FYI - The Department of Justice (DOJ) has made clear that it interprets the ADA as applicable to websites. Is your web site compliant with the Americans with Disabilities Act? For the past 20 years, our bank web site audits have covered the ADA guidelines. To help reduce any liability, please contact me for more information at examiner@yennik.com.
FYI - New York State revises its sweeping cyber regulation proposal for
financial sector - First-in-the-Nation Proposed Rule Aims to Protect
Consumer Data and Financial Systems from Terrorist Organizations and
Other Criminal Enterprises.
https://www.scmagazine.com/new-york-state-revises-its-sweeping-cyber-regulation-proposal-for-financial-sector/article/628720/
http://www.dfs.ny.gov/about/press/pr1612281.htm
FDA Issues Final Guidance for Medical Device Security - With all the
current concern over IoT being insecure from cyberattacks, the U.S.
Food & Drug Administration (FDA) has posted the agency's final
guidance for medical device safety.
https://www.scmagazine.com/fda-issues-final-guidance-for-medical-device-security/article/628711/
Accused hackers make millions off insider trading info - Three
Chinese men allegedly hacked two New York law firms and made more
than $4 million from the information they stole.
https://www.cnet.com/news/hackers-china-millions-off-stolen-insider-trading-info-lawyers/
Czechs build new cyber-security HQ - A ten-fold increase in staffing
is planned for the Czech National Cyber-Security Centre (NCSC)
according to recently announced government plans.
https://www.scmagazine.com/czechs-build-new-cyber-security-hq/article/629187/
Ransomware crime bill goes into effect in California - Beware
perpetrators of ransomware in California: Under a new bill that went
into effect on Jan.1, you will now face four years in a state
prison.
https://www.scmagazine.com/ransomware-crime-bill-goes-into-effect-in-california/article/629451/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Top-Secret-cleared SOCOM medics hit in 11GB govt database leak -
Dismissed hacker calls buddy to nix exposed database - A Pentagon
subcontractor has exposed the names, locations, Social Security
Numbers, and salaries of US Military Special Operations Command (SOCOM)
healthcare professionals.
http://www.theregister.co.uk/2017/01/03/top_secret_cleared_socom_staff_in_11gb_govt_contractor_breach/
Holiday Inn Parent IHG Probes Breach Claims - InterContinental
Hotels Group (IHG), the parent company for more than 5,000 hotels
worldwide including Holiday Inn, says it is investigating claims of
a possible credit card breach at some U.S. locations.
http://krebsonsecurity.com/2016/12/holiday-inn-parent-ihg-probes-breach-claims/
Arenas Entertainment hit with ransomware demand - A new ransomware
attack has reportedly hit Arenas Entertainment, a Los Angeles-based
film company tailored to Hispanic audiences worldwide.
https://www.scmagazine.com/arenas-entertainment-hit-with-ransomware-demand/article/629454/
WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
While the Board of Directors has the responsibility for ensuring that appropriate security control processes are in place for e-banking, the substance of these processes needs special management attention because of the enhanced security challenges posed by e-banking.
Over the next number of weeks we will cover the principles of
Security Controls.
Board and Management Oversight - Principle 4: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts business over the Internet. (Part 1 of 2)
It is essential in banking to confirm that a particular
communication, transaction, or access request is legitimate.
Accordingly, banks should use reliable methods for verifying the
identity and authorization of new customers as well as
authenticating the identity and authorization of established
customers seeking to initiate electronic transactions.
Customer verification during account origination is important in
reducing the risk of identity theft, fraudulent account applications
and money laundering. Failure on the part of the bank to adequately
authenticate customers could result in unauthorized individuals
gaining access to e-banking accounts and ultimately financial loss
and reputational damage to the bank through fraud, disclosure of
confidential information or inadvertent involvement in criminal
activity.
Establishing and authenticating an individual's identity and
authorization to access banking systems in a purely electronic open
network environment can be a difficult task. Legitimate user
authorization can be misrepresented through a variety of techniques
generally known as "spoofing." Online hackers can also take over the
session of a legitimate authorized individual through use of a
"sniffer" and carry out activities of a mischievous or criminal
nature. Authentication control processes can in addition be
circumvented through the alteration of authentication databases.
Accordingly, it is critical that banks have formal policy and
procedures identifying appropriate methodology(ies) to ensure that
the bank properly authenticates the identity and authorization of an
individual, agent or system by means that are unique and, as far as
practical, exclude unauthorized individuals or systems. Banks can use
a variety of methods to establish authentication, including PINs,
passwords, smart cards, biometrics, and digital certificates. These
methods can be either single factor or multi-factor (e.g. using both
a password and biometric technology to authenticate). Multi-factor
authentication generally provides stronger assurance.
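The following is an added illustration of the two points above, not text or code from the Basel Committee paper or from this newsletter: a password ("something you know") checked together with a time-based one-time code ("something you have", RFC 6238 TOTP), plus a keyed MAC over each stored credential record so that the "alteration of authentication databases" case is detected rather than silently accepted. The record layout, the MAC key, and the PBKDF2 parameters are assumptions made for the example; the TOTP test secret is the one published in RFC 6238.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Assumed server-side secret for this example only; a real deployment keeps it
# in a key store, separate from the database the MAC is meant to protect.
RECORD_MAC_KEY = b"example-record-mac-key-not-for-production"
PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the usual second factor delivered by an app or token."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _record_mac(username: str, salt: bytes, pw_hash: bytes, totp_secret: bytes) -> bytes:
    """Keyed MAC binding the record fields to the username. Someone who can edit
    the credential table but lacks RECORD_MAC_KEY cannot plant a hash or TOTP
    secret of their own without the MAC check failing."""
    msg = b"\x00".join([username.encode(), salt, pw_hash, totp_secret])
    return hmac.new(RECORD_MAC_KEY, msg, hashlib.sha256).digest()


def enroll(db: dict, username: str, password: str, totp_secret: bytes) -> None:
    """Customer verification at account origination: store a salted, stretched
    password hash and the TOTP secret, sealed with the record MAC."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db[username] = {
        "salt": salt,
        "pw_hash": pw_hash,
        "totp_secret": totp_secret,
        "mac": _record_mac(username, salt, pw_hash, totp_secret),
    }


def authenticate(db: dict, username: str, password: str, code: str,
                 now: Optional[int] = None) -> str:
    """Returns 'ok' or a failure reason. Both factors and the record MAC are
    evaluated before any decision is made, with constant-time comparisons."""
    now = int(time.time()) if now is None else now
    rec = db.get(username)
    if rec is None:
        return "unknown user"
    expected_mac = _record_mac(username, rec["salt"], rec["pw_hash"], rec["totp_secret"])
    record_intact = hmac.compare_digest(expected_mac, rec["mac"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
    password_ok = hmac.compare_digest(candidate, rec["pw_hash"])
    # Accept the current 30-second step and one step either side to absorb clock drift.
    submitted = code.strip().encode()
    code_ok = any(
        hmac.compare_digest(totp(rec["totp_secret"], now + d * TOTP_STEP).encode(), submitted)
        for d in (-1, 0, 1)
    )
    if not record_intact:
        return "credential record tampered"
    if not (password_ok and code_ok):
        return "authentication failed"
    return "ok"


if __name__ == "__main__":
    users = {}
    enroll(users, "alice", "correct horse battery", b"12345678901234567890")
    # RFC 6238 vector: at Unix time 59 the 6-digit SHA-1 code for this secret is 287082.
    print(authenticate(users, "alice", "correct horse battery", "287082", now=59))
```

The record MAC is what distinguishes "the password hash in the table is wrong" from "the table was edited": the first produces an ordinary authentication failure, the second is an integrity event that belongs in an alert, not in a login-failure counter.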
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS
(Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
14.2 Software Support
Software is the heart of an organization's computer operations,
whatever the size and complexity of the system. Therefore, it is
essential that software function correctly and be protected from
corruption. There are many elements of software support.
One is controlling what software is used on a system. If users or
systems personnel can load and execute any software on a system, the
system is more vulnerable to viruses, to unexpected software
interactions, and to software that may subvert or bypass security
controls. One method of controlling software is to inspect or test
software before it is loaded (e.g., to determine compatibility with
custom applications or identify other unforeseen interactions). This
can apply to new software packages, to upgrades, to off-the-shelf
products, or to custom software, as deemed appropriate. In addition
to controlling the loading and execution of new software,
organizations should also give care to the configuration and use of
powerful system utilities. System utilities can compromise the
integrity of operating systems and logical access controls.
A second element in software support can be to ensure that software
has not been modified without proper authorization. This involves
the protection of software and backup copies. This can be done with
a combination of logical and physical access controls.
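An added example covering both of the elements above, written for this newsletter and not taken from the NIST Handbook: a baseline of SHA-256 hashes is recorded for the approved software tree at deployment, and a later check reports three kinds of drift, files whose hash changed (modified without authorization), files not in the baseline (software that was never approved for the system), and baseline entries with no file (a component removed). The directory contents are constructed inside a temporary folder so the check runs anywhere; the assumption is that the baseline itself is stored where ordinary users cannot write to it.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the hash of every file under root. Paths are stored POSIX-style
    so a baseline taken on one platform compares cleanly on another."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the approved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "unauthorized": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo() -> dict:
    """Constructed scenario: approve a small tree, then introduce each kind of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "teller.exe").write_bytes(b"approved build 1.0")
        (root / "bin" / "report.dll").write_bytes(b"approved library")
        (root / "config.ini").write_text("timeout=15\n")
        baseline = build_baseline(root)          # taken at deployment

        (root / "bin" / "teller.exe").write_bytes(b"approved build 1.0 + unreviewed patch")
        (root / "bin" / "diskutil.exe").write_bytes(b"utility never approved for this PC")
        (root / "config.ini").unlink()
        return verify(root, baseline)            # run later by the audit job


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

A hash baseline only tells you that something changed, not whether the change was authorized; pairing each expected change with a change ticket before the baseline is refreshed is what turns the report into an access control rather than a list of surprises.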
Many organizations also include a program to ensure that software
is properly licensed, as required. For example, an organization may
audit systems for illegal copies of copyrighted software. This
problem is primarily associated with PCs and LANs, but can apply to
any type of system.
Viruses take advantage of the weak software controls in personal
computers. Also, there are powerful utilities available for PCs that
can restore deleted files, find hidden files, and interface directly
with PC hardware, bypassing the operating system. Some organizations
use personal computers without floppy drives in order to have better
control over the system.
There are several widely available utilities that look for security
problems in both networks and the systems attached to them. Some
utilities look for and try to exploit security vulnerabilities.