FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. Independent pen-testing is part of any financial institution's cybersecurity defense. To receive due diligence information, agreement, and cost-saving fees, please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm.
All communication is kept strictly confidential.
FYI - U.S., Canada issue ransomware alert - With new ransomware incidents popping up almost daily, the U.S. Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), has issued an official ransomware alert.
http://www.scmagazine.com/us-canada-issue-ransomware-alert/article/487738/
FYI - Ransomware epidemic could become historic crime spree, warns alert - A new cybersecurity alert warns that the exponential growth of ransomware as a cybercriminal tool may be turning this malware epidemic into the "largest crime wave in modern history."
http://www.scmagazine.com/ransomware-epidemic-could-become-historic-crime-spree-warns-alert/article/486820/
FYI - Over 300 incidents of ransomware on federal networks since June - There have been 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security.
https://fcw.com/articles/2016/03/30/ransomware-carper-hsgac.aspx
FYI - US Marine Corps launches hacker support unit - Team will conduct OCO, CNE and ISR to stop SNAFUs on MCEN and ODIN - The United States Marine Corps has launched a hacking support unit.
http://www.theregister.co.uk/2016/03/31/us_marines_launches_hacker_support_unit/
FYI - Will the Panama Papers change legal firms' cyber practices? - Following the massive 2.6 terabyte leak from the Panamanian corporate service provider and legal firm Mossack Fonseca, a sentiment emerges among security professionals assessing the wreckage at the secretive company.
http://www.scmagazine.com/will-the-panama-papers-change-legal-firms-cyber-practices/article/487488/
FYI - Survey finds 'accountability gap' among execs dealing with cybersecurity - The cybersecurity "accountability gap" is growing, as 40 percent of executives admitted they didn't feel responsible for the impact of a cyberattack, and a lack of understanding concerning cybersecurity could be a contributing factor.
http://www.scmagazine.com/accountability-gap-widens-as-execs-dont-feel-responsible-for-cyberattacks/article/487477/
FYI - Hack the Pentagon: First US government bug bounty programme opens for business - If you're not afraid of the Pentagon running a criminal background check on you, the department has some cash to fork out on security bugs in its public websites.
http://www.zdnet.com/article/hack-the-pentagon-first-us-government-bug-bounty-programme-opens-for-business/
FYI - Cyber insurance rates fall with lull in major hacks - A lull in high-profile data breaches prompted insurers to cut cyber insurance rates for high-risk businesses such as retailers and healthcare companies during the first three months of this year, according to insurance industry brokers.
http://www.reuters.com/article/us-cyber-insurance-idUSKCN0WW1X4
FYI - Hack-for-hire services booming, new report - Hackers are offering their services to break into corporate email for anyone paying $500.
http://www.scmagazine.com/hack-for-hire-services-booming-new-report/article/488093/
FYI - GAO - Cloud Computing: Agencies Need to Incorporate Key Practices to Ensure Effective Performance.
Report: http://www.gao.gov/products/GAO-16-325
Highlights: http://www.gao.gov/assets/680/676396.pdf
FYI - 14% of doctors keep patient data on cell phones, don't use password - As the healthcare industry reacts to a streak of ransomware attacks against hospitals, a new report sheds light on a looming but poorly-publicized threat: doctors' mobile communications practices.
http://www.scmagazine.com/report-14-of-doctors-keep-patient-data-on-cell-phones-dont-use-password/article/488139/
FYI - Cybersecurity being overlooked by American universities - CloudPassage released a report today slamming the U.S. university system for failing to give cybersecurity a higher profile in its computer science and engineering programs.
http://www.scmagazine.com/cybersecurity-being-overlooked-by-american-universities-report/article/488233/
FYI - Reports find high security risks among policies for third-party vendors - Two recent reports highlight the security and privacy threats posed by third-party vendors. The reports examine companies' procedures for handling third-party vendor permissions and the ability of companies to track these vendors' activities.
http://www.scmagazine.com/reports-find-high-security-risks-among-policies-for-third-party-vendors/article/488382/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - MedStar Health partially restores services after ransomware attack - The organization was reportedly hit with the Samsam ransomware family - MedStar Health said Wednesday it is restoring computer systems following a cyberattack that reportedly involved file-encrypting malware.
http://www.computerworld.com/article/3050018/security/medstar-health-partially-restores-services-after-ransomware-attack.html
FYI - Another Canadian hospital hit with ransomware attack, spreads TeslaCrypt - Malwarebytes researchers spotted a ransomware attack against another Canadian hospital.
http://www.scmagazine.com/attackers-targeted-another-canadian-medical-facility-targeted/article/487154/
FYI - Email server hack behind Panamanian law firm leaks - An email server hack is thought to be behind the leaking of top-secret documents from Panamanian law firm Mossack Fonseca.
http://www.scmagazine.com/email-server-hack-behind-panamanian-law-firm-leaks/article/487256/
FYI - 50 million exposed in Turkish data breach - As many as 50 million Turkish citizens, including the nation's current and former presidents, may have been impacted in a data breach that was revealed to the public today.
http://www.scmagazine.com/50-million-exposed-in-turkish-data-breach/article/487474/
FYI - Ghost Squad Hackers hit Trump sites with DDoS attacks - Ghost Squad Hackers, an offshoot of the hacktivist group Anonymous, claim to have taken down two websites belonging to Donald Trump.
http://www.scmagazine.com/anonymous-offshoot-claims-to-have-taken-down-trump-sites/article/487429/
FYI - MedStar Health almost back online, but other hospitals hit - MedStar Health is reporting that its clinical and management computer systems are almost fully back online, eight days after the medical organization suffered a cyber attack that forced it to shut down its network.
http://www.scmagazine.com/medstar-health-almost-back-online-but-other-hospitals-hit/article/487767/
FYI - Domino's hack: A lifetime of free pizza just one poor security practice away - A poor security practice in the payment authentication process in the Domino's Pizza Android mobile application allowed a U.K. security consultant to order a pizza free of charge.
http://www.scmagazine.com/payment-validation-issue-nets-hacker-a-free-pizza/article/487918/
FYI - Personal laptop, possibly containing data on 5M patients, stolen from HHS facility - A personal laptop and hard drives that may contain sensitive data on close to 5 million medical patients, including Social Security numbers, were stolen from a Washington State federal building, prompting calls for the U.S. Department of Health and Human Services to reveal the extent of the damage.
http://www.scmagazine.com/personal-laptop-possibly-containing-data-on-5m-patients-stolen-from-hhs-facility/article/487917/
FYI - Mattel duped out of $3M in phishing scam, recovers loot - U.S. toy manufacturer Mattel fell victim in April 2015 to a popular phishing campaign known as the fake CEO or fake president scam, but was able to recover its money.
http://www.scmagazine.com/mattel-duped-out-of-3m-in-phishing-scam-recovers-loot/article/487920/
FYI - Australian fashion blogger's Instagram account reportedly hijacked - The Instagram account of Australian fashion blogger Rozalia Russian was hijacked by an American hacker, who extorted $5,000 from her before handing back her credentials.
http://www.scmagazine.com/australian-fashion-bloggers-instragram-account-reportedly-hijacked/article/488111/
FYI - NCT breach compromises info on 15,085 new and expectant parents - A breach at the National Childbirth Trust (NCT) in the U.K. compromised the information of 15,085 users.
http://www.scmagazine.com/uk-charity-nct-suffers-breach-exposing-data-on-15k-users/article/488406/
WEB SITE COMPLIANCE - Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices to consumers. The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means. The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s). The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.
Disclosures are generally required to be "clear and conspicuous." Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures may need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers" and "hotlinks" that will automatically present the disclosures to customers when selected. A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (3 of 5)
The enrollment process establishes the user's identity and anticipated business need for access to information and systems. New employees, IT outsourcing relationships, and contractors may also be identified, and the business need for access determined, during the hiring or contracting process.
During enrollment and thereafter, an authorization process determines user access rights. In certain circumstances the assignment of access rights may be performed only after the manager responsible for each accessed resource approves the assignment and documents the approval. In other circumstances, the assignment of rights may be established by the employee's role or group membership, and managed by pre-established authorizations for that group. Customers, on the other hand, may be granted access based on their relationship with the institution.
Authorization for privileged access should be tightly controlled. Privileged access refers to the ability to override system or application controls. Good practices for controlling privileged access include
! Identifying each privilege associated with each system component,
! Implementing a process to allocate privileges and allocating those privileges either on a need-to-use or an event-by-event basis,
! Documenting the granting and administrative limits on privileges,
! Finding alternate ways of achieving the business objectives,
! Assigning privileges to a unique user ID apart from the one used for normal business use,
! Logging and auditing the use of privileged access,
! Reviewing privileged access rights at appropriate intervals and regularly reviewing privilege access allocations, and
! Prohibiting shared privileged access by multiple users.
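As an added example (not code from the FFIEC booklet or this newsletter), the following script reviews a constructed inventory of privilege grants against the practices listed above: an undocumented approval, a privilege on a normal-business ID, a shared privileged ID, unlogged privileged use, and an overdue periodic review each produce a finding. The record layout, field names and 90-day review cadence are assumptions.

```python
# Added example (not FFIEC's or the newsletter's code): review a constructed
# privilege inventory against the practices listed above. Field names are an
# assumed layout for an institution's privilege-grant records.
from datetime import date

REVIEW_INTERVAL_DAYS = 90          # assumed review cadence
REVIEW_DATE = date(2016, 4, 10)    # constructed "today" for the review

# Constructed inventory: one record per privilege grant.
GRANTS = [
    {"user": "jdoe-adm", "privilege": "db:override_limits", "system": "core",
     "approved_by": "dba-mgr", "last_reviewed": date(2016, 3, 1),
     "normal_use": False, "shared": False, "logged": True},
    {"user": "jdoe", "privilege": "os:root", "system": "batch01",
     "approved_by": None, "last_reviewed": date(2015, 6, 1),
     "normal_use": True, "shared": False, "logged": False},
    {"user": "ops-shared", "privilege": "os:root", "system": "batch01",
     "approved_by": "ops-mgr", "last_reviewed": date(2016, 3, 15),
     "normal_use": False, "shared": True, "logged": True},
]

def review_grant(grant, today=REVIEW_DATE):
    """Return the practices a single grant violates (empty list if none)."""
    findings = []
    if not grant["approved_by"]:
        findings.append("grant not documented: no approving manager recorded")
    if grant["normal_use"]:
        findings.append("privilege sits on the ID used for normal business work")
    if grant["shared"]:
        findings.append("privileged ID shared by multiple users")
    if not grant["logged"]:
        findings.append("use of this privilege is not logged and audited")
    if (today - grant["last_reviewed"]).days > REVIEW_INTERVAL_DAYS:
        findings.append("periodic review of this privilege is overdue")
    return findings

def review_inventory(grants, today=REVIEW_DATE):
    """Map 'user/privilege@system' to its findings; clean grants are omitted."""
    report = {}
    for grant in grants:
        findings = review_grant(grant, today)
        if findings:
            key = f"{grant['user']}/{grant['privilege']}@{grant['system']}"
            report[key] = findings
    return report
```

Running `review_inventory(GRANTS)` on the sample data flags the `jdoe` root grant on four practices and the `ops-shared` account on one, while the separately provisioned `jdoe-adm` account passes.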
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
Computers and the information they process are critical to many organizations' ability to perform their mission and business functions. It therefore makes sense that executives view computer security as a management issue and seek to protect their organization's computer resources as they would any other valuable asset. To do this effectively requires developing a comprehensive management approach.
This chapter presents an organization-wide approach to computer security and discusses its important management function. Because organizations differ vastly in size, complexity, management styles, and culture, it is not possible to describe one ideal computer security program. However, this chapter does describe some of the features and issues common to many federal organizations.
6.1 Structure of a Computer Security Program
Many computer security programs that are distributed throughout the
organization have different elements performing various functions.
While this approach has benefits, the distribution of the computer
security function in many organizations is haphazard, usually based
upon history (i.e., who was available in the organization to do what
when the need arose). Ideally, the distribution of computer security
functions should result from a planned and integrated management
philosophy.
Managing computer security at multiple levels brings many benefits.
Each level contributes to the overall computer security program with
different types of expertise, authority, and resources. In general,
higher-level officials (such as those at the headquarters or unit
levels in the agency described above) better understand the
organization as a whole and have more authority. On the other hand,
lower-level officials (at the computer facility and applications
levels) are more familiar with the specific requirements, both
technical and procedural, and problems of the systems and the users.
The levels of computer security program management should be
complementary; each can help the other be more effective.
Since many organizations have at least two levels of computer
security management, this chapter divides computer security program
management into two levels: the central level and the system level.
(Each organization, though, may have its own unique structure.) The
central computer security program can be used to address the overall
management of computer security within an organization or a major
component of an organization. The system-level computer security
program addresses the management of computer security for a
particular system.