R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 1, 2015

Newsletter Contents: FFIEC IT Security - Web Site Audits - Web Site Compliance - NIST Handbook - Penetration Testing
Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Insurer sues web designer in bank breach - In an effort to shift financial responsibility for a data breach at a community bank, Travelers Casualty and Surety Co. of America has filed suit against the bank's web designer, claiming its negligence and “substandard” maintenance of a website set the stage for a breach. http://www.scmagazine.com/travelers-accuses-web-firm-of-shoddy-practices/article/394588/

FYI - FCC warns businesses: Wi-Fi blocking prohibited - After paying a $600,000 fine for blocking guests' personal Wi-Fi networks, Marriott International said it still wanted clarification from the Federal Communications Commission (FCC) on the matter. http://www.scmagazine.com/fcc-warns-businesses-wi-fi-blocking-prohibited/article/394998/

FYI - Study: 11 percent of banking-related Android apps flagged suspicious - Security firm tested more than 350,000 Android apps used for banking-related purposes and found that more than 11 percent were suspicious. http://www.scmagazine.com/study-11-percent-of-banking-related-android-apps-flagged-suspicious/article/393989/

FYI - Judge gives Home Depot till July to respond to class-action lawsuit allegations - Home Depot has until July to respond to lawsuit allegations surrounding the retailer's major data breach this past summer, a judge determined in a Georgia court hearing. http://www.scmagazine.com/lawsuit-deadlines-established-in-first-home-depot-hearing/article/393985/

FYI - Doubts Persist Over North Korean Link to Sony Hack Despite NSA Claim - Despite documents showing the U.S. National Security Agency has infiltrated North Korean networks, security experts continue to doubt the country orchestrated the cyber-attack on Sony Pictures. http://www.eweek.com/security/doubts-persist-over-north-korean-link-to-sony-hack-despite-nsa-claim.html

FYI - NSA Report: How To Defend Against Destructive Malware - In the wake of the Sony breach, spy agency's Information Assurance Directorate (IAD) arm provides best practices to mitigate damage of data annihilation attacks. http://www.darkreading.com/attacks-breaches/nsa-report-how-to-defend-against-destructive-malware/d/d-id/1318734

FYI - Australian traffic lights need better security says auditor-general - The Auditor-General of the Australian State of New South Wales (NSW) and the state's roads bureaucrats are at loggerheads over whether or not traffic signal infrastructure is vulnerable to attacks over the Internet. http://www.theregister.co.uk/2015/01/22/nsw_traffic_lights_need_better_infosec_auditorgeneral/

FYI - Fuel tank gauges vulnerable to attackers - The serial port interfaces of nearly 6,000 automated tank gauges (ATG) — 5,300 of them in the U.S. — aren't password protected, leaving them vulnerable to attackers, who with access to the interfaces, could shut down filling stations across the country. http://www.scmagazine.com/fuel-tank-gauges-vulnerable-to-attackers/article/394252/

FYI - Most U.S. weapons programs contain 'significant vulnerabilities' - An annual report released by the Pentagon's chief weapons tester indicates that a majority of the government's weapons programs contain “significant vulnerabilities.” http://www.scmagazine.com/report-most-us-weapons-programs-contain-significant-vulnerabilities/article/394499/

FYI - Changes made to Healthcare.gov regarding personal data sent to third parties - Changes made to the Healthcare.gov website have scaled back the amount of consumers' personal data sent to third parties. http://www.scmagazine.com/changes-made-to-healthcaregov-regarding-personal-data-sent-to-third-parties/article/394365/

FYI - China blocks virtual private network use - China has blocked several popular services that let citizens skirt state censorship systems. http://www.bbc.com/news/technology-30982198

FYI - CyberPatriot Reveals Top 28 Teams Advancing to National Finals Competition - The Air Force Association today announced 28 National Finalist teams selected to compete at the CyberPatriot National Finals Competition as the culminating event of the seventh season of the nation's largest youth cyber defense competition. http://www.prnewswire.com/news-releases/cyberpatriot-reveals-top-28-teams-advancing-to-national-finals-competition-300025297.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Two Illinois teenage students reportedly face felony charges for hacking - Two male teenagers face felony charges after authorities alleged that the 16-year-old Bartlett High School students in Illinois hacked into their school's computer system. http://www.scmagazine.com/two-illinois-teenage-students-reportedly-face-felony-charges-for-hacking/article/393724/

FYI - Grill parts website experiences system intrusion, payment card breach - Florida-based Barbecue Renew – which sells grill parts through its website www.grillparts.com – is notifying an undisclosed number of individuals that their payment card data may have been compromised as a result of a series of cyber attacks on its web server. http://www.scmagazine.com/grill-parts-website-experiences-system-intrusion-payment-card-breach/article/394116/

FYI - 20 million users' information compromised on Russian dating site - The personal information of up to 20 million users on a Russian dating site could be at-risk after their email addresses and usernames were stolen and put up for sale online. http://www.scmagazine.com/user-data-compromised-on-russian-dating-site-topface/article/394501/

FYI - Albany health system notifies more than 5,000 patients of data breach - Albany, NY-based St. Peter's Health Partners is notifying more than 5,000 patients at St. Peter's Medical Associates P.C., one of the system's physician groups, that a manager's cell phone – which contained their personal information – was stolen. http://www.scmagazine.com/albany-health-system-notifies-more-than-5000-patients-of-data-breach/article/394364/

FYI - Spam Campaign Business E-mail Compromise Pilfers $215 Million - The FBI and Internet Crime Complaint Center warns of a very profitable spam campaign that has already claimed more than 2,000 victims globally. http://www.eweek.com/security/spam-campaign-business-e-mail-compromise-pilfers-215-million.html

FYI - Malaysia Airlines website 'compromised' by hackers - Hackers claiming to be from the "Lizard Squad - Official Cyber Caliphate" group have attacked the official website of Malaysia Airlines. http://www.bbc.com/news/world-asia-30978299

FYI - Former California pharmacist employee accessed data without business or treatment purpose - California Pacific Medical Center (CPMC) is notifying more than 800 patients that a former pharmacist employee may have accessed their records without a business or treatment purpose. http://www.scmagazine.com/former-california-pharmacist-employee-accessed-data-without-business-or-treatment-purpose/article/394624/

FYI - Malware infects payment card system at French Lick Resort - Indiana-based French Lick Resort announced on Tuesday that malware had infected its payment card system, and any guest who used their credit and debit cards at any venue at the resort between April 23, 2014, and Jan. 21 may have had their personal information compromised. http://www.scmagazine.com/malware-infects-payment-card-system-at-french-lick-resort/article/395040/


WEB SITE COMPLIANCE - Over the next 12 weeks we will cover the recently released FDIC Supervisory Insights regarding Incident Response Programs.  (1 of 12)

Incident Response Programs:  Don't Get Caught Without One


Everyone is familiar with the old adage "Time is money." In the Information Age, data may be just as good. Reports of data compromises and security breaches at organizations ranging from universities and retail companies to financial institutions and government agencies provide evidence of the ingenuity of Internet hackers, criminal organizations, and dishonest insiders obtaining and profiting from sensitive customer information. Whether a network security breach compromising millions of credit card accounts or a lost computer tape containing names, addresses, and Social Security numbers of thousands of individuals, a security incident can damage corporate reputations, cause financial losses, and enable identity theft.

Banks are increasingly becoming prime targets for attack because they hold valuable data that, when compromised, may lead to identity theft and financial loss. This environment places significant demands on a bank's information security program to identify and prevent vulnerabilities that could result in successful attacks on sensitive customer information held by the bank. The rapid adoption of the Internet as a delivery channel for electronic commerce coupled with prevalent and highly publicized vulnerabilities in popular hardware and software have presented serious security challenges to the banking industry. In this high-risk environment, it is very likely that a bank will, at some point, need to respond to security incidents affecting its customers.

To mitigate the negative effects of security breaches, organizations are finding it necessary to develop formal incident response programs (IRPs).  However, at a time when organizations need to be most prepared, many banks are finding it challenging to assemble an IRP that not only meets minimum requirements (as prescribed by Federal bank regulators), but also provides for an effective methodology to manage security incidents for the benefit of the bank and its customers. In response to these challenges, this article highlights the importance of IRPs to a bank's information security program and provides information on required content and best practices banks may consider when developing effective response programs.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

BUSINESS CONTINUITY CONSIDERATIONS

Events that trigger the implementation of a business continuity plan may have significant security considerations. Depending on the event, some or all of the elements of the security environment may change. Different people may be involved in operations, at a different physical location, using similar but different machines and software which may communicate over different communications lines. Depending on the event, different tradeoffs may exist between availability, integrity, confidentiality, and accountability, with a different appetite for risk on the part of management.

Business continuity plans should be reviewed as an integral part of the security process. Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the institution in the event the continuity plans must be implemented. The implementation should consider the training of appropriate personnel in their security roles, and the implementation and updating of technologies and plans for back-up sites and communications networks. Testing these security considerations should be integrated with the testing of business continuity plan implementations.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.2.3.1 Secret Key Electronic Signatures

An electronic signature can be implemented using secret key message authentication codes (MACs). For example, if two parties share a secret key, and one party receives data with a MAC that is correctly verified using the shared key, that party may assume that the other party signed the data. This assumes, however, that the two parties trust each other. Thus, through the use of a MAC, in addition to data integrity, a form of electronic signature is obtained. Using additional controls, such as key notarization and key attributes, it is possible to provide an electronic signature even if the two parties do not trust each other.

Systems incorporating message authentication technology have been approved for use by the federal government as a replacement for written signatures on electronic documents.

19.2.3.2 Public Key Electronic Signatures

Another type of electronic signature called a digital signature is implemented using public key cryptography. Data is electronically signed by applying the originator's private key to the data. (The exact mathematical process for doing this is not important for this discussion.) To increase the speed of the process, the private key is applied to a shorter form of the data, called a "hash" or "message digest," rather than to the entire set of data. The resulting digital signature can be stored or transmitted along with the data. The signature can be verified by any party using the public key of the signer. This feature is very useful, for example, when distributing signed copies of virus-free software. Any recipient can verify that the program remains virus-free. If the signature verifies properly, then the verifier has confidence that the data was not modified after being signed and that the owner of the public key was the signer.

NIST has published standards for a digital signature and a secure hash for use by the federal government in FIPS 186, Digital Signature Standard and FIPS 180, Secure Hash Standard.
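The contrast drawn in 19.2.3.1 and 19.2.3.2 above, as an added Python example that is not part of the NIST Handbook or this newsletter: an HMAC tag that either holder of the shared key can mint, beside a hash-then-sign digital signature that only the private-key holder can produce and anyone with the public key can check. The RSA key is a constructed toy built from two publicly known primes and uses no padding, so it illustrates the arithmetic only; the sample transaction and shared key are likewise constructed.

```python
import hashlib
import hmac

# --- Secret-key electronic signature (NIST Handbook 19.2.3.1): an HMAC tag ---
# Anyone holding the shared key, the verifier included, can produce a valid tag,
# so the tag proves origin only between two parties that trust each other.
def mac_sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_sign(key, data), tag)  # constant-time compare


# --- Public-key digital signature (19.2.3.2): hash-then-sign, textbook RSA ---
# Toy key built from two publicly known primes (the Mersenne primes 2^127-1 and
# 2^521-1) so the arithmetic is reproducible. A real key uses secret random
# primes and a padding scheme such as RSA-PSS; this key must never be reused.
P, Q = (1 << 127) - 1, (1 << 521) - 1
PUBLIC_KEY = (P * Q, 65537)                                # (n, e): shared freely
PRIVATE_KEY = (P * Q, pow(65537, -1, (P - 1) * (Q - 1)))  # (n, d): signer only


def message_digest(data: bytes) -> int:
    # The private key is applied to this short digest rather than to all the data.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rsa_sign(priv: tuple, data: bytes) -> int:
    n, d = priv
    return pow(message_digest(data), d, n)


def rsa_verify(pub: tuple, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == message_digest(data)  # digest comes back iff d was used


def demo() -> dict:
    # Constructed sample transaction and shared key.
    msg, key = b"transfer 100 USD to account 4242", b"shared-secret-key"
    tag, sig = mac_sign(key, msg), rsa_sign(PRIVATE_KEY, msg)
    other = b"transfer 900 USD to account 4242"
    return {
        "mac_verifies": mac_verify(key, msg, tag),
        # The receiver holds the same key, so it can mint a tag for any message:
        # a MAC alone cannot settle a dispute between the two key holders.
        "receiver_can_forge_mac": mac_verify(key, other, mac_sign(key, other)),
        "sig_verifies": rsa_verify(PUBLIC_KEY, msg, sig),
        "sig_detects_tampering": rsa_verify(PUBLIC_KEY, other, sig),
    }
```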

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated