FYI
- Our cybersecurity testing meets the independent pen-test requirements
outlined in the FFIEC Information Security booklet, and the penetration
study complies with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing. Independent pen-testing is part of any financial
institution's cybersecurity defense. To receive due diligence
information, the agreement and cost-saving fees, please complete the
information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm.
All communication is kept strictly confidential.
FYI
- Businesses are still scared of reporting cyberattacks to the
police - Report suggests organisations, be it because of
embarrassment or ignorance, aren't seeking help from the authorities
when they're victims of cybercrime.
http://www.zdnet.com/article/businesses-are-still-scared-of-reporting-cyberattacks-to-the-police/
FYI
- Dwolla dwamned for destroywing defwences: $100k fine for insecurity
- Payment upstart encouraged people to send passport scans, SSNs in
plain email - Updated US payment processor Dwolla has been slapped
with a US$100,000 fine for wrongly claiming it was super secure.
http://www.theregister.co.uk/2016/03/03/dwolla_slapped_for_slack_security/
FYI
- Breach: Before and after - It may be a tired mantra for those
dealing with the prospect of data breaches – “It's not if, it's
when” – but it's no less true today.
http://www.scmagazine.com/breach-before-and-after/article/481636/
FYI
- UK firms at risk due to employees' lack of cyber-security awareness
- UK organisations are putting their reputation, customer trust and
competitive advantage at greater risk by failing to provide their
staff with effective cyber-security awareness and ability to defend
against cyber-attacks, according to a new report.
http://www.scmagazine.com/uk-firms-at-risk-due-to-employees-lack-of-cyber-security-awareness/article/481396/
FYI
- Dwolla to pay $100K fine after regulatory probe into deceptive
cybersecurity - In a move that signals regulators may be adopting a
new approach in dealing with the fast-growing financial technology
sector, the Consumer Financial Protection Bureau (CFPB) fined
Iowa-based digital payment platform Dwolla for allegedly making
false representations about the company's cybersecurity practices.
http://www.scmagazine.com/dwolla-to-pay-100k-fine-after-regulatory-probe-into-deceptive-cybersecurity/article/481401/
FYI
- Home Depot creates $19.5M fund to settle breach class action suit -
Home Depot has created a $19.5 million fund to settle a class action
suit related to the 2014 breach that affected about 56 million of
the home improvement chain's customers.
http://www.scmagazine.com/home-depot-creates-195m-fund-to-settle-breach-class-action-suit/article/481956/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Pirates, Ships, And A Hacked CMS: Inside Verizon's Breach
Investigations - Pirates used hacked information from a global
shipping company’s servers to target and capture cargo ships on the
high seas, and a water utility’s valves and ducts were hijacked:
these are some of the more dramatic scenarios representing cases
Verizon’s breach team investigated in the past year.
http://www.darkreading.com/operations/pirates-ships-and-a-hacked-cms--inside-verizons-breach-investigations/d/d-id/1324474
FYI
- Cox investigates possible data breach: report - Cox Communications
is investigating a possible breach exposing the personal information
of 40,000 of its employees.
http://thehill.com/policy/cybersecurity/271604-cox-investigates-possible-data-breach-report
FYI
- Pirates hack into shipping company's CMS for insights on cargo to
plunder - Real-life pirates—the swashbuckling kind, not digital
thieves—are hacking into the systems of shipping companies in order
to get a sneak preview of their cargo, allowing them to more
efficiently target and raid ships.
http://www.scmagazine.com/pirates-hack-into-shipping-companys-cms-for-insights-on-cargo-to-plunder/article/481275/
FYI
- Seagate Phish Exposes All Employee W-2's - Email scam artists last
week tricked an employee at data storage giant Seagate Technology
into giving away W-2 tax documents on all current and past
employees, KrebsOnSecurity has learned.
http://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/
FYI
- Stolen laptop exposes PII of over 200K Premier Healthcare patients -
Premier Healthcare, a Bloomington, Indiana-based healthcare
provider, suffered a data breach when a thief stole a laptop
containing patient information from the company's billing
department.
http://www.scmagazine.com/stolen-laptop-exposes-pii-of-over-200k-premier-healthcare-patients/article/481817/
FYI
- Extended stay: Data-stealing malware hides on Rosen Hotels' payment
card network for over year - Guests who recently lodged at Rosen
Hotels & Resorts properties in theme-park destination Orlando, Fla.
must hope their data hasn't been taken for a wild ride, after the
hospitality company announced its properties have suffered a
long-undiscovered payment card data breach.
http://www.scmagazine.com/extended-stay-data-stealing-malware-hides-on-rosen-hotels-payment-card-network-for-over-year/article/481837/
FYI
- Finland's foreign ministry hacked by Russian or Chinese spies
- Finland's foreign ministry computer network has been infiltrated
by spies, foreign minister Erkki Tuomioja has revealed to the media.
http://www.scmagazine.com/finlands-foreign-ministry-hacked-by-russian-or-chinese-spies/article/481968/
FYI
- Oncology clinic breached, patient data stolen - 21st Century
Oncology was asked by the Federal Bureau of Investigation to delay
notifying patients that their information had been taken when a
third party gained unauthorized access to one of its databases, the
cancer clinic said in a Wednesday notification letter to patients.
http://www.scmagazine.com/unauthorized-third-party-pilfered-info-from-21st-century-oncology/article/482180/
WEB SITE COMPLIANCE - Advertisements
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the Internet or
on-line text. Thus, institutions should carefully review their
on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit
application can be made on-line may be considered "places of
business" under HUD's rules prescribing lobby notices. Thus,
institutions may want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
applications.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
INFORMATION SECURITY STRATEGY (1 of 2)
Action Summary - Financial institutions should develop a strategy
that defines control objectives and establishes an implementation
plan. The security strategy should include
1) Cost comparisons of different strategic approaches appropriate
to the institution's environment and complexity,
2) Layered controls that establish multiple control points between
threats and organization assets, and
3) Policies that guide officers and employees in implementing the
security program.
An information security strategy is a plan to mitigate risks while
complying with legal, statutory, contractual, and internally
developed requirements. Typical steps to building a strategy include
the definition of control objectives, the identification and
assessment of approaches to meet the objectives, the selection of
controls, the establishment of benchmarks and metrics, and the
preparation of implementation and testing plans.
The selection of controls is typically grounded in a cost
comparison of different strategic approaches to risk mitigation. The
cost comparison typically contrasts the costs of various approaches
with the perceived gains a financial institution could realize in
terms of
increased confidentiality, availability, or integrity of systems and
data. Those gains could include reduced financial losses, increased
customer confidence, positive audit findings, and regulatory
compliance. Any particular approach should consider: (1) policies,
standards, and procedures; (2) technology and architecture; (3)
resource dedication; (4) training; and (5) testing.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls, Chapter 5 - COMPUTER SECURITY POLICY
5.3.2 Operational Security Rules
After management determines the security objectives, the rules for
operating a system can be laid out, for example, to define authorized
and unauthorized modification: who (by job category, organization
placement, or name) can do what (e.g., modify, delete) to which
specific classes and records of data, and under what conditions.
The degree of specificity needed for operational security rules
varies greatly. The more detailed the rules are, up to a point, the
easier it is to know when one has been violated. It is also, up to a
point, easier to automate policy enforcement. However, overly
detailed rules may make the job of instructing a computer to
implement them difficult or computationally complex.
In addition to deciding the level of detail, management should
decide the degree of formality in documenting the system-specific
policy. Once again, the more formal the documentation, the easier it
is to enforce and to follow policy. On the other hand, policy at the
system level that is too detailed and formal can also be an
administrative burden. In general, good practice suggests a
reasonably detailed formal statement of the access privileges for a
system. Documenting access controls policy will make it
substantially easier to follow and to enforce. Another area that
normally requires a detailed and formal statement is the assignment
of security responsibilities. Other areas that should be addressed
are the rules for system usage and the consequences of
noncompliance.
Policy decisions in other areas of computer security, such as those
described in this handbook, are often documented in the risk
analysis, accreditation statements, or procedural manuals. However,
any controversial, atypical, or uncommon policies will also need
formal statements. Atypical policies would include any areas where
the system policy is different from organizational policy or from
normal practice within the organization, either more or less
stringent. The documentation for an atypical policy contains a
statement explaining the reason for deviation from the
organization's standard policy.
Sample Operational Security Rule:
Personnel clerks may update fields for weekly attendance, charges
to annual leave, employee addresses, and telephone numbers.
Personnel specialists may update salary information. No employees
may update their own records.
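The handbook notes that a sufficiently detailed rule is easier to automate. As an added example (not from the NIST Handbook or this newsletter), here is the sample operational security rule above encoded as a deny-by-default, field-level authorization check with an audit trail; the role names, field names and employee ids are constructed for illustration.

```python
# Added example: the sample operational security rule expressed as a
# machine-checkable policy, so it can be enforced and audited rather than
# only documented. Role/field names and employee ids are constructed.

from dataclasses import dataclass

# "Who can do what to which data": fields each job category may update.
FIELD_UPDATE_POLICY = {
    "personnel_clerk": {"weekly_attendance", "annual_leave_charges",
                        "address", "telephone"},
    "personnel_specialist": {"salary"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize_update(actor_id: str, actor_role: str,
                     target_id: str, field: str) -> Decision:
    """Decide whether actor may update `field` of employee `target_id`.

    Deny by default: anything the policy does not explicitly grant is
    refused. The self-update prohibition ("under what conditions") is
    checked first because it applies to every role, specialists included.
    """
    if actor_id == target_id:
        return Decision(False, "self-update prohibited for all employees")
    permitted = FIELD_UPDATE_POLICY.get(actor_role)
    if permitted is None:
        return Decision(False, f"role {actor_role!r} has no update rights")
    if field not in permitted:
        return Decision(False, f"role {actor_role!r} may not update {field!r}")
    return Decision(True, "granted by operational security rule")


def apply_update(record_store: dict, actor_id: str, actor_role: str,
                 target_id: str, field: str, value, audit_log: list) -> bool:
    """Apply the change only if authorized; log every decision for review."""
    d = authorize_update(actor_id, actor_role, target_id, field)
    audit_log.append((actor_id, actor_role, target_id, field,
                      d.allowed, d.reason))
    if d.allowed:
        record_store.setdefault(target_id, {})[field] = value
    return d.allowed
```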