R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 9, 2014

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER -
This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Organizations continue to lack incident response proficiency, study finds - Security professionals are anticipating breaches, but organizations continue to lack the necessary incident response capabilities, a recent study found. http://www.scmagazine.com/organizations-continue-to-lack-incident-response-proficiency-study-finds/article/336229/

FYI - New FBI boss says cyber crime, not terrorism, is top of Feds' todo list - Malware cousin of fingerprint and DNA database to be shared with infosec world - The FBI's new director James Comey has told the RSA security conference in San Francisco that he is making thwarting online crime the major focus for his agency in the coming decade. http://www.theregister.co.uk/2014/02/27/new_fbi_boss_pledges_cyber_crime_not_terrorism_will_dominate_agency_in_the_next_decade/

FYI - Florida Cops’ Secret Weapon: Warrantless Cellphone Tracking - Police in Florida have offered a startling excuse for having used a controversial “stingray” cellphone tracking gadget 200 times without ever telling a judge: the device’s manufacturer made them sign a non-disclosure agreement that they say prevented them from telling the courts. http://www.wired.com/threatlevel/2014/03/stingray/

FYI - Twitter system error accidentally resets users' passwords - Thousands of Twitter users thought their accounts were compromised yesterday after receiving an email from the company prompting them to reset their passwords. http://www.scmagazine.com/twitter-system-error-accidentally-resets-users-passwords/article/336785/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - UK man charged with hacking Federal Reserve - The defendant is accused of stealing personal information of employees and publishing it on a website - A British man faces new charges in the U.S. for allegedly hacking into the Federal Reserve Bank's servers and stealing names, email addresses and other personal information of the bank's computer users.
http://www.computerworld.com/s/article/9246650/UK_man_charged_with_hacking_Federal_Reserve?taxonomyId=17
http://www.scmagazine.com/man-charged-with-using-sql-injection-to-access-federal-reserve-data/article/336228/

FYI - Black market lights up with 360M stolen credentials - Some 360 million account credentials are newly available for sale on the black market, according to one security firm, and may be from several yet-to-be-reported security breaches. http://news.cnet.com/8301-1009_3-57619567-83/black-market-lights-up-with-360m-stolen-credentials-report/

FYI - Web crawlers tap data, put about 146K Indiana Univ. students at risk - Nearly 146,000 former and current students of Indiana University may have had personal information – including Social Security numbers – exposed after three web indexing bots known as web crawlers accessed the data from an unsecured site. http://www.scmagazine.com/web-crawlers-tap-data-put-about-146k-indiana-univ-students-at-risk/article/336198/

FYI - Bank reports payment cards used in Chicago cabs being compromised - Travelers that recently charged a Chicago cab fare to a payment card may want to be on the lookout for fraudulent charges, according to Illinois-based First American Bank, which warned its own customers on Friday against using their MasterCard debit cards in Windy City taxis. http://www.scmagazine.com/bank-reports-payment-cards-used-in-chicago-cabs-being-compromised/article/336550/

FYI - Impact of Detroit breach could be greater than reported, expert says - Officials are notifying about 1,700 current and former Detroit fire and emergency medical services (EMS) employees that their personal information may have been compromised by malware that locked City files. http://www.scmagazine.com/impact-of-detroit-breach-could-be-greater-than-reported-expert-says/article/336567/

FYI - Russia Today defaced by hackers - Russia's biggest news channel website, Russia Today (RT), was compromised and defaced by hackers on Friday. http://www.scmagazine.com/russia-today-defaced-by-hackers/article/336560/

FYI - Las Vegas Sands confirms attackers accessed sensitive employee, customer info - Following an early February breach that affected Las Vegas Sands casino websites and internal office systems in the U.S., the corporation determined that the cyber attackers made off with “some legally protected data” belonging to employees and customers at the Bethlehem, Pa., hotel and casino, the company announced. http://www.scmagazine.com/las-vegas-sands-confirms-attackers-accessed-sensitive-employee-customer-info/article/336569/

FYI - Team Cymru spots 300,000 compromised SOHO gateways - Researchers spot attackers 'pharming' traffic with dodgy DNS - It's time to check the DNS settings on your broadband gateway, with security research group Team Cymru discovering an attack that could have redirected as many as 300,000 devices to a malicious resolver. http://www.theregister.co.uk/2014/03/04/team_cymru_ids_300000_compromised_soho_gateways/

FYI - Flexcoin hacked, Mt. Gox code leaks, but Bitcoin demand still grows - Following a strong rise to prominence in recent months, weaknesses in the anonymous and fairly unregulated virtual currency market are beginning to show. http://www.scmagazine.com/flexcoin-hacked-mt-gox-code-leaks-but-bitcoin-demand-still-grows/article/336782/

FYI - Sally Beauty investigates breach, no evidence of stolen payment cards - A weeks-old attempted intrusion is still being investigated, but Texas-based Sally Beauty has no evidence to suggest that 282,000 payment cards found in an online underground crime market were pilfered from the worldwide beauty supplies retailer - despite reports that suggest otherwise. http://www.scmagazine.com/sally-beauty-investigates-breach-no-evidence-of-stolen-payment-cards/article/336991/

FYI - Smucker's breached, possible ties to other high-profile attacks - The J.M. Smucker Company, an Ohio-based producer of fruit spreads and beverages, has shut down its Online Store following a data breach affecting its customers' personal financial information. http://www.scmagazine.com/smuckers-breached-possible-ties-to-other-high-profile-attacks/article/336996/

FYI - Payroll vendor breached, data on more than 43,000 employees at risk - More than 43,000 former and current employees of Chicago-based Assisted Living Concepts (ALC) are being notified that their personal data - including Social Security numbers and pay information - may be at risk after an unauthorized third party breached ALC's payroll vendor and gained access to sensitive files. http://www.scmagazine.com/payroll-vendor-breached-data-on-more-than-43000-employees-at-risk/article/336973/

FYI - North Dakota University System hacked, roughly 300K impacted - The North Dakota University System (NDUS) is notifying more than 290,000 former and current students and roughly 780 faculty and staff that their personal information – including Social Security numbers – may be at risk after an unauthorized party gained access to one of its servers. http://www.scmagazine.com/north-dakota-university-system-hacked-roughly-300k-impacted/article/337181/

FYI - Oregon man received thousands of medical records on his home fax - Patient data was compromised after a Wisconsin hospital unknowingly faxed their records to an Oregon man. http://www.scmagazine.com/oregon-man-received-thousands-of-medical-records-on-his-home-fax/article/337159


WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

To ensure the security of information systems and data, financial institutions should have a sound information security program that identifies, measures, monitors, and manages potential risk exposure. Fundamental to an effective information security program is ongoing risk assessment of threats and vulnerabilities surrounding networked and/or Internet systems. Institutions should consider the various measures available to support and enhance information security programs. The appendix to this paper describes certain vulnerability assessment tools and intrusion detection methods that can be useful in preventing and identifying attempted external break-ins or internal misuse of information systems. Institutions should also consider plans for responding to an information security incident.

INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Packet Filter Firewalls

Basic packet filtering was described in the router section and does not include stateful inspection. Packet filter firewalls evaluate the headers of each incoming and outgoing packet to ensure it has a valid internal address, originates from a permitted external address, connects to an authorized protocol or service, and contains valid basic header instructions. If the packet does not match the pre-defined policy for allowed traffic, then the firewall drops the packet. Packet filters generally do not analyze the packet contents beyond the header information. Dynamic packet filtering incorporates stateful inspection primarily for performance benefits. Rather than re-examining every packet against the ruleset, the firewall checks each packet as it arrives to determine whether it is part of an existing connection. If it verifies that the packet belongs to an established connection, then it forwards the packet without subjecting it to the firewall ruleset.

Weaknesses associated with packet filtering firewalls include the following:

- The system is unable to prevent attacks that employ application-specific vulnerabilities and functions because the packet filter cannot examine packet contents.

- Logging functionality is limited to the same information used to make access control decisions.

- Most do not support advanced user authentication schemes.

- Firewalls are generally vulnerable to attacks and exploitation that take advantage of problems in the TCP/IP specification.

- The firewalls are easy to misconfigure, which allows traffic to pass that should be blocked.

Packet filtering offers less security, but faster performance, than application-level firewalls. The former are appropriate in high-speed environments where logging and user authentication with network resources are not important. Packet filter firewalls are also commonly used in small office/home office (SOHO) systems and default operating system firewalls.

Institutions internally hosting Internet-accessible services should consider implementing additional firewall components that include application-level screening.
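The following is an added illustration of the packet-filter behaviour described above; it is example code written for this newsletter, not text or code from the FFIEC booklet. It models a header-only filter with a default-deny ruleset, then turns on the dynamic (stateful) fast path so that packets of an already-accepted TCP connection bypass the ruleset. The addresses, rules and sample packets are constructed for the example. Two of the listed weaknesses are visible in the output: the payload of the fourth packet is never looked at, and the log records nothing beyond the header fields used for the decision.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    inbound: bool                   # True = arriving from the Internet side
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})
    payload: bytes = b""            # carried along but never inspected


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    inbound: bool                   # direction the rule applies to
    src: IPv4Network
    dst: IPv4Network
    proto: str                      # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        # Only header fields take part in the decision.
        return (p.inbound == self.inbound
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    def __init__(self, rules, stateful: bool = False):
        self.rules = list(rules)
        self.stateful = stateful
        self.connections = set()    # 5-tuples of accepted TCP connections
        self.log = []               # (verdict, 5-tuple): header fields only

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_flow(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def evaluate(self, p: Packet) -> str:
        flow = self._flow(p)
        # Dynamic filtering: a packet of a known connection, in either
        # direction, is forwarded without consulting the ruleset.
        if self.stateful and (flow in self.connections
                              or self._reverse_flow(p) in self.connections):
            self.log.append(("established", flow))
            return "forward"
        verdict = "drop"            # default deny
        for rule in self.rules:
            if rule.matches(p):
                verdict = "forward" if rule.action == "allow" else "drop"
                break               # first matching rule wins
        # Remember accepted TCP connection openings for the fast path.
        if (verdict == "forward" and self.stateful
                and p.proto == "tcp" and "SYN" in p.flags):
            self.connections.add(flow)
        self.log.append((verdict, flow))
        return verdict


# Constructed policy: one public HTTPS server, anti-spoofing on inbound.
INTERNAL = ip_network("10.0.0.0/8")
ANY = ip_network("0.0.0.0/0")
WEB_SERVER = ip_network("10.0.0.80/32")
RULES = [
    Rule("deny", True, INTERNAL, ANY, "any"),          # internal source from outside
    Rule("allow", True, ANY, WEB_SERVER, "tcp", 443),  # public HTTPS service
]

# Constructed sample traffic (documentation addresses, not real hosts).
EXT = "198.51.100.7"
SAMPLE_PACKETS = [
    Packet(EXT, "10.0.0.80", "tcp", 40000, 443, True, frozenset({"SYN"})),
    Packet(EXT, "10.0.0.80", "tcp", 40001, 22, True, frozenset({"SYN"})),
    Packet("10.0.0.5", "10.0.0.80", "tcp", 40002, 443, True, frozenset({"SYN"})),
    Packet(EXT, "10.0.0.80", "tcp", 40000, 443, True, frozenset({"ACK"}),
           b"<application-layer request: never examined>"),
    Packet("10.0.0.80", EXT, "tcp", 443, 40000, False, frozenset({"ACK"})),
]


def run_demo(stateful: bool):
    """Evaluate the sample packets; returns (verdicts, header-only log)."""
    pf = PacketFilter(RULES, stateful=stateful)
    verdicts = [pf.evaluate(p) for p in SAMPLE_PACKETS]
    return verdicts, pf.log


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, log = run_demo(stateful=mode)
        print("stateful" if mode else "stateless", verdicts)
        for entry in log:
            print("  ", entry)
```

In stateless mode the server's reply (last packet) falls to default deny because no outbound rule exists, which is why stateless rulesets need explicit return-traffic rules; with the state table on, the reply and the later ACK are forwarded as "established" without touching the ruleset at all, matching the performance trade-off the booklet describes.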



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

39.  Does the institution use an appropriate means to ensure that notices may be retained or obtained later, such as:

a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]

b. mailing a printed copy to the last known address of the customer; [§9(e)(2)(ii)] or

c. making the current privacy notice available on the institution's web site (or via a link to the notice at another site) for the customer who agrees to receive the notice at the web site? [§9(e)(2)(iii)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated