R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

January 25, 2015

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - PCI compliance not synonymous with security, panel says - None of the companies in a soon-to-be released Verizon report that experienced a data breach “were fully PCI [Payment Card Industry Data Security Standard] compliant at the time of breach.” http://www.scmagazine.com/pci-compliance-not-synonymous-with-security/article/393403/

FYI - With crypto in UK crosshairs, secret US report says it’s vital - Newly reported Edward Snowden document aired as UK prime minister presses US. As UK Prime Minister David Cameron forges ahead with a campaign pledge to ban encrypted messaging apps unless his government is given backdoors, that country's Guardian newspaper has aired a secret US report warning that government and private computers were at risk because cryptographic protections aren't being implemented fast enough. http://arstechnica.com/security/2015/01/with-crypto-in-uk-crosshairs-secret-us-report-says-its-vital/

FYI - Marriott hotels do U-turn over wi-fi hotspot blocks - Hotel group Marriott International has announced it will stop blocking guests from using personal wi-fi kits. The firm was fined $600,000 (£395,000) last year by a US watchdog after a complaint that it had jammed mobile hotspots at a hotel in Nashville. http://www.bbc.com/news/technology-30827706

FYI - Man sentenced to 10 years over $1.2M website domain scam - A California man has been sentenced to 10 years in prison for running a website scam that defrauded investors for a total of $1.2 million. http://www.scmagazine.com/man-sentenced-to-10-years-over-12m-website-domain-scam/article/392570/

FYI - HITRUST forms working group for medical device, health system security - The Health Information Trust Alliance (HITRUST) will develop a working group, which will focus on improving the security of health information technology, such as systems in use at health care entities and medical devices. http://www.scmagazine.com/working-group-looks-to-improve-health-information-technology/article/392797/

FYI - Judge caps Schnucks's liability to payment-processing partners in breach case - A federal judge has capped the liability that Schnuck Markets' is responsible to pay its payment-processing partners to $500,000 in relation to its data breach case. http://www.scmagazine.com/judge-caps-schnuckss-liability-to-payment-processing-partners-in-breach-case/article/393010/

FYI - States pen letter to JPMorgan chief privacy officer requesting further info on breach - States investigating the data breach at JPMorgan Chase this past summer are requesting that the bank hand over detailed information on its security practices and are looking to confirm whether the bank is sure that no sensitive account data was stolen. http://www.scmagazine.com/states-ask-for-more-information-from-jpmorgan-chase/article/392820/

FYI - NJ law requires health insurance carriers to encrypt sensitive data - New Jersey has passed a law requiring health insurance carriers to encrypt sensitive patient data. http://www.scmagazine.com/christie-signs-bill-to-protect-personal-information/article/392123/

FYI - Kansas City Fed tech staff to increase by up to 200 - To support the work of the nation’s central bank, the Federal Reserve Bank of Kansas City expects to hire up to 200 technology professionals over the next three years.  www.kc.frb.org/publicat/newsroom/2014pdf/Press.Release.01.20.15.pdf

FYI - Most common passwords of 2014 released; '123456' tops list, again - Again this year, in a pool of more than 3 million leaked passwords, “123456” and “password” topped the list of the most popular passwords. http://www.scmagazine.com/splashdata-releases-list-of-most-popular-and-worst-password-of-2014/article/393443/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - LinkedIn credentials being harvested via bogus security notifications - Criminals are targeting LinkedIn users with messages masquerading as legitimate security alerts in a bid to steal log-in credentials. http://www.v3.co.uk/v3-uk/news/2390485/linkedin-credentials-being-harvested-via-bogus-security-notifications

FYI - About 19K French websites attacked since last week, report says - Since last week's attacks in France, hacking attempts have been made against roughly 19,000 French websites, the AP reported on Thursday, citing Admiral Arnaud Coustilliere, head of cyberdefense for the French military. http://www.scmagazine.com/about-19k-french-websites-attacked-since-last-week-report-says/article/393037/

FYI - Payment cards targeted in attack on pet supplies website - Tennessee-based ValuePetSupplies.com is notifying several thousand customers that unauthorized persons accessed its servers and installed malicious files to capture personal information – including payment card data – entered into its website. http://www.scmagazine.com/payment-cards-targeted-in-attack-on-pet-supplies-website/article/392821/

FYI - US 'tapped N Korea computers in 2010' report claims - The US knew North Korea was behind the Sony Pictures hack because it had secretly infiltrated the country's computer networks in 2010. http://www.bbc.com/news/technology-30879637

FYI - New York Post Twitter account hacked, UPI's compromised, too - The Twitter account of the New York Post was hacked, and UPI's was also apparently hit, the latest in a string of attacks that have hit the social media channels of high-profile organizations. http://www.computerworld.com/article/2871800/new-york-post-twitter-account-hacked-upis-compromised-too.html

FYI - Malware found on POS systems at four Wingstop locations - Texas-based restaurant chain Wingstop is notifying an undisclosed number of customers that malware was found on point-of-sale (POS) systems at four locations, and it could have enabled attackers to capture customer payment card information. http://www.scmagazine.com/malware-found-on-pos-systems-at-four-wingstop-locations/article/393402/

FYI - Over 870K personal records leaked following Australian insurer breach - Information from a large-scale data breach that impacted Australian travel insurance company Aussie Travel Cover (ATC) in December was leaked online by a teenage hacker. http://www.scmagazine.com/over-870k-personal-records-leaked-following-australian-insurer-breach/article/393459/

FYI - Minnesota university warns of 'likely' breach - Minnesota-based Metropolitan State University has issued a notification, alerting faculty, staff and students that an attacker may have breached its web server to access a database that contained their personal information. http://www.scmagazine.com/minnesota-university-warns-of-likely-breach/article/393569/


WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Capacity, Business Continuity and Contingency Planning Practices for E-Banking

1. All e-banking services and applications, including those provided by third-party service providers, should be identified and assessed for criticality.

2. A risk assessment for each critical e-banking service and application, including the potential implications of any business disruption on the bank's credit, market, liquidity, legal, operational and reputation risk should be conducted.

3. Performance criteria for each critical e-banking service and application should be established, and service levels should be monitored against such criteria.  Appropriate measures should be taken to ensure that e-banking systems can handle high and low transaction volumes and that system performance and capacity are consistent with the bank's expectations for future growth in e-banking.

4. Consideration should be given to developing processing alternatives for managing demand when e-banking systems appear to be reaching defined capacity checkpoints.

5. E-banking business continuity plans should be formulated to address any reliance on third-party service providers and any other external dependencies required to achieve recovery.

6. E-banking contingency plans should set out a process for restoring or replacing e-banking processing capabilities, reconstructing supporting transaction information, and include measures to be taken to resume availability of critical e-banking systems and applications in the event of a business disruption.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

INTRUSION RESPONSE (Part 2 of 2)

Successful implementation of any response policy and procedure requires the assignment of responsibilities and training. Some organizations formalize the response organization with the creation of a computer security incident response team (CSIRT). The CSIRT is typically tasked with performing, coordinating, and supporting responses to security incidents. Due to the wide range of non-technical issues that are posed by an intrusion, typical CSIRT membership includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution. Those areas include management, legal, and public relations, as well as information technology. Other organizations may outsource some of the CSIRT functions, such as forensic examinations. When CSIRT functions are outsourced, institutions should ensure that their own policies are followed by the service provider and that the confidentiality of data and systems is maintained.

Institutions can best assess the adequacy of their preparations through testing.

While containment strategies between institutions can vary, they typically contain the following broad elements:

  • Isolation of compromised systems, or enhanced monitoring of intruder activities;
  • Search for additional compromised systems;
  • Collection and preservation of evidence; and
  • Communication with affected parties, the primary regulator, and law enforcement.

Restoration strategies should address the following:

  • Elimination of an intruder's means of access;
  • Restoration of systems, programs and data to a known good state;
  • Filing of a Suspicious Activity Report (guidelines for filing are included in individual agency guidance); and
  • Communication with affected parties.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.2.3 Electronic Signatures

What Is an Electronic Signature?

An electronic signature is a cryptographic mechanism that performs a similar function to a written signature. It is used to verify the origin and contents of a message. For example, a recipient of data (e.g., an e-mail message) can verify who signed the data and that the data was not modified after being signed. This also means that the originator (e.g., sender of an e-mail message) cannot falsely deny having signed the data.

Today's computer systems store and process increasing numbers of paper-based documents in electronic form. Having documents in electronic form permits rapid processing and transmission and improves overall efficiency. However, approval of a paper document has traditionally been indicated by a written signature. What is needed, therefore, is the electronic equivalent of a written signature that can be recognized as having the same legal status as a written signature. In addition to the integrity protections, discussed above, cryptography can provide a means of linking a document with a particular person, as is done with a written signature. Electronic signatures can use either secret key or public key cryptography; however, public key methods are generally easier to use.

Cryptographic signatures provide extremely strong proof that a message has not been altered and was signed by a specific key. However, there are other mechanisms besides cryptographic-based electronic signatures that perform a similar function. These mechanisms provide some assurance of the origin of a message, some verification of the message's integrity, or both.

  • Examination of the transmission path of a message. When messages are sent across a network, such as the Internet, the message source and the physical path of the message are recorded as a part of the message. These can be examined electronically or manually to help ascertain the origin of a message.
  • Use of a value-added network provider. If two or more parties are communicating via a third party network, the network provider may be able to provide assurance that messages originate from a given source and have not been modified.
  • Acknowledgment statements. The recipient of an electronic message may confirm the message's origin and contents by sending back an acknowledgment statement.
  • Use of audit trails. Audit trails can track the sending of messages and their contents for later reference.

Simply taking a digital picture of a written signature does not provide adequate security. Such a digitized written signature could easily be copied from one electronic document to another with no way to determine whether it is legitimate. Electronic signatures, on the other hand, are unique to the message being signed and will not verify if they are copied to another document.
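The contrast drawn above between a digitized picture of a signature and a cryptographic signature can be shown in a few lines. The following is an added example, not part of the NIST Handbook text: it uses a secret-key signature (HMAC-SHA256 from Python's standard library, the "secret key cryptography" variant the handbook mentions) and a constructed byte string standing in for a scanned signature image, and checks what each one does when copied to a different document or when the signed document is altered.

```python
import hashlib
import hmac

# Constructed shared secret for the demo; a real key comes from key management.
KEY = b"constructed-demo-key-not-for-production-use"


def sign(key: bytes, message: bytes) -> bytes:
    """Secret-key electronic signature: an HMAC-SHA256 tag bound to this message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, signature: bytes) -> bool:
    """Recompute the tag for the message presented and compare in constant time."""
    return hmac.compare_digest(sign(key, message), signature)


# A digitized written signature is a fixed blob of bytes (constructed stand-in
# for PNG data). Nothing in it depends on the document it is attached to.
SIGNATURE_IMAGE = b"constructed-png-bytes-of-a-handwritten-signature"


def image_signature_present(document: bytes, attached_image: bytes) -> bool:
    """The only check possible for a pasted image: is the expected blob attached?"""
    return attached_image == SIGNATURE_IMAGE


def demo() -> dict:
    """Exercise both mechanisms on two constructed documents; returns the outcomes."""
    order = b"Transfer $500 to account 1234"
    other = b"Transfer $50000 to account 9999"
    sig = sign(KEY, order)
    return {
        # cryptographic signature: only the original, unmodified message verifies
        "genuine": verify(KEY, order, sig),
        "copied_to_other_document": verify(KEY, other, sig),
        "modified_after_signing": verify(KEY, order + b" (approved)", sig),
        # pasted image: "verifies" on any document it is copied to
        "image_on_original": image_signature_present(order, SIGNATURE_IMAGE),
        "image_copied_to_other_document": image_signature_present(other, SIGNATURE_IMAGE),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Because the HMAC key is shared by signer and verifier, this variant gives integrity and origin assurance between the two parties but not the non-repudiation the handbook attributes to signatures; a public-key signature is needed for a recipient to prove to a third party who signed.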

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
