FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, agreement and, cost saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - California Says Companies Should Embrace NSA-developed Data Protections - The state of California has put companies on notice that they should be following a basic set of 20 information security controls developed by the U.S. government's top code breakers. http://www.nextgov.com/cybersecurity/2016/02/california-says-companies-should-embrace-nsa-developed-data-protections/126151/

FYI - German police can now use spyware to monitor suspects - Spyware can only be installed when lives are at risk or nation is threatened. German police are now permitted to infect a suspect's computers, and mobile devices with special trojan software to monitor communications made with the systems, the country's interior ministry has confirmed. http://arstechnica.com/tech-policy/2016/02/german-police-can-now-use-spying-malware-to-monitor-suspects/

FYI - Jersey man gets 30 months for sabotaging former employer's servers - The U.S. Department of Justice yesterday announced that a N.J. man was sentenced to 30 months in prison for sending malicious code to the software company that formerly employed him as an information technology manager.http://www.scmagazine.com/jersey-man-gets-30-months-for-sabotaging-former-employers-servers/article/478804/

FYI - Feds spank Asus with 20-year audit probe for router security blunder - One vendor down, who's next? Asus has settled its case with the US Federal Trade Commission (FTC) after hackers pwned nearly 13,000 home routers via an unpatched security flaw. http://www.theregister.co.uk/2016/02/23/asus_router_flaws_settlement/

FYI - UK citizens relaxed about government snooping, survey reports - A majority of the UK population believe the government should be able to monitor mass communications in the interests of national security. http://www.scmagazine.com/uk-citizens-relaxed-about-government-snooping-survey-reports/article/479406/

FYI - VA sets goal of eliminating cyber material weaknesses by 2017 - The Veterans Affairs Department has a plan to finally get rid of more than two dozen long-standing cybersecurity weaknesses throughout the next 18 months. http://federalnewsradio.com/cybersecurity/2016/02/va-sets-goal-eliminating-cyber-material-weaknesses-2017/

FYI - EU adds detail to Privacy Shield agreement, prepares to give it force of law - The European Commission has detailed the steps businesses must take to comply with the Privacy Shield data protection agreement reached with U.S. authorities earlier this month, and published a draft of the order that will give it force of law. http://www.computerworld.com/article/3038690/data-privacy/eu-adds-detail-to-privacy-shield-agreement-prepares-to-give-it-force-of-law.html

FYI - Here Comes the Post-Safe Harbor EU Privacy Crackdown - The U.S. and EU are putting the finishing touches on “Privacy Shield,” the successor to their struck-down Safe Harbor data-transfer agreement, but it’s not quite there yet. And in the meantime, companies still sending people’s personal data from the EU to the U.S. under the Safe Harbor scheme are breaking the law. http://fortune.com/2016/02/25/safe-harbor-crackdown/?mod=djemRiskCompliance

FYI - Hacking the Pentagon could earn you some cash - A pilot program aims to help the US Defense Department beef up its networks by finding any vulnerabilities that could be exploited. Think you could hack your way into the Pentagon? A new competition will challenge qualified security pros to do just that. http://www.cnet.com/news/hack-the-pentagon-and-you-could-earn-some-cash/

FYI - Financial Institution Letters - FDIC Announces Webinar for National Consumer Protection Week 2016:  Cybersecurity Resources for Financial Institution Customers - The FDIC's Division of Depositor and Consumer Protection and Division of Risk Management Supervision will host a free webinar on March 9, 2016, from 2:00 p.m. to 3:00 p.m., titled Cybersecurity Resources to Help Your Customers Protect Themselves.  www.fdic.gov/news/news/financial/2016/fil16013.pdf 

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - York Hospital breach compromises PII of 1,400 employees - York Hospital in Maine reported a breach of employees' identifying information. The hospital says patient information was not targeted. http://www.scmagazine.com/york-hospital-breach-compromises-pii-of-1400-employees/article/479549/

FYI - IRS now says 700K taxpayers accounts accessed - The Internal Revenue Service (IRS) has dramatically increased the number of citizens impacted by the May 2015 breach to 700,000 from the original 114,000 originally announced. http://www.scmagazine.com/irs-now-says-700k-taxpayers-accounts-accessed/article/479656/

FYI - Snapchat payroll data snagged in phishing scam - The personal information of a number of former and current Snapchat employees was compromised after an employee fell for a phishing scheme.
http://www.scmagazine.com/snapchat-employee-data-compromised-in-phishing-scheme/article/479684/
http://www.cnet.com/news/snapchat-hit-by-email-phishing-scam/

FYI - Ransomware holds data hostage in two German hospitals - Two German hospitals have fallen victim to a ransomware attack that has left them unable to access their systems. It is thought the clean-up operation to remove all traces of the malware could take weeks. http://www.scmagazine.com/ransomware-holds-data-hostage-in-two-german-hospitals/article/479835/

FYI - Financial system breached at UC Berkeley campus, exposing 80K records - The University of California, Berkeley, is in damage-control mode after discovering that cyberattackers recently breached a system containing the Social Security and bank account numbers of approximately 80,000 students, faculty members and vendors.
http://www.scmagazine.com/financial-system-breached-at-uc-berkeley-campus-exposing-80k-records/article/479852/
http://www.zdnet.com/article/university-of-california-berkeley-once-again-becomes-victim-of-cyberattack/

