FYI - The FFIEC members revised and renamed the Business Continuity
Planning booklet to Business Continuity Management (BCM) to reflect
updated information technology risk practices and frameworks and the
increased focus on ongoing, enterprise-wide business continuity and
resilience. The new Handbook can be found at:
https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx
FYI - No one is ready for California’s new consumer privacy law - Just
like the GDPR, it’s not totally clear what it means to be compliant
with the CCPA - The California Consumer Privacy Act goes into effect
January 1st, and it doesn’t look like anyone, even the state of
California itself, is totally ready.
https://www.theverge.com/2019/12/31/21039228/california-ccpa-facebook-microsoft-gdpr-privacy-law-consumer-data-regulation
Colorado Town Wires Over $1 Million to BEC Scammers - Colorado Town
of Erie lost more than $1 million to a business email compromise
scam (BEC) that ended with the town's employees sending the funds to
a bank account controlled by scammers.
https://www.bleepingcomputer.com/news/security/colorado-town-wires-over-1-million-to-bec-scammers/
Cyberattack hits Las Vegas on opening day of CES - Las Vegas had an
unwelcome visitor in the form of a cyberattack that struck early in
the morning of January 7 that caused some service interruptions that
have since been resolved.
https://www.scmagazine.com/home/security-news/cyberattack/ces-cyberattack-hit-las-vegas/
China's TikTok banned by US Army amid security concerns: Report -
The US Army has banned the use of popular Chinese social media video
app TikTok, with Military.com first reporting it was due to security
concerns.
https://www.zdnet.com/article/chinas-tiktok-banned-by-us-army-amid-security-concerns-report/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Company shuts down because of ransomware, leaves 300 without jobs
just before holidays - Company tells employees to seek new
employment after suspending all operations right before Christmas.
https://www.zdnet.com/article/company-shuts-down-because-of-ransomware-leaves-300-without-jobs-just-before-holidays/
Attackers sink their meathooks into Landry’s restaurants’ payment
card data - The Houston-based steakhouse, restaurant and hospitality
company Landry’s, Inc. has advised customers of a point-of-sale
malware attack that stole payment card data from an order-entry
system used to process kitchen and bar orders.
https://www.scmagazine.com/home/security-news/data-breach/pos-malware-attack-landrys-restaurants/
Ransomware attack on maritime facility prompts Coast Guard warning -
The U.S. Coast Guard last month issued a safety bulletin following a
ransomware attack that impaired both the IT systems and industrial
control systems of a facility regulated by the Maritime
Transportation Security Act (MTSA), and prompted a 30-hour
operational shutdown.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-on-maritime-facility-prompts-coast-guard-warning/
University Hit by Ransomware, Almost All Windows Systems Compromised
- Maastricht University is the latest victim of ransomware, as
hackers managed to compromise its Windows systems on December 23.
https://news.softpedia.com/news/maastricht-university-hit-by-ransomware-almost-all-windows-systems-compromised-528718.shtml
IoT vendor Wyze confirms server leak - Wyze, a company that sells
smart devices like security cameras, smart plugs, smart lightbulbs,
and smart door locks, confirmed today a server leak that exposed the
details of roughly 2.4 million customers.
Starbucks Devs Leave API Key in GitHub Public Repo - One misstep
from developers at Starbucks left exposed an API key that could be
used by an attacker to access internal systems and manipulate the
list of authorized users.
https://www.bleepingcomputer.com/news/security/starbucks-devs-leave-api-key-in-github-public-repo/
Ransomware forces Richmond Community Schools to close - Students
attending Richmond Community Schools received a belated Christmas
present when a ransomware attack delayed the re-opening of school
from its holiday break.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-forces-richmond-community-schools-to-close/
Wheelie bad end to 2019 for Canyon Bicycles as hackers puncture IT
systems - German cycle-maker Canyon Bicycles GmbH has confirmed it
was the victim of a security break-in over the holiday period that
has all the hallmarks of a ransomware attack with parts of the
infrastructure padlocked by the perpetrators.
https://www.theregister.co.uk/2020/01/07/hackers_canyon_bicycles/
Malware Hits Travelex Currency Exchange Service - The New Year's Eve
malware attack forced Travelex employees to resort to manual
operations.
https://www.darkreading.com/threat-intelligence/malware-hits-travelex-currency-exchange-service/d/d-id/1336716
State actors may be behind ongoing cyberattack on Austria’s foreign
ministry - An ongoing and “serious cyberattack” at Austria’s foreign
ministry could be the work of nation-state actors, the country’s
government said.
https://www.scmagazine.com/home/security-news/state-actors-may-be-behind-ongoing-cyberattack-on-austrias-foreign-ministry/
School management software provider discloses severe security breach
- Active Network discloses security incident that impacted school
online stores built on the Blue Bear platform.
https://www.zdnet.com/article/school-management-software-provider-discloses-severe-security-breach/
Breach of email accounts impacts 50,000 patients of Minnesota
hospital - Minnesota-based hospital operator Alomere Health this
month began notifying patients of a data breach affecting 49,351
individuals, after a malicious actor gained access to two employee
email accounts in late October and early November.
https://www.scmagazine.com/home/security-news/data-breach/breach-of-email-accounts-impacts-50000-patients-of-minnesota-hospital/
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites -
Risk Mitigation and Response Guidance for Web Site Spoofing Incidents
(Part 4 of 5)
PROCEDURES TO ADDRESS SPOOFING - Spoofing Incident Response
To respond to spoofing incidents effectively, bank management
should establish structured and consistent procedures. These
procedures should be designed to close fraudulent Web sites, obtain
identifying information from the spoofed Web site to protect
customers, and preserve evidence that may be helpful in connection
with any subsequent law enforcement investigations.
