FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, agreement and, cost saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - California AG Says Not Adopting Critical Security Controls Indicates "Failure to Provide Reasonable Security" - Data breaches hitting more Californians - A report released Tuesday from the California Attorney General’s Office found that between 2012 and 2015, there were 657 data breaches in the state, which compromised over 49 million records of Californians’ personal information.
http://www.turlockjournal.com/section/15/article/31313/
https://www.oag.ca.gov/sites/all/files/agweb/pdfs/dbr/breachreport2016.pdf

FYI - LA hospital coughs up $17,000 to free PCs held to ransom by hackers - How to make an infection go away in US healthcare system – throw money at it - A hospital in Los Angeles, California, has paid a US$17,000 (£11,900, AU$23,800) ransom to hackers who injected its computers with malware that scrambled its files. http://www.theregister.co.uk/2016/02/18/la_hospital_bitcoins/

FYI - 41 percent of younger IT pros have hacked - A new survey of IT professionals casts light on some of the trust issues that plague the information security marketplace. http://www.scmagazine.com/report-41-percent-of-younger-it-pros-have-hacked/article/478059/

FYI - Utah systems attacked up to 300M times daily - The State of Utah, home of the National Security Agency (NSA) data center and the Hill Air Force Base, receives as many as 300,000,000 attacks per day, a local broadcast station reported. http://www.scmagazine.com/utah-systems-attacked-up-to-300m-times-daily/article/478661/

FYI - U.S. Navy charts a new course to avoid cyberattacks - The U.S. Navy may not be going back to the age of wooden ships and sails, but to defend against cyberattacks the service is stepping back from its current level of hyper-connectivity and instead looking at ways to limit which systems are networked at any given time. http://www.scmagazine.com/us-navy-charts-a-new-course-to-avoid-cyberattacks/article/478666/

FYI - Jersey man gets 30 months for sabotaging former employer's servers - The U.S. Department of Justice yesterday announced that Nikhil Nilesh Shah, 33, of Union, N.J., was sentenced to 30 months in prison for sending malicious code to the software company that formerly employed him as an information technology manager. http://www.scmagazine.com/jersey-man-gets-30-months-for-sabotaging-former-employers-servers/article/478804/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Vulnerabilities in healthcare devices show up woeful lack of security - Healthcare sector "10 to 15 years behind" in security according to expert - Healthcare security is lagging behind the rest of the security industry and will reach “breaking point” soon if action is not taken, according to a security advocate. http://www.scmagazine.com/vulnerabilities-in-healthcare-devices-show-up-woeful-lack-of-security/article/478210/

FYI - Kankakee Valley REMC breach affects more than 17K - Kankakee Valley REMC reported a possible data breach after a cybersecurity audit revealed a foreign Internet Protocol address had accessed a storage device on the cooperative's network. http://www.scmagazine.com/kankakee-valley-remc-breach-affects-more-than-17k/article/478371/

FYI - Linode probe into 2015 crack finds fake 2FA creds flaw - New API, policies and open source manager added to ward off future stolen creds attacks - Hosting outfit Linode has announced a slew of changes to its user procedures after a long analysis of the attack that led to a system-wide password reset in January. It's also determined that the breach was the result of customer credential theft. http://www.theregister.co.uk/2016/02/22/linode_lines_up_new_policy_features_after_2015s_breaches/

FYI - Linux Mint website hacked to trick users into downloading version with "backdoor" - A hacker modified a version of Linux Mint to contain a backdoor, then hacked the project's website to trick users into downloading the malicious version. http://www.zdnet.com/article/linux-mint-website-hacked-malicious-backdoor-version/

FYI - uKnowKids database error exposed info on 1.7K kids - Security Researcher Chris Vickery was accused of unethical hacking after he discovered an exposed database containing sensitive information that belonged to uKnowKids.com, an Arlington, Va.-based company that helps parents monitor their children's online activities. http://www.scmagazine.com/researcher-accused-of-unethical-hacking-after-reporting-exposed-database/article/478681/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Advertisement Of Membership
 
 The FDIC and NCUA consider every insured depository institution's online system top-level page, or "home page", to be an advertisement. Therefore, according to these agencies' interpretation of their rules, financial institutions subject to the regulations should display the official advertising statement on their home pages unless subject to one of the exceptions described under the regulations. Furthermore, each subsidiary page of an online system that contains an advertisement should display the official advertising statement unless subject to one of the exceptions described under the regulations. Additional information about the FDIC's interpretation can be found in the Federal Register, Volume 62, Page 6145, dated February 11, 1997.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 INFORMATION SECURITY RISK ASSESSMENT
 
 KEY RISK ASSESSMENT PRACTICES (1 of 2)
 
 A risk assessment is the key driver of the information security process. Its effectiveness is directly related to the following key practices:
 
 1)  Multidisciplinary and Knowledge - based Approach - A consensus evaluation of the risks and risk mitigation practices followed by the institution requires the involvement of a broad range of users, with a range of expertise and business knowledge. Not all users may have the same opinion of the severity of various attacks, the importance of various controls, and the importance of various data elements and information system components. Management should apply a sufficient level of expertise to the assessment.
 
