FYI - Global financial firms prepare to step up cyber-security defences - In the next year, 86 percent of financial services firms plan to increase the time and resources they spend on cyber-security. https://www.scmagazine.com/global-financial-firms-prepare-to-step-up-cyber-security-defences/article/648884/

Chinese APT compromised trade association's website to keep tabs on members - A Chinese hacking group is accused of compromising the website of the National Foreign Trade Council in an apparent attempt to spy on the U.S. trade association's members in the days leading up to a key summit between President Donald Trump and Chinese President Xi Jinping. https://www.scmagazine.com/report-chinese-apt-compromised-trade-associations-website-to-keep-tabs-on-members/article/649074/

Competing interests exist between two of the predominant federal agencies tasked with stopping hackers from attacking the U.S., officials say, and that dynamic shapes how and when the government notifies Americans if they’ve been breached. https://www.cyberscoop.com/friction-design-fbi-dhs-disagree-tell-victims-theyve-hacked/

SC Media honors women in security, calls for recommendations - Each year at SC Media, the editorial team along with some of our most trusted advisers consider the tireless, accomplished, well-educated and knowledgeable women practitioners in cybersecurity to profile in our annual Women in Security issue (July-August). https://www.scmagazine.com/sc-media-honors-women-in-security-calls-for-recommendations/article/649384/

Large Teaching Hospitals more prone to breaches - Large teaching hospitals, or hospitals affiliated with medical schools, are more prone to data breaches according to a recent report published JAMA Internal Medicine. https://www.scmagazine.com/hospitals-affiliated-with-education-institutions-linked-to-more-breaches/article/649200/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Wordpress hard pressed by malicious javascript and trojans - Researchers spotted a backdoor trojan that uses torrents as a delivery medium and uses distributed brute force attacks to exploit weak WordPress administrator accounts as well as an infection that injects malicious code into .js files. https://www.scmagazine.com/wordpress-hit-with-torrent-attacks-and-malicious-javascript/article/649042/

Scottrade Bank data breach exposes 20,000 customers' personal information - Scottrade Bank publicly confirmed that the personal information of 20,000 customers was inadvertently left open to the public when a third-party vendor uploaded a file to a server without putting the proper security protocols in place. https://www.scmagazine.com/scottrade-bank-data-breach-exposes-20000-customers-personal-information/article/649030/

Hacker sets off emergency sirens in Dallas - A hacker set off all 156 of Dallas's emergency sirens Friday night. "It does appear at this time it was a hack, and it does appear this came from the Dallas area," Sana Syed, the city's managing director of public information, said at a Saturday news conference. https://www.scmagazine.com/hacker-sets-off-emergency-sirens-in-dallas/article/649471/

GameStop investigating point of sale data breach - GameStop is investigating a possible payment card breach on the retailer's GameStop.com online store, according to published reports. https://www.scmagazine.com/gamestop-investigating-point-of-sale-data-breach/article/649383/

SWIFT codes targeted in Union Bank of India cyberattack - Hackers launched an attack against the Union Bank of India that was very similar to the Bangladesh bank heist that resulted in the theft of $81 million last year. https://www.scmagazine.com/union-bank-of-india-cyberattacked-similar-to-bangladesh-heist/article/649857/

Data on 918K seniors exposed on diabetes site - A database containing personal information of 918,000 seniors seeking discounts on diabetes supplies was revealed to be exposing its contents for months freely online. https://www.scmagazine.com/data-on-918k-seniors-exposed-on-diabetes-site/article/649864/

Hackers use college student loans tool to steal $30 million - Up to 100,000 people are exposed to identity theft after thieves exploited an IRS tool meant to help students apply for college loans. https://www.cnet.com/news/hackers-used-college-student-loans-tool-to-steal-30-million/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
  
  Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 2 of 3)
  
  3. Banks should adopt appropriate procedures for ensuring the adequacy of contracts governing e-banking. Contracts governing outsourced e-banking activities should address, for example, the following:
  
  a)  The contractual liabilities of the respective parties as well as responsibilities for making decisions, including any sub-contracting of material services are clearly defined.
  
