FYI
- NY bank regulator's cybersecurity plan has strong authentication,
identity - New York is upgrading its evaluation of banks operating
in the state to include specific questions and examinations on use
of multi-factor authentication and identity and access management
systems.
http://www.zdnet.com/article/ny-bank-regulators-cybersecurity-plan-includes-strong-authentication-identity/
FYI
- State-sponsored or not, Sony Pictures malware “bomb” used slapdash
code - Malware was just good enough to do the job, perhaps what
North Korea intended. Analysis by researchers at Cisco of a malware
sample matching the MD5 hash signature of the “Destover” malware
that was used in the attack on Sony Pictures revealed that the code
was full of bugs and anything but sophisticated.
http://arstechnica.com/security/2014/12/state-sponsored-or-not-sony-pictures-malware-bomb-used-slapdash-code/
FYI
- Neglected Server Provided Entry for JPMorgan Hackers - The
computer breach at JPMorgan Chase this summer — the largest
intrusion of an American bank to date — might have been thwarted if
the bank had installed a simple security fix to an overlooked server
in its vast network, said people who have been briefed on internal
and outside investigations into the attack.
http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=0
http://www.pcworld.com/article/2862672/twofactor-authentication-oversight-led-to-jpmorgan-breach-investigators-reportedly-found.html#tk.nl_today
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Park-n-Fly Online Card Breach - Multiple financial institutions
say they are seeing a pattern of fraud that indicates an online
credit card breach has hit Park-n-Fly, an Atlanta-based offsite
airport parking service that allows customers to reserve spots in
advance of travel via an Internet-based reservation system.
http://krebsonsecurity.com/2014/12/banks-park-n-fly-online-card-breach/
FYI
- Roughly 1.16 million payment cards may have been affected in
Staples breach - Staples announced on Friday that malware infected
its point-of-sale systems at 115 of its 1,400 U.S. retail stores,
possibly affecting roughly 1.16 million payment cards.
http://www.scmagazine.com/roughly-116-million-payment-cards-may-have-been-affected-in-staples-breach/article/389369/
FYI
- 40,000 federal employees impacted by contractor breach - The
personal information of more than 40,000 federal workers may be at
risk following a data breach at KeyPoint Government Solutions, a
prominent federal contractor.
http://www.scmagazine.com/40000-federal-employees-impacted-by-contractor-breach/article/389347/
FYI
- Spear phishing campaign compromises ICANN systems - The Internet
Corporation for Assigned Names and Numbers (ICANN) is investigating
an apparent spear phishing attack that began in November and led to
the exposure of information in some of ICANN's systems.
http://www.scmagazine.com/icann-deactivates-passwords-after-staff-credentials-compromised/article/389224/
http://www.theregister.co.uk/2014/12/19/icann_stresses_critical_internet_systems_not_hacked/
FYI
- Northwestern Memorial HealthCare laptop stolen, patient data at
risk - A Northwestern Memorial HealthCare (NMHC) laptop was stolen
from an employee's vehicle, putting Northwestern Lake Forest
Hospital, Northwestern Memorial Hospital, and Northwestern Medical
Group patient data at risk.
http://www.scmagazine.com/northwestern-memorial-healthcare-laptop-stolen-patient-data-at-risk/article/389596/
FYI
- Hackers pop German steel mill, wreck furnace - Phishing proves too
hot for plant - Talented hackers have caused "serious damage" after
breaching a German steel mill and wrecking one of its blast
furnaces.
http://www.theregister.co.uk/2014/12/22/hackers_pop_german_steel_mill_wreck_furnace/
FYI
- Sneaky Russian hackers slurped $15 MILLION from banks - ATM
malware, remote employee monitoring - you name it, they did it -
Millions of dollars, credit cards and intellectual property have
been stolen by a newly discovered group of cyber criminals.
http://www.theregister.co.uk/2014/12/22/russian_cyber_heist_gang_rakes_in_15m/
FYI
- Staples: 6-Month Breach, 1.16 Million Cards - Office supply chain
Staples Inc. today finally acknowledged that a malware intrusion
this year at some of its stores resulted in a credit card breach.
http://krebsonsecurity.com/2014/12/staples-6-month-breach-1-16-million-cards/
FYI
- Gang Hacked ATMs from Inside Banks - An organized gang of hackers
from Russia and Ukraine has broken into internal networks at dozens
of financial institutions and installed malicious software that
allowed the gang to drain bank ATMs of cash.
http://krebsonsecurity.com/2014/12/gang-hacked-atms-from-inside-banks/
FYI
- North Korea's internet access unstable - Just a few days after
President Obama said the U.S. would react proportionately to North
Korea's likely role in the Sony breach, access to the internet
within the country has been unstable the past 24 hours, according to
the website North Korea Tech.
http://www.scmagazine.com/slowdown-makes-access-undependable/article/389485/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Sound Practices for Managing Outsourced E-Banking Systems and Services
(Part 3 of 3)
4. Banks should ensure that periodic independent internal and/or
external audits are conducted of outsourced operations to at least
the same scope required if such operations were conducted in-house.
a) For outsourced relationships involving critical or
technologically complex e-banking services/applications, banks may
need to arrange for other periodic reviews to be performed by
independent third parties with sufficient technical expertise.
5. Banks should develop appropriate contingency plans for
outsourced e-banking activities.
a) Banks need to develop and periodically test their
contingency plans for all critical e-banking systems and services
that have been outsourced to third parties.
b) Contingency plans should address credible worst-case
scenarios for providing continuity of e-banking services in the
event of a disruption affecting outsourced operations.
c) Banks should have an identified team that is responsible
for managing recovery and assessing the financial impact of a
disruption in outsourced e-banking services.
6. Banks that provide e-banking services to third parties should
ensure that their operations, responsibilities, and liabilities are
sufficiently clear so that serviced institutions can adequately
carry out their own effective due diligence reviews and ongoing
oversight of the relationship.
a) Banks have a responsibility to provide serviced
institutions with information necessary to identify, control and
monitor any risks associated with the e-banking service arrangement.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 4 of 4)
Some host-based IDS units address the difficulty of
performing intrusion detection on encrypted traffic. Those units
position their sensors between the decryption of the IP packet and
the execution of any commands by the host. This host-based intrusion
detection method is particularly appropriate for Internet banking
servers and other servers that communicate over an encrypted
channel. LKMs (loadable kernel modules), however, can defeat these
host-based IDS units.
Host-based intrusion detection systems are recommended by the NIST
for all mission-critical systems, even those that should not allow
external access.
The heuristic, or behavior, method creates a statistical profile of
normal activity on the host or network. Boundaries for activity are
established based on that profile. When current activity exceeds the
boundaries, an alert is generated. Weaknesses in this system involve
the ability of the system to accurately model activity, the
relationship between valid activity in the period being modeled and
valid activity in future periods, and the potential for malicious
activity to take place while the modeling is performed. This method
is best employed in environments with predictable, stable activity.
Both signature-based and heuristic detection methods result in
false positives (alerts where no attack exists), and false negatives
(no alert when an attack does take place). While false negatives are
obviously a concern, false positives can also hinder detection. When
security personnel are overwhelmed with the number of false
positives, they may look at the IDS reports with less vigor,
allowing real attacks to be reported by the IDS but not researched
or acted upon. Additionally, they may tune the IDS to reduce the
number of false positives, which may increase the number of false
negatives. Risk-based testing is necessary to ensure the detection
capability is adequate.
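The behavior-based profile and the false-positive versus false-negative tuning trade-off described in the two paragraphs above, as an added Go example written for this newsletter rather than taken from the FFIEC booklet: it models "normal" as the mean and standard deviation of a per-minute login count over a constructed modelling period, sets the activity boundary at k standard deviations above the mean, and scores two settings of k against a constructed, labelled test window. The Observation, Profile and Outcome types, the sample counts, the labels and the k values are all assumptions of the example.

```go
package main

import (
	"fmt"
	"math"
)

// Observation is one minute of activity on a monitored host: the number of
// login attempts seen. Attack is ground truth used for scoring only
// (constructed for the example; a real IDS never has this label).
type Observation struct {
	Minute int
	Logins float64
	Attack bool
}

// Profile is the statistical model of normal activity built during the
// modelling period.
type Profile struct {
	Mean, StdDev float64
}

// Outcome tallies how the detector did against the labelled window.
type Outcome struct {
	TruePos, FalsePos, FalseNeg int
}

// TrainingCounts is a constructed quiet modelling period: login attempts
// per minute. If malicious activity were present while this is collected,
// the profile would absorb it as "normal", the weakness the booklet notes.
var TrainingCounts = []float64{4, 5, 6, 5, 4, 6, 5, 5, 4, 6}

// TestWindow is a constructed later period with two attacks: a loud brute
// force (30/min) and a low-and-slow one (8/min) that barely exceeds normal,
// plus one legitimate burst (7/min) that a tight boundary will flag.
var TestWindow = []Observation{
	{1, 5, false}, {2, 6, false}, {3, 7, false}, {4, 4, false},
	{5, 30, true}, {6, 8, true}, {7, 5, false}, {8, 6, false},
}

// BuildProfile computes the mean and (population) standard deviation of
// the modelling period.
func BuildProfile(counts []float64) Profile {
	n := float64(len(counts))
	sum := 0.0
	for _, c := range counts {
		sum += c
	}
	mean := sum / n
	ss := 0.0
	for _, c := range counts {
		ss += (c - mean) * (c - mean)
	}
	return Profile{Mean: mean, StdDev: math.Sqrt(ss / n)}
}

// Threshold is the activity boundary: k standard deviations above the mean.
// Raising k is the "tune out false positives" knob the booklet warns about.
func (p Profile) Threshold(k float64) float64 {
	return p.Mean + k*p.StdDev
}

// Score raises an alert for every minute above the boundary and compares
// the alerts with the labels.
func Score(p Profile, k float64, window []Observation) Outcome {
	var o Outcome
	thr := p.Threshold(k)
	for _, ob := range window {
		alert := ob.Logins > thr
		switch {
		case alert && ob.Attack:
			o.TruePos++
		case alert && !ob.Attack:
			o.FalsePos++
		case !alert && ob.Attack:
			o.FalseNeg++
		}
	}
	return o
}

func main() {
	p := BuildProfile(TrainingCounts)
	fmt.Printf("profile: mean=%.2f stddev=%.2f\n", p.Mean, p.StdDev)
	for _, k := range []float64{2, 4} {
		o := Score(p, k, TestWindow)
		fmt.Printf("k=%.0f threshold=%.2f  TP=%d FP=%d FN=%d\n",
			k, p.Threshold(k), o.TruePos, o.FalsePos, o.FalseNeg)
	}
}
```

With k=2 the legitimate burst at minute 3 is reported as a false positive; raising k to 4 silences it, but the low-and-slow attack at minute 6 now falls below the boundary and becomes a false negative. Scoring the detector against a labelled window with known attacks, as done here, is the risk-based testing the booklet calls for before trusting a tuned setting.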
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 19 - CRYPTOGRAPHY
19.1 Basic Cryptographic Technologies
Cryptography relies upon two basic
components: an algorithm (or cryptographic methodology) and a
key. In modern cryptographic systems, algorithms are complex
mathematical formulae and keys are strings of bits. For two parties
to communicate, they must use the same algorithm (or algorithms that
are designed to work together). In some cases, they must also use
the same key. Many cryptographic keys must be kept secret; sometimes
algorithms are also kept secret.
There are two basic types of cryptography: "secret key" and "public key."
There are two basic types of
cryptography: secret key systems (also called symmetric
systems) and public key systems (also called asymmetric
systems). The table compares some of the distinct features of secret
and public key systems. Both types of systems offer advantages and
disadvantages. Often, the two are combined to form a hybrid
system to exploit the strengths of each type. To determine which
type of cryptography best meets its needs, an organization first has
to identify its security requirements and operating environment.
DISTINCT FEATURES | SECRET KEY CRYPTOGRAPHY | PUBLIC KEY CRYPTOGRAPHY
NUMBER OF KEYS | Single key. | Pair of keys.
TYPES OF KEYS | Key is secret. | One key is private, and one key is public.
PROTECTION OF KEYS | Disclosure and modification. | Disclosure and modification for private keys and modification for public keys.
RELATIVE SPEEDS | Faster. | Slower.