#G7 FUNDAMENTAL ELEMENTS OF #CYBERSECURITY FOR THE FINANCIAL SECTOR

 Increasing in sophistication, frequency, and persistence, cyber risks are growing more dangerous and diverse, threatening to disrupt our interconnected global financial systems and the institutions that operate and support those systems. To address these risks, the below nonbinding, high-level fundamental elements are designed for financial sector private and public entities to tailor to their specific operational and threat landscape, role in the sector, and legal and regulatory requirements.

The elements serve as the building blocks upon which an entity can design and implement its cybersecurity strategy and operating framework, informed by its approach to risk management and culture. The elements also provide steps in a dynamic process through which the entity can systematically re-evaluate its cybersecurity strategy and framework as the operational and threat environment evolves. Public authorities within and across jurisdictions can use the elements as well to guide their public policy, regulatory, and supervisory efforts. Working together, informed by these elements, private and public entities and public authorities can help bolster the overall cybersecurity and resiliency of the international financial system.

Element 1: Cybersecurity Strategy and Framework.

 Establish and maintain a cybersecurity strategy and framework tailored to specific cyber risks and appropriately informed by international, national, and industry standards and guidelines.The purpose of a cybersecurity strategy and framework is to specify how to identify, manage,and reduce cyber risks effectively in an integrated and comprehensive manner. Entities in the financial sector should establish cybersecurity strategies and frameworks tailored to their nature, size, complexity, risk profile, and culture. Informed by the cyber threat and vulnerability landscape, a jurisdiction can also establish sector-wide cybersecurity strategies and frameworks that outline how cooperation occurs between entities and public authorities in the financial sector, with sectors upon which the financial sector depends, and with other relevant jurisdictions.

Element 2: Governance.

 Define and facilitate performance of roles and responsibilities for personnel implementing,
managing, and overseeing the effectiveness of the cybersecurity strategy and framework to
ensure accountability; and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors or senior officials at public authorities).Effective governance structures reinforce accountability by articulating clear responsibilities and lines of reporting and escalation. Effective governance also mediates competing objectives and fosters communication among operating units, information technology, risk, and controlrelated activities. Consistent with their missions and strategies, boards of directors (or similar oversight bodies for public entities or authorities) should establish the cyber risk tolerance for their entities and oversee the design, implementation, and effectiveness of related cybersecurity programs.

Element 3: Risk and Control Assessment.

 Identify functions, activities, products, and services—including interconnections, dependencies,and third parties—prioritize their relative importance, and assess their respective cyber risks.
Identify and implement controls—including systems, policies, procedures, and training—to
protect against and manage those risks within the tolerance set by the governing authority.Ideally as part of an enterprise risk management program, entities should evaluate the inherentcyber risk (or the risk absent any compensating controls) presented by the people, processes,technology, and underlying data that support each identified function, activity, product, and service. Entities should then identify and assess the existence and effectiveness of controls to protect against the identified risk to arrive at the residual cyber risk. Protection mechanisms can include avoiding or eliminating risk by not engaging in an identified activity. They can also include mitigating the risk through controls or sharing or transferring the risk. In addition to evaluating an entity’s own cyber risks from its functions, activities, products, and services, risk and control assessments should consider as appropriate any cyber risks the entity presents to others and the financial sector as a whole. Public authorities should map critical economic functions in their financial systems as part of their risk and control assessments to identify single points of failure and concentration risk. The sector’s critical economic functions range from deposit taking, lending, and payments to trading, clearing, settlement, and custody.

Element 4: Monitoring.

 Establish systematic monitoring processes to rapidly detect cyber incidents and periodically
evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises.Effective monitoring helps entities adhere to established risk tolerances and timely enhance or remediate weaknesses in existing controls. Testing and auditing protocols provide essential assurance mechanisms for entities and public authorities alike. Depending on the nature of an entity and its cyber risk profile and control environment, the testing and auditing functions should be appropriately independent from the personnel responsible for implementing and managing the cybersecurity program. Through examinations, on-site and other supervisory mechanisms, comparative analysis of entities’ testing results, and joint public-private exercises, public authorities can better understand sector-wide cyber threats and vulnerabilities, as well as individual entities’ relative risk profiles and capabilities.

