FYI
- Treasury Begins Automating Cyber Tip-Sharing with Banks - The
Treasury Department has begun automating the flow of cyber threat
tips back and forth between financial institutions and the
government.
http://www.nextgov.com/cybersecurity/2015/03/treasury-begins-automating-cyber-tip-sharing-banks/107382/
FYI
- US industrial control systems attacked 245 times in 12 months - US
industrial control systems were hit by cyber attacks at least 245
times over a 12-month period, the US Industrial Control Systems
Cyber Emergency Response Team (ICS-CERT) has revealed.
http://www.v3.co.uk/v3-uk/news/2399334/us-industrial-control-systems-attacked-245-times-in-12-months
https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf
FYI
- Notice of Special Rapid Hiring Authority for Federal Cyber
Security (March 5, 2015) - The US federal government Office of
Personnel Management (OPM) has granted special rapid hiring authority
under the excepted service for up to 3,000 positions requiring
"unique cyber security skills."
https://www.federalregister.gov/articles/2015/03/05/2015-05185/excepted-service
FYI
- Dutch court suspends mandatory data-retention legislation - A
district court in The Hague has struck down a Dutch law requiring
telecommunications companies to retain customer data for law
enforcement for between six and 12 months.
http://www.zdnet.com/article/dutch-court-suspends-mandatory-data-retention-legislation/
FYI
- Driver sues Uber after breach - An Uber driver in Portland, Ore.,
has filed what may turn out to be a class-action lawsuit against the
internet car service, claiming, in the wake of a breach, that it had
not imposed the appropriate security measures to safeguard the
personal information of its drivers.
http://www.scmagazine.com/driver-sues-uber-after-breach/article/403655/
FYI
- NYPD officer arrested for hacking FBI databases - A New York City
Police Department (NYPD) auxiliary deputy inspector was arrested
Wednesday morning for allegedly hacking into a restricted NYPD
computer and other sensitive law enforcement databases.
http://www.scmagazine.com/nypd-officer-hacked-databases-to-get-info-on-accident-victims/article/404250/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- 'TeslaCrypt' holds video game files hostage in ransomware first -
Online gamers are no longer spared the wrath of crypto-ransomware,
with a recently discovered attack encrypting game files, as well as
iTunes files.
http://www.scmagazine.com/bromium-labs-details-new-ransomware-campaign/article/403511/
FYI
- Short, planned outage helps State Dept. banish hackers - Nearly
four months after revealing a breach, the U.S. Department of State
said on Friday that it was taking down parts of its internet-linked
systems in a “short, planned outage” as part of its “ongoing effort
to ensure the integrity of [its] unclassified networks against cyber
attacks.”
http://www.scmagazine.com/state-dept-takes-down-parts-of-network-to-harden-security/article/403608/
FYI
- Hacker threatens S. Korean nuclear power plants if ransom not paid
- A hacker that claims to have compromised sensitive data belonging
to South Korea's power plants has threatened to share the
information with other countries if a ransom is not paid.
http://www.scmagazine.com/hacker-threatens-s-korean-nuclear-power-plants-if-ransom-not-paid/article/403489/
FYI
- Jamie Oliver website once again serving malware to visitors - The
website of celebrity chef Jamie Oliver has once again been
compromised and is serving malware to visitors, or a nearly identical
issue identified by Malwarebytes in February has not been completely
resolved.
http://www.scmagazine.com/jamie-oliver-website-once-again-serving-malware-to-visitors/article/403488/
FYI
- University of Chicago data breach exposes employee and student
data - A breach impacting the University of Chicago's Biological
Sciences Division (BSD) database has exposed the personal
information belonging to current and former employees, in addition
to students.
http://www.scmagazine.com/university-of-chicago-data-breach-exposes-employee-and-student-data/article/403242/
FYI
- Malware installed at California burger joint, payment cards at
risk - California-based Bistro Burger confirmed that malicious
software was installed on the computer systems used to process
credit card transactions at its Mission Street location in San
Francisco, and that customer payment card data may have been
compromised.
http://www.scmagazine.com/malware-installed-at-california-burger-joint-payment-cards-at-risk/article/403762/
FYI
- State Dept. restores email after cyber attack - The State
Department said its external email system was back up Tuesday
following a cyber breach.
http://thehill.com/policy/cybersecurity/224595-state-department-email-restored
FYI
- Premera Blue Cross breached, info on 11 million customers at risk
- The personal information of more than 10 million Premera Blue
Cross members and applicants may have been compromised, the health
insurance company announced on Tuesday, explaining that it was the
victim of an attack and that unauthorized access was gained to its
IT systems.
http://www.scmagazine.com/premera-blue-cross-attack-may-have-exposed-data-on-11m-customers/article/404052/
FYI
- State Dept. system still down to exorcise attackers - Looks like
the “short, planned outage” of the U.S. Department of State's
unclassified network will continue a little longer than initially
expected as the agency tries to exorcise once and for all what CNN
reported are Russian hackers who've roosted there for several
months.
http://www.scmagazine.com/state-dept-system-still-down-to-exorcise-attackers/article/404003/
FYI
- More than 150K patients impacted in Advantage Dental breach -
Oregon-based Advantage Dental has notified more than 150,000
patients that a computer was infected with malware, and an intruder
gained access to a database containing their personal information.
http://www.scmagazine.com/more-than-150k-patients-impacted-in-advantage-dental-breach/article/403888/
FYI
- Sacred Heart Health System notifies 14K patients of breach -
Florida-based Sacred Heart Health System is notifying roughly 14,000
patients that the employee of a third party billing vendor had their
username and password compromised, and the email account contained
personal information.
http://www.scmagazine.com/sacred-heart-health-system-notifies-14k-patients-of-breach/article/404377/
WEB SITE COMPLIANCE - We continue the series on FDIC Supervisory
Insights regarding Incident Response Programs. (8 of 12)
Containment
During the containment phase, the institution should generally
implement its predefined procedures for responding to the specific
incident (note that containment procedures are a required minimum
component). Additional containment-related procedures some banks
have successfully incorporated into their IRPs are discussed below.