FYI - Reinvented ransomware shifts from pwning PC to wrecking websites - 'CTB Locker' targets WordPress, offers live chat to help victims pay up - A new ransomware variant appears to be ripping through WordPress sites encrypting data and demanding a payment of half a bitcoin to release files. http://www.theregister.co.uk/2016/02/29/reinvented_ransomware_shifts_from_pwning_pc_to_wrecking_websites/

FYI - Wendy's breach losses may exceed those of Target, Home Depot incidents - The financial loss to credit unions affected by the Wendy's data breach uncovered earlier this month appears to be on pace to surpass damages incurred from the high-profile Target and Home Depot breach incidents, according to a report from Krebs on Security. http://www.scmagazine.com/krebs-wendys-breach-losses-may-exceed-those-of-target-home-depot-incidents/article/480789/

FYI - Direct deposits rerouted after Illinois State University data breach - An attacker compromised the accounts of 13 Illinois State University (ISU) employees and diverted their direct-deposit payroll payments to another account. http://www.scmagazine.com/illinois-state-university-data-breach-compromised-employee-payments/article/480815/

FYI - Personal details of 40K Cox employees shows up on dark web - Personal details of 40,000 employees of Cox Communications, an ISP and cable provider, have shown up for sale on the dark web. http://www.scmagazine.com/personal-details-of-40k-cox-employees-shows-up-on-dark-web/article/480972/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Truth in Lending Act (Regulation Z)
 
 The commentary to regulation Z was amended recently to clarify that periodic statements for open-end credit accounts may be provided electronically, for example, via remote access devices. The regulations state that financial institutions may permit customers to call for their periodic statements, but may not require them to do so. If the customer wishes to pick up the statement and the plan has a grace period for payment without imposition of finance charges, the statement, including a statement provided by electronic means, must be made available in accordance with the "14-day rule," requiring mailing or delivery of the statement not later than 14 days before the end of the grace period.
 
 Provisions pertaining to advertising of credit products should be carefully applied to an on-line system to ensure compliance with the regulation. Financial institutions advertising open-end or closed-end credit products on-line have options. Financial institutions should ensure that on-line advertising complies with the regulations. For on-line advertisements that may be deemed to contain more than a single page, financial institutions should comply with the regulations, which describe the requirements for multiple-page advertisements.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 INFORMATION SECURITY RISK ASSESSMENT
 
 KEY RISK ASSESSMENT PRACTICES (2 of 2)
 
 4)  Accountable Activities - The responsibility for performing risk assessments should reside primarily with members of management in the best position to determine the scope of the assessment, and the effectiveness of risk reduction techniques. For a mid - sized or large institution, that organization will likely be the business unit. The information security officer(s) are responsible for overseeing the performance of each risk assessment and the integration of the risk assessments into a cohesive whole. Senior management is accountable for abiding by the board of directors' guidance for risk acceptance and mitigation decisions.
 
 5)  Documentation - Documentation of the risk assessment process and procedures assists in ensuring consistency and completeness, as well as accountability. Documentation of the analysis and results provides a useful starting point for subsequent assessments, potentially reducing the effort required in those assessments. Documentation of risks accepted and risk mitigation decisions is fundamental to achieving accountability for risk decisions.
 
 6)  Enhanced Knowledge - Risk assessment increases management's knowledge of the institution's mechanisms for storing, processing, and communicating information, as well as the importance of those mechanisms to the achievement of the institution's objectives. Increased knowledge allows management to respond more rapidly to changes in the environment. Those changes can range from new technologies and threats to regulatory requirements.
 
 7)  Regular Updates - Risk assessments should be updated as new information affecting information security risks are identified (e.g., a new threat, vulnerability, adverse test result, hardware change, software change or configuration change). At least once a year, senior management should review the entire risk assessment to ensure relevant information is appropriately considered.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
 
 5.3 System-Specific Policy
 
 Program policy and issue-specific policy both address policy from a broad level, usually encompassing the entire organization. However, they do not provide sufficient information or direction, for example, to be used in establishing an access control list or in training users on what actions are permitted. System-specific policy fills this need. It is much more focused, since it addresses only one system.
 
 Many security policy decisions may apply only at the system level and may vary from system to system within the same organization. While these decisions may appear to be too detailed to be policy, they can be extremely important, with significant impacts on system usage and security. These types of decisions can be made by a management official, not by a technical system administrator. (The impacts of these decisions, however, are often analyzed by technical system administrators.)
 
 To develop a cohesive and comprehensive set of security policies, officials may use a management process that derives security rules from security goals. It is helpful to consider a two-level model for system security policy: security objectives and operational security rules, which together comprise the system-specific policy. Closely linked and often difficult to distinguish, however, is the implementation of the policy in technology.
 
 System-specific security policy includes two components: security objectives and operational security rules. It is often accompanied by implementing procedures and guidelines.
 
 5.3.1 Security Objectives
 
 The first step in the management process is to define security objectives for the specific system. Although, this process may start with an analysis of the need for integrity, availability, and confidentiality, it should not stop there. A security objective needs to more specific; it should be concrete and well defined. It also should be stated so that it is clear that the objective is achievable. This process will also draw upon other applicable organization policies.
 Security objectives consist of a series of statements that describe meaningful actions about explicit resources. These objectives should be based on system functional or mission requirements, but should state the security actions that support the requirements.
 
 Development of system-specific policy will require management to make trade-offs, since it is unlikely that all desired security objectives will be able to be fully met. Management will face cost, operational, technical, and other constraints.
 
 Sample Security Objective:  Only individuals in the accounting and personnel departments are authorized to provide or modify information used in payroll processing.