Element 5: Response.

Timely (a) assess the nature, scope, and impact of a cyber incident; (b) contain the incident and mitigate its impact; (c) notify internal and external stakeholders (such as law enforcement, regulators, and other public authorities, as well as shareholders, third-party service providers, and customers as appropriate); and (d) coordinate joint response activities as needed.As part of their risk and control assessments, entities should implement incident response policies and other controls to facilitate effective incident response. Among other things, these controls should clearly address decision-making responsibilities, define escalation procedures,and establish processes for communicating with internal and external stakeholders. Exercising protocols within and among entities and public authorities contributes to more effective responses. Exercising also enables entities and public authorities to identify how potential 3decisions could affect each other’s ability to maintain critical and other functions, services, and activities.

Element 6: Recovery. 

 Resume operations responsibly, while allowing for continued remediation, including by (a)
eliminating harmful remnants of the incident; (b) restoring systems and data to normal and
confirming normal state; (c) identifying and mitigating all vulnerabilities that were exploited;
(d) remediating vulnerabilities to prevent similar incidents; and (e) communicating appropriately internally and externally.Once operational stability and integrity are assured, prompt and effective recovery of operations should be based on prioritization of critical economic and other functions and in accordance with objectives set by the relevant public authorities. Maintaining trust and confidence in the financial sector significantly improves when entities and public authorities have the ability to mutually assist each other in the resumption and recovery of critical functions, processes, and activities. Therefore, before an incident occurs, establishing and testing contingency plans for essential activities and key processes, such as funding, can contribute to a faster and more effective recovery.

Element 7: Information Sharing. 

 Engage in the timely sharing of reliable, actionable cybersecurity information with internal and external stakeholders (including entities and public authorities within and outside the financial sector) on threats, vulnerabilities, incidents, and responses to enhance defenses, limit damage,increase situational awareness, and broaden learning.Sharing technical information, such as threat indicators or details on how vulnerabilities were exploited, allows entities to remain up-to-date in their defenses and learn about emerging methods used by attackers. Sharing broader insights among entities, between entities and public authorities, and among public authorities deepens collective understanding of how attackers may
exploit sector-wide vulnerabilities that could potentially disrupt critical economic functions and endanger financial stability. Given its importance, entities and public authorities should identify and address impediments to information sharing.Element 8: Continuous Learning.Review the cybersecurity strategy and framework regularly and when events warrant—including its governance, risk and control assessment, monitoring, response, recovery, and information sharing components—to address changes in cyber risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.Cyber threats and vulnerabilities evolve rapidly, as do best practices and technical standards to address them. The composition of the financial sector also changes over time, as new types of entities, products, and services emerge, and third-party service providers are increasingly relied
upon. Entity-specific, as well as sector-wide, cybersecurity strategies and frameworks need
periodic review and update to adapt to changes in the threat and control environment, enhance user awareness, and to effectively deploy resources. Other sectors, such as energy and telecommunications, present external dependencies; therefore, entities and public authorities should consider developments in these sectors as part of any review process. 

Ec.europa.eu

Think changing your #Yahoo password is enough? Think again…

With the recent announcement of more than 500 million accounts impacted by a security breach, many Yahoo users have been changing their passwords. After all, that’s the official guidance. However, as ZDI’s Simon Zuckerbraun points out, a new password isn’t enough.

If you have a Yahoo account, chances are you’ve seen a notification that your account information has been stolen by attackers. You aren’t alone. According to public reports, more than half a billion accounts were impacted during a security breach in 2014. While it’s not known why it took Yahoo over 18 months to inform people, the notification from Yahoo CISO Bob Lord included the recommendation to change your password. While this is sound advice and a good first step, Zero Day Initiative (ZDI) researcher Simon Zuckerbraun found this step alone isn’t enough to protect your account.

