Blog: Security and Compliance

The Federal Financial Institutions Examination Council (FFIEC) today launched a web page dedicated to cybersecurity (http://www.ffiec.gov/cybersecurity.htm). The website is designed to be "a central repository for current and future FFIEC-related materials on cybersecurity." [more]

As a part of the Press Release announcing the launch of the cybersecurity web page, the FFIEC also noted the launch of the website "coincides with a pilot program at more than 500 community institutions, to be conducted by state and federal regulators, which will be completed during regularly scheduled examinations."  According to the press release, the focus of the pilot program will be on:

1. Risk Management and Oversight
2. Threat Intelligence and Collaboration
3. Cybersecurity Controls
4. Service Provider and Vendor Risk Management
5. Cyber Incident Management and Resilience
   

This month, the New York State Department of Financial Services ("the Department") released results from a survey conducted in 2013 on cyber security.  154 institutions completed the survey, representing 60 community and regional banks, 12 credit unions, and 82 foreign branches and agencies.  The survey asked questions regarding information security framework; corporate governance around cyber security; use and frequency of penetration testing and results; budget and costs associated with cyber security; the frequency, nature, cost of, and response to cyber security breaches; and future plans on cyber security. [more]

In conclusion, the Department states:

"As part of its continuing efforts in this area, the Department plans to expand its IT examination procedures to focus more fully on cyber security.  The revised examination procedures will include additional questions in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery.  The revised procedures are intended to take a holistic view of an institution's cyber readiness and will be tailored to reflect each institution's unique risk profile.  The Department believes this approach will foster smarter, stronger cyber security programs that reflect the diversity of New York's financial services industry."

This report comes on the hills of the FFIEC webinar, Executive Leadership of Cybersecurity: What Today's CEO Needs to Know About the Threats They Don't See in which the FFIEC introduced expectations of new examination procedures.

To read the full Report on Cyber Security in the Banking Sector by the New York State Department of Financial Services can be found here - http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf

The Federal Financial Institutions Examination Council (FFIEC) issued statements today notifying financial institutions of the risks associated with cyber-attacks on Automated Teller Machines (ATM) and car authorization systems and the continued distributed denial of service (DDoS) attacks. [more]

To read the Press Release, visit http://www.ffiec.gov/press/pr040214.htm

To view the Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems, visit http://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf

To view the Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, visit http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf

Crucial M500 SSDs support self-encrypting drive (SED) technology which allows BitLocker for Windows 8 to simply be used for encryption key management rather than software-based encryption.  Out of the box, the drive encrypts all written data and decrypts all read data - and functions like a non-SED drive until key management software like Windows 8 (and Server 2012) BitLocker is used. [more]

When you turn BitLocker on using Windows 8 and a compliant SSD like the M500, you don't have to wait for the whole disk to be rewritten and it's encrypted.  Thus, you can encrypt the whole drive in a couple of minutes or less.  As far as BitLocker and Windows is concerned, it functions just like traditional non-SED drives do regarding pre-boot passwords, recovery keys, etc. 

An interesting spec is Crucial states their SSDs are designed to support 72TB total bytes written (TBW) - which is equal to 40GB per day for 5 years.  It stands to reason that if you don't have to rewrite every byte of an SSD when you use BitLocker to encrypt or decrypt the whole drive, it should help the life expectancy of the drive. 

So, since the drive I/O specs include the hardware encryption overhead, you lose no performance whatsoever when you implement whole disk encryption using BitLocker for Windows 8 on these drives. 

A very basic description of Crucial M500 encryption can be found at

http://forum.crucial.com/t5/Solid-State-Drives-SSD-Knowledge/An-introduction-to-the-encryption-features-of-the-M500/ta-p/128272 

More specs are available (since this is a Micron drive) from:

http://www.micron.com/~/media/Documents/Products/Data%20Sheet/SSD/m500_2_5_ssd.pdf

On June 6th, the FFIEC announced the formation of a working group to further promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues.  To read the Press Release, visit http://www.ffiec.gov/press/pr060613.htm

Few apps are as widely installed as an underlying operating system and thus, until fairly recently, the OS is where crooks have directed most of their attacks. However, the criminals are now aiming a large percentage of their attacks at ubiquitous apps like Adobe Reader and Java. In an astonishing turn of events, the security firm, Kaspersky, recently reported “in the last quarter, 56 per cent of all attacks on systems in its security network sought to exploit unpatched Java flaws as an entry point for malware attacks”. The report went on to state that Adobe Acrobat Reader was the second most targeted app (with 25% of reported attacks) and Microsoft Windows was a distant third, with only 4% of reported attacks.

