Just a Reminder
- If you have not already done so, update your pandemic policy and perform a
pandemic test of the policy. Help protect your customers as well as your
employees.
FFIEC information technology audits
- As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for your bank in
Texas, New Mexico, Colorado, and Oklahoma.
Please email R. Kinney Williams at
examiner@yennik.com from your bank's domain and I will email you information and
fees.
FYI
- Banning end-to-end encryption sounds authoritarian, warns social
scientist - Proposals for a U.S. federal law that would require tech
companies to build backdoors into their end-to-end encrypted
communications services sound like they are lifted from an
authoritarian country’s playbook, warned Dr. Andrea Little Limbago,
chief social scientist at Virtru, in a podcast interview with SC
Media.
https://www.scmagazine.com/home/security-news/podcasts/sc-podcast-investigating-the-human-side-of-cybersecurity/
GAO: Critical Infrastructure Must Adopt NIST Cyber Framework -
According to a report from the Government Accountability Office
(GAO), federal agencies that have the lead in protecting critical
infrastructure sectors (sector specific agencies, or SSAs) have for
the most part not taken adequate steps to ensure that the sectors
they oversee have adopted the National Institute of Standards and
Technology's (NIST's) Framework for Improving Critical Infrastructure
Cybersecurity.
https://www.gao.gov/assets/710/704808.pdf
ACMA mandates stronger identity checks when porting Australian
mobile numbers - The Australian Communications and Media Authority
(ACMA) has moved to make telcos seek further approval from customers
before a mobile number can be ported from one mobile provider to
another.
https://www.zdnet.com/article/acma-mandates-stronger-identity-checks-when-porting-australian-mobile-numbers/
Ransomware victims are paying out millions a month. One particular
version has cost them the most - Ransomware victims have paid out
more than $140 million to crooks over the last six-and-a-half years,
according to calculations by the FBI.
https://www.zdnet.com/article/fbi-ransomware-victims-have-paid-out-140-million-one-version-has-cost-them-the-most/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Ryuk ransomware shuts down New Mexico school district a second
time - For the second time in less than a year, ransomware forced
Gadsden Independent School District in Las Cruces, New Mexico, to
take its systems offline Monday.
https://edscoop.com/ryuk-ransomware-shuts-down-new-mexico-school-district-second-time/
DoppelPaymer Hacked Bretagne Télécom Using the Citrix ADC Flaw -
Cloud services provider Bretagne Télécom was hacked by the threat
actors behind the DoppelPaymer Ransomware using an exploit that
targeted servers unpatched against the CVE-2019-19781 vulnerability.
https://www.bleepingcomputer.com/news/security/doppelpaymer-hacked-bretagne-t-l-com-using-the-citrix-adc-flaw/
Customer data stolen in data breach of facial recognition company
Clearview AI - Controversial facial recognition company Clearview AI
Inc. has suffered a data breach, and the company’s advising
customers that an intruder “gained unauthorized access” to its list
of customers.
https://siliconangle.com/2020/02/26/customer-data-stolen-data-breach-facial-recognition-company-clearview-ai/
Walgreens mobile app leaked PII, PHI on ‘small percentage’ of
customers - A leak in the Walgreens mobile app’s messaging service
exposed personal information – including what the company said was
“limited health-related data” – on a “small percentage” of customers
who used the app between Jan. 9-15.
https://www.scmagazine.com/home/security-news/walgreens-mobile-app-leaked-pii-phi-on-small-percentage-of-customers/
Data-stealing ransomware hits parts maker for Tesla, Boeing and
Lockheed Martin - Visser Precision, a parts maker and manufacturing
solutions provider for the aerospace, automotive, industrial and
manufacturing industries, has reportedly suffered a combination
ransomware attack and data breach that has compromised files
pertaining to multiple business partners, including Tesla, SpaceX,
Boeing and Lockheed Martin.
https://www.scmagazine.com/home/security-news/cybercrime/data-stealing-ransomware-hits-parts-maker-for-tesla-boeing-and-lockheed-martin/
Redcar & Cleveland Council confirms ransomware attack - Redcar &
Cleveland Borough Council in northern England has confirmed it has
fallen victim to a ransomware attack targeting its server estate,
which has kept it offline since the weekend of 8 February.
https://www.computerweekly.com/news/252479241/Redcar-Cleveland-Council-confirms-ransomware-attack
RailWorks Corporation Disclosed Catastrophic Ransomware Infection -
RailWorks Corporation has disclosed a ransomware attack that has
resulted in the exposure of PII (personally identifiable
information) of current and former employees, as well as their
beneficiaries and dependents.
https://www.technadu.com/railworks-corporation-disclosed-catastrophic-ransomware-infection/94045/
Rail station wi-fi provider exposed traveller data - Network Rail
and the service provider C3UK confirmed the incident three days
after being contacted by BBC News about the matter.
https://www.bbc.com/news/technology-51682280
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services ( Part 4 of 4)
Service Provider Oversight
Institutions should implement an oversight program to monitor
each service provider’s controls, condition, and performance.
