FYI - Remarks of Deputy Secretary Raskin at The Texas Bankers’ Association Executive Leadership Cybersecurity Conference - Cybersecurity for Banks: 10 Questions for Executives and their Boards. http://www.treasury.gov/press-center/press-releases/Pages/jl9711.aspx

FYI - Infosec checklists becoming common, but they're not magic - Security checklists like the Australian Signals Directorate's Top 4 Mitigation Strategies are valuable, but to treat them as universal compliance mechanisms is a mistake. A risk-based approach is essential. http://www.zdnet.com/infosec-checklists-becoming-common-but-theyre-not-magic-7000036219/

FYI - Credit unions urge Congress to enforce security standards for retailers - A credit union trade group is urging Congress to take proactive steps in establishing national data security standards for retailers. http://www.scmagazine.com/credit-unions-urge-congress-to-enforce-security-standards-for-retailers/article/385529/

FYI - Beth Israel medical center to pay $100K over data breach - In addition to bolstering the security of the sensitive information it manages, the Beth Israel Deaconess Medical Center (BIDMC) in Boston has agreed to pay a $100,000 fine related to its 2012 data breach. http://www.scmagazine.com/beth-israel-medical-center-to-pay-100k-over-data-breach/article/385410/

FYI - Bank and account phishing tops list of U.S. SMS attacks - Bank and account phishing has become the top SMS attack in the U.S. in recent months, overtaking spam and other scams targeting mobile devices, according to new research from Cloudmark. http://www.scmagazine.com/bank-and-account-phishing-tops-list-of-us-sms-attacks/article/386546/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Sony Pictures films leaked online following cyber attack - Nearly a week after its network was hacked, Sony Pictures Entertainment had multiple films leaked online.
http://www.scmagazine.com/brad-pitt-film-among-sony-pictures-leaks/article/386003/
http://www.cnet.com/news/hackers-leak-new-sony-movies-to-file-sharing-sites/

FYI - Phishing campaign spoofs emails from Costco, Home Depot - It's no surprise to discover that cybercriminals are leveraging the uptick in holiday shopping to further spread their malicious campaigns. http://www.scmagazine.com/phishing-campaign-spoofs-emails-from-costco-home-depot/article/385979/

FYI - Malware installed at 17 parking facilities, payment cards at risk - Parking facility service provider SP+ announced that customer payment card data may be at risk, including cardholder names, card numbers, expiration dates, and verification codes. http://www.scmagazine.com/malware-installed-at-17-parking-facilities-payment-cards-at-risk/article/385944/

FYI - Shutterfly Inc. websites have user data compromised - Tiny Prints, a cardstock vendor and part of Shutterfly Inc.'s brand portfolio, revealed that its systems were compromised in an attack that exposed user email addresses and encrypted passwords. http://www.scmagazine.com/tiny-prints-data-breached/article/385715/

FYI - Godiva notifies employees of stolen laptop containing their data - Chocolate maker Godiva is notifying an undisclosed number of employees that a suitcase containing a laptop was stolen from the rental car of a human resources employee and their personal information – including Social Security numbers – could be at risk. http://www.scmagazine.com/godiva-notifies-employees-of-stolen-laptop-containing-their-data/article/385982/

FYI - Phishing scam that penetrated Wall Street just might work against you, too - Researchers have uncovered a group of Wall Street-savvy hackers that has penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information. http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-street-just-might-work-against-you-too/

FYI - Unauthorized intruders gain access to ART Payroll database - Specialized payroll service American Residuals and Talent (ART Payroll) is notifying current and former clients and their employees that unauthorized intruders gained access to an ART Payroll database and may have compromised their data. http://www.scmagazine.com/unauthorized-intruders-gain-access-to-art-payroll-database/article/386223/

FYI - Anonymous takes down Fort Lauderdale city websites in "Operation Lift the Bans" - Upset with the city of Fort Lauderdale's recent ordinances that regulate the city's homeless, hacktivist collective Anonymous launched a denial-of-service attack on city websites Monday. http://www.scmagazine.com/anonymous-takes-down-fort-lauderdale-city-websites-in-operation-lift-the-bans/article/386527/

FYI - N.C. hospital patient info accessible via internet for longer than two years - Highlands-Cashiers Hospital in North Carolina is notifying about 25,000 patients that their personal information – including Social Security numbers – was accessible via the internet for longer than two years. http://www.scmagazine.com/nc-hospital-patient-info-accessible-via-internet-for-longer-than-two-years/article/386513/

FYI - Retailer Bebe suffers breach, stolen cards sold online - Bebe, a woman's clothing chain, is apparently the latest retailer targeted in a data breach, with fraudulent charges showing up on credit cards. http://www.scmagazine.com/retailer-bebe-suffers-breach-stolen-cards-sold-online/article/386771/

FYI - Visionworks announces second data incident affecting 48K Florida customers - Less than two weeks after issuing a similar statement in November, Texas-based eye care services provider Visionworks announced it is notifying approximately 48,000 customers who received services at its Mall of the Avenues location in Jacksonville, FL that a database server containing their personal information is missing. http://www.scmagazine.com/second-breach-hits-texas-eye-care-services-provider/article/386635/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
 
 Sound Security Control Practices for E-Banking
 
 1. Security profiles should be created and maintained and specific authorization privileges assigned to all users of e-banking systems and applications, including all customers, internal bank users and outsourced service providers. Logical access controls should also be designed to support proper segregation of duties.
 