  b)   Responsibilities for providing information to and receiving information from the service provider are clearly defined. Information from the service provider should be timely and comprehensive enough to allow the bank to adequately assess service levels and risks. Materiality thresholds and procedures to be used to notify the bank of service disruptions, security breaches and other events that pose a material risk to the bank should be spelled out.
  
  c)   Provisions that specifically address insurance coverage, the ownership of the data stored on the service provider's servers or databases, and the right of the bank to recover its data upon expiration or termination of the contract should be clearly defined.
  
  d)   Performance expectations, under both normal and contingency circumstances, are defined. 
  
  e)  Adequate means and guarantees, for instance through audit clauses, are defined to insure that the service provider complies with the bank's policies. 
  
  f)   Provisions are in place for timely and orderly intervention and rectification in the event of substandard performance by the service provider.
  
  g)   For cross-border outsourcing arrangements, determining which country laws and regulations, including those relating to privacy and other customer protections, are applicable.
  
  h)  The right of the bank to conduct independent reviews and/or audits of security, internal controls and business continuity and contingency plans is explicitly defined.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
  
  Hardening Systems
  
  Many financial institutions use commercial off-the-shelf (COTS) software for operating systems and applications. COTS systems generally provide more functions than are required for the specific purposes for which it is employed. For example, a default installation of a server operating system may install mail, Web, and file-sharing services on a system whose sole function is a DNS server. Unnecessary software and services represent a potential security weakness. Their presence increases the potential number of discovered and undiscovered vulnerabilities present in the system. Additionally, system administrators may not install patches or monitor the unused software and services to the same degree as operational software and services. Protection against those risks begins when the systems are constructed and software installed through a process that is referred to as hardening a system.
  
  When deploying off-the-shelf software, management should harden the resulting system. Hardening includes the following actions:
  
  ! Determining the purpose of the system and minimum software and hardware requirements;
  ! Documenting the minimum hardware, software and services to be included on the system;
  ! Installing the minimum hardware, software, and services necessary to meet the requirements using a documented installation procedure;
  ! Installing necessary patches;
  ! Installing the most secure and up-to-date versions of applications;
  ! Configuring privilege and access controls by first denying all, then granting back the minimum necessary to each user;
  ! Configuring security settings as appropriate, enabling allowed activity, and disallowing other activity;
  ! Enabling logging;
  ! Creating cryptographic hashes of key files;
  ! Archiving the configuration and checksums in secure storage prior to system deployment;
  ! Testing the system to ensure a secure configuration;
  ! Using secure replication procedures for additional, identically configured systems, making configuration changes on a case-by-case basis;
  ! Changing all default passwords; and
  ! Testing the resulting systems.
  
  After deployment, the COTS systems may need updating with current security patches. Additionally, the systems should be periodically audited to ensure that the software present on the systems is authorized and properly configured.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Section III. Operational Controls - Chapter 10
 
 10.2.2 Audit and Management Reviews
 
 From time to time, it is necessary to review user account management on a system. Within the area of user access issues, such reviews may examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth.
 
 These reviews can be conducted on at least two levels:80 (1) on an application-by-application basis or (2) on a systemwide basis. Both kinds of reviews can be conducted by, among others, in-house systems personnel (a self-audit), the organization's internal audit staff, or external auditors. For example, a good practice is for application managers (and data owners, if different) to review all access levels of all application users every month -- and sign a formal access approval list, which will provide a written record of the approvals. While it may initially appear that such reviews should be conducted by systems personnel, they usually are not fully effective. System personnel can verify that users only have those accesses that their managers have specified. However because access requirements may change over time, it is important to involve the application manager, who is often the only individual in a position to know current access requirements.
 
 Outside audit organizations (e.g., the Inspector General [IG] or the General Accounting Office) may also conduct audits. For example, the IG may direct a more extensive review of permissions. This may involve discussing the need for particular access levels for specific individuals or the number of users with sensitive access. For example, how many employees should really have authorization to the check-printing function? (Auditors will also examine non-computer access by reviewing, for example, who should have physical access to the check printer or blank-check stock.)