FYI
- Court doc: Equifax allegedly used insecure password ‘admin’ to
protect portal - Failing to patch a critical vulnerability in its
Apache Struts software was not the only major security oversight
committed by Equifax in the lead-up to a highly damaging data breach
in 2017, according to a document filed as part of a securities fraud
class-action lawsuit filed earlier this year.
https://www.scmagazine.com/home/security-news/court-doc-equifax-allegedly-used-insecure-password-admin-to-protect-portal/
Hacker behind Montgomery County school data breach identified - A
Montgomery County, Md., high school student earlier this month
hacked into the Naviance college prep system and downloaded and
shared the PII from about 1,400 fellow students.
https://www.scmagazine.com/home/security-news/data-breach/hacker-behind-montgomery-county-school-data-breach-identified/
U.S. carried out secret cyber strike on Iran in wake of Saudi oil
attack: officials - The United States carried out a secret cyber
operation against Iran in the wake of the Sept. 14 attacks on Saudi
Arabia’s oil facilities, which Washington and Riyadh blame on
Tehran, two U.S. officials have told Reuters.
https://www.reuters.com/article/us-usa-iran-military-cyber-exclusive/exclusive-u-s-carried-out-secret-cyber-strike-on-iran-in-wake-of-saudi-oil-attack-officials-idUSKBN1WV0EK
US stopped using floppy disks to manage nuclear weapons arsenal - US
Air Force switches to secure solid-state-based solution to replace
antiquated floppy disks in SACCS nuclear weapons management system.
https://www.zdnet.com/article/us-stopped-using-floppy-disks-to-manage-nuclear-weapons-arsenal/
Girl Scouts of USA Launch First National Cybersecurity Challenge -
Girls across the United States of America will take part in the
country's first ever National Girl Scouts Cyber Challenge tomorrow.
https://www.infosecurity-magazine.com/news/us-girl-scouts-launch/
Tips for those of all ages interested in pursuing a career in
cybersecurity - Today, we are facing a frightening shortage of
cybersecurity professionals in the workforce. Specifically, this
widening gap is expected to leave 3.5 million cybersecurity jobs
unfilled by 2021, according to Cybersecurity Ventures.
https://www.scmagazine.com/home/opinion/executive-insight/tips-for-those-of-all-ages-interested-in-pursuing-a-career-in-cybersecurity/
Georgia Supreme Court rules that collection of vehicular data
requires warrant - The Georgia Supreme Court yesterday ruled that
law enforcement must obtain a warrant before pulling data from an
automobile as part of a crash investigation, overturning a verdict
previously rendered and later upheld by lower courts.
https://www.scmagazine.com/home/security-news/legal-security-news/georgia-supreme-court-rules-that-collection-of-vehicular-data-requires-warrant/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Avast’s network penetrated, CCleaner targeted again - The
Czech-based security firm Avast reported its internal network had
been accessed through a temporary and loosely protected VPN profile
with compromised credentials.
https://www.scmagazine.com/home/security-news/apts-cyberespionage/avasts-network-penetrated-ccleaner-targeted-again/
San Bernardino City schools hit with ransomware - The San Bernardino
City Unified School District has been knocked offline by a
ransomware attack.
https://www.scmagazine.com/home/security-news/ransomware/san-bernadino-city-schools-hit-with-ransomware/
2.8 million CenturyLink customer records exposed by unprotected
database -
https://www.scmagazine.com/?s=2.8+million+CenturyLink+customer+records+exposed+by+unprotected+database+
UC Browser potentially endangers 500 million users - The popular
Android browser UC Browser was found to break several Google mobile
app rules possibly placing up to 500 million of its users at risk.
https://www.scmagazine.com/home/security-news/mobile-security/uc-browser-potentially-endangers-500-million-users/
Phishing scam targets users of Stripe payment processing service -
Cybercriminals have devised a phishing campaign that takes aim
at customers of the online payment processing company Stripe, with
the intention to steal their credentials, compromise their accounts
and presumably view their payment card data.
https://www.scmagazine.com/home/security-news/cybercrime/phishing-scam-targets-users-of-stripe-payment-processing-service/
Major German manufacturer still down a week after getting hit by
ransomware - Pilz, a German company making automation tools, was
infected with the BitPaymer ransomware on October 13.
https://www.zdnet.com/article/major-german-manufacturer-still-down-a-week-after-getting-hit-by-ransomware/
Popular VPN service NordVPN confirms data center breach - NordVPN, a
popular virtual private network, said Monday it was the victim of a
data breach in 2018. The company said that so far the impact from
the hack was minor, but it plans on upping its security efforts.
https://www.scmagazine.com/home/security-news/data-breach/nordvpn-confirms-2018-breach/
Phishing scam behind Kalispell Regional Healthcare data breach -
Kalispell Regional Healthcare (KRH) just reported a cyberattack that
took place in late August and exposed patients’ health information.
https://www.scmagazine.com/home/health-care/phishing-scam-behind-kalispell-regional-healthcare-data-breach/
WEB SITE COMPLIANCE -
We continue the series on FDIC Supervisory Insights regarding
Incident Response Programs. (6 of 12)
Best Practices - Going Beyond the Minimum
Each bank has the opportunity to go beyond the minimum
requirements and incorporate industry best practices into its IRP.
As each bank tailors its IRP to match its administrative, technical,
and organizational complexity, it may find some of the following
best practices relevant to its operating environment. The practices
addressed below are not all inclusive, nor are they regulatory
requirements. Rather, they are representative of some of the more
effective practices and procedures some institutions have
implemented. For organizational purposes, the best practices have
been categorized into the various stages of incident response:
preparation, detection, containment, recovery, and follow-up.
Preparation
Preparing for a potential security compromise of customer
information is a proactive risk management practice. The overall
effectiveness and efficiency of an organization's response is
related to how well it has organized and prepared for potential
incidents. Two of the more effective practices noted in many IRPs
are addressed below.
Establish an incident response team.
A key practice in preparing for a potential incident is
establishing a team that is specifically responsible for responding
to security incidents. Organizing a team that includes individuals
from various departments or functions of the bank (such as
operations, networking, lending, human resources, accounting,
marketing, and audit) may better position the bank to respond to a
given incident. Once the team is established, members can be
assigned roles and responsibilities to ensure incident handling and
reporting is comprehensive and efficient. A common responsibility
that banks have assigned to the incident response team is developing
a notification or call list, which includes contact information for
employees, vendors, service providers, law enforcement, bank
regulators, insurance companies, and other appropriate contacts. A
comprehensive notification list can serve as a valuable resource
when responding to an incident.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Source Code Review and Testing
Application and operating system source code can have numerous
vulnerabilities due to programming errors or misconfiguration. Where
possible, financial institutions should use software that has been
subjected to independent security reviews of the source code,
especially for Internet-facing systems. Software can contain
erroneous or intentional code that introduces covert channels,
backdoors, and other security risks into systems and applications.
These hidden access points can often provide unauthorized access to
systems or data that circumvents built-in access controls and
logging. The source code reviews should be repeated after
potentially significant changes are made.
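The booklet's last point, that a review is only good until the code changes, is easy to lose track of in practice. The script below is an added example (not part of the FFIEC booklet) of one way to keep track: at sign-off the reviewer records a SHA-256 digest of every source file, and before the next release the recorded manifest is compared against the current tree so that changed, new and removed files are listed for re-review. The JSON manifest layout, the file suffixes, and the sample files written to a temporary directory are all assumptions made for the example.

```python
"""Flag source files that changed since their last signed-off review.

Added example; the manifest format (path -> sha256) is an assumption.
"""
import hashlib
import json
import tempfile
from pathlib import Path

SOURCE_SUFFIXES = (".py", ".c", ".h", ".java", ".js")


def file_digest(path: Path) -> str:
    """SHA-256 of a file's bytes, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Digest every source file under root, keyed by path relative to root."""
    return {
        str(path.relative_to(root)): file_digest(path)
        for path in sorted(root.rglob("*"))
        if path.is_file() and path.suffix in SOURCE_SUFFIXES
    }


def files_needing_review(reviewed: dict, current: dict) -> dict:
    """Compare the signed-off manifest with the current tree.

    'changed' files were reviewed but their digest no longer matches,
    'new' files have never been reviewed, 'removed' files no longer exist
    (still worth a look: a deleted check is also a change).
    """
    changed = sorted(p for p in current if p in reviewed and reviewed[p] != current[p])
    new = sorted(p for p in current if p not in reviewed)
    removed = sorted(p for p in reviewed if p not in current)
    return {"changed": changed, "new": new, "removed": removed}


def demo() -> dict:
    """Constructed scenario: review a small tree, then edit one file and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth.py").write_text("def login(user, pw):\n    return check(user, pw)\n")
        (root / "util.py").write_text("def helper():\n    return 1\n")

        # Reviewer signs off: the manifest is what gets stored with the review record.
        manifest = json.dumps(snapshot(root))

        # Later, a change lands in auth.py and a new module appears.
        (root / "auth.py").write_text(
            "def login(user, pw):\n    audit(user)\n    return check(user, pw)\n"
        )
        (root / "crypto_helper.py").write_text("KEY_BITS = 256\n")

        return files_needing_review(json.loads(manifest), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real pipeline the manifest would be committed alongside the review sign-off (or stored by the review tool) and the comparison run in CI, so that a release whose `changed` or `new` list is non-empty cannot ship without a fresh review.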
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We begin the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section I. Introduction & Overview
Chapter 1
INTRODUCTION
1.1 Purpose
This handbook provides assistance in securing computer-based
resources (including hardware, software, and information) by
explaining important concepts, cost considerations, and
interrelationships of security controls. It illustrates the benefits
of security controls, the major techniques or approaches for each
control, and important related considerations.
The handbook provides a broad overview of computer security to help
readers understand their computer security needs and develop a sound
approach to the selection of appropriate security controls. It does
not describe detailed steps necessary to implement a computer
security program, provide detailed implementation procedures for
security controls, or give guidance for auditing the security of
specific systems. General references are provided at the end of this
chapter, and references of "how-to" books and articles are provided
at the end of each chapter in Parts II, III and IV.
The purpose of this handbook is not to specify requirements but,
rather, to discuss the benefits of various computer security
controls and situations in which their application may be
appropriate. Some requirements for federal systems are noted in the
text. This document provides advice and guidance; no penalties are
stipulated.
1.2 Intended Audience
The handbook was written primarily for those who have computer
security responsibilities and need assistance understanding basic
concepts and techniques. Within the federal government, this
includes those who have computer security responsibilities for
sensitive systems.
For the most part, the concepts presented in the handbook are also
applicable to the private sector. While there are differences
between federal and private-sector computing, especially in terms of
priorities and legal constraints, the underlying principles of
computer security and the available safeguards -- managerial,
operational, and technical -- are the same. The handbook is
therefore useful to anyone who needs to learn the basics of computer
security or wants a broad overview of the subject. However, it is
probably too detailed to be employed as a user awareness guide, and
is not intended to be used as an audit guide.