 2. E-banking data and systems should be classified according to their sensitivity and importance and protected accordingly. Appropriate mechanisms, such as encryption, access control and data recovery plans should be used to protect all sensitive and high-risk e-banking systems, servers, databases and applications.
 
 3. Storage of sensitive or high-risk data on the organization's desktop and laptop systems should be minimized and properly protected by encryption, access control and data recovery plans.
 
 4. Sufficient physical controls should be in place to deter unauthorized access to all critical e-banking systems, servers, databases and applications.
 
 5. Appropriate techniques should be employed to mitigate external threats to e-banking systems, including the use of:
 
 a)  Virus-scanning software at all critical entry points (e.g. remote access servers, e-mail proxy servers) and on each desktop system.
 b)  Intrusion detection software and other security assessment tools to periodically probe networks, servers and firewalls for weaknesses and/or violations of security policies and controls.
 c)  Penetration testing of internal and external networks.
 
 6. A rigorous security review process should be applied to all employees and service providers holding sensitive positions.

Return to the top of the newsletter

FFIEC INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 INTRUSION DETECTION AND RESPONSE
 
 Automated Intrusion Detection Systems (IDS) (Part 1 of 4)
 
 Automated intrusion detection systems (IDS) use one of two methodologies, signature and heuristics. An IDS can target either network traffic or a host. The signature-based methodology is generally used on network traffic. An IDS that uses a signature-based methodology reads network packets and compares the content of the packets against signatures, or unique characteristics, of known attacks and known anomalous network traffic. When a match is recognized between current readings and a signature, the IDS generates an alert.
 
 A general weakness in the signature-based detection method is that a signature must exist for an alert to be generated. Attacks that generate different signatures from what the institution includes in its IDS will not be detected. This problem can be particularly acute if the institution does not continually update its signatures to reflect lessons learned from attacks on itself and others, as well as developments in attack tool technologies. It can also pose problems when the signatures only address known attacks, rather than both known attacks and anomalous traffic. Another general weakness is in the capacity of the IDS to read traffic. If the IDS falls behind in reading network traffic, traffic may be allowed to bypass the IDS. That traffic may contain attacks that would otherwise cause the IDS to issue an alert.
 
 Proper placement of network IDS is a strategic decision determined by the information the institution is trying to obtain. Placement outside the firewall will deliver IDS alarms related to all attacks, even those that are blocked by the firewall. With this information, an institution can develop a picture of potential adversaries and their expertise based on the probes they issue against the network.
 
 Because the placement is meant to gain intelligence on attackers rather than to alert on attacks, tuning generally makes the IDS less sensitive than if it is placed inside the firewall. An IDS outside the firewall will generally alert on the greatest number of unsuccessful attacks. IDS monitoring behind the firewall is meant to detect and alert on hostile intrusions. Multiple IDS units can be used, with placement determined by the expected attack paths to sensitive data. Generally speaking, the closer the IDS is to sensitive data, the more important the tuning, monitoring, and response to IDS alerts. The National Institute of Standards and Technology (NIST) recommends network intrusion detection systems "at any location where network traffic from external entities is allowed to enter controlled or private networks."

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
Chapter 18 - AUDIT TRAILS
 
18.4 Interdependencies
 
The ability to audit supports many of the controls presented in this handbook. The following paragraphs describe some of the most important interdependencies.
 
 Policy. The most fundamental interdependency of audit trails is with policy. Policy dictates who is authorized access to what system resources. Therefore it specifies, directly or indirectly, what violations of policy should be identified through audit trails.
 
 Assurance. System auditing is an important aspect of operational assurance. The data recorded into an audit trail is used to support a system audit. The analysis of audit trail data and the process of auditing systems are closely linked; in some cases, they may even be the same thing. In most cases, the analysis of audit trail data is a critical part of maintaining operational assurance.
 
 Identification and Authentication. Audit trails are tools often used to help hold users accountable for their actions. To be held accountable, the users must be known to the system (usually accomplished through the identification and authentication process). However, as mentioned earlier, audit trails record events and associate them with the perceived user (i.e., the user ID). If a user is impersonated, the audit trail will establish events but not the identity of the user.
 
 Logical Access Control. Logical access controls restrict the use of system resources to authorized users. Audit trails complement this activity in two ways. First, they may be used to identify breakdowns in logical access controls or to verify that access control restrictions are behaving as expected, for example, if a particular user is erroneously included in a group permitted access to a file. Second, audit trails are used to audit use of resources by those who have legitimate access. Additionally, to protect audit trail files, access controls are used to ensure that audit trails are not modified.
 
 Contingency Planning. Audit trails assist in contingency planning by leaving a record of activities performed on the system or within a specific application. In the event of a technical malfunction, this log can be used to help reconstruct the state of the system (or specific files).
 
 Incident Response. If a security incident occurs, such as hacking, audit records and other intrusion detection methods can be used to help determine the extent of the incident. For example, was just one file browsed, or was a Trojan horse planted to collect passwords?
 
 Cryptography. Digital signatures can be used to protect audit trails from undetected modification. (This does not prevent deletion or modification of the audit trail, but will provide an alert that the audit trail has been altered.) Digital signatures can also be used in conjunction with adding secure time stamps to audit records. Encryption can be used if confidentiality of audit trail information is important.