Responsibility for the administration of the service provider
relationship should be assigned to personnel with appropriate
expertise to monitor and manage the relationship. The number of
personnel, functional responsibilities, and the amount of time
devoted to oversight activities will depend, in part, on the scope
and complexity of the services outsourced. Institutions should
document the administration of the service provider relationship.
Documenting the process is important for contract negotiations,
termination issues, and contingency planning.
Summary
The board of directors and management are responsible for
ensuring adequate risk mitigation practices are in place for
effective oversight and management of outsourcing relationships.
Financial institutions should incorporate an outsourcing risk
management process that includes a risk assessment to identify the
institution’s needs and requirements; proper due diligence to
identify and select a provider; written contracts that clearly
outline duties, obligations and responsibilities of the parties
involved; and ongoing oversight of outsourcing technology services.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 1 of 2)
Intrusion detection by itself does not mitigate risks of an
intrusion. Risk mitigation only occurs through an effective and
timely response. The goal of the response is to minimize damage to
the institution and its customers through containment of the
intrusion, and restoration of systems.
The response primarily involves people rather than technologies.
The quality of intrusion response is a function of the institution's
culture, policies and procedures, and training.
Preparation determines the success of any intrusion response.
Preparation involves defining the policies and procedures that guide
the response, assigning responsibilities to individuals and
providing appropriate training, formalizing information flows, and
selecting, installing, and understanding the tools used in the
response effort. Key considerations that directly affect the
institution's policies and procedures include the following:
- How to balance concerns regarding availability, confidentiality,
and integrity, for devices and data of different sensitivities. This
consideration is a key driver for a containment strategy and may
involve legal and liability considerations. An institution may
decide that some systems must be disconnected or shut down at the
first sign of intrusion, while others must be left online.
- When and under what circumstances to invoke the intrusion
response activities, and how to ensure the proper personnel are
available and notified.
- How to control the frequently powerful intrusion identification
and response tools.
- When to involve outside experts and how to ensure the proper
expertise will be available when needed. This consideration
addresses both the containment and the restoration strategy.
- When and under what circumstances to involve regulators,
customers, and law enforcement. This consideration drives certain
monitoring decisions, decisions regarding evidence-gathering and
preservation, and communications considerations.
- Which personnel have authority to perform what actions in
containment of the intrusion and restoration of the systems. This
consideration affects the internal communications strategy, the
commitment of personnel, and procedures that escalate involvement
and decisions within the organization.
- How and what to communicate outside the organization, whether to
law enforcement, customers, service providers, potential victims,
and others. This consideration drives the communication strategy,
and is a key component in mitigating reputation risk.
- How to document and maintain the evidence, decisions, and
actions taken.
- What criteria must be met before compromised services, equipment
and software are returned to the network.
- How to learn from the intrusion and use those lessons to improve
the institution's security.
- How and when to prepare and file a Suspicious Activities Report
(SAR).
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5
COMPUTER SECURITY POLICY
In discussions of computer security, the term policy has more than
one meaning. Policy is senior management's directives to create a
computer security program, establish its goals, and assign
responsibilities. The term policy is also used to refer to the
specific security rules for particular systems. Additionally, policy
may refer to entirely different matters, such as the specific
managerial decisions setting an organization's e-mail privacy policy
or fax security policy.
Policy means different things to different people. The term
"policy" is used in this chapter in a broad manner to refer to
important computer security-related decisions.
In this chapter the term computer security policy is defined as the
"documentation of computer security decisions," which covers all the
types of policy described above. In making these decisions, managers
face hard choices involving resource allocation, competing
objectives, and organizational strategy related to protecting both
technical and information resources as well as guiding employee
behavior. Managers at all levels make choices that can result in
policy, with the scope of the policy's applicability varying
according to the scope of the manager's authority. In this chapter
we use the term policy in a broad manner to encompass all of the
types of policy described above, regardless of the level of manager
who sets the particular policy.
Managerial decisions on computer security issues vary greatly. To
differentiate among various kinds of policy, this chapter
categorizes them into three basic types:
1) Program policy is used to create an organization's computer
security program.
2) Issue-specific policies address specific issues of concern to
the organization.
3) System-specific policies focus on decisions taken by management
to protect a particular system.
Procedures, standards, and guidelines are used to describe how
these policies will be implemented within an organization.
Familiarity with various types and components of policy will aid
managers in addressing computer security issues important to the
organization. Effective policies ultimately result in the
development and implementation of a better computer security program
and better protection of systems and information.
These types of policy are described to aid the reader's
understanding. It is not important that one categorizes specific
organizational policies into these three categories; it is more
important to focus on the functions of each.