- Meet the scholar challenging the cyber deterrence paradigm - In
recent years, U.S. thinking on a national cyber strategy has
included, at least in part, a focus on the concept of cyber
deterrence. The deterrence theme has been prevalent in civilian
government and military leaders' speeches, as well as congressional
hearings and scholarly literature.
State Department reorganization to shutter cyber office, lower
priority - A reorganization at the State Department will lead to the
shutdown of the Office of the Coordinator for Cyber Issues, the
group that helped broker the U.S. cyber pact with China to eliminate
corporate cyberattacks, and fold it into the Bureau of Economic and
Cisco predicts a major increase in cyberattacks designed to destroy
systems - Cisco researchers are predicting more and larger
cyberattacks that have the goal of destroying their targets systems,
instead of financial gain or stealing information.
Millions of IoT devices are vulnerable to widespread bug -
Researchers find a flaw that could let hackers take over millions of
security cameras and other connected devices.
So, FCC, how about that massive DDoS? Hello? Hello...? You still
there? Like trying to get blood out of a stone - Updated America's
broadband watchdog, the FCC, has declined to share any more details
on the cyber-assault that apparently downed its website shortly
after it announced its intent to kill net neutrality.
UK government wants to give 6,000 teenagers cyber security training
- Government launches £20m Cyber Schools Programme aimed at students
aged between 14 and 18 - The Department for Digital, Culture, Media
and Sport (DCMS) is to launch a cyber security training programme
for schoolchildren later this year.
Easily guessed password led to downfall of Russian cybercriminal's
empire, DOJ officials say - The fate of convicted Russian hacker
Roman Seleznev was all but sealed after federal authorities were
able to easily gain access to his confiscated laptop containing
incriminating information, according to U.S. Department of Justice
officials who spoke at Black Hat on Wednesday.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- $32 million worth of Ethereum stolen from Parity client - Just
days after an attacker made off with $7 million worth of Ethereum, a
separate heist managed to make away with nearly $32 million worth of
cryptocurrency from at least three accounts by exploiting a critical
vulnerability in the Ethereum client Parity.
International operation takes down AlphaBay, Hansa dark web markets
- Working with the support of Europol, the FBI, the U.S. Drug
Enforcement Agency (DEA) and the Dutch National Police brought down
two of the top three darkweb markets, AlphaBay and Hansa darkweb,
Millions of SSN across 10 states leaked in Kansas Commerce Dept.
breach - The personal information of millions of job seekers across
ten states was compromised when an attacker managed to exploit a
vulnerability in the application code of the America's Job Link
Alliance division of the Kansas Department of Commerce.
Prospective students tricked into handing over confidential
information - Criminals have set up a realistic looking website
called Newcastle International University, complete with information
about courses. The URL doesn't point to a UK educational domain (.ac.uk),
but students unfamiliar with such details may be tricked into
applying for non-existent courses.
Chipotle data breach leads to illegal ATM withdrawal - In another
case of a cybercrime pushing its way into the physical world, the
Gainsville, Fla. police department are searching for a man spotted
allegedly stealing $17,000 from an ATM by using login credentials
taken during the Chipotle data breach earlier this year.
Hacking Nemo: Adversary compromises smart fish tank at casino - A
new report has revealed that an unknown actor recently succeeded in
hacking into a tank... Relax, not the military kind. Rather, it was
a "smart" fish tank operated by a North American casino.
Sweden transport agency slips up, leaks top secret data - Believing
it was moving sensitive data to the cloud under a 2015 outsourcing
agreement with IBM, Sweden's Transport Agency inadvertently sent
information on every vehicle nationwide to marketers that subscribed
to it and then allegedly covered up the leak, with only a slap on
the wrist to the agency's director.
UniCredit Bank's third party leads to hack on 400,000 clients - An
attack on Italian bank, UniCredit, has led to the accounts of
400,000 loan customers being accessed.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the
series from the FDIC "Security Risks Associated with the
Digital signatures authenticate the identity of a sender, through
the private, cryptographic key. In addition, every digital
signature is different because it is derived from the content of the
message itself. T he combination of identity authentication and
singularly unique signatures results in a transmission that cannot
Digital signatures can be applied to any data transmission,
including e-mail. To generate a digital signature, the original,
unencrypted message is run through a mathematical algorithm that
generates what is known as a message digest (a unique, character
representation of the data). This process is known as the "hash."
