FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, agreement and, cost saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - NSA chief: Encryption is here to stay - National Security Agency Director Adm. Michael Rogers on Thursday insisted “encryption is foundational to the future.” http://thehill.com/policy/cybersecurity/266624-nsa-chief-encryption-is-foundational-to-the-future

FYI - Dridex trojan targeting UK banks with Dyre-like 'redirection' techniques - Researchers from IBM Security have revealed that a new variant of the Dridex malware has taken inspiration from the Dyre banking Trojan and is launching attacks on UK bank accounts. http://www.v3.co.uk/v3-uk/news/2442758/dridex-trojan-targeting-uk-banks-with-dyre-like-redirection-techniques

FYI - 64 percent of IT execs think achieving basic compliance will stop most breaches - In a survey of large enterprises, 64 percent of more than 1,100 senior IT executives believe that simply meeting cybersecurity compliance requirements, as opposed to striving for best practices, is “very” or “extremely” effective at preventing data breaches. http://www.scmagazine.com/survey-64-percent-of-it-execs-think-achieving-basic-compliance-will-stop-most-breaches/article/466925/

FYI - Cyber Hit on China-Owned Boeing Supplier Sends Stock Down 19% - Cyberfraud sent shares of Austria’s FACC AGto their steepest drop since the supplier of parts to Boeing Co.and Airbus Group SE began trading in 2014. The company put damages at 50 million euros ($55 million) -- one of biggest losses after a hacking event for its size. http://www.bloomberg.com/news/articles/2016-01-20/cyberattack-sends-shares-of-aerospace-supplier-facc-19-lower

FYI - Survey says: Data breaches in other industries will damage financial institutions - Respondents to a new survey from Silicon Valley-based software company FICO unanimously agreed: Data breaches this year in other industries will damage financial institutions. http://www.scmagazine.com/survey-says-data-breaches-in-other-industries-will-damage-financial-institutions/article/467086/

FYI - U.S. Supreme Court affirms Exel exec's hacking conviction - The felony conviction of former Exel Transportation Services (ETS) President, who used the information he pilfered from his former employer to start a new company, still stands, the U.S. Supreme Court said Monday. http://www.scmagazine.com/us-supreme-court-affirms-exel-execs-hacking-conviction/article/467253/

FYI - Advocacy groups call for repeal Cybersecurity Act of 2015 - A coalition that includes the American Civil Liberties Union (ACLU), FreedomWorks, and other digital privacy advocacy groups sent a letter to members of the U.S. House of Representatives urging them to support a bipartisan bill that would repeal the Cybersecurity Act of 2015. http://www.scmagazine.com/conservative-liberal-groups-pen-letter-to-repeal-cybersecurity-act-of-2015/article/467509/

FYI - Feds say 'Oops!' in anti-hacking deal - An update to an international accord potentially opens everyone to attacks, something the US government didn't figure out until after it was signed. To fight hackers and oppressive rulers, the US government updated a deal with 40 countries last May to keep dangerous software from moving from one nation to another. http://www.cnet.com/news/hacking-deal-in-dispute-as-the-world-tries-to-control-dangerous-hacking-tools/

FYI - Apple can read your iMessages despite them being encrypted - Despite Apple taking a pro-encryption stance, with its CEO insisting that iMessages are safely encrypted, it turns out that if users backup data using iCloud Backup, they need to be aware that although Apple stores the backup in encrypted form, it uses its own key. http://www.scmagazine.com/apple-can-read-your-imessages-despite-them-being-encrypted/article/467675/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Ukraine energy utilities attacked again with open source Trojan backdoor - Macro phish attempts to hook BlackEnergy borscht and battered sector - Battered Ukrainian electricity utilities are being targeted with backdoors in attacks possibly linked to those fingered for recent blackouts.
http://www.theregister.co.uk/2016/01/21/ukraine_energy_utilities_attacked_again_with_open_source_trojan_backdoor/
http://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/

FYI - San Diego County employees data mistakenly sent to Wells Fargo - San Diego Country, California employees mistakenly had their personal information, to include Social Security numbers, forwarded to Wells Fargo late last year. http://www.scmagazine.com/san-diego-county-employees-data-mistakenly-sent-to-wells-fargo/article/466905/

FYI - FACC AG, Belgian bank fall victim to BEC - An aircraft components designer and a Belgian bank were the latest victims of the business email compromise (BEC) scam, prompting the IC3 to issue an alert.
http://www.scmagazine.com/facc-ag-belgian-bank-fall-victim-to-bec/article/467260/
http://www.zdnet.com/article/university-of-virginia-data-breach-exposed-financial-data/

FYI - University of Virginia hit with Phishing scam, 1,400 affected - The University of Virginia (UVA) suffered a data breach that was initiated via a phishing scam that revealed the tax and banking data of some of the school's employees. http://www.scmagazine.com/university-of-virginia-hit-with-phishing-scam-1400-affected/article/467224/

FYI - Flint hospital hit with cyber attack after Anonymous threatens action - Hurley Medical Center in Flint, Mich. was hit by a cyber attack Thursday, one day after the hacktivist group, Anonymous, threatened to take action for the city's water crisis in a YouTube video. http://www.scmagazine.com/flint-medical-center-hit-with-cyber-attack-following-anonymous-call-for-action-against-gov-snyder/article/466912/

