Of particular interest to us is its new Appendix J: Strengthening the Resilience of Outsourced Technology Services. It has a section titled Cyber Resilience, which contains clauses on the risks arising from malware, insider threats, Data or Systems Destruction and Corruption, Communications Infrastructure Disruption, and incident response.

The FFIEC agencies encourage financial institutions to adopt a cyclical, process-oriented approach to business continuity planning. This process-oriented approach will be discussed in the first part of the booklet, with additional information included in the appendices. The four steps in this process include:

1. Business Impact Analysis;
2. Risk assessment;
3. Risk management; and
4. Risk monitoring and testing.

The business continuity planning process involves the recovery, resumption, and maintenance of the entire business, not just the technology component. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be enough to restore business operations.

And very interesting, the guidelines specify that key tests should be observed, verified, and evaluated by independent parties. This provides assurance to the board and other stakeholders of the validity of the testing process and the accuracy of test results. This independent assessment is typically conducted by internal audit, although it can be performed by other qualified third parties.

Newsweek reported the story Now, with the announcement of sanctions and perhaps other forms of civil retaliation this single act may be the starting point in which countries will start taking formal and public actions against cyber attacks. I don’t intend to speculate on what those actions may be but certainly a change, only time will tell if it’s for the good or the beginning of taking wars to the electronic frontier.

Hard to detect but with some behaviors that make detection possible. For instance outgoing traffic to 80.248.65.183 or the string “TREX_PID=%u” and “Remote VS is empty !” will help you identify the culprit.

Have your SIEMS or use our old friend grep or yara to look for these. Keep in ind that Turla is considered a sophisticated advanced persistent threat (APT).

Happy trojan hunting.

I would be very interested to find out more information about this and how they will engage the community.

http://www.justice.gov/opa/speech/assistant-attorney-general-leslie-r-caldwell-speaks-cybercrime-2020-symposium

In the release they describe the workings of the malware. It attacks the MBR and all data files. After infection the infected systems to connect to one of three random, one of these three IP addresses (88.53.215.64, 217.96.33.164, 203.131.222.102) via either port 8080 or 8000.
Sony Pictures Entertainment is dealing with the aftermath of a massive infection that must be keeping them very busy and many people out of work.

Snort can be configured to detect the traffic. The FBI also release the following siganture:

Alert tcp any any – > [88.53.215.64, 217.96.33.164, 203.131.222.102] [8080, 8000] (msg: “wiper_callout”;
dsize:42; content: “|ff ff ff ff|”; offset: 26; depth: 4; sid: 314;

It’s time to check your log files and check if those IPs are listed as destination IPs in any of your traffic or log data.

This week and next week, many organizations are consumed with keeping the lights on and making sure e-commerce platforms keep up with the anticipated spike in demand due to the big sale event. We are days away from Black Friday and many are crying foul before the whistle blows to start the game.

Justified or unjustified fear? I can tell you with certainty, coupled with many years of experience, that some of that fear is justified. American holidays such as Thanksgiving, Christmas and the Super Bowl are days when security operation center monitors go up, up, up in events volume.

So, make no mistake, Black Friday and Cyber Monday will not only attract shoppers, they will also attract hackers.

Unfortunately, most organizations do not have the resources to keep a fully staffed 24/7 network event monitoring effort, especially around non-working days such as weekends and holidays. Is it really necessary? My answer will bother some, but yes, it is necessary.

Why?

Well, is your network important to you? Are those assets important to you? Will your brand be affected by unauthorized access? Are there legal ramifications in the event of a data breach? The answer to all of these is most likely yes. However, the most important question is will a data breach negatively affect your clients? This is a yes/no question. If the answer is yes then, unequivocally, your organization must find ways to monitor your networks twenty-four hours a day seven days a week.

In that effort, I’d like to offer some insights:

• Monitor both external and internal events.
• Aggregate and analyze your logs to establish a baseline.
• If outsourcing is not possible, combine automatic alerting with on-call designations, or staff a 24/7 security operations center. A minimum of nine analysts with one manager should suffice. In terms of technologies, the options are plenty and varied.
• Reduce unnecessary noise without ignoring relevant events.
• Address the alerts generated, otherwise members of the organization will soon treat these alerts the same way they treat spam email.
• Define your incident response and apply the priority that the risk deserves. Not all threats are equal.
• Do not overlook access control related events such as failed logon attempts, even if it painful due to the volume.

In terms of commercial tools, there are many out there and some could be very pricey. In terms of open source tools, there are also plenty of options; icinga, snort, logstash, etc.

Is it possible to combine open source tools with commercial tools? Absolutely. It requires a solid architecture design and strategic planning, but very possible.

Although we read on a daily basis about these events we also know that not all data breach incidents are reported or who knows if even discovered.

More comprehensive stats are available are at DatalossDb where they are reporting that so far in 2014 there has been 831 incidents. The same site reported 1472 incidents for 2013. When we compare 2014 against 2013 it seem that 2014 has been better but it feels otherwise.

My take on this is that this year the press has been paying more attention to these type of news and the public is now more concerned about their credit cards.

Wondering what the level of forensics, if the incident response teams were in place to handle the incidents and aftermath. Is it based on NIST 800-61?

Who could it been? Russia, China, Venezuela, Brazil, a teenager from a basement?

On this day and age as soon as an organization is breach we get to read about the dirty details, the how, and more especially the who. How come we are not hearing these this time around?

The security community deserves an explanation and more importantly tax payers have the right to know.

Although HIPAA has been around for a while, and organizations have been preparing and complying with the mandates for quite some time, it is this and last year when we hear a lot about organizations being fined for HIPAA violations.

I’d love to see how Walgreens handles the issue and also to see if they attempt to transfer liability to the pharmacist, time will tell.