The message digest is then encrypted with a private key, and sent
along with the message. The recipient receives both the message and
the encrypted message digest. The recipient decrypts the message
digest, and then runs the message through the hash function again.
If the resulting message digest matches the one sent with the
message, the message has not been altered and data integrity is
verified. Because the message digest was encrypted with a private
key, the sender can be identified and bound to the specific
message. The digital signature cannot be reused, because it is
unique to the message. In the above example, data privacy and
confidentiality could also be achieved by encrypting the message
itself. The strength and security of a digital signature system is
determined by its implementation, and the management of the
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
A honeypot is a network device that the institution uses to
attract attackers to a harmless and monitored area of the network.
Honeypots have three key advantages over network and host IDS
systems. Since the honeypot's only function is to be attacked, any
network traffic to or from the honeypot potentially signals an
intrusion. Monitoring that traffic is simpler than monitoring all
traffic passing a network IDS. Honeypots also collect very little
data, and all of that data is highly relevant. Network IDS systems
gather vast amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack. Finally,
unlike IDS, a honeypot does not pass packets without inspection when
under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective unless
they are attacked. Consequently, organizations that use honeypots
for detection usually make the honeypot look attractive to an
attacker. Attractiveness may be in the name of the device, its
apparent capabilities, or in its connectivity. Since honeypots are
ineffective unless they are attacked, they are typically used to
supplement other intrusion detection capabilities.
Honeypots also introduce the risk of being compromised without
triggering an alarm, then becoming staging grounds for attacks on
other devices. The level of risk is dependent on the degree of
monitoring, capabilities of the honeypot, and its connectivity. For
instance, a honeypot that is not rigorously monitored, that has
excellent connectivity to the rest of the institution's network, and
that has varied and easy - to - compromise services presents a high
risk to the confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a honeypot that
is rigorously monitored and whose sole capability is to log
connections and issue bogus responses to the attacker, while
signaling outside the system to the administrator, demonstrates much
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
All personnel should be trained in their contingency-related
duties. New personnel should be trained as they join the
organization, refresher training may be needed, and personnel will
need to practice their skills.
Training is particularly important for effective employee response
during emergencies. There is no time to check a manual to determine
correct procedures if there is a fire. Depending on the nature of
the emergency, there may or may not be time to protect equipment and
other assets. Practice is necessary in order to react correctly,
especially when human safety is involved.
11.6 Step 6: Testing and Revising
A contingency plan should be tested periodically because there will
undoubtedly be flaws in the plan and in its implementation. The plan
will become dated as time passes and as the resources used to
support critical functions change. Responsibility for keeping the
contingency plan current should be specifically assigned. The extent
and frequency of testing will vary between organizations and among
systems. There are several types of testing, including reviews,
analyses, and simulations of disasters.
Contingency plan maintenance can be incorporated into procedures
for change management so that upgrades to hardware and software are
reflected in the plan.
A review can be a simple test to check the accuracy of contingency
plan documentation. For instance, a reviewer could check if
individuals listed are still in the organization and still have the
responsibilities that caused them to be included in the plan. This
test can check home and work telephone numbers, organizational
codes, and building and room numbers. The review can determine if
files can be restored from backup tapes or if employees know
An analysis may be performed on the entire plan or portions of it,
such as emergency response procedures. It is beneficial if the
analysis is performed by someone who did not help develop the
contingency plan but has a good working knowledge of the critical
function and supporting resources. The analyst(s) may mentally
follow the strategies in the contingency plan, looking for flaws in
the logic or process used by the plan's developers. The analyst may
also interview functional managers, resource managers, and their
staff to uncover missing or unworkable pieces of the plan.
Organizations may also arrange disaster simulations. These tests
provide valuable information about flaws in the contingency plan and
provide practice for a real emergency. While they can be expensive,
these tests can also provide critical information that can be used
to ensure the continuity of important functions. In general, the
more critical the functions and the resources addressed in the
contingency plan, the more cost-beneficial it is to perform a
The results of a "test" often implies a grade assigned for a
specific level of performance, or simply pass or fail. However, in
the case of contingency planning, a test should be used to improve
the plan. If organizations do not use this approach, flaws in the
plan may remain hidden and uncorrected.