in one of the most lucrative breaches in
history.
http://www.theregister.co.uk/2016/08/31/swift_reuters/
FYI
- Facial recognition tech nabs ID fraudsters - A man with a suspended
commercial driver's license attempted to get a new one using a
stolen identity, but he was stopped. About two dozen people used
fake information to obtain a second Social Security number and try
to get new licenses, but they were stopped.
https://gcn.com/articles/2016/08/31/ny-dmv-facial-recognition.aspx?admgarea=TC_SecCybersSec
FYI
- Rental cars can be data thieves, warns FTC - The convenience of
automotive IT systems that connect smartphones with onboard media
players might not be worth the risk of data loss when it comes to
rental cars, according to the Federal Trade Commission.
https://fcw.com/articles/2016/08/31/ftc-cert-rockwell.aspx
FYI
- Military Supermarket Chain's Encryption Setup is 'Unacceptable,'
Commissary Says - The Defense Department's $6 billion supermarket
chain needs tighter security for the secret keys fastening its
hundreds of databases, Pentagon officials say.
http://www.nextgov.com/cybersecurity/2016/09/military-supermarket-chains-encryption-setup-unacceptable-commissary-says/131241/
FYI
- Gugi mobile banking malware reportedly tweaked to defeat Android 6
security permissions - The developers of the mobile banking trojan
Gugi have introduced modifications to sidestep two key security
features of Android 6, Kaspersky Lab researcher Roman Unuchek has
reported in the Securelist blog.
http://www.scmagazine.com/gugi-mobile-banking-malware-reportedly-tweaked-to-defeat-android-6-security-permissions/article/520809/
FYI
- Congressional report faults OPM over breach preparedness and
response - The massive breach at the U.S. Office of Personnel
Management (OPM), announced in June 2015, might have been prevented
had the agency followed basic cybersecurity guidelines, according to
the findings of a congressional investigation.
http://www.scmagazine.com/congressional-report-faults-opm-over-breach-preparedness-and-response/article/520976/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Dropbox hack leaks 68 million usernames and passwords - A hack
from 2012 reportedly resulted in the breach of far more user
information than previously believed: about 68 million accounts,
according to multiple reports.
http://www.cnet.com/news/dropbox-hack-leaks-more-than-60-million-usernames-and-passwords/
FYI
- Kimpton Hotels Acknowledges Data Breach - Kimpton Hotels on
Wednesday formally acknowledged that malware found on payment
terminals in many of its hotels and restaurants may have compromised
credit/debit cards of guests who patronized the properties in the
first half of this year.
http://krebsonsecurity.com/2016/09/kimpton-hotels-acknowledges-data-breach/
FYI
- Leoni AG suffers £34 million whaling attack - Leoni AG, Europe's
biggest manufacturer of wires and electrical cables, has announced
losses of £34 million ($44.6 million) following a whaling attack.
http://www.scmagazine.com/leoni-ag-suffers-34-million-whaling-attack/article/520682/
FYI
- Derriford hospital hit by ransomware - A Freedom of Information
(FoI) request filed by the Plymouth Herald has revealed that
Plymouth's Derriford Hospital has suffered a ransomware attack.
http://www.scmagazine.com/derriford-hospital-hit-by-ransomware/article/520680/
FYI
- Austrian officials investigate attempted cyberattack of Vienna's
airport - Austria's Interior Ministry is reportedly investigating a
hacking group known as 'Aslan Neferler Tim' that has claimed
responsibility for an attempted cyberattack of Vienna's airport.
http://www.scmagazine.com/austrian-officials-investigate-attempted-cyberattack-of-viennas-airport/article/521123/
FYI
- University of Alaska breach may have exposed student info - On
Tuesday, University of Alaska officials announced an attacker using
employee credentials may have accessed student information.
http://www.scmagazine.com/university-of-alaska-breach-may-have-exposed-student-info/article/520975/
FYI
- Hutton Hotel guests credit card info exposed during three-year
long breach - The Hutton Hotel became the latest hospitality company
to report a breach of its payment card system warning guests that
their information may have been compromised.
http://www.scmagazine.com/hutton-hotel-guests-credit-card-info-exposed-during-three-year-long-breach/article/520968/
FYI
- Lightspeed PoS vendor breached, sensitive database tapped - Vendor:
'We've applied new patches and access controls!' Sys admin: 'Whaddya
mean NEW?!' - Point of sales vendor Lightspeed has been breached
with password, customer data, and API keys possibly exposed.
http://www.theregister.co.uk/2016/09/02/lightspeed_pos_vendor_breached_sensitive_database_tapped/
WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk
Assessment Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 2 of 2)
A penetration analysis itself can introduce new risks to an
institution; therefore, several items should be considered before
having an analysis completed, including the following:
1) If using outside testers, the reputation of the firm or
consultants hired. The evaluators will assess the weaknesses in the
bank's information security system. As such, the confidentiality of
results and bank data is crucial. Just like screening potential
employees prior to their hire, banks should carefully screen firms,
consultants, and subcontractors who are entrusted with access to
sensitive data. A bank may want to require security clearance checks
on the evaluators. An institution should ask if the evaluators have
liability insurance in case something goes wrong during the test.
The bank should enter into a written contract with the evaluators,
which at a minimum should address the above items.
2) If using internal testers, the independence of the testers from
system administrators.
3) The secrecy of the test. Some senior executives may order an
analysis without the knowledge of information systems personnel.
This can create unwanted results, including the notification of law
enforcement personnel and wasted resources responding to an attack.
To prevent excessive responses to the attacks, bank management may
consider informing certain individuals in the organization of the
penetration analysis.
4) The importance of the systems to be tested. Some systems may be
too critical to be exposed to some of the methods used by the
evaluators such as a critical database that could be damaged during
the test.
FYI - Please remember that we perform vulnerability-penetration
studies and would be happy to e-mail your company a proposal. E-mail
Kinney Williams at examiner@yennik.com for more information.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Routing (Part 1 of 2)
Packets are moved through networks using routers, switches, and
hubs. The unique IP address is commonly used in routing. Since users
typically use text names instead of IP addresses for their
addressing, the user's software must obtain the numeric IP address
before sending the message. IP addresses are obtained from the
Domain Name System (DNS), a distributed database of text names
(e.g., anybank.com) and their associated IP addresses. For example,
financial institution customers might enter the URL of the Web site
in their Web browser. The user's browser queries the domain name
server for the IP address associated with anybank.com. Once the IP
address is obtained, the message is sent. Although the example
depicts an external address, DNS can also serve internal addresses.
A router directs where data packets will go based on a table that
links the destination IP address with the IP address of the next
machine that should receive the packet. Packets are forwarded from
router to router in that manner until they arrive at their
destination. Since the router reads the packet header and uses a
table for routing, logic can be included that provides an initial
means of access control by filtering the IP address and port
information contained in the message header. Simply put, the router
can refuse to forward, or forward to a quarantine or other
restricted area, any packets that contain IP addresses or ports that
the institution deems undesirable. Security policies should define
the filtering required by the router, including the type of access
permitted between sensitive source and destination IP addresses.
Network administrators implement these policies by configuring an
access configuration table (an access control list, or ACL), which
turns the router into a filtering router or basic firewall. Because
such lists are normally evaluated in order with the first matching
entry winning, and unmatched traffic falls to a default (which should
be deny), the order of the entries is itself part of the policy.
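The following is an added example written for this newsletter, not text or code from the FFIEC booklet. It models the two behaviours the paragraph above describes: a routing table consulted by longest-prefix match to pick the next hop, and an ordered access list that permits, denies, or diverts a packet to a quarantine hop by source/destination IP and destination port, with an implicit deny when no entry matches. All addresses, hops, ports and rules are made up for illustration.

```python
"""Toy filtering router: longest-prefix routing plus an ordered ACL.

Added example, not FFIEC text. Addresses, ports and rules below are
invented for illustration; only the destination port is matched,
which is enough to show first-match-wins and implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit", "deny" or "quarantine"
    src: str                     # CIDR prefix or "any"
    dst: str                     # CIDR prefix or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr: str, cidr: str) -> bool:
            return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
        return (in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class FilteringRouter:
    def __init__(self, routes: List[Tuple[str, str]], acl: List[Rule], quarantine_hop: str):
        self.routes = [(ipaddress.ip_network(net), hop) for net, hop in routes]
        self.acl = acl
        self.quarantine_hop = quarantine_hop

    def next_hop(self, dst: str) -> Optional[str]:
        """Routing table lookup: the most specific (longest prefix) route wins."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None

    def decide(self, pkt: Packet) -> str:
        """Access list evaluation: first matching entry wins, else implicit deny."""
        for rule in self.acl:
            if rule.matches(pkt):
                return rule.action
        return "deny"

    def forward(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (action, next hop); denied packets get no next hop."""
        action = self.decide(pkt)
        if action == "permit":
            return action, self.next_hop(pkt.dst)
        if action == "quarantine":
            return action, self.quarantine_hop
        return action, None


# Constructed sample configuration (hypothetical institution network).
ROUTES = [
    ("10.1.1.0/24", "10.0.0.2"),     # DMZ web segment
    ("10.2.2.0/24", "10.0.0.3"),     # database segment
    ("10.0.0.0/8", "10.0.0.1"),      # rest of the internal network
    ("0.0.0.0/0", "203.0.113.1"),    # default route to the ISP
]
ACL = [
    Rule("permit", "any", "10.1.1.10/32", "tcp", 443),          # public HTTPS to web server
    Rule("quarantine", "any", "any", "tcp", 23),                # divert telnet for inspection
    Rule("permit", "10.1.1.0/24", "10.2.2.20/32", "tcp", 5432),  # web tier to database only
    Rule("deny", "any", "10.2.2.0/24"),                         # nobody else reaches databases
]
ROUTER = FilteringRouter(ROUTES, ACL, quarantine_hop="10.99.0.1")

if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "10.1.1.10", "tcp", 443),   # permit via 10.0.0.2
        Packet("198.51.100.7", "10.2.2.20", "tcp", 5432),  # deny: not from the web tier
        Packet("10.1.1.10", "10.2.2.20", "tcp", 5432),     # permit via 10.0.0.3
        Packet("198.51.100.7", "10.1.1.10", "tcp", 23),    # quarantine via 10.99.0.1
        Packet("10.5.5.5", "8.8.8.8", "udp", 53),          # deny: implicit deny at end of ACL
    ]
    for pkt in samples:
        print(pkt, "->", ROUTER.forward(pkt))
```

Note that swapping the third and fourth entries of ACL would silently shadow the database permit, which is why the text asks that policy define the filtering rather than leaving entry order to whoever last edited the table.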
A switch directs the path a message will take within the network.
Switching works faster than IP routing because the switch only looks
at the hardware (MAC) address of each frame and directs it to the
port where that device sits. Unlike routers, basic switches do not
support packet filtering. Switches, however, are designed to send
frames only to the device for which they were intended. The security
benefit of that design can be defeated (for example, by flooding the
switch's address table or by poisoning ARP entries so that a host's
traffic is sent to the attacker's port), and traffic through a
switch can then be sniffed.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.3 Overview of the Computer System Life Cycle
There are many models for the computer system life cycle but most
contain five basic phases:
1) Initiation. During the initiation phase, the need for a system
is expressed and the purpose of the system is documented.
2) Development/Acquisition. During this phase the system is
designed, purchased, programmed, developed, or otherwise
constructed. This phase often consists of other defined cycles, such
as the system development cycle or the acquisition cycle.
3) Implementation. After initial system testing, the system is
installed or fielded.
4) Operation/Maintenance. During this phase the system performs
its work. The system is almost always modified by the addition of
hardware and software and by numerous other events.
5) Disposal. The computer system is disposed of once the
transition to a new computer system is completed.
Each phase can apply to an entire system, a new component or
module, or a system upgrade. As with other aspects of systems
management, the level of detail and analysis for each activity
described here is determined by many factors including size,
complexity, system cost, and sensitivity.
Many people find the concept of a computer system life cycle
confusing because many cycles occur within the broad framework of
the entire computer system life cycle. For example, an organization
could develop a system, using a system development life cycle.
During the system's life, the organization might purchase new
components, using the acquisition life cycle.
Moreover, the computer system life cycle itself is merely one
component of other life cycles. For example, consider the
information life cycle. Normally information, such as personnel
data, is used much longer than the life of one computer system. If
an employee works for an organization for thirty years and collects
retirement for another twenty, the employee's automated personnel
record will probably pass through many different organizational
computer systems owned by the company. In addition, parts of the
information will also be used in other computer systems, such as
those of the Internal Revenue Service and the Social Security
Administration.
Many different "life cycles" are associated with computer systems,
including the system development, acquisition, and information life
cycles.