Change your password. This should still be your first step. It should always be your first reaction after an account compromise. If you reused the compromised Yahoo password with other online services, you’ll need to change it there as well. Have trouble remembering different passwords? Try a password manager like the Trend Micro™ Password Manager. Set up two-factor authentication (2FA) or use Yahoo’s Account Key. This will make it more difficult for attackers to access your information even if your password is compromised. Just don’t expect 2FA to reset your iPhone Mail app settings. You still need to go through the website to remove a device. Review your devices and activity. Understanding which devices access your account is key to finding unusual or unauthorized activity. You should specifically look for connected apps listed on the “Recent Activity” tab, as well as check the “Account Security” tab for active application passwords.

Like many others, Simon received a notification that his account was included in the breach. Like many others, Simon logged in to his account and changed his password. He then opened his iPhone Mail application since he had configured the app to use his Yahoo account. He expected to be prompted for his new password and was more than a little surprised when he found it was not necessary. Even though he had changed the password associated with his Yahoo account, the phone was still connected.

Upon investigating, it became clear that Yahoo had issued a permanent credential to the device. This credential does not expire and is not revoked when the password changes. In other words, if someone already obtained access to your account and configured the iOS Mail app to use it, they would still have access to the account even after the password changes. What’s worse is that you would likely not even realize someone still has access to your email.

This presents a couple of different problems. First, steps beyond changing your password are not being clearly communicated from Yahoo. This could lead to a situation where millions believe they are protected even though they aren’t. Additionally, even if you are security conscious like Simon and want to review your activity and devices, it’s not easy to find. Associated devices aren’t listed under the “Account Security” tab at all. As shown in Figure 1 (below), the “Account Security” tab has no mention of associated devices.

Figure 1 – Yahoo Security Tab

 The setting actually exists under the “Recent Activity” tab (Figure 2). Here you are able to see which applications are connected to your account with an option to remove them. It’s also interesting to see the apps and devices are just listed by product name – in this case “iOS” – and the date authorized. It’s up to the user to figure out what is legitimate and what’s not.

Figure 2 – Yahoo Recent Activity Tab

Looking at the phone settings (Figure 3) is of little help. Looking at the setting shows there is no option via the app to change the password. This is likely by design. When you set up your mail account on the device, it gets permanently credentialed until the credential is revoked through the server.

Figure 3 – iPhone Mail Settings

While it’s unfortunate Yahoo’s official advice for securing a hacked Yahoo account makes no mention of checking for or removing associated apps and devices, it definitely should be on your list. In fact, your list should look something like this:

The steps users take after a breach notification often determine whether further account damage occurs. It’s unknown if the attackers will be able to decrypt stolen passwords or how they intend to use other leaked data. Regardless, if you change your password and review the associated devices, you’re less likely to be impacted. By understanding all the actions needed, you can exert some control over your account’s security.











blog.trendmicro.com

Genesis mining promo code: CZL5k6

#FBI Official Explains What To Do In A #Ransomware Attack

Feds say even basic information can advance the agency's investigation.

Businesses or consumers hit by ransomware should refuse to pay the ransom and immediately contact the FBI or file a complaint on www.ic3.gov, the federal government’s website for filing and sharing information about cybercrime, an FBI official said today.

Will Bales, supervisory special agent for the FBI’s Cyber Division, said any information, whether it’s a Bitcoin wallet address, transaction data, the hashtag of the malware, or any email correspondence, can help advance an FBI ransomware investigation.

“People have to remember that ransomware does not affect just one person or one business,” Bales said. “It will more than likely move on and affect somebody else. And for those who pay the ransom, it only encourages them to extort the next person.”

Bales was part of a panel discussion on ransomware today at the kickoff of the Federal Trade Commission’s Fall Technology Series held at the Constitution Center in Washington, DC.

FTC Chairwoman Edith Ramirez started the afternoon conference by underscoring how the threat of ransomware has increased in the past year.

Ramirez cited Justice Department data that said there have been 4,000 ransomware attacks daily since January 1, 2016 alone – a quadrupling of such attacks in just a year. In addition, PhishMe research found that 93% of phishing emails now contain some variant of ransomware.