Why Java, in particular? Oracle’s Java page reports there are 1.1 BILLION desktops running Java, almost 1 BILLION downloads each year, 3 BILLION mobile phones running Java and 3 times more Java phones shipped annually than iOS and Android phones combined. That’s a ton of potential targets for a crook’s exploit to wreak havoc. And, financial institutions, companies and individuals generally have much less of a handle on keeping Java and Adobe apps patched than they do on patching the Windows OS.

Why all this background info, much of which you probably already know?

Oracle just announced it will stop patching Java 6 after February 19, 2013. Oracle has been issuing patches for both Java 6 and the current version, Java 7, for some time. As a result, many individuals and enterprises have resisted the move to Java 7. The good news is Oracle says the next Java patch, after February 19th, will be released on June 18, 2013. However, Oracle cannot possibly guarantee it will not issue any patches during those 4 months because currently undiscovered vulnerabilities might need to be patched during that period.

“Java 6's support death presents special problems for Mac users. While Java 7 runs on all current editions of Windows, including the 11-year-old Windows XP, it requires OS X 10.7, aka Lion, or its successor, Mountain Lion, on Macs,” reports Gregg Keizer with Computerworld.

Well, best to start investigating potential compatibility issues with Java 7 sooner than later. Because in 60 days, Java 6 will reach its end-of-support.

http://goo.gl/H3XyC
http://goo.gl/MuhHf

When working on a compromised system, it's always good to have a "toolkit" available on read-only media (in case built-in utilities, like netstat, have been replaced on the compromised machine to hide the attackers activities).  However, you also need to know how to USE the tools in your toolkit.  At my training last week I was working to recover a compromised web server.  After doing some cleanup and removing some clearly malicious software, I tried to use netstat to verify the current listening ports/services on the machine (along with associated processes).  The local netstat on the machine had been hacked to return no output, but thankfully the netstat EXE on my "toolkit" CD was working.  I quickly combed through the list of ports that were labeled "LISTENING".  I didn't see anything listening that was out of the ordinary.  However, when the following prompt popped up I knew the attacker still had remote access to my machine. [more]

Upon a closer look at the netstat output, I noticed there was an "ESTABLISHED" connection to TCP port 23 on my host (typically used for telnet).  P0wn3d!

Lesson learned… verify ESTABLISHED sessions in addition to actively LISTENING services.

I was attempting to remove malware from an infected PC and was unable to install Malwarebytes. I have found that sometimes infections will prevent Malwarebytes from being installed. I did a quick search based on the Malware I suspected of being installed and discovered a new feature in Malwarebytes called Chameleon.  In order for this to work, you will need a second PC which is not infected and a USB flash drive or blank CD and CD burner or some other means to transfer files from one computer to the other.  Here are the instructions for using the Chameleon feature: [more]

1. From your clean computer, download and install Malwarebytes Anti-Malware
2. Once installed, open the folder where the program was installed (usually C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware)
3. Once there, right-click on the Chameleon folder and choose Copy
4. Close the Malwarebytes' Anti-Malware folder
5. Right-click on your USB flash drive or blank CD and choose Paste and proceed to burn the CD if using a blank CD or remove your flash drive if using a flash drive
6. Now, insert your USB flash drive or CD which should now contain the Chameleon folder into the infected PC
7. Open the USB flash drive or CD and copy/paste the Chameleon folder from the drive to the desktop of your infected PC.  Make certain that your infected PC is connected to the internet and then open the Chameleon folder which now resides on the desktop of your infected computer and double-click on the Chameleon help file chameleon.chm.  If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window Note: Do not attempt to open mbam-killer as that is not a Chameleon executable and serves a different purpose).
8. Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for you
9. Once it has done this, it will attempt to update Malwarebytes Anti-Malware, click OK when it says that the database was updated successful
10. Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan
11. Upon completion of the scan, if anything has been detected, click on Show Result
12. Have Malwarebytes Anti-Malware remove any threats that are detected and click 'Yes' if prompted to reboot your computer to allow the removal process to complete
13. After your computer restarts, open Malwarebytes Anti-Malware and perform one last Quick scan to verify that there are no remaining threats