FYI
- Our cybersecurity testing meets the independent pen-test requirements
outlined in the FFIEC Information Security booklet, and the penetration
study complies with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing. Independent pen-testing is part of any financial
institution's cybersecurity defense. To receive due diligence
information, agreement, and cost-saving fees, please complete the
information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm.
All communication is kept strictly confidential.
FYI
- UK high-street banks accused of "shockingly bad" online security -
Over half of the UK's high-street banks and building societies use
outdated SSL security that means their online customers can be
attacked by low-skilled cyber-criminals, and “they don't seem to
care”, according to a security firm.
http://www.scmagazine.com/uk-high-street-banks-accused-of-shockingly-bad-online-security/article/463241/
FYI
- BIMCO releases first cybersecurity guidelines for shipping
industry - The Baltic and International Maritime Council (BIMCO)
today launched the first set of cybersecurity guidelines for the
global shipping industry to prevent issues that could arise from
cyber incidents at sea.
http://www.scmagazine.com/bimco-launches-guidelines-to-prevent-and-address-maritime-cyber-issues/article/462932/
FYI
- Dutch govt says no to backdoors, slides $540k into OpenSSL without
breaking eye contact - People need encryption to be safe and secure,
says ministry - A government position paper, published by the
Ministry of Security and Justice on Monday and signed by the
security and business ministers, concludes that "the government
believes that it is currently not appropriate to adopt restrictive
legal measures against the development, availability and use of
encryption within the Netherlands."
http://www.theregister.co.uk/2016/01/04/dutch_government_says_no_to_backdoors/
FYI
- Pentagon Grants Contractors an Extension on Hack Detection Rules -
The Pentagon has updated data breach rules for defense contractors
to allow companies an extra year-and-a-half to comply with one
portion.
http://www.nextgov.com/cybersecurity/2016/01/pentagon-grants-contractors-extension-hack-detection-rule/124846/
FYI
- BlackBerry to stay in Pakistan after government backs down on
access and content demands - The Canadian phone maker has reneged on
its decision to exit the Pakistani market following talks with the
country's government on the privacy of its customers.
http://www.zdnet.com/article/blackberry-to-stay-in-pakistan-despite-security-concernsblackberry-to-stay-in-pakistan-after/
FYI
- NYC begins rolling out free public Wi-Fi. Will others follow suit?
- The city plans to provide up to 10,000 hotspots over the next
decade, replacing phonebooths with hi-tech kiosks. The first hubs
were installed this week.
http://www.csmonitor.com/Technology/2015/1230/NYC-begins-rolling-out-free-public-Wi-Fi.-Will-others-follow-suit
FYI
- Canadian cyberthreats differ from those in the U.S., report says -
The U.S. and Canada both see their fair shares of malware such as
Dridex and other banking trojans, but there was one threat
conspicuously absent from Canada's list of common threats -
ransomware.
http://www.scmagazine.com/ransomware-not-on-canadas-threat-landscape-researchers-find/article/463527/
FYI
- Loose talk on social media big security risk for firms - Employees
are risking their organisations' IT security and their own personal
data by sharing too much information on social media.
http://www.scmagazine.com/loose-talk-on-social-media-big-security-risk-for-firms-says-kaspersky/article/463339/
FYI
- House Small Business Committee grills SBA on weak security - Weak
information security was at the top of the House Small Business
Committee's agenda when it met Wednesday and Thursday to discuss
several areas of mismanagement at the Small Business Administration
(SBA).
http://www.scmagazine.com/house-small-business-committee-grills-sba-on-weak-security/article/463815/
FYI
- Henry Schein to pay $250K to FTC for misleading encryption claims
- In an enforcement action that aimed the spotlight squarely at
encryption, Henry Schein Practice Solutions, Inc. agreed to pay
$250,000 to the Federal Trade Commission (FTC) for falsely
advertising the level of encryption it used to safeguard patient
data.
http://www.scmagazine.com/henry-schein-to-pay-250k-to-ftc-for-misleading-encryption-claims/article/463824/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Series of DDoS attacks plague Linode data centers, infrastructure
- Cloud hosting company Linode reported that a set of distributed
denial of service (DDoS) attacks have caused service interruptions
at DNS infrastructure and data center locations in the U.S. and the
U.K., including Dallas, London, Atlanta, Frankfurt, Newark, N.J.,
Tokyo, Singapore and Fremont, Calif.
http://www.scmagazine.com/cloud-hosting-company-linode-sees-service-interruptions-for-ddos-attacks/article/462535/
FYI
- BBC sites hit with possible DDoS attack - The British Broadcasting
Corporation's (BBC) websites were shut down Thursday morning by what
is believed to have been a massive distributed denial-of-service
(DDoS) attack.
http://www.scmagazine.com/bbc-websites-and-associated-content-targeted-in-cyber-attack/article/462513/
http://www.computerworld.com/article/3018738/cloud-computing/bbc-ddos-fail-itbwcw.html
FYI
- Steam confirms info on 34K users likely exposed in Christmas Day
DoS attack - Steam confirmed in a statement on its website that a
midday denial-of-service attack on Christmas likely exposed the
personal information of 34,000 users via store page requests made
between 11:52 a.m. and 1:20 p.m. PST.
http://www.scmagazine.com/steam-confirms-info-on-34k-users-likely-exposed-in-christmas-day-dos-attack/article/462526/
FYI
- U.K. school tries to improve cyber hygiene after memory stick lost
- The third-oldest school in the U.K. is working to improve cyber
hygiene after an employee lost a memory stick that belonged to the
school while on public transport.
http://www.scmagazine.com/uk-school-tries-to-improve-cyber-hygiene-after-memory-stick-lost/article/462522/
FYI
- Hillsides worker emails PII to unencrypted address, 1,000 affected
- Hillsides child-services and welfare agency in Pasadena, Calif.,
reported a data breach on December 30 that could impact about 1,000
clients and staff members.
http://www.scmagazine.com/hillsides-worker-emails-pii-to-unencrypted-address-1000-affected/article/462514/
FYI
- Did AVG leave your personal data exposed? - It turns out that even
the companies whose job it is to keep us safe can't seem to do it.
What hope is there?
http://www.cnet.com/news/flaw-found-in-avgs-web-safety-software-9-million-people-exposed/
FYI
- Kurdish group claims responsibility for hacking Idaho city website
- McCall City, Idaho's municipal website was hacked and defaced late
last week by a Kurdish group claiming to be anti-ISIS and
anti-Turkey.
http://www.scmagazine.com/kurdish-group-claims-responsibility-for-hacking-idaho-city-website/article/462904/
FYI
- "Russian" BlackEnergy malware strikes at Ukrainian media and
energy firms - Cyber-criminals behind the BlackEnergy trojan made a
comeback in 2015, launching attacks against media and energy
companies in Ukraine, according to infosec researchers.
http://www.scmagazine.com/russian-blackenergy-malware-strikes-at-ukrainian-media-and-energy-firms/article/462916/
FYI
- Hackers cause electricity 'blackout' in Ukraine - In a worrying
sign of potential cyber attacks to come, thousands of people in
Ukraine were left without electricity after hackers hit electrical
substations, it has been claimed.
http://www.wired.co.uk/news/archive/2016-01/05/cyberattack-power-electricity-ukraine
FYI
- Researchers Out Default Passwords Packaged With ICS/SCADA Wares -
ICS/SCADA researchers from Russia have published online a list of
popular industrial systems that come packaged with default passwords
in hopes that the vendors, which include a who's who of ICS/SCADA,
will abandon that practice.
http://www.darkreading.com/endpoint/researchers-out-default-passwords-packaged-with-ics-scada-wares/d/d-id/1323755
FYI
- Sony PSN downed; hacking group claims DDOS attack - The hacking
group Phantom Squad is claiming responsibility for a distributed
denial of service (DDOS) attack that took Sony's PlayStation
Network offline worldwide for most of the day Monday.
http://www.scmagazine.com/sony-psn-downed-hacking-group-claims-ddos-attack/article/463065/
FYI
- PayPal investigates account compromised twice in one day - PayPal
is investigating an incident in which a user's account was
compromised and used in a thwarted attempt to send money to a dead
ISIS hacker.
http://www.scmagazine.com/paypal-to-investigate-bizarre-account-hack-that-included-attempt-to-transfer-funds-to-a-dead-isis-hacker/article/463235/
FYI
- Anonymous takes credit for shutting down 14 Thai police websites -
The hacking collective Anonymous claimed responsibility for shutting
down 14 Thailand police websites on Tuesday to protest the death
sentences of two Myanmar migrant workers convicted of murdering two
British tourists.
http://www.scmagazine.com/anonymous-attacks-thai-police-websites/article/463188/
FYI
- Mystery database leaks conservative's personal details - Just
after it was revealed that 191 million voter records were exposed to
the public due to a misconfigured MongoDB database, another 56
million records have been leaked from what researchers believe is a
right-wing Christian group originating in the US.