“Ransomware attackers can access extremely sensitive personal information such as medical data, financial account numbers, and the contents of private communications, some of which may be sold on the dark web,” Ramirez said. “We are eager to expand our understanding of this growing threat … and for nearly a decade we’ve worked with other agencies and have provided guidance to consumers and businesses on how to best protect their computers and networks.”

The FTC Chairwoman also said the agency will be active in pressing cases against the attackers, pointing out that the agency has made at least 60 enforcement actions around companies not protecting consumer data. She said not protecting against ransomware may violate federal law.

The FBI’s Bales said the government has been making progress on prosecuting ransomware cases, but would give no real specifics other than to say they have been successful in working with other law enforcement agencies around the world in taking down the infrastructure of some of the ransomware criminals.

Bales indicated that there would be more news of success stories in the upcoming months.

Darkreading.com

Genesis mining promo code: get your 3% with: CZL5k6 

'Auction' of NSA Tools Sends #Security Companies Scrambling

 The leak of what purports to be a National Security Agency hacking tool kit has set the information security world atwitter — and sent major companies rushing to update their defenses.

 Experts across the world are still examining what amount to electronic lock picks. Here's what they've found so far.

WHAT'S IN THE RELEASE?

 The tool kit consists of a suite of malicious software intended to tamper with firewalls, the electronic defenses protecting computer networks. The rogue programs appear to date back to 2013 and have whimsical names like EXTRABACON or POLARSNEEZE. Three of them — JETPLOW, FEEDTROUGH and BANANAGLEE — have previously appeared in an NSA compendium of top secret cyber surveillance tools .

 The auctioneers claim the tools were stolen from the Equation Group, the name given to a powerful collective of hackers exposed by antivirus firm Kaspersky Lab in 2015. Others have linked the Equation Group to the NSA's hacking arm, although such claims are extraordinarily hard to settle with any certainty.
 The leaked tools "share a strong connection" with the Equation Group, Kaspersky said in a blog post late Tuesday. The Moscow-based company said the two used "functionally identical" encryption techniques.
 The leaked tools also appear to be powerful, according to a running analysis maintained by Richmond, Virginia-headquartered Risk Based Security. The group said several of the vulnerabilities targeted by the malware — including one affecting Cisco firewalls — were previously unknown, a sign of a sophisticated actor.
Security and networking companies scrambled to investigate the flaws exposed by the auction. Cisco Systems, Inc. issued an urgent update to its software late Wednesday. Fortinet, Inc., a Sunnyvale, California-based security company, also said it was investigating.
 Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, California, said that the news was terrible for the NSA no matter the circumstances behind the leak because companies like Cisco guard critical U.S. infrastructure.
"If the NSA discovered breach in 2013 and never told Cisco/Fortinet, this is VERY BAD," he said in a message posted to Twitter . "If they didn't know, this is VERY BAD."
The NSA has not returned repeated messages seeking comment.

WHO IS BEHIND THE LEAK?

 The documents have been leaked as part of a surreal online auction by a group calling itself "Shadow Brokers." Their madcap, Borat-like manifesto rails against the "Wealthy Elite" and the group's name appears to be a nod to the "Mass Effect" series of video games, where an elusive Shadow Broker traffics in sensitive information.
Few take the name or the manifesto at face value. Many have floated the possibility of Russian involvement, a theory that received unexpected support when NSA leaker Edward Snowden endorsed it on Twitter.

 In a series of messages , Snowden wondered aloud whether the server the data was stolen from might be linked to a U.S. attempt to influence a foreign election. That would be a politically charged development in the context of recent allegations that Russia is trying to tamper with America's presidential campaign.
The leak looks like a warning that any attempt to point the finger at Moscow over alleged electoral interference "could get messy fast," Snowden tweeted. He did not return messages seeking further comment.
Comae Technologies founder Matt Suiche said the theory of a disgruntled insider couldn't be ruled out.
In a blog post , Suiche said he'd been contacted by a former NSA hacker who pointed out that the tools leaked online normally resided on a segregated network and that the way they were named suggests the data was copied direct from the source. Suiche cautioned it was just a theory.
"We'll never know," he said in a message to AP.
Repeated emails and online messages seeking comment from the Shadow Brokers went unreturned.

