FYI
- PCI SSC updates security standards for making of payment cards -
The PCI Security Standards Council (PCI SSC) has updated its
security requirements to improve the security of data and other
components in the making of payment cards.
http://www.scmagazine.com/pci-ssc-updates-security-standards-for-making-of-payment-cards/article/409060/
FYI
- After July 14, 2015 Microsoft will no longer issue security
updates for any version of Windows Server 2003.
http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/
FYI
- Destructive hacking attempts target critical infrastructure in
Americas - Hacking attacks that destroy rather than steal data or
that manipulate equipment are far more prevalent than widely
believed, according to a survey of critical infrastructure
organizations throughout North and South America.
http://www.reuters.com/article/2015/04/07/us-cybersecurity-americas-idUSKBN0MY06Z20150407
FYI
- AT&T To Pay $25M To Settle Investigation Into Three Data Breaches
- The Federal Communications Commission has entered a $25 million
settlement with AT&T Services, Inc. to resolve an investigation into
consumer privacy violations at AT&T’s call centers in Mexico,
Colombia, and the Philippines.
http://www.fcc.gov/document/att-pay-25m-settle-investigation-three-data-breaches-0
FYI
- FBI Warns That WordPress Faces Terrorist Attack Risk - The Federal
Bureau of Investigation issued an alert on April 7 about the
potential danger of Islamic State (ISIS) terrorists abusing
vulnerabilities in the open-source WordPress blog and content
management system software.
http://www.eweek.com/blogs/security-watch/fbi-warns-that-wordpress-faces-terrorist-attack-risk.html
FYI
- Wall St. Is Told to Tighten Digital Security of Partners - Wall
Street’s oversight of cybersecurity measures at outside firms it
does business with remains a work in progress, according to a review
by New York State’s top financial regulator.
http://www.nytimes.com/2015/04/09/business/dealbook/wall-st-is-told-to-tighten-digital-security-of-partners.html?_r=0
FYI
- U.S. secretly tracked billions of calls for decades - The U.S.
government started keeping secret records of Americans'
international telephone calls nearly a decade before the Sept. 11
terrorist attacks, harvesting billions of calls in a program that
provided a blueprint for the far broader National Security Agency
surveillance that followed.
http://www.usatoday.com/story/news/2015/04/07/dea-bulk-telephone-surveillance-operation/70808616/
FYI
- 65 percent of online tax filers do so on open access WiFi network
- Nearly half of Americans file their taxes online, and of those who
do, 65 percent file them on an open access WiFi network, according
to new research from Protect Your Bubble, an identity theft
protection provider.
http://www.scmagazine.com/protect-your-bubble-conducts-identity-fraud-practices-survey/article/408527/
FYI
- Ninety percent of companies are vulnerable to cyber attacks,
security experts say. The chances of another company suffering the
devastating effects of a cyberattack like the one perpetrated on
Sony last year are not as remote as we would like to believe,
security researchers say.
http://www.cnet.com/news/thousands-could-launch-sony-style-cyber-attack-says-ex-hacker/
FYI
- GAO - FAA Needs a More Comprehensive Approach to Address
Cybersecurity As Agency Transitions to NextGen.
http://www.gao.gov/products/GAO-15-370
FYI
- Hinkley to replace founder Grossman as WhiteHat CEO - WhiteHat has
named Craig Hinkley as CEO, replacing company founder, Jeremiah
Grossman, who has served as interim CEO since the departure of
Stephanie Fohn in 2014.
http://www.scmagazine.com/craig-hinkley-takes-helm-as-whitehat-ceo/article/409050/
FYI
- Whistleblowers' lawyer claims Ark. police dept. put malware on
hard drive - A lawyer representing three whistleblowers – all from a
police department in Fort Smith – in a case before an Arkansas
circuit court has accused the department of planting malware on an
external hard drive he had provided for the department to populate
with emails and other information he had requested in discovery.
http://www.scmagazine.com/hard-drive-from-police-department-contained-four-trojans-attorney-says/article/409320/
FYI
- GAO warns FAA of internet-connected systems - The Government
Accountability Office (GAO) issued its second report of the year on
the Federal Aviation Administration's (FAA) inadequate cybersecurity
practices and warned the agency that its in-flight Wi-Fi, among
other things, could put aircraft and passengers at risk.
http://www.scmagazine.com/gao-issues-report-on-faa-practices/article/409315/
FYI
- Target expected to pay $20 million to MasterCard for breach -
Negotiations over the settlement between Target and MasterCard are
expected to come to a close by the end of the week. The retailer is
expected to pay the credit card company nearly $20 million to cover
the costs incurred from its major data breach in 2013, the Wall
Street Journal reports.
http://www.scmagazine.com/target-expected-to-reach-settlement-with-mastercard-for-20-million/article/409302/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Banking threat Emotet expands target list, evades two-factor auth
- Kaspersky researchers have analyzed the latest updates to banking
malware, called Emotet – which has primarily been used to target
online banking customers throughout Europe through social
engineering.
http://www.scmagazine.com/emotet-targets-online-banking-customers-through-social-engineering/article/408508/
FYI
- Bitcoin exchange compromised through SendGrid account - The
SendGrid email service favored by companies like Uber and Spotify
was used by hackers to worm their way into the Coinbase Bitcoin
exchange.
