FYI
- Cybersecurity spending varies but best practices still save - It's
no secret that calculating an individual's or company's risk is not an
easy task, as the economic benefits of cybersecurity are quite
confusing and uncertain, but there are a few yardsticks that can be
used to determine how much to spend to obtain a proper security
level.
https://www.scmagazine.com/industry-pros-share-cyber-budgeting-tips/article/646183/
A survey published Wednesday shows a large majority of Americans can
pick the strongest password off a list and know that public WiFi
isn’t safe. But only a third knew what HTTPS (the green padlock next
to the web address bar) means, and only one in ten could distinguish
two-factor authentication from other forms of login security.
https://www.cyberscoop.com/cybersecurity-pew-study-2017/
It's happening! It's happening! W3C erects DRM as web standard -
World has until April 19 to make its views known on latest draft -
The World Wide Web Consortium has formally put forward highly
controversial digital rights management as a new web standard.
http://www.theregister.co.uk/2017/03/22/w3c_drm_web_standard/
70 percent of mobile devices of top networks vulnerable, study -
More than 70 percent of mobile devices on five major U.S. carriers
are susceptible to being breached due to unpatched devices being on
their network, according to a recent study.
https://www.scmagazine.com/majority-of-devices-on-top-networks-vulnerable-study/article/646443/
FBI: Attackers Targeting Anonymous FTP Servers in Healthcare - The
FBI warns medical and dental organizations of cybercriminals
targeting anonymous FTP servers to steal personal health data. The
FBI has issued a warning that threat actors are going after
anonymous File Transfer Protocol (FTP) servers associated with
medical and dental organizations.
http://www.darkreading.com/attacks-breaches/fbi-attackers-targeting-anonymous-ftp-servers-in-healthcare/d/d-id/1328496
Bill Would Compel Firms to Say If CyberSec Expert Sits on Board -
Legislation introduced in the Senate would require publicly traded
companies to disclose to regulators whether any members of their
boards of directors have cybersecurity expertise.
http://www.govinfosecurity.com/bill-would-compel-firms-to-say-if-cybersec-expert-sits-on-board-a-9776
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Breach of DoL jobs database a threat to 10 states, so far - A
multi-state database was hacked, potentially revealing names, dates
of birth and Social Security numbers of hundreds of thousands of job
seekers across 10 states...so far.
https://www.scmagazine.com/breach-of-dol-jobs-database-a-threat-to-10-states-so-far/article/646023/
Hack of ABC's Twitter account hails Trump - The Twitter accounts of
Good Morning America, GMA Pop News and ABC News were hacked on
Thursday with a series of irreverent posts being added, including
two praising Donald Trump, according to a report on CNBC.
https://www.scmagazine.com/hack-of-abcs-twitter-account-hails-trump/article/646159/
Fake mobile base stations spreading malware in China - 'Swearing
Trojan' pushes phishing texts around carriers' controls - Chinese
phishing scum are deploying fake mobile base stations to spread
malware in text messages that might otherwise get caught by
carriers.
http://www.theregister.co.uk/2017/03/23/fake_base_stations_spreading_malware_in_china/
UK Police Fed: Officers abusing investigatory powers for personal
matters - Police have reportedly been using law enforcement
resources to pursue personal matters, according to the Police
Federation.
https://www.scmagazine.com/uk-police-fed-officers-abusing-investigatory-powers-for-personal-matters/article/646276/
New York data breaches rise by 60% due to hacking and insiders - New
York data breaches have reached new heights according to the state's
Attorney General Eric Schneiderman. Security breaches skyrocketed by
60 percent in 2016.
https://www.scmagazine.com/new-york-data-breaches-rise-by-60-due-to-hacking-and-insiders/article/646524/
Food court: Arby's reportedly faces 8 lawsuits resulting from breach
- Customers, banks and credit unions appear to have a beef with
Arby's. The fast-food sandwich chain is now facing a total of eight
lawsuits stemming from a data breach that was discovered in February
and affected around 1,000 locations, the AP reported yesterday.
https://www.scmagazine.com/food-court-arbys-reportedly-faces-8-lawsuits-resulting-from-breach/article/646958/
Two Daytona State College breaches affect students and staff -
Daytona State College was hit with two data breaches this month that
affected both employee and student data.
https://www.scmagazine.com/daytona-state-college-hit-with-double-breach-affecting-staff-and-students/article/646957/
Girls crack code in CyberFirst challenge and impress judges - The
competition is organised by the National Cyber Security Centre which
is looking to encourage more women into the sector, who currently
make up only seven percent of its workforce.
https://www.scmagazine.com/girls-crack-code-in-cyberfirst-challenge-and-impress-judges/article/647285/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Sound Security Control Practices for E-Banking
1. Security profiles should be created and maintained and specific
authorization privileges assigned to all users of e-banking systems
and applications, including all customers, internal bank users and
outsourced service providers. Logical access controls should also be
designed to support proper segregation of duties.
2. E-banking data and systems should be classified according to
their sensitivity and importance and protected accordingly.
Appropriate mechanisms, such as encryption, access control and data
recovery plans should be used to protect all sensitive and high-risk
e-banking systems, servers, databases and applications.
3. Storage of sensitive or high-risk data on the organization's
desktop and laptop systems should be minimized and properly
protected by encryption, access control and data recovery plans.
4. Sufficient physical controls should be in place to deter
unauthorized access to all critical e-banking systems, servers,
databases and applications.
5. Appropriate techniques should be employed to mitigate external
threats to e-banking systems, including the use of:
a) Virus-scanning software at all critical entry points (e.g.
remote access servers, e-mail proxy servers) and on each desktop
system.
b) Intrusion detection software and other security assessment
tools to periodically probe networks, servers and firewalls for
weaknesses and/or violations of security policies and controls.
c) Penetration testing of internal and external networks.
6. A rigorous security review process should be applied to all
employees and service providers holding sensitive positions.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Source Code Review and Testing
Application and operating system source code can have numerous
vulnerabilities due to programming errors or misconfiguration. Where
possible, financial institutions should use software that has been
subjected to independent security reviews of the source code,
especially for Internet-facing systems. Software can contain
erroneous or intentional code that introduces covert channels,
backdoors, and other security risks into systems and applications.
These hidden access points can often provide unauthorized access to
systems or data that circumvents built-in access controls and
logging. The source code reviews should be repeated after the
creation of potentially significant changes.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.1.4 Employee Training and Awareness
Even after a candidate has been hired, the staffing process cannot
yet be considered complete -- employees still have to be trained to
do their job, which includes computer security responsibilities and
duties. Such security training can be very cost-effective in
promoting security.
Some computer security experts argue that employees must receive
initial computer security training before they are granted any
access to computer systems. Others argue that this must be a
risk-based decision, perhaps granting only restricted access (or,
perhaps, only access to their PC) until the required training is
completed. Both approaches recognize that adequately trained
employees are crucial to the effective functioning of computer
systems and applications. Organizations may provide introductory
training prior to granting any access with follow-up more extensive
training. In addition, although training of new users is critical,
it is important to recognize that security training and awareness
activities should be ongoing during the time an individual is a
system user.
10.2 User Administration
Effective administration of users' computer access is essential to
maintaining system security. User account management focuses on
identification, authentication, and access authorizations. This is
augmented by the process of auditing and otherwise periodically
verifying the legitimacy of current accounts and access
authorizations. Finally, there are considerations involved in the
timely modification or removal of access and associated issues for
employees who are reassigned, promoted, or terminated, or who
retire.
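The periodic account verification and timely removal of access that the NIST handbook describes, together with the authorization profiles and segregation of duties called for in the Basel e-banking practices above, come down to a reconciliation that can be scripted. The following is an added example (not from NIST, the FFIEC or the Basel Committee); the users, privileges, review dates and segregation-of-duties rules are all constructed for illustration.

```python
"""Periodic user-access review (added example, not from the guidance quoted above).
Reconciles an e-banking application's account export against the HR roster
and flags what the Basel and NIST guidance asks reviewers to catch: accounts
with no owner, accounts of terminated staff, segregation-of-duties conflicts,
and overdue reviews. All users, privileges, dates and rules are constructed.
"""
from datetime import date, timedelta

# Constructed HR roster: who should hold access, including an outsourced provider.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated"},
    "carol": {"status": "active"},
    "vendor1": {"status": "active"},
}

# Constructed account export: privileges held and date of the last review.
ACCOUNTS = [
    {"user": "alice", "privs": {"initiate_payment"}, "last_review": date(2017, 1, 10)},
    {"user": "bob", "privs": {"approve_payment"}, "last_review": date(2017, 2, 1)},
    {"user": "carol", "privs": {"deploy_prod"}, "last_review": date(2016, 6, 1)},
    {"user": "dave", "privs": {"read_ledger"}, "last_review": date(2017, 3, 1)},
    {"user": "vendor1", "privs": {"initiate_payment", "approve_payment"},
     "last_review": date(2017, 3, 1)},
]

# Hypothetical segregation-of-duties rules: privilege sets no one account may hold in full.
SOD_CONFLICTS = [{"initiate_payment", "approve_payment"}, {"deploy_prod", "approve_payment"}]
REVIEW_DATE = date(2017, 3, 24)  # constructed "today" for the review run


def review_accounts(accounts, roster, today, max_review_age_days=90):
    """Return sorted (user, finding) pairs for a reviewer to act on."""
    findings = []
    for acct in accounts:
        user, privs = acct["user"], acct["privs"]
        record = roster.get(user)
        if record is None:  # nobody in HR owns this account
            findings.append((user, "orphaned: no HR record"))
        elif record["status"] != "active":  # timely removal on termination
            findings.append((user, "terminated: revoke access"))
        for conflict in SOD_CONFLICTS:
            if conflict <= privs:  # account holds every privilege in the conflicting set
                findings.append((user, "sod conflict: " + "+".join(sorted(conflict))))
        if today - acct["last_review"] > timedelta(days=max_review_age_days):
            findings.append((user, "review overdue"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{user:8} {finding}")
```

Run against the constructed data it reports the terminated account, the orphaned account, the vendor holding both halves of a payment flow, and one review older than 90 days; the active teller with a single privilege and a recent review produces nothing.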