Showing posts with label cyber security. Show all posts

Saturday 5 August 2023

Types of Cyber Attacks - 10 Real World Cyber Attacks


A look into the haunting world of cyber warfare, presenting 10 chilling real-world cyber attacks that shook the foundations of our interconnected society. 

Witness the devastation caused by notorious cyber threats like Stuxnet, WannaCry, and NotPetya, as we dissect the sophisticated techniques employed by hackers and state-sponsored actors to breach critical infrastructure, cripple businesses, and compromise sensitive data. 

Through in-depth analysis and expert insights, we aim to shed light on the evolving cyber landscape, highlighting the importance of cybersecurity vigilance in safeguarding against these relentless digital assaults. Prepare to be awestruck and educated as we navigate through the dark realms of cyber warfare.

Monday 19 June 2023

Deepfakes - Biggest Threat To National Security?


What are the imminent dangers posed by deepfakes?

A brief history of the evolution of deepfakes and the different types that have been used in the last few years.

Sunday 19 December 2021

Chinese Spies Accused of Using Huawei in Secret Telecom Hack

The U.S. government has warned for years that products from Chinese tech giant Huawei Technologies Co. pose a national security risk. Now, a Bloomberg investigation has found a key piece of evidence explaining why. Bloomberg's Jamie Tarabay reports on "Bloomberg Daybreak: Asia."


Thursday 3 June 2021

Cybersecurity: Are false positives real?

All alerts mean something, even if it's just that an employee needs more training. The threat of breach is constant, and those companies who make assumptions about alerts could be in big trouble.

Read the article "Cybersecurity: There's no such thing as a false positive" HERE.


Wednesday 5 May 2021

Password managers - a necessary, yet vulnerable, last line of defense

The Passwordstate breach is forcing CISOs and researchers to review vendors and reassess security practices.

The supply chain breach of Passwordstate, an Australian-based enterprise-grade password manager, is the latest in a series of confidence-shaking breaches since the SolarWinds attack was disclosed in December 2020.

While Passwordstate has a relatively low level of brand awareness in the U.S., more than 29,000 organizations across the globe and upwards of 370,000 IT and security professionals used the password manager.

While a password manager is generally better practice than what most users do with their passwords (reusing predictable passwords, or writing them down in a text file or on a Post-it note), it does represent a single point of failure that needs to be specially guarded: whoever controls the manager, or the channel that updates it, controls every credential it holds.
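The Passwordstate incident reached customers through the product's own update path, which is why the update channel deserves the same guarding as the vault itself. The following is an added example, not Passwordstate's or any vendor's code, of the checks an update client should make before installing anything: authenticate the update manifest, refuse downgrades, and only then compare the package against the hash the authentic manifest commits to. It assumes a pinned key already on the client; HMAC-SHA256 stands in for the vendor's real signature scheme so the example runs on the standard library alone (a production client would verify an asymmetric signature, such as Ed25519, against a pinned public key). The key, package bytes and version numbers are constructed sample data.

```python
"""Verify a software update before installing it (added example)."""
import hashlib
import hmac
import json

# Constructed sample data: a pinned key and a package. Not a real key.
PINNED_KEY = b"example-pinned-vendor-key-not-real"
GOOD_PACKAGE = b"PasswordManager-9.1.2.zip contents (constructed)"


def _version_tuple(v: str) -> tuple:
    """'9.1.2' -> (9, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def _canonical(body: dict) -> bytes:
    # Fixed key order and separators so vendor and client MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(package: bytes, version: str, key: bytes) -> dict:
    """Vendor side: commit to the package hash and authenticate the manifest.

    HMAC is an assumption made to keep the example standard-library only;
    a real vendor would sign with a private key the client cannot possess.
    """
    body = {"version": version, "sha256": hashlib.sha256(package).hexdigest()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_update(package: bytes, manifest: dict, key: bytes,
                  installed_version: str) -> tuple:
    """Client side. Returns (accept, reason); install only when accept is True."""
    body = manifest.get("body", {})
    expected_tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()

    # 1. The manifest must be authentic before anything in it is trusted.
    #    compare_digest is constant-time, so a forger learns nothing from timing.
    if not hmac.compare_digest(expected_tag, str(manifest.get("tag", ""))):
        return False, "manifest authentication failed"

    # 2. Refuse downgrades and re-installs: an attacker who can replay an old,
    #    genuinely signed package can re-open bugs that were already fixed.
    if _version_tuple(body.get("version", "0")) <= _version_tuple(installed_version):
        return False, "downgrade or re-install rejected"

    # 3. The bytes on disk must match the hash the authentic manifest commits to.
    actual = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual, body.get("sha256", "")):
        return False, "package hash mismatch"

    return True, "ok"


if __name__ == "__main__":
    manifest = make_manifest(GOOD_PACKAGE, "9.1.2", PINNED_KEY)
    print(verify_update(GOOD_PACKAGE, manifest, PINNED_KEY, "9.1.1"))
    print(verify_update(GOOD_PACKAGE + b"\x00", manifest, PINNED_KEY, "9.1.1"))
    print(verify_update(b"malicious", make_manifest(b"malicious", "9.9.9", b"attacker-key"),
                        PINNED_KEY, "9.1.1"))
```

The order of the checks matters: the hash is only meaningful once the manifest carrying it has been authenticated, and the version check runs before the expensive hash so that a replayed old package is rejected cheaply.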

Read the full story HERE .  

 

Wednesday 23 December 2020

US advises against storing data within reach of China's government


The federal Department of Homeland Security is urging U.S. businesses and individuals to avoid storing data with Chinese companies due to the risk the country's government will demand and receive access to commercially valuable information.

Read more from PYMNTS

 

Tuesday 19 March 2019

Smart Home devices are vulnerable to remote attacks

The number of connected devices in the average home is rising very rapidly. The Internet of Things (IoT), is likely to be the norm in the next couple of years. However the IoT can also contain many vulnerabilities and security issues.

Smart home devices may be vulnerable to attacks due to outdated software, or unpatched security flaws, or weak credentials according to a new report that was recently produced by Avast. This report can be accessed HERE.

16 million different home networks worldwide were included in Avast's study. The report focuses on 21 countries in North and South America, Europe, and the Asia Pacific region. 56 million devices were scanned as part of the study. Two out of five (40.8%) smart homes worldwide have at least one device that is vulnerable to attacks; of those, 69.2% are vulnerable because of weak credentials. The UK Government advocates that strong security should be built into internet-connected products by design.

In October 2018, the UK government published the Code of Practice for Consumer IoT Security to support all parties involved in the development, manufacturing and retail of consumer IoT. You can access this HERE.

Additionally, the NCSC (National Cyber Security Centre) has called for the adoption of Secure by Default, which covers the long-term technical effort to ensure that the right security primitives are built into software and hardware. Read that HERE.
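The three causes the Avast report names (weak credentials, outdated software, unpatched flaws) are also the first things a home or small-office audit should check. The following is an added example, not Avast's, the UK Government's or the NCSC's code, that runs those checks over a device inventory. The inventory, the default-credential list, the "latest firmware" table and the known-vulnerable pairs are constructed sample data; a real audit would take the inventory from a network scan and the other tables from vendor advisories.

```python
"""Audit a smart-home device inventory for weak credentials, outdated
firmware and known unpatched flaws (added example, constructed data)."""
from dataclasses import dataclass, field

# Constructed reference data; real values come from vendor advisories.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "1234"), ("root", "root"), ("admin", "")}
LATEST_FIRMWARE = {"CamCo IPC-200": "2.4.1", "PlugCo SP-1": "1.9.0", "HubCo H1": "3.0.5"}
KNOWN_VULNERABLE = {("CamCo IPC-200", "2.3.0")}  # (model, firmware) with an unpatched flaw
COMMON_PASSWORDS = {"password", "12345678", "qwerty123"}


@dataclass
class Device:
    host: str
    model: str
    firmware: str
    username: str
    password: str
    findings: list = field(default_factory=list)


def version_tuple(v: str) -> tuple:
    """'1.10.0' sorts after '1.9.0' only when compared numerically."""
    return tuple(int(p) for p in v.split("."))


def is_weak_credential(user: str, pw: str) -> bool:
    """Factory default, empty, equal to the username, short, or on a common list."""
    if (user, pw) in DEFAULT_CREDS or pw == "" or pw.lower() == user.lower():
        return True
    return len(pw) < 8 or pw.lower() in COMMON_PASSWORDS


def audit(devices):
    """Attach findings to each device and return those with at least one.

    Findings are reset on every run so the audit can be repeated safely.
    """
    flagged = []
    for d in devices:
        d.findings = []
        if is_weak_credential(d.username, d.password):
            d.findings.append("weak-credentials")
        latest = LATEST_FIRMWARE.get(d.model)
        if latest and version_tuple(d.firmware) < version_tuple(latest):
            d.findings.append(f"outdated-firmware ({d.firmware} < {latest})")
        if (d.model, d.firmware) in KNOWN_VULNERABLE:
            d.findings.append("known-unpatched-flaw")
        if d.findings:
            flagged.append(d)
    return flagged


def summary(devices):
    """The two numbers the report leads with: share of vulnerable devices,
    and share of those that are vulnerable because of credentials."""
    flagged = audit(devices)
    weak = sum(1 for d in flagged if "weak-credentials" in d.findings)
    return {
        "total": len(devices),
        "vulnerable": len(flagged),
        "share_vulnerable": round(len(flagged) / len(devices), 3) if devices else 0.0,
        "share_weak_creds_among_vulnerable": round(weak / len(flagged), 3) if flagged else 0.0,
    }


# Constructed inventory, as a scanner might report it.
SAMPLE = [
    Device("192.168.1.10", "CamCo IPC-200", "2.3.0", "admin", "admin"),
    Device("192.168.1.11", "PlugCo SP-1", "1.9.0", "owner", "correct horse battery"),
    Device("192.168.1.12", "HubCo H1", "3.0.5", "hub", "hub"),
    Device("192.168.1.13", "PlugCo SP-1", "1.8.2", "owner", "Xk9#pLm2qR"),
]

if __name__ == "__main__":
    for d in audit(SAMPLE):
        print(d.host, d.model, d.findings)
    print(summary(SAMPLE))
```

The credential check deliberately treats "password equals username" and an empty password as weak even when the pair is not on the default list, since those are the cases a default-credential list alone misses.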


Tuesday 21 March 2017

Biometric security reaches the billions


From Deloitte CIO Journal

Prints charming: biometric security reaches the billions. Deloitte Global predicts that the active base of fingerprint-reader-equipped devices will top one billion for the first time in early 2017. There are multiple private and public organizations which should consider how best to exploit the growing base of fingerprint readers and the large number of individuals who have become accustomed to using them on their phones.

Monday 20 March 2017

Handling Today’s Top Risk Challenges


From Bank Director

Sai Huda of FIS identifies how boards can stay on top of cybersecurity and compliance risks, based on the 2017 Risk Practices Survey.

Sunday 12 March 2017

A guide to FDIC and Cybersecurity Examinations – What should you focus on?

By Stanley Epstein

FDIC – what it does and how it operates

The United States “Federal Deposit Insurance Corporation” (FDIC) plays a very important role in the preservation and promotion of public confidence in the U.S. financial system by insuring deposits in banks and thrift institutions; by identifying, monitoring and addressing risks to the deposit insurance funds; and by limiting the effect on the U.S. economy and the financial system when a bank or thrift fails.

The FDIC was created in 1933, as an independent agency of the federal government. This was a response to the thousands of bank failures that occurred during the 1920s and early 1930s.

The FDIC receives no government funds - it is backed by premiums that banks and thrifts pay for deposit insurance coverage and from earnings on investments in U.S. Treasury securities. About $9 trillion of deposits in U.S. banks and thrifts are insured by FDIC.

The FDIC also directly examines and supervises more than 4,500 banks and savings banks for operational safety and soundness, more than half of the institutions in the U.S. banking system.

Why doesn’t the FDIC cover all U.S. banks? Well, this is dependent on whether banks have been chartered by states or by the federal government. Banks chartered by states also have the choice of whether to join the Federal Reserve System. The FDIC is the main federal regulator of banks that are chartered by the states that do not join the Federal Reserve System. The FDIC is also the back-up supervisor for the remaining insured banks and thrifts.

The FDIC also has a major role in compliance; it examines banks for compliance with consumer protection laws, which include the Fair Credit Billing Act, the Fair Credit Reporting Act, the Truth-In-Lending Act, and the Fair Debt Collection Practices Act, among others. The FDIC also examines banks for compliance with the Community Reinvestment Act (CRA) which requires banks to help meet the credit needs of the communities they were chartered to serve.

When a bank or thrift fails the FDIC responds immediately to protect insured depositors. The failed institution is generally closed by its chartering authority - the state regulator, or the Office of the Comptroller of the Currency. While the FDIC has several options for resolving institution failures, the one used most often is to sell the deposits and loans of the failed institution to another institution. Customers of the failed institution automatically become customers of the assuming institution. Most of the time, from the customer's point of view the transition is seamless.

FDIC Examinations

FDIC bank examinations generally focus on the IT systems of banks with a particular focus on information security. The federal banking agencies issued Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), which is based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (FFIEC) to conduct IT examinations of service providers.

The examination process relies on bank management attestations regarding the extent to which IT risks are being managed and controlled. Examiners focus their efforts on management-identified weaknesses and may confirm selected safeguards described by management as adequate. Nonetheless, reports by the Office of the Inspector General within the FDIC indicate that examiners may not be consistent in their review of bank compliance with the Interagency Guidelines and do not regularly provide a clear statement of adequacy on intrusion detection programs and incident response plans.

The following provides a snapshot of information concerning FDIC IT examinations.
  • Currently about 2,300 IT examinations at financial institutions and technology service providers are conducted by FDIC in a year.
  • IT examinations at a financial institution that is found to have adequate security take between 8 and 10 days to complete.
  • IT examinations at a financial institution that is found to have some degree of supervisory concern take a while longer –15 to 20 days on average. 
Being prepared for an FDIC examination  
 
As IT examinations are a regular feature of the FDIC’s work, the boards of banks and bank directors should be adequately prepared for these. The question is where should their focus be when making such preparations?

Below are 10 key points that need to be taken into account when such preparations are made:
  1. Is bank management properly qualified to manage all aspects of the bank's IT operations? Does this include compliance with all the relevant data security laws and regulations? Is the bank's Board satisfied with the qualifications of bank management to handle this?
  2. Does the bank have a designated "Vendor Management Coordinator"? Does she/he have the appropriate level of due diligence and vendor risk modeling experience that matches the type and quality of the bank's IT services?
  3. Do the bank Directors have a clear understanding of what services are outsourced? Does the bank's Vendor Management Program meet the requirements and guidance of the FFIEC IT Examination Handbook, "Outsourcing Technology Services"?
  4. What about the bank’s “Business Continuity Planning/Disaster Recovery Plan”? Does it adequately address the sudden loss of IT services?
  5. When was the last time that your senior management reviewed the “Incident Response” section of your BCP/DR plan?
  6. Has your bank carried out a strategic test of your “Incident Response” plan (e.g. a tabletop simulation)?
  7. Has your bank carried out an operational test of your “Incident Response” plan (e.g. breach simulation)?
  8. Does your bank have a plan regarding how you would communicate news of a breach to bank customers, regulators and law enforcement?
  9. Does your bank have cyber insurance coverage? Does your management understand what is and is not covered under this policy?
  10. Does your bank have the necessary external resources identified and contractually bound to give you assistance and support in the event of a security incident?
 