FYI - Dr. Christina Handley Named OCC Chief Information Officer - The Office of the Comptroller of the Currency today announced the selection of Dr. Christina Handley to be the agency's Chief Information Officer, effective March 1, 2020.
www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-13.html

February 3, 2020 - from The Wall Street Journal - New Tech Leader at FDIC Works on Upgrading IT - Sylvia Burns, promoted from deputy CIO to CIO, aims to test use of AI to boost bank examiners' productivity. Is this possible? The full article is available on www.WSJ.com.

Cybersecurity lacking at most of the world's major airports - When it comes to cybersecurity, Amsterdam, Helsinki and Dublin were ranked the three safest airports by Immuniweb, but overall these facilities fared poorly when it came to protecting their websites, mobile platforms and systems.
https://www.scmagazine.com/home/security-news/cybersecurity-lacking-at-most-of-the-worlds-major-airports/

US DOI halts operations for its entire drone fleet over Chinese cybersecurity concerns - The US Department of the Interior (DOI) has halted the operations of its entire drone fleet except in emergency situations, as the department wants to review whether the drones manufactured by "designated foreign-owned companies" are a threat to national security.
https://www.zdnet.com/article/us-doi-halts-operations-for-its-entire-drone-fleet-over-cybersecurity-concerns/

Regis Paid Ransom to Cyberattackers - Regis University suffered a crippling cyberattack last year just as students returned to campus for the fall semester. IT leaders at the private university in Denver revealed for the first time this week that the attack was a ransomware attack and that they paid the ransom in hopes of restoring access to their network.
https://www.insidehighered.com/quicktakes/2020/01/30/regis-paid-ransom-cyberattackers

Compliance: Watch your step! - It's no secret that Fortune 1000 CISOs struggle with compliance, but the pitfalls that fuel the most fury aren't typically the ones with regulators (although regulator arguments do come in a close second).
https://www.scmagazine.com/home/security-news/features/watch-your-step/

Pentagon issues long-awaited cyber framework for Defense industry - The Defense Department on Friday published a set of sweeping cybersecurity standards that will begin to be incorporated into Defense contracts later this year, marking a major milestone in an overhaul of its procedures for enforcing IT security in its industrial base.
https://federalnewsnetwork.com/defense-main/2020/01/pentagon-issues-long-awaited-cyber-framework-for-defense-industry/

Cybersecurity executive changes over the years - February 4, 2020 - Yassir Abousselham was named Splunk's new Chief Information Security Officer. Previously, Abousselham was CISO at Okta. In his new role he will report to Splunk CTO Tim Tully.
https://www.scmagazine.com/home/security-news/corporate-news/cybersecurity-executive-changes-2/

Philips WiFi light bulb vulnerable to attack - The light given off by some WiFi light bulbs may expose more than just a dark room, as Check Point researchers have found a vulnerability in Philips Hue smart bulbs and bridge enabling them to remotely infiltrate the device.
https://www.scmagazine.com/home/security-news/iot/philips-wifi-light-bulb-vulnerable-to-attack/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - DOD contractor suffers ransomware infection - Electronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US government contractor, has suffered a ransomware infection, ZDNet has learned.
https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/

UN didn't patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it - The United Nations' European headquarters in Geneva and Vienna were hacked last summer, putting thousands of staff records at miscreants' fingertips. Incredibly, the organization decided to cover it up without informing those affected nor the public.
https://www.theregister.co.uk/2020/01/29/un_covered_up_hack/

Fake Exec Tricks New York City Medical Center into Sharing Patient Info - An employee at a New York City medical center was tricked into giving out patient information by a threat actor purporting to be one of the facility's executives.
https://www.infosecurity-magazine.com/news/fake-exec-tricks-new-york-city/

Ransomware knocks city of Racine offline - The city of Racine, Wis., was hit with a ransomware attack January 31 that knocked most of its non-emergency computer services offline.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-knocks-racine-city-offline/

Maze Ransomware Hits Law Firms and French Giant Bouygues - Cyber-criminals behind the Maze ransomware attacks have claimed several more scalps over the past few days, including five law firms and a French industrial giant, all of which are thought to have had sensitive internal data stolen.
https://www.infosecurity-magazine.com/news/maze-ransomware-law-firms-french/

'Cyber security incident' takes its Toll on Aussie delivery giant as box-tracking boxen yanked offline - Australian courier company Toll has shut down several of its key systems after a "security incident" last week, prompting a backlash from frustrated customers.
https://www.theregister.co.uk/2020/02/03/toll_group_security_incident_australia/

Japanese company NEC confirms 2016 security breach - NEC needed seven months to discover the hack, and did not disclose it publicly.
https://www.zdnet.com/article/japanese-company-nec-confirms-2016-security-breach/
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 3 of 3)

Responding to E-Mail and Internet-Related Fraudulent Schemes

Financial institutions should consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes. Enhancements may include:

- Incorporating notification procedures to alert customers of known e-mail and Internet-related fraudulent schemes and to caution them against responding;
- Establishing a process to notify Internet service providers, domain name-issuing companies, and law enforcement to shut down fraudulent Web sites and other Internet resources that may be used to facilitate phishing or other e-mail and Internet-related fraudulent schemes;
- Increasing suspicious activity monitoring and employing additional identity verification controls;
- Offering customers assistance when fraud is detected in connection with customer accounts;
- Notifying the proper authorities when e-mail and Internet-related fraudulent schemes are detected, including promptly notifying their FDIC Regional Office and the appropriate law enforcement agencies; and
- Filing a Suspicious Activity Report when incidents of e-mail and Internet-related fraudulent schemes are suspected.

Steps Financial Institutions Can Take to Mitigate Risks Associated With E-Mail and Internet-Related Fraudulent Schemes

To help mitigate the risks associated with e-mail and Internet-related fraudulent schemes, financial institutions should implement appropriate information security controls as described in the Federal Financial Institutions Examination Council's (FFIEC) "Information Security Booklet." Specific actions that should be considered to prevent and deter e-mail and Internet-related fraudulent schemes include:

- Improving authentication methods and procedures to protect against the risk of user ID and password theft from customers through e-mail and other frauds;
- Reviewing and, if necessary, enhancing practices for protecting confidential customer data;
- Maintaining current Web site certificates and describing how customers can authenticate the financial institution's Web pages by checking the properties on a secure Web page;
- Monitoring accounts individually or in aggregate for unusual account activity such as address or phone number changes, a large or high volume of transfers, and unusual customer service requests;
- Monitoring for fraudulent Web sites using variations of the financial institution's name;
- Establishing a toll-free number for customers to verify requests for confidential information or to report suspicious e-mail messages; and
- Training customer service staff to refer customer concerns regarding suspicious e-mail request activity to security staff.
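The account-monitoring step above (contact-detail changes, large or high-volume transfers, checked per account and in aggregate) as an added example; this is illustrative code written for this newsletter, not from the FFIEC guidance. The event format, the thresholds and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the demo, not values from the guidance.
LARGE_AMOUNT = 10000                 # a single transfer this size is "large"
MAX_TRANSFERS_24H = 1                # more than this in 24 hours is "high volume"
CHANGE_WINDOW = timedelta(hours=72)  # transfer this soon after a contact change

# Constructed sample event stream, as a core banking system might emit it.
EVENTS = [
    {"acct": "A1", "ts": "2020-02-03T09:00", "type": "phone_change", "value": "555-0100"},
    {"acct": "A1", "ts": "2020-02-03T11:30", "type": "transfer", "amount": 4800},
    {"acct": "A1", "ts": "2020-02-03T11:45", "type": "transfer", "amount": 4900},
    {"acct": "A2", "ts": "2020-02-03T10:00", "type": "transfer", "amount": 120},
    {"acct": "A3", "ts": "2020-02-04T08:00", "type": "phone_change", "value": "555-0100"},
    {"acct": "A4", "ts": "2020-02-04T09:00", "type": "transfer", "amount": 25000},
]

def _when(event):
    return datetime.fromisoformat(event["ts"])

def review_events(events):
    """Return sorted (account, reason) alerts from individual and aggregate rules."""
    alerts = set()
    by_acct = defaultdict(list)
    for e in sorted(events, key=_when):
        by_acct[e["acct"]].append(e)
    # Individual monitoring: patterns within one account.
    for acct, evs in by_acct.items():
        changes = [_when(e) for e in evs if e["type"] in ("phone_change", "address_change")]
        transfers = [e for e in evs if e["type"] == "transfer"]
        times = [_when(t) for t in transfers]
        for t in transfers:
            if t["amount"] >= LARGE_AMOUNT:
                alerts.add((acct, "large transfer"))
            if any(timedelta(0) <= _when(t) - c <= CHANGE_WINDOW for c in changes):
                alerts.add((acct, "transfer soon after contact change"))
        for start in times:
            if sum(start <= x <= start + timedelta(hours=24) for x in times) > MAX_TRANSFERS_24H:
                alerts.add((acct, "high transfer volume"))
    # Aggregate monitoring: one new phone number applied to several accounts.
    accts_by_phone = defaultdict(set)
    for e in events:
        if e["type"] == "phone_change":
            accts_by_phone[e["value"]].add(e["acct"])
    for accts in accts_by_phone.values():
        if len(accts) > 1:
            alerts.update((a, "shared new phone number") for a in accts)
    return sorted(alerts)
```

The aggregate rule is the one a per-account view misses: account A3 on its own looks quiet, but it shares its new phone number with A1, which is the pattern the guidance's "in aggregate" wording points at.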
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems (IDS) (Part 3 of 4)

Some network IDS units allow the IP addresses associated with certain signatures to be automatically blocked. Financial institutions that use that capability run the risk of an attacker sending attack packets that falsely report the sending IP addresses as that of service providers and others that the institution needs to continue offering service, thereby creating a denial-of-service situation. To avoid such a situation, the institution also may implement a list of IP addresses that should not be blocked by the IDS.
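The never-block list described above, as an added example (illustrative code written for this newsletter, not from the booklet or any IDS product). The alert tuples, the address ranges and the hit threshold are constructed assumptions; the protected ranges stand in for the service providers the institution cannot afford to cut off.

```python
import ipaddress
from collections import Counter

# Never-block list: sources the institution must keep reachable no matter what
# the packets claim (constructed sample ranges; in practice core service
# providers, clearing partners, DNS resolvers and the like).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
BLOCK_THRESHOLD = 3  # signature hits from one source before an automatic block (assumed)

# Constructed sample alerts: (source IP as written in the packet, signature id).
# The second source sits inside a protected range; since a source address can
# be forged, blocking on it would let an attacker cut off a real provider.
ALERTS = [
    ("192.0.2.10", "sig-1001"), ("192.0.2.10", "sig-1001"), ("192.0.2.10", "sig-1002"),
    ("198.51.100.25", "sig-1001"), ("198.51.100.25", "sig-1001"), ("198.51.100.25", "sig-1003"),
    ("192.0.2.77", "sig-1001"),
]

def is_protected(ip):
    """True when ip falls inside any never-block network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)

def auto_block_decisions(alerts, threshold=BLOCK_THRESHOLD):
    """Return (blocked, suppressed): sources to block automatically, and sources
    that crossed the threshold but are exempt because blocking them would cause
    the self-inflicted denial of service the booklet warns about. Suppressed
    entries should still be raised to an analyst rather than silently dropped."""
    counts = Counter(src for src, _sig in alerts)
    blocked, suppressed = [], []
    for src, hits in counts.items():
        if hits < threshold:
            continue
        (suppressed if is_protected(src) else blocked).append(src)
    return sorted(blocked), sorted(suppressed)
```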
Hosts also use a signature-based method. One such method creates a hash of key binaries, and periodically compares a newly generated hash against the original hash. Any mismatch signals a change to the binary, a change that could be the result of an intrusion. Successful operation of this method involves protection of the original binaries from change or deletion, and protection of the host that compares the hashes. If attackers can substitute a new hash for the original, an attack may not be identified. Similarly, if an attacker can alter the host performing the comparison so that it will report no change in the hash, an attack may not be identified.
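The hash-comparison method above, as an added example (illustrative code written for this newsletter, not from the booklet). It also shows one way to cover the first failure the booklet names, a substituted hash: the baseline table is sealed with an HMAC under a key that is assumed to live off the host, so a hash edited to match an altered binary no longer verifies. The file names, contents and key are constructed.

```python
import hashlib, hmac, json, os, tempfile

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_baseline(paths, key):
    """Hash each key binary and seal the table with an HMAC; the key is assumed
    to be held off the monitored host (e.g. on the comparison host)."""
    table = {p: file_digest(p) for p in paths}
    body = json.dumps(table, sort_keys=True).encode()
    return {"table": table, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(baseline, key):
    """Return a list of findings; empty means every binary matches its baseline."""
    body = json.dumps(baseline["table"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        return ["baseline tampered: HMAC mismatch"]
    findings = []
    for path, digest in baseline["table"].items():
        if not os.path.exists(path):
            findings.append(f"{path}: missing")
        elif file_digest(path) != digest:
            findings.append(f"{path}: hash mismatch")
    return findings

def demo():
    """Constructed scenario: a binary is altered, then its baseline hash is
    'fixed up' to the new value without knowledge of the sealing key."""
    key = b"constructed-demo-key-kept-off-host"
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("sshd", "login")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
    base = make_baseline(paths, key)
    clean = verify(base, key)
    with open(paths[0], "wb") as f:
        f.write(b"modified sshd")
    altered = verify(base, key)
    base["table"][paths[0]] = file_digest(paths[0])   # substitute the new hash
    forged = verify(base, key)
    return clean, altered, forged
```

Sealing the table answers the substituted-hash case only; the booklet's second case, a subverted comparison host, is why the comparison itself belongs on a separate trusted system rather than on the host being checked.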
An additional host-based signature method monitors the application program interfaces for unexpected or unwanted behavior, such as a Web server calling a command line interface.

Attackers can defeat host-based IDS systems using loadable kernel modules, or LKMs. An LKM is software that attaches itself to the operating system kernel. From there, it can redirect and alter communications and processing. With the proper LKM, an attacker can force a comparison of hashes to always report a match and provide the same cryptographic fingerprint of a file, even after the source file was altered. LKMs can also hide the use of the application program interfaces. Detection of LKMs is extremely difficult and is typically done through another LKM.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 4.5 Malicious Hackers

The term malicious hackers, sometimes called crackers, refers to those who break into computers without authorization. They can include both outsiders and insiders. Much of the rise of hacker activity is often attributed to increases in connectivity in both government and industry. One 1992 study of a particular Internet site (i.e., one computer system) found that hackers attempted to break in once at least every other day.

The hacker threat should be considered in terms of past and potential future damage. Although current losses due to hacker attacks are significantly smaller than losses due to insider theft and sabotage, the hacker problem is widespread and serious. One example of malicious hacker activity is that directed against the public telephone system.

Studies by the National Research Council and the National Security Telecommunications Advisory Committee show that hacker activity is not limited to toll fraud. It also includes the ability to break into telecommunications systems (such as switches), resulting in the degradation or disruption of system availability. While unable to reach a conclusion about the degree of threat or risk, these studies underscore the ability of hackers to cause serious damage.

The hacker threat often receives more attention than more common and dangerous threats. The U.S. Department of Justice's Computer Crime Unit suggests three reasons for this.

First, the hacker threat is a more recently encountered threat. Organizations have always had to worry about the actions of their own employees and could use disciplinary measures to reduce that threat. However, these measures are ineffective against outsiders who are not subject to the rules and regulations of the employer.

Second, organizations do not know the purposes of a hacker -- some hackers browse, some steal, some damage. This inability to identify purposes can suggest that hacker attacks have no limitations.

Third, hacker attacks make people feel vulnerable, particularly because their identity is unknown. For example, suppose a painter is hired to paint a house and, once inside, steals a piece of jewelry. Other homeowners in the neighborhood may not feel threatened by this crime and will protect themselves by not doing business with that painter. But if a burglar breaks into the same house and steals the same piece of jewelry, the entire neighborhood may feel victimized and vulnerable.