http://www.scmagazine.com/mystery-database-leaks-conservatives-personal-details/article/463192/
FYI
- 2 million sets of personal records stolen in 2015 Japanese
cyber-attacks - At least 2.07 million data sets with personal
information have been leaked or feared leaked from 140 organisations
in Japan during 2015.
http://www.scmagazine.com/2-million-sets-of-personal-records-stolen-in-2015-japanese-cyber-attacks/article/463340/
FYI
- Time Warner Cable says 320,000 customer emails potentially stolen
- Time Warner Cable (TWC) blamed a phishing attack conducted on one
of its vendors for a data breach that may have resulted in 320,000
TWC customer emails and other personal information being stolen.
http://www.scmagazine.com/320k-time-warner-cable-customers-possibly-victimized/article/463803/
WEB SITE COMPLIANCE -
This week continues our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 3 of 6)
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address
identity theft. The FDIC acts directly, often in conjunction with
other Federal regulators, by promulgating standards that financial
institutions are expected to meet to protect customers' sensitive
information and accounts. The FDIC enforces these standards against
the institutions under its supervision and encourages all financial
institutions to educate their customers about steps they can take to
reduce the chances of becoming an identity theft victim. The FDIC
also sponsors and conducts a variety of consumer education efforts
to make consumers more aware of the ways they can protect themselves
from identity thieves.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet. This booklet is required reading for anyone involved in
information systems security, such as the Network Administrator,
Information Security Officer, members of the IS Steering Committee,
and, most important, your outsourced network security consultants.
Your outsourced network security consultants can receive the
"Internet Banking News" by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
the e-newsletter.
ROLES AND RESPONSIBILITIES (2 of 2)
Senior management should enforce its security program by clearly
communicating responsibilities and holding appropriate individuals
accountable for complying with these requirements. A central
authority should be responsible for establishing and monitoring the
security program. Security management responsibilities, however, may
be distributed throughout the institution from the IT department to
various lines of business depending on the institution's size,
complexity, culture, nature of operations, and other factors. The
distribution of duties should ensure an appropriate segregation of
duties between individuals or organizational groups.
Senior management also has the responsibility to ensure integration
of security controls throughout the organization. To support
integration, senior management should
1) Ensure the security process is governed by organizational
policies and practices that are consistently applied,
2) Require that data with similar criticality and sensitivity
characteristics be protected consistently regardless of where in the
organization it resides,
3) Enforce compliance with the security program in a balanced and
consistent manner across the organization, and
4) Coordinate information security with physical security.
Senior management should make decisions regarding the acceptance of
security risks and the performance of risk mitigation activities
using guidance approved by the board of directors.
Employees should know, understand, and be held accountable for
fulfilling their security responsibilities. Institutions should
define these responsibilities in their security policy. Job
descriptions or contracts should specify any additional security
responsibilities beyond the general policies. Financial institutions
can achieve effective employee awareness and understanding through
security training, employee certifications of compliance,
self-assessments, audits, and monitoring.
Management also should consider the roles and responsibilities of
external parties. Technology service providers (TSPs), contractors,
customers, and others who have access to the institution's systems
and data should have their security responsibilities clearly
delineated and documented in contracts.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 4.6 Industrial Espionage
Industrial espionage is the act of gathering proprietary data from
private companies or the government for the purpose of aiding
another company(ies). Industrial espionage can be perpetrated either
by companies seeking to improve their competitive advantage or by
governments seeking to aid their domestic industries. Foreign
industrial espionage carried out by a government is often referred
to as economic espionage. Since information is processed and stored
on computer systems, computer security can help protect against such
threats; it can do little, however, to reduce the threat of
authorized employees selling that information.
Industrial espionage is on the rise. A 1992 study sponsored by the
American Society for Industrial Security (ASIS) found that
proprietary business information theft had increased 260 percent
since 1985. The data indicated 30 percent of the reported losses in
1991 and 1992 had foreign involvement. The study also found that 58
percent of thefts were perpetrated by current or former employees.
The three most damaging types of stolen information were pricing
information, manufacturing process information, and product
development and specification information. Other types of
information stolen included customer lists, basic research, sales
data, personnel data, compensation data, cost data, proposals, and
strategic plans.
Within the area of economic espionage, the Central Intelligence
Agency has stated that the main objective is obtaining information
related to technology, but that information on U.S. government
policy deliberations concerning foreign affairs and information on
commodities, interest rates, and other economic factors is also a
target. The Federal Bureau of Investigation concurs that
technology-related information is the main target, but also lists
corporate proprietary information, such as negotiating positions and
other contracting data, as a target.