FYI
- FDIC leads agencies in major cyber incidents - The Federal Deposit
Insurance Corporation was responsible for 10 of 16 major information
security incidents in FY2016, according to the annual report of the
Office of Management and Budget.
https://fcw.com/articles/2017/03/10/fisma-report-omb.aspx?m=1
Government Isn't Sharing Cyber Threats As Promised, Private Sector
Says - When it comes to cyber threat information sharing, it’s
government that’s not holding up its end of the bargain, industry
officials told lawmakers Thursday.
http://www.nextgov.com/cybersecurity/2017/03/government-isnt-sharing-cyber-threats-promised-private-sector-says/136035/
Home Depot to pay $25M in breach settlement - Following a massive
breach, retailer Home Depot has agreed to pay off a settlement of
$25 million for damages resulting from the incursion in 2014 that
exposed personal information of more than 50 million customers.
https://www.scmagazine.com/home-depot-to-pay-25m-in-breach-settlement/article/643491/
US telecoms regs bow to ISPs, customers no longer federally
protected - The US Federal Communications Commission has bowed to
the telecoms lobby in blocking a regulation which would make ISPs
take 'reasonable measures' to protect customer data.
https://www.scmagazine.com/us-telecoms-regs-bow-to-isps-customers-no-longer-federally-protected/article/643307/
Israel-UK cyber-security lessons - shared concerns, shared responses
- Israel is under constant threat and conscription gives its army
access to its brightest students - what can the UK learn from its
approach to and understanding of cyber-terrorism?
https://www.scmagazine.com/israel-uk-cyber-security-lessons--shared-concerns-shared-responses/article/643511/
VA chief swears off software development - For the past year or more
at congressional hearings and public appearances, senior officials
from the Department of Veterans Affairs have been warming up to the
idea of moving to commercial software for electronic health records,
scheduling, acquisitions and other core business processes.
https://fcw.com/articles/2017/03/10/shulkin-commerical-it.aspx
Researchers hack Fitbits and other IoT devices using sound -
Researchers from the University of Michigan and the University of
South Carolina were able to develop a series of attacks that
manipulate internet of things (IoT) devices using sound.
https://www.scmagazine.com/researchers-develop-sound-based-attacks-on-iot-devices/article/644249/
312 and counting data breaches, in 2017, report - So far this year,
there have been 312 data breaches as of March 14, 2017, which have
compromised a combined total of more than 1.3 million records.
https://www.scmagazine.com/report-finds-more-than-312-data-breaches-this-year/article/644421/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Payments Giant Verifone Investigating Breach - Credit and debit
card payments giant Verifone is investigating a breach of its
internal computer networks that appears to have impacted a number of
companies running its point-of-sale solutions, according to sources.
http://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-breach/
Canadian tax and labor websites taken offline this weekend -
Canada's Revenue and Statistics agencies were knocked offline Friday
when officials, concerned about several vulnerabilities, took down
the sites as a precautionary measure.
https://www.scmagazine.com/canadian-tax-and-labor-websites-taken-offline-this-weekend/article/643629/
Hackers steal personal data of thousands of hospital staff -
Information on staff accessed through attack on IT contractor's
server. Hackers have stolen information about thousands of NHS
medical professionals by compromising the server of a private
contractor.
http://www.zdnet.com/article/hackers-steal-personal-data-of-thousands-of-hospital-staff/
Encrypting data at rest is vital, but it's just not happening -
Regulators and security strategists recommend encrypting data at
rest, but few organisations do it, and most get it wrong. Good thing
there are bigger problems to tackle first. The Office of the
Australian Information Commissioner (OAIC) has been clear about
encrypting personal data, both in its guidelines and in recent data
breach investigations. But according to Chris Gatford, director of
penetration testing firm Hacklabs, very few organisations are living
up to expectations.
http://www.zdnet.com/article/encrypting-data-at-rest-is-vital-but-its-just-not-happening/
Over 33M records leaked from US corporate database - The database
contains email addresses and other contact information for thousands
of corporate and government employees.
https://www.cnet.com/news/more-than-33-million-records-leaked-from-us-corporate-database/
WEB SITE COMPLIANCE - We continue covering some of the issues discussed
in the "Risk Management Principles for Electronic Banking" published by
the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 13: Banks should have
effective capacity, business continuity and contingency planning
processes to help ensure the availability of e-banking systems and
services.
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with customer expectations. To achieve this, the
bank must have the ability to deliver e-banking services to
end-users from either primary (e.g. internal bank systems and
applications) or secondary sources (e.g. systems and applications of
service providers). The maintenance of adequate availability is also
dependent upon the ability of contingency back-up systems to
mitigate denial of service attacks or other events that may
potentially cause business disruption.
The challenge to maintain continued availability of e-banking
systems and applications can be considerable given the potential for
high transaction demand, especially during peak time periods. In
addition, high customer expectations regarding short transaction
processing cycle times and constant availability (24 x 7) have also
increased the importance of sound capacity, business continuity and
contingency planning. To provide customers with the continuity of
e-banking services that they expect, banks need to ensure that:
1) Current e-banking system capacity and future scalability are
analyzed in light of the overall market dynamics for e-commerce and
the projected rate of customer acceptance of e-banking products and
services.
2) E-banking transaction processing capacity estimates are
established, stress tested and periodically reviewed.
3) Appropriate business continuity and contingency plans for
critical e-banking processing and delivery systems are in place and
regularly tested.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Controls in Application Software
Application development should incorporate appropriate security
controls, audit trails, and activity logs. Typical application
access controls are addressed in earlier sections. Application
security controls should also include validation controls for data
entry and data processing. Data entry validation controls include
access controls over entry and changes to data, error checks, review
of suspicious or unusual data, and dual entry or additional review
and authorization for highly sensitive transactions or data. Data
processing controls include: batch control totals; hash totals of
data for comparison after processing; identification of any changes
made to data outside the application (e.g., data-altering
utilities); and job control checks to ensure programs run in correct
sequence (see the booklet "Computer Operations" for additional
considerations).
Some applications will require the integration of additional
authentication and encryption controls to ensure integrity and
confidentiality of the data. As customers and merchants originate an
increasing number of transactions, authentication and encryption
become increasingly important to ensure non-repudiation of
transactions.
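As an added illustration of the data processing controls listed above (batch control totals, hash totals compared after processing, and detecting changes made to data outside the application), and not code from the FFIEC booklet or from this newsletter: a small Python reconciliation run over a constructed transaction batch. The record layout, the sample figures and the choice of SHA-256 as the second hash total are assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str       # numeric account identifier, kept as a string
    amount_cents: int  # integer cents avoid rounding drift in the totals


def batch_controls(batch):
    """Control figures taken on a batch: record count, batch control total
    (sum of amounts), a classic hash total (sum of account numbers, which
    has no business meaning and exists only for comparison), and a SHA-256
    digest over the canonical, order-independent record set."""
    canonical = sorted(f"{t.txn_id}|{t.account}|{t.amount_cents}" for t in batch)
    return {
        "count": len(batch),
        "amount_total": sum(t.amount_cents for t in batch),
        "account_hash_total": sum(int(t.account) for t in batch),
        "digest": hashlib.sha256("\n".join(canonical).encode()).hexdigest(),
    }


def reconcile(entered, processed):
    """Compare figures captured at data entry with figures recomputed after
    processing; return the names of the figures that no longer agree."""
    before, after = batch_controls(entered), batch_controls(processed)
    return [name for name in before if before[name] != after[name]]


# Constructed sample batch (not real data), as captured at data entry.
ENTERED = [Txn("T001", "1001", 12_500), Txn("T002", "1002", 3_000),
           Txn("T003", "1003", 45_000)]

# Altered outside the application (e.g. by a data-altering utility): 2,500
# cents moved from T001 to T002, so count, amount total and the classic
# hash total all still agree; only the digest exposes the change.
TAMPERED = [Txn("T001", "1001", 10_000), Txn("T002", "1002", 5_500),
            Txn("T003", "1003", 45_000)]

# A record lost between job steps: every control figure disagrees.
DROPPED = ENTERED[:2]

if __name__ == "__main__":
    print("unchanged:", reconcile(ENTERED, list(ENTERED)))  # []
    print("tampered: ", reconcile(ENTERED, TAMPERED))       # ['digest']
    print("dropped:  ", reconcile(ENTERED, DROPPED))
```

Sorting the canonical records makes the digest independent of record order, so a batch that processing merely reorders still reconciles; where job sequence itself is part of the control, drop the sort so reordering is flagged too.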
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.1.2 Determining Position Sensitivity
Knowledge of the duties and access levels that a particular
position will require is necessary for determining the sensitivity
of the position. The responsible management official should
correctly identify position sensitivity levels so that appropriate,
cost-effective screening can be completed.
Various levels of sensitivity are assigned to positions in the
federal government. Determining the appropriate level is based upon
such factors as the type and degree of harm (e.g., disclosure of
private information, interruption of critical processing, computer
fraud) the individual can cause through misuse of the computer
system as well as more traditional factors, such as access to
classified information and fiduciary responsibilities. Specific
agency guidance should be followed on this matter.
It is important to select the appropriate position sensitivity,
since controls in excess of the sensitivity of the position waste
resources, while too little may cause unacceptable risks.