HOW DOES THE AUCTION WORK?

 Shadow Brokers have already published much of the data they claim to have. The rest — "the best files" — will be released, they claim, to whoever wins the auction.
The content of the files is secret, the group said in its announcement. So too is the length of the auction, which it said would end, in its signature broken English, "when we feel is time to end."
Many dismiss the auction as a stunt.
Hopeful bidders have been invited to send bitcoins — the borderless electronic currency — but as of late Wednesday the address specified by the group had only gathered 1.72 bitcoins, or $981.
It's more than pocket change. But the group's stated goal is 1,000,000 bitcoins, or $570 million.

Nytimes.com



Genesis mining promo code CZL5k6

Why you should hurry up and preorder the Galaxy #Note7 as soon as possible

We’re nearly there, Android fans. The Galaxy Note 7 is about to be unveiled and word on the street is that Samsung will make it available for preorder right away, as soon as the keynote on Tuesday ends. That’s great news for anyone looking to upgrade to Samsung’s latest flagship phablet, even if it’s supposedly going to be Samsung’s most expensive flagship to date.

If you’re not sure whether you should spend a lot of money on a new Samsung phone, then you should know Samsung is going to bundle the Galaxy Note 7 with a few exciting items during the preorder period.

Preordering the Galaxy Note 7 will get you either a Gear VR headset, likely the new model that accommodates USB-C ports, or a 256GB micro SD card. The phone will supposedly ship with 64GB of onboard memory and microSD card support. Scoring a 256GB card from the start will get you 320GB of total storage, which is an incredible amount of space for the new phone.

It’s unclear at this time whether the Galaxy Note 7 ships with a regular microSD slot or if it’ll have a hybrid slot that would support Samsung’s newest expandable memory cards, which are even faster than the top microSD cards out there.

Unfortunately, nothing is confirmed at this point. The news comes fromSamMobile’s Faryaab Sheikh, who posted about it on Twitter late last week:

 Follow

Faryaab Sheikh @Faryaab

Samsung will be offering a choice between a free Gear VR and a 256GB microSD card to customers who pre-order the Galaxy Note 7.

10:51 PM - 29 Jul 2016

 
•  129129 Retweets
 
•  209209 likes

Famed leaker Evan Blass retweeted that message, adding credence that the rumor might be accurate. Samsung will unveil the Galaxy Note 7 during an August 2nd event in New York.

Bgr.com

Genesis mining promo code CZL5k6

#Audi Plans Three Electric Vehicles by Decade’s End

As parent company Volkswagen Group shifts from diesel to electric vehicles, Audi plans to have at least three EVs by 2020 as part of a new major plan.

The shift in focus was presented to managers last week, and CEO Rupert Stadler told a German newspaper that it expects electric vehicles to account for 25 to 30 percent of its sales by 2025.

Standler also told the daily Heilbronner Stimme in an interview the electric car line up would also include an entry-level A- (minicar) segment car.

The first electric model will be an electric crossover SUV based on the e-tron quattro concept that was unveiled at the 2015 Frankfurt Motor Show.

Arriving in 2018, the SUV is rumored to be called Audi Q6 e-tron and will be built at the company’s Belgium facility.

In addition to EVs, Audi will invest more resources in digital services and autonomous driving technologies Automotive News reported.

The German automaker will set up a new subsidiary that will work on self-driving vehicles called the SDS Company.

“This is about a robot car that may not even need a steering wheel or pedals, so it’s ideal for urban traffic,” Stadler said.

But like Volvo, Audi is in need of collaboration and partners to help with the technology.

In order to focus on EVs and autonomous technologies, the company will reduce complexity in other areas of its business, Stadler said.

“We have discussed what would happen if we dropped the two-door version of the A3,” he commented. “I think we would barely lose any customers. We’d rather invest the money that is freed up in new models and other derivatives,” Stadler said.

In addition to electric and autonomous vehicles, Stadler said, fuel cell cars are a “must,” though he couldn’t say how large a market it might be. “That is less a question of technology, we are already quite good at that. It’s rather going to be a question of infrastructure,” he said.

In a separate interview, Audi’s technical development chief Stefan Knirsch told another German newspaper he expected production of a fuel cell car would not start before 2020 because of the lack of fueling stations.

Hybridcars.com

Genesis mining promo code CZL5k6

Lessons From the #Tesla Crash

 A recent fatal crash in Florida involving aTesla Model S is an example of how a new technology designed to make cars safer could, in some cases, make them more dangerous. These risks, however, could be minimized with better testing and regulations.

 Tesla says that the wrecked car’s assisted-driving system, called Autopilot, did not detect a white tractor-trailer when — against a bright sky — it turned in front of the car. The driver, Joshua Brown, who died in the crash, also did not hit the brakes, possibly because he was distracted.

 More than 35,200 people were killed in car crashes in this country last year, up 7.7 percent from 2014. People caused most of those accidents. Driverless cars could help reduce that toll substantially, but those vehicles are still years away. In the meantime, many car companies are trying to improve safety in other ways. For example, some systems, primarily found in luxury cars like Teslas, can slow or stop cars when drivers are not paying attention.

 Tesla’s electric cars are not self-driving, but when the Autopilot system is engaged it can keep the car in a lane, adjust its speed to keep up with traffic and brake to avoid collisions. Tesla says audio and visual alerts warn drivers to keep their hands on the steering wheel and watch the road. If a driver is unresponsive to the alerts, the car is programmed to slow itself to a stop.

 Such warnings aren’t sufficient, though; some Tesla drivers, as shown invideos on YouTube, have even gotten into the back seat while the car was moving. Such reckless behavior threatens not just the drivers but everyone else on the road, too.

 It’s not surprising that technology that helps drivers can lull them into thinking they need not pay attention at all. Chris Urmson, who heads Google’s driverless car project, said in a TED talk last year that when his company tested a driver assistance system some drivers became so dangerously distracted that Google pulled back on that concept. It has decided to focus its efforts on fully self-driving cars instead.

 The National Highway Traffic Safety Administration should study how automakers can minimize driver distraction. This will become more urgent as advanced systems become available in cars made for the mass market.

 A recent fatal crash in Florida involving aTesla Model S is an example of how a new technology designed to make cars safer could, in some cases, make them more dangerous. These risks, however, could be minimized with better testing and regulations.

 Tesla says that the wrecked car’s assisted-driving system, called Autopilot, did not detect a white tractor-trailer when — against a bright sky — it turned in front of the car. The driver, Joshua Brown, who died in the crash, also did not hit the brakes, possibly because he was distracted.

 More than 35,200 people were killed in car crashes in this country last year, up 7.7 percent from 2014. People caused most of those accidents. Driverless cars could help reduce that toll substantially, but those vehicles are still years away. In the meantime, many car companies are trying to improve safety in other ways. For example, some systems, primarily found in luxury cars like Teslas, can slow or stop cars when drivers are not paying attention.

 Tesla’s electric cars are not self-driving, but when the Autopilot system is engaged it can keep the car in a lane, adjust its speed to keep up with traffic and brake to avoid collisions. Tesla says audio and visual alerts warn drivers to keep their hands on the steering wheel and watch the road. If a driver is unresponsive to the alerts, the car is programmed to slow itself to a stop.

 Such warnings aren’t sufficient, though; some Tesla drivers, as shown invideos on YouTube, have even gotten into the back seat while the car was moving. Such reckless behavior threatens not just the drivers but everyone else on the road, too.

 It’s not surprising that technology that helps drivers can lull them into thinking they need not pay attention at all. Chris Urmson, who heads Google’s driverless car project, said in a TED talk last year that when his company tested a driver assistance system some drivers became so dangerously distracted that Google pulled back on that concept. It has decided to focus its efforts on fully self-driving cars instead.

 The National Highway Traffic Safety Administration should study how automakers can minimize driver distraction. This will become more urgent as advanced systems become available in cars made for the mass market.

Nytimes.com

Genesis mining promo code CZL5k6