Banks can take the following steps to disable a spoofed Web site
and recover customer information. Some of these steps will require
the assistance of legal counsel.
* Communicate promptly, including through written
communications, with the Internet service provider (ISP) responsible
for hosting the fraudulent Web site and demand that the suspect Web
site be shut down;
* Contact the domain name registrars promptly, for any domain
name involved in the scheme, and demand the disablement of the
domain names;
* Obtain a subpoena from the clerk of a U.S. District Court
directing the ISP to identify the owners of the spoofed Web site and
to recover customer information in accordance with the Digital
Millennium Copyright Act;
* Work with law enforcement; and
* Use other existing mechanisms to report suspected spoofing
activity.
The following are other actions and types of legal documents that
banks can use to respond to a spoofing incident:
* Banks can write letters to domain name registrars demanding
that the incorrect use of their names or trademarks cease
immediately;
* If these demand letters are not effective, companies with
registered Internet names can use the Uniform Domain Name Dispute
Resolution Policy (UDRP) to resolve disputes in which they suspect
that their names or trademarks have been illegally infringed upon.
This process allows banks to seek, through the registrar, the
cancellation or transfer of an infringing domain name in order to
stop a spoofing incident. However, banks must bear in mind that the
UDRP can be relatively time-consuming. For more details on this
process see http://www.icann.org/udrp/udrp-policy-24oct99.htm; and
* Additional remedies may be available under the federal
Anticybersquatting Consumer Protection Act (ACPA), which allows the
bank to initiate immediate action in federal district court under
section 43(d) of the Lanham Act, 15 USC 1125(d). Specifically, the
ACPA can provide for rapid injunctive relief without the need to
demonstrate a similarity or likelihood of confusion between the goods
or services of the parties.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SERVICE PROVIDER OVERSIGHT - SAS 70 REPORTS
Frequently technology service providers (TSPs) or user groups will
contract with an accounting firm to report on security using
Statement on Auditing Standards 70 (SAS 70), an auditing standard
developed by the American Institute of Certified Public Accountants.
SAS 70 focuses on controls and
control objectives. It allows for two types of reports. A SAS 70
Type I report gives the service provider's description of controls
at a specific point in time, and an auditor's report. The auditor's
report will provide an opinion on whether the control description
fairly presents the relevant aspects of the controls, and whether
the controls were suitably designed for their purpose.
A SAS 70 Type II report expands upon a Type I report by
addressing whether the controls were functioning. It provides a
description of the auditor's tests of the controls. It also provides
an expanded auditor's report that addresses whether the controls
that were tested were operating with sufficient effectiveness to
provide reasonable, but not absolute, assurance that the control
objectives were achieved during the specified period.
Financial institutions should carefully evaluate the scope and
findings of any SAS 70 report. The report may be based on different
security requirements than those established by the institution. It
may not provide a thorough test of security controls unless
requested by the TSP or augmented with additional coverage.
Additionally, the report may not address the effectiveness of the
security process in continually mitigating changing risks.
Therefore, financial institutions may require additional reports to
oversee the security program of the service provider. (SAS 70 has
since been superseded by the SSAE attestation standards, and reports
of this kind are now issued as SOC 1 or SOC 2 Type I and Type II
reports; the same cautions about scope, period covered and control
objectives apply to them.)
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 4 - COMMON THREATS: A BRIEF OVERVIEW
Computer systems are vulnerable to many threats that can inflict
various types of damage resulting in significant losses. This damage
can range from errors harming database integrity to fires destroying
entire computer centers. Losses can stem, for example, from the
actions of supposedly trusted employees defrauding a system, from
outside hackers, or from careless data entry clerks. Precision in
estimating computer security-related losses is not possible because
many losses are never discovered, and others are "swept under the
carpet" to avoid unfavorable publicity. The effects of various
threats vary considerably: some affect the confidentiality or
integrity of data while others affect the availability of a system.
This chapter presents a broad view of the risky environment in
which systems operate today. The threats and associated losses
presented in this chapter were selected based on their prevalence
and significance in the current computing environment and their
expected growth. This list is not exhaustive, and some threats may
combine elements from more than one area. This overview of many of
today's common threats may prove useful to organizations studying
their own threat environments; however, the perspective of this
chapter is very broad. Thus, threats against particular systems
could be quite different from those discussed here.
To control the risks of operating an information system, managers
and users need to know the vulnerabilities of the system and the
threats that may exploit them. Knowledge of the threat environment
allows the system manager to implement the most cost-effective
security measures. In some cases, managers may find it more
cost-effective to simply tolerate the expected losses. Such
decisions should be based on the results of a risk analysis.