Establish notification escalation procedures.
If senior management is not already part of the incident
response team, banks may want to consider developing procedures for
notifying these individuals when the situation warrants. Providing
the appropriate executive staff and senior department managers with
information about how containment actions will affect business
operations or systems and including these individuals in the
decision-making process can help minimize undesirable business
disruptions. Institutions that have experienced incidents have
generally found that the management escalation process (and
resultant communication flow) was not only beneficial during the
containment phase, but also proved valuable during the later phases
of the incident response process.
Document details, conversations, and actions.
Retaining documentation is an important component of the
incident response process. Documentation can come in a variety of
forms, including technical reports generated, actions taken, costs
incurred, notifications provided, and conversations held. This
information may be useful to external consultants and law
enforcement for investigative and legal purposes, as well as to
senior management for filing potential insurance claims and for
preparing an executive summary of the events for the board of
directors or shareholders. In addition, documentation can assist
management in responding to questions from its primary Federal
regulator. It may be helpful during the incident response process to
centralize this documentation for organizational purposes.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY TESTING - KEY FACTORS
Management is responsible for considering the following key factors
in developing and implementing independent diagnostic tests:
Personnel. Technical testing is frequently only as good as
the personnel performing and supervising the test. Management is
responsible for reviewing the qualifications of the testing
personnel to satisfy themselves that the capabilities of the testing
personnel are adequate to support the test objectives.
Scope. The tests and methods utilized should be sufficient to
validate the effectiveness of the security process in identifying
and appropriately controlling security risks.
Notifications. Management is responsible for considering whom
to inform within the institution about the timing and nature of the
tests. The need for protection of institution systems and the
potential for disruptive false alarms must be balanced against the
need to test personnel reactions to unexpected activities.
Controls Over Testing. Certain testing can adversely affect
data integrity, confidentiality, and availability. Management is
expected to limit those risks by appropriately crafting test
protocols. Examples of issues to address include the specific
systems to be tested, threats to be simulated, testing times, the
extent of security compromise allowed, situations in which testing
will be suspended, and the logging of test activity. Management is
responsible for exercising oversight commensurate with the risk
posed by the testing.
Frequency. The frequency of testing should be determined by
the institution's risk assessment. High-risk systems should be
subject to an independent diagnostic test at least once a
year. Additionally, firewall policies and other policies addressing
access control between the financial institution's network and other
networks should be audited and verified at least quarterly. Factors
that may increase the frequency of testing include the extent of
changes to network configuration, significant changes in potential
attacker profiles and techniques, and the results of other testing.
(FYI - This is exactly the type of independent diagnostic testing
that we perform. Please refer to http://www.internetbankingaudits.com/
for information.)
Proxy Testing. Independent diagnostic testing of a proxy
system is generally not effective in validating the effectiveness of
a security process. Proxy testing, by its nature, does not test the
operational system's policies and procedures, or its integration
with other systems. It also does not test the reaction of personnel
to unusual events. Proxy testing may be the best choice, however,
when management is unable to test the operational system without
creating excessive risk.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.1 Initiating the Risk Assessment
HGA has information systems that comprise and are intertwined with
several different
kinds of assets valuable enough to merit protection. HGA's systems
play a key role in transferring U.S. Government funds to individuals
in the form of paychecks; hence, financial resources are among the
assets associated with HGA's systems. The system components owned
and operated by HGA are also assets, as are personnel information,
contracting and procurement documents, draft regulations, internal
correspondence, and a variety of other day-to-day business
documents, memos, and reports. HGA's assets include intangible
elements as well, such as reputation of the agency and the
confidence of its employees that personal information will be
handled properly and that the wages will be paid on time.
A recent change in the directorship of HGA has brought in a new
management team. Among the
new Chief Information Officer's first actions was appointing a
Computer Security Program Manager who immediately initiated a
comprehensive risk analysis to assess the soundness of HGA's
computer security program in protecting the agency's assets and its
compliance with federal directives. This analysis drew upon prior
risk assessments, threat studies, and applicable internal control
reports. The Computer Security Program Manager also established a
timetable for periodic reassessments.
Since the wide-area network and mainframe used by HGA are owned and
operated by other
organizations, they were not treated in the risk assessment as HGA's
assets. And although HGA's personnel, buildings, and facilities are
essential assets, the Computer Security Program Manager considered
them to be outside the scope of the risk analysis.
After examining HGA's computer system, the risk assessment team
identified specific
threats to HGA's assets, reviewed HGA's and national safeguards
against those threats, identified the vulnerabilities of those
policies, and recommended specific actions for mitigating the
remaining risks to HGA's computer security. The following sections
provide highlights from the risk assessment. The assessment
addressed many other issues at the programmatic and system levels.
However, this chapter focuses on security issues related to the time
and attendance application.