Blog: Security and Compliance

The Federal Financial Institutions Examination Council (FFIEC) today launched a web page dedicated to cybersecurity (http://www.ffiec.gov/cybersecurity.htm). The website is designed to be "a central repository for current and future FFIEC-related materials on cybersecurity."

As a part of the Press Release announcing the launch of the cybersecurity web page, the FFIEC also noted the launch of the website "coincides with a pilot program at more than 500 community institutions, to be conducted by state and federal regulators, which will be completed during regularly scheduled examinations."  According to the press release, the focus of the pilot program will be on:

  1. Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. Service Provider and Vendor Risk Management
  5. Cyber Incident Management and Resilience
The pilot program is expected to last about 4 weeks and include regulators from the FDIC, OCC, Federal Reserve, NCUA, and the States.


This month, the New York State Department of Financial Services ("the Department") released results from a survey conducted in 2013 on cyber security.  154 institutions completed the survey, representing 60 community and regional banks, 12 credit unions, and 82 foreign branches and agencies.  The survey asked questions regarding information security framework; corporate governance around cyber security; use and frequency of penetration testing and results; budget and costs associated with cyber security; the frequency, nature, cost of, and response to cyber security breaches; and future plans on cyber security.

In conclusion, the Department states:

"As part of its continuing efforts in this area, the Department plans to expand its IT examination procedures to focus more fully on cyber security.  The revised examination procedures will include additional questions in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery.  The revised procedures are intended to take a holistic view of an institution's cyber readiness and will be tailored to reflect each institution's unique risk profile.  The Department believes this approach will foster smarter, stronger cyber security programs that reflect the diversity of New York's financial services industry."

This report comes on the heels of the FFIEC webinar, "Executive Leadership of Cybersecurity: What Today's CEO Needs to Know About the Threats They Don't See," in which the FFIEC introduced its expectations for new examination procedures.

The full Report on Cyber Security in the Banking Sector by the New York State Department of Financial Services can be found here - http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf



The Federal Financial Institutions Examination Council (FFIEC) issued statements today notifying financial institutions of the risks associated with cyber-attacks on Automated Teller Machine (ATM) and card authorization systems, and of the continued distributed denial-of-service (DDoS) attacks.

To read the Press Release, visit http://www.ffiec.gov/press/pr040214.htm

To view the Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems, visit http://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf

To view the Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, visit http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf



The Federal Financial Institutions Examination Council (FFIEC) jointly issued a statement to alert financial institutions that Microsoft will discontinue extended support for Windows XP effective April 8, 2014.  After this date, Microsoft will no longer provide security patches or support for the Windows XP operating system.  To read the Joint Statement, visit http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf


Crucial M500 SSDs are self-encrypting drives (SED): they implement TCG Opal 2.0 and IEEE 1667, which is what lets BitLocker on Windows 8 (and Server 2012) act purely as the key manager for the drive's own AES engine instead of encrypting in software.  Out of the box, the drive encrypts all written data and decrypts all read data with an internal key, and it behaves like an ordinary non-SED drive until key management software such as BitLocker takes ownership of that key.

When you turn BitLocker on using Windows 8 and a compliant SSD like the M500, there is no wait for the whole disk to be rewritten: the data is already encrypted, and BitLocker only has to take control of the drive's existing key.  Thus, you can "encrypt" the whole drive in a couple of minutes or less.  As far as BitLocker and Windows are concerned, it functions just like a traditional non-SED drive with regard to pre-boot passwords, recovery keys, etc.  One check worth doing: if the hardware-encryption prerequisites are not met (UEFI boot with a GPT disk, and a drive still in its factory, unprovisioned security state), BitLocker silently falls back to software encryption, so run manage-bde -status afterwards and confirm that the Encryption Method reads "Hardware Encryption" rather than AES.

An interesting spec is that Crucial states their SSDs are designed to support 72 TB total bytes written (TBW), which works out to 40 GB per day for 5 years.  It stands to reason that if you don't have to rewrite every byte of an SSD when you use BitLocker to encrypt or decrypt the whole drive, it should help the life expectancy of the drive.

And since the drive's published I/O specs already include the hardware encryption overhead, you give up no throughput and no host CPU time when you implement whole-disk encryption using BitLocker for Windows 8 on these drives.  The trade-off is that the encryption itself is now done by the drive's firmware, which you cannot inspect; BitLocker is only managing the key, so the strength of the protection rests on the drive vendor's implementation.

A very basic description of Crucial M500 encryption can be found at

http://forum.crucial.com/t5/Solid-State-Drives-SSD-Knowledge/An-introduction-to-the-encryption-features-of-the-M500/ta-p/128272 

More specs are available (since this is a Micron drive) from:

http://www.micron.com/~/media/Documents/Products/Data%20Sheet/SSD/m500_2_5_ssd.pdf



Few apps are as widely installed as the underlying operating system, and thus, until fairly recently, the OS is where crooks directed most of their attacks. However, criminals are now aiming a large percentage of their attacks at ubiquitous apps like Adobe Reader and Java. In an astonishing turn of events, the security firm Kaspersky recently reported that “in the last quarter, 56 per cent of all attacks on systems in its security network sought to exploit unpatched Java flaws as an entry point for malware attacks”. The report went on to state that Adobe Acrobat Reader was the second most targeted app (with 25% of reported attacks) and Microsoft Windows was a distant third, with only 4% of reported attacks.

Why Java, in particular? Oracle’s Java page reports there are 1.1 BILLION desktops running Java, almost 1 BILLION downloads each year, 3 BILLION mobile phones running Java and 3 times more Java phones shipped annually than iOS and Android phones combined. That’s a ton of potential targets for a crook’s exploit to wreak havoc on. And financial institutions, companies and individuals generally have much less of a handle on keeping Java and Adobe apps patched than they do on patching the Windows OS.

Why all this background info, much of which you probably already know?

Oracle just announced it will stop patching Java 6 after February 19, 2013. Oracle has been issuing patches for both Java 6 and the current version, Java 7, for some time, and as a result many individuals and enterprises have resisted the move to Java 7. The good news is that Oracle says the next scheduled Java patch after February 19th will be released on June 18, 2013. However, Oracle cannot guarantee it will not issue any patches during those 4 months, because currently undiscovered vulnerabilities might need to be patched during that period.

“Java 6's support death presents special problems for Mac users. While Java 7 runs on all current editions of Windows, including the 11-year-old Windows XP, it requires OS X 10.7, aka Lion, or its successor, Mountain Lion, on Macs,” reports Gregg Keizer with Computerworld.

Well, it's best to start investigating potential compatibility issues with Java 7 sooner rather than later, because in 60 days Java 6 will reach its end of support.

http://goo.gl/H3XyC
http://goo.gl/MuhHf



When working on a compromised system, it's always good to have a "toolkit" available on read-only media (in case built-in utilities, like netstat, have been replaced on the compromised machine to hide the attacker's activities).  However, you also need to know how to USE the tools in your toolkit.  At my training last week I was working to recover a compromised web server.  After doing some cleanup and removing some clearly malicious software, I tried to use netstat to verify the current listening ports/services on the machine (along with the associated processes).  The local netstat on the machine had been hacked to return no output, but thankfully the netstat EXE on my "toolkit" CD was working.  I quickly combed through the list of ports that were labeled "LISTENING".  I didn't see anything listening that was out of the ordinary.  However, when the following prompt popped up I knew the attacker still had remote access to my machine.

Upon a closer look at the netstat output, I noticed there was an "ESTABLISHED" connection to TCP port 23 on my host (the port typically used for telnet).  P0wn3d!

Lesson learned… verify ESTABLISHED sessions in addition to actively LISTENING services.
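A small triage script that applies that lesson, added here as an example and not part of the original post: it parses the layout netstat -ano prints on Windows and flags ESTABLISHED sessions that a LISTENING-only review would miss, both sessions on a port the host is not supposed to serve and sessions on a port with no visible listener, which is what a hooked netstat or a transient backdoor looks like.  The capture, addresses, ports and PIDs are constructed for the example, and the inbound/outbound split uses the default start of the Windows dynamic port range as a heuristic.

```python
"""Review a Windows 'netstat -ano' capture for ESTABLISHED sessions, not just LISTENING ports.

Added example; the capture below is constructed (addresses, ports and PIDs are made up).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       812
  TCP    192.0.2.10:443         203.0.113.5:49200      ESTABLISHED     1234
  TCP    192.0.2.10:23          198.51.100.77:51877    ESTABLISHED     2296
  TCP    192.0.2.10:49311       192.0.2.20:445         ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1040
"""

EPHEMERAL_START = 49152  # default start of the Windows dynamic (client) port range


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str      # empty for UDP rows, which have no State column
    pid: int


_ADDR = re.compile(r"^(?P<ip>.+):(?P<port>\d+|\*)$")


def _split_addr(addr: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' (host may be a bracketed IPv6 literal; port may be '*')."""
    m = _ADDR.match(addr)
    if not m:
        raise ValueError("unrecognised address: %r" % addr)
    port = None if m.group("port") == "*" else int(m.group("port"))
    return m.group("ip"), port


def parse_netstat(text: str) -> List[Socket]:
    """Parse netstat -ano output; banner and column-header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""
        lip, lport = _split_addr(local)
        rip, rport = _split_addr(remote)
        sockets.append(Socket(proto, lip, lport, rip, rport, state, int(pid)))
    return sockets


def review_established(sockets: List[Socket], expected_ports: Set[int]) -> List[Tuple[Socket, List[str]]]:
    """Flag inbound ESTABLISHED TCP sessions that a LISTENING-only review would miss.

    Heuristic: a local port below the dynamic range means this host is the server
    side of the session.  Each such session is checked against the ports the host
    is meant to serve and against the listeners netstat is actually showing.
    """
    listening = {s.local_port for s in sockets if s.proto == "TCP" and s.state == "LISTENING"}
    findings = []
    for s in sockets:
        if s.proto != "TCP" or s.state != "ESTABLISHED":
            continue
        if s.local_port is None or s.local_port >= EPHEMERAL_START:
            continue  # outbound client session; review those separately
        reasons = []
        if s.local_port not in expected_ports:
            reasons.append("inbound session on a port this host is not supposed to serve")
        if s.local_port not in listening:
            reasons.append("no LISTENING socket for this port: hidden listener or tampered netstat?")
        if reasons:
            findings.append((s, reasons))
    return findings


if __name__ == "__main__":
    for sock, reasons in review_established(parse_netstat(SAMPLE_NETSTAT), {80, 443, 3389}):
        print("PID %d  %s:%d <- %s:%d" % (sock.pid, sock.local_ip, sock.local_port,
                                           sock.remote_ip, sock.remote_port))
        for r in reasons:
            print("    " + r)
```

On the constructed capture only the telnet session (local port 23, PID 2296) is reported, for both reasons: 23 is not a port the web server should serve, and no listener for it appears in the output.  The legitimate inbound HTTPS session and the outbound SMB session pass.  On a real case, feed it the output of the netstat from your read-only toolkit, never the one on the box.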



I was attempting to remove malware from an infected PC and was unable to install Malwarebytes. I have found that sometimes infections will prevent Malwarebytes from being installed. I did a quick search based on the malware I suspected of being installed and discovered a new feature in Malwarebytes called Chameleon.  In order for this to work, you will need a second PC which is not infected and a USB flash drive, or a blank CD and CD burner, or some other means to transfer files from one computer to the other.  Here are the instructions for using the Chameleon feature:

  1. From your clean computer, download and install Malwarebytes Anti-Malware
  2. Once installed, open the folder where the program was installed (usually C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware)
  3. Once there, right-click on the Chameleon folder and choose Copy
  4. Close the Malwarebytes' Anti-Malware folder
  5. Right-click on your USB flash drive or blank CD and choose Paste, then burn the CD if using a blank CD, or remove your flash drive if using a flash drive
  6. Now, insert your USB flash drive or CD which should now contain the Chameleon folder into the infected PC
  7. Open the USB flash drive or CD and copy/paste the Chameleon folder from the drive to the desktop of your infected PC.  Make certain that your infected PC is connected to the internet, then open the Chameleon folder that now resides on the desktop of your infected computer and double-click the Chameleon help file, chameleon.chm.  If the help file itself will not open, double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window (Note: do not attempt to open mbam-killer, as that is not a Chameleon executable and serves a different purpose).
  8. Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for you
  9. Once it has done this, it will attempt to update Malwarebytes Anti-Malware; click OK when it says that the database was updated successfully
  10. Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan
  11. Upon completion of the scan, if anything has been detected, click on Show Result
  12. Have Malwarebytes Anti-Malware remove any threats that are detected and click 'Yes' if prompted to reboot your computer to allow the removal process to complete
  13. After your computer restarts, open Malwarebytes Anti-Malware and perform one last Quick scan to verify that there are no remaining threats


After working with SecurID to migrate to a new server (which requires a complete new server, fresh install of the software, access to the original seeds, backup and restore of the current database, etc.), we finally got the RADIUS server responsive, but I still could not get it working with the Cisco routers.  One particularly aggravating issue that held me up for a while is that the router not only allows for the configuration of multiple RADIUS servers, but it allows multiple entries for the same server.  Thus, if you initially use the wrong port numbers, and you re-enter the line with the correct port numbers, the line with the incorrect information will remain active and your RADIUS tests will continue to fail.

Lesson learned:  Sometimes you have to read through your configuration again, to make sure everything is the way you “know” it is.
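To make the trap concrete, an illustrative IOS snippet, added here and not the author's configuration (the address, ports and shared secret are placeholders; 1645/1646 and 1812/1813 are the legacy and IANA-assigned RADIUS port pairs, and which pair is right depends on what the SecurID RADIUS server actually listens on): after a mistyped entry and its corrected re-entry, the running config carries two host lines for the same server, and the router keeps using both.  The fix is to remove the stale line by naming its ports, then re-test.

```cisco
! Running config after the mistake: both lines for the same server survive,
! so AAA keeps timing out against the ports the RADIUS server is not
! listening on.  10.0.0.5, the port pairs and EXAMPLE-SECRET are placeholders.
radius-server host 10.0.0.5 auth-port 1645 acct-port 1646 key EXAMPLE-SECRET
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key EXAMPLE-SECRET
!
! Look for duplicates before trusting what you "know" is configured:
!   show running-config | include radius-server host
!
! Remove the stale entry.  Because entries for one server are distinguished by
! their ports, the "no" form has to name the same ports so the right line goes:
no radius-server host 10.0.0.5 auth-port 1645 acct-port 1646
!
! Re-test authentication from the router itself and check the counters:
!   test aaa group radius alice EXAMPLE-PASS new-code
!   show radius statistics
```

The same applies to TACACS+ and any other "add another line, keep the old one" style of IOS configuration: re-entering a command with different arguments usually adds rather than replaces, so grep the running config for the server address rather than assuming the last line you typed is the only one in effect.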