 2)  Systematic and Central Control - Defined procedures and central control and coordination help to ensure standardization, consistency, and completeness of risk assessment policies and procedures, as well as coordination in planning and performance. Central control and coordination will also facilitate an organizational view of risks and lessons learned from the risk assessment process.
 
 3)  Integrated Process - A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls. Testing results, in turn, provide evidence to the risk assessment process that the controls selected and implemented are achieving their intended purpose. Testing can also validate the basis for accepting risks.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY

5.2.2 Basic Components of Issue-Specific Policy

As suggested for program policy, a useful structure for issue-specific policy is to break the policy into its basic components.

Issue Statement. To formulate a policy on an issue, managers first must define the issue with any relevant terms, distinctions, and conditions included. It is also often useful to specify the goal or justification for the policy - which can be helpful in gaining compliance with the policy. For example, an organization might want to develop an issue-specific policy on the use of "unofficial software," which might be defined to mean any software not approved, purchased, screened, managed, and owned by the organization. Additionally, the applicable distinctions and conditions might then need to be included, for instance, for software privately owned by employees but approved for use at work, and for software owned and used by other businesses under contract to the organization.
 
Statement of the Organization's Position. Once the issue is stated and related terms and conditions are discussed, this section is used to clearly state the organization's position (i.e., management's decision) on the issue. To continue the previous example, this would mean stating whether use of unofficial software as defined is prohibited in all or some cases, whether there are further guidelines for approval and use, or whether case-by-case exceptions will be granted, by whom, and on what basis.

Applicability. Issue-specific policies also need to include statements of applicability. This means clarifying where, how, when, to whom, and to what a particular policy applies. For example, it could be that the hypothetical policy on unofficial software is intended to apply only to the organization's own on-site resources and employees and not to contractors with offices at other locations. Additionally, the policy's applicability to employees traveling among different sites and/or working at home who need to transport and use disks at multiple sites might need to be clarified.

Roles and Responsibilities. The assignment of roles and responsibilities is also usually included in issue-specific policies. For example, if the policy permits unofficial software privately owned by employees to be used at work with the appropriate approvals, then the approval authority granting such permission would need to be stated. (Policy would stipulate, who, by position, has such authority.) Likewise, it would need to be clarified who would be responsible for ensuring that only approved software is used on organizational computer resources and, perhaps, for monitoring users in regard to unofficial software.

Compliance. For some types of policy, it may be appropriate to describe, in some detail, the infractions that are unacceptable, and the consequences of such behavior. Penalties may be explicitly stated and should be consistent with organizational personnel policies and practices. When used, they should be coordinated with appropriate officials and offices and, perhaps, employee bargaining units. It may also be desirable to task a specific office within the organization to monitor compliance.

Points of Contact and Supplementary Information. For any issue-specific policy, the appropriate individuals in the organization to contact for further information, guidance, and compliance should be indicated. Since positions tend to change less often than the people occupying them, specific positions may be preferable as the point of contact. For example, for some issues the point of contact might be a line manager; for other issues it might be a facility manager, technical support person, system administrator, or security program representative. Using the above example once more, employees would need to know whether the point of contact for questions and procedural information would be their immediate superior, a system administrator, or a computer security official.
 
Guidelines and procedures often accompany policy. The issue-specific policy on unofficial software, for example, might include procedural guidelines for checking disks brought to work that had been used by employees at other locations.

Some Helpful Hints on Policy

To be effective, policy requires visibility. Visibility aids implementation of policy by helping to ensure policy is fully communicated throughout the organization. Management presentations, videos, panel discussions, guest speakers, question/answer forums, and newsletters increase visibility. The organization's computer security training and awareness program can effectively notify users of new policies. It also can be used to familiarize new employees with the organization's policies.

Computer security policies should be introduced in a manner that ensures that management's unqualified support is clear, especially in environments where employees feel inundated with policies, directives, guidelines, and procedures. The organization's policy is the vehicle for emphasizing management's commitment to computer security and making clear their expectations for employee performance, behavior, and accountability.

To be effective, policy should be consistent with other existing directives, laws, organizational culture, guidelines, procedures, and the organization's overall mission. It should also be integrated into and consistent with other organizational policies (e.g., personnel policies). One way to help ensure this is to coordinate policies during development with other organizational offices.