FYI - N.Y. state police uncover horseracing hack for inside information - A former jockey agent has been charged by the District Attorney of Queens County, New York, with illegally accessing the New York Racing Association's (NYRA) computer system to obtain information that would help him find horses for his jockey to race. http://www.scmagazine.com/ny-state-police-uncover-horseracing-hack-for-inside-information/article/467683/

FYI - Missing drives contained PHI on 950K Centene customers - Six hard drives containing personal and health information on clients of health insurance company Centene Corp. have gone missing. http://www.scmagazine.com/missing-drives-contained-phi-on-950k-centene-customers/article/467860/

FYI - Lawsuit dismissed in Georgia after state admits to massive breach - Plaintiffs in Atlanta had a class-action lawsuit dismissed on Monday following the state's acknowledgement it had put at risk the data of six million voters. http://www.scmagazine.com/lawsuit-dismissed-in-georgia-after-state-admits-to-massive-breach/article/467701/

FYI - NCH Healthcare suffers data breach - NCH Healthcare Systems, which operates two hospitals in the Naples, Fla. area, notified employees and medical staff last week that two servers containing some personal information were accessed by unauthorized personnel. http://www.scmagazine.com/nch-healthcare-suffers-data-breach/article/469192/

Return to the top of the newsletter

WEB SITE COMPLIANCE - This week concludes our series on the FDIC's Supervisory Policy on Identity Theft.  (Part 6 of  6)
 
 President’s Identity Theft Task Force
 
 On May 10, 2006, the President issued an executive order establishing an Identity Theft Task Force (Task Force). The Chairman of the FDIC is a principal member of the Task Force and the FDIC is an active participant in its work. The Task Force has been charged with delivering a coordinated strategic plan to further improve the effectiveness and efficiency of the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution. On September 19, 2006, the Task Force adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft. Among other things, these recommendations dealt with data breach guidance to federal agencies, alternative methods of "authenticating" identities, and reducing access of identity thieves to Social Security numbers. The final strategic plan is expected to be publicly released soon.
 
 Conclusion
 
 Financial institutions have an affirmative and continuing obligation to protect the privacy of customers' nonpublic personal information. Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing fraud with that data are continuously evolving. The FDIC treats the theft of personal financial information as a significant risk area due to its potential to impact the safety and soundness of an institution, harm consumers, and undermine confidence in the banking system and economy. The FDIC believes that its collaborative efforts with the industry, the public and its fellow regulators will significantly minimize threats to data security and consumers.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 INFORMATION SECURITY RISK ASSESSMENT
 
 KEY STEPS
 
 Common elements of risk assessment approaches involve three phases: information gathering, analysis, and prioritizing responses. Vendor concerns add additional elements to the process.
 
 INFORMATION GATHERING
 
 Identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution's risk environment. Once gathered, the information can be catalogued to facilitate later analysis. Information gathering generally includes the following actions:
 
 1)  Obtaining listings of information system assets (e.g., data, software, and hardware). Inventories on a device - by - device basis can be helpful in risk assessment as well as risk mitigation. Inventories should consider whether data resides in house or at a TSP.
 
 2)  Determining threats to those assets, resulting from people with malicious intent, employees and others who accidentally cause damage, and environmental problems that are outside the control of the organization (e.g., natural disasters, failures of interdependent infrastructures such as power, telecommunications, etc.).
 
 3)  Identifying organizational vulnerabilities (e.g., weak senior management support, ineffective training, inadequate expertise or resource allocation, and inadequate policies, standards, or procedures).
 
 4)  Identifying technical vulnerabilities (e.g., vulnerabilities in hardware and software, configurations of hosts, networks, workstations, and remote access).
 
 5)  Documenting current controls and security processes, including both information technology and physical security.
 
 6)  Identifying security requirements and considerations (e.g., GLBA).
 
 7)  Maintaining the risk assessment process requires institutions to review and update their risk assessment at least once a year, or more frequently in response to material changes in any of the six actions above.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Section II. Management Controls Chapter 5
 
 COMPUTER SECURITY POLICY
 
 In discussions of computer security, the term policy has more than one meaning. Policy is senior management's directives to create a computer security program, establish its goals, and assign responsibilities. The term policy is also used to refer to the specific security rules for particular systems. Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy. 
 
 Policy means different things to different people. The term "policy" is used in this chapter in a broad manner to refer to important computer security-related decisions.
 
 In this chapter the term computer security policy is defined as the "documentation of computer security decisions"-which covers all the types of policy described above. In making these decisions, managers face hard choices involving resource allocation, competing objectives, and organizational strategy related to protecting both technical and information resources as well as guiding employee behavior. Managers at all levels make choices that can result in policy, with the scope of the policy's applicability varying according to the scope of the manager's authority. In this chapter we use the term policy in a broad manner to encompass all of the types of policy described above-regardless of the level of manager who sets the particular policy.
 
 Managerial decisions on computer security issues vary greatly. To differentiate among various kinds of policy, this chapter categorizes them into three basic types:
 
 1)  Program policy is used to create an organization's computer security program.
 2)  Issue-specific policies address specific issues of concern to the organization.
 3)  System-specific policies focus on decisions taken by management to protect a particular system.
 
 Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization.
 
 Familiarity with various types and components of policy will aid managers in addressing computer security issues important to the organization. Effective policies ultimately result in the development and implementation of a better computer security program and better protection of systems and information.
 These types of policy are described to aid the reader's understanding. It is not important that one categorizes specific organizational policies into these three categories; it is more important to focus on the functions of each.