http://www.scmagazine.com/bitcoin-exchange-compromised-through-sendgrid-account/article/408515/
FYI
- Biggby Coffee announces website intrusion, access gained to
database - Michigan-based Biggby Coffee announced that an intruder
forced their way into its systems and accessed a database containing
personal information.
http://www.scmagazine.com/biggby-coffee-announces-website-intrusion-access-gained-to-database/article/408510/
FYI
- Hacked French network exposed its own passwords during TV
interview - A Post-it note on the wall revealed the network's
passwords for YouTube and Instagram. While French authorities
continued investigating how the TV5Monde network had 11 of its
stations' signals interrupted the night before, one of its staffers
demonstrated just how plausibly a basic password theft might have
led to the incident.
http://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/
FYI
- 8th grader charged with felony hacking for changing teacher's
digital wallpaper - A Florida middle school student pulled a
'teenage prank' on his teacher, changing the school PC desktop
background image, but the 14-year-old now faces felony hacking
charges.
http://www.computerworld.com/article/2909321/8th-grader-charged-with-felony-hacking-for-changing-teachers-digital-wallpaper.html
FYI
- California-based home care services co. notifies employees of data
breach, tax fraud - California-based Homebridge, formerly In-Home
Supportive Services (IHSS) Consortium, is notifying an undisclosed
number of current and former employees that unauthorized access was
gained to human resource records, and that the stolen personal
information may have been used to file fraudulent tax return forms.
http://www.scmagazine.com/california-based-home-care-services-co-notifies-employees-of-data-breach-tax-fraud/article/409006/
WEB SITE COMPLIANCE - We conclude the series on FDIC Supervisory
Insights regarding Incident Response Programs. (12 of 12)
What the Future Holds
In addition to meeting regulatory requirements and addressing
applicable industry best practices, several characteristics tend to
differentiate banks. The most successful banks will find a way to
integrate incident response planning into normal operations and
business processes. Assimilation efforts may include expanding
security awareness and training initiatives to reinforce incident
response actions, revising business continuity plans to incorporate
security incident responses, and implementing additional security
monitoring systems and procedures to provide timely incident
notification. Ultimately, the adequacy of a bank's IRP reflects on
the condition of the information security program along with
management's willingness and ability to manage information
technology risks. In essence, incident response planning is a
management process, the comprehensiveness and success of which
provide insight into the quality and attentiveness of management. In
this respect, the condition of a bank's IRP, and the results of
examiner review of the incident response planning process, fit well
within the objectives of the information technology examination as
described in the Information Technology-Risk Management Program.
An IRP is a critical component of a well-formed and effective
information security program and has the potential to provide
tangible value and benefit to a bank. Similar to the importance of a
business continuity planning program as it relates to the threat of
natural and man-made disasters, sound IRPs will be necessary to
combat new and existing data security threats facing the banking
community. Given the high value placed on the confidential customer
information held within the financial services industry, coupled
with the publicized success of known compromises, one can reasonably
assume that criminals will continue to probe an organization's
defenses in search of weak points. The need for response programs is
real and has been recognized as such by not only state and Federal
regulatory agencies (through passage of a variety of legal
requirements), but by the banking industry itself. The challenges
each bank faces are to develop a reasonable IRP providing
protections for the bank and the consumer and to
incorporate the IRP into a comprehensive, enterprise-wide
information security program. The most successful banks will exceed
regulatory requirements to leverage the IRP for business advantages
and, in turn, improved protection for the banking industry as a
whole.
FFIEC IT SECURITY - We conclude our series on the FFIEC interagency
Information Security Booklet.
MONITORING AND UPDATING
- UPDATING
Financial institutions should evaluate the information gathered to
determine the extent of any required adjustments to the various
components of their security program. The institution will need to
consider the scope, impact, and urgency of any new threat. Depending
on the new threat or vulnerability, the institution will need to
reassess the risk and make changes to its security process (e.g.,
the security strategy, the controls implementation, or the security
testing requirements).
Institution management confronts routine security issues and events
on a regular basis. In many cases, the issues are relatively
isolated and may be addressed through an informal or targeted risk
assessment embedded within an existing security control process. For
example, the institution might assess the risk of a new operating
system vulnerability before testing and installing the patch. More
systemic events like mergers, acquisitions, new systems, or system
conversions, however, would warrant a more extensive security risk
assessment. Regardless of the scope, the potential impact and the
urgency of the risk exposure will dictate when and how controls are
changed.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.3.1 Payroll Fraud
As for most large organizations that control financial assets,
attempts at fraud and embezzlement are likely to occur.
Historically, attempts at payroll fraud have almost always come from
within HGA or the other agencies that operate systems on which HGA
depends. Although HGA has thwarted many of these attempts, and some
have involved relatively small sums of money, it considers
preventing financial fraud to be a critical computer security
priority, particularly in light of the potential financial losses
and the risks of damage to its reputation with Congress, the public,
and other federal agencies.
Attempts to defraud HGA have included the following:
- Submitting fraudulent time
sheets for hours or days not worked, or for pay periods
following termination or transfer of employment. The former
may take the form of overreporting compensatory or overtime
hours worked, or underreporting vacation or sick leave
taken. Alternatively, attempts have been made to modify time
sheet data after being entered and approved for submission
to payroll.
- Falsifying or modifying
dates or data on which one's "years of service" computations
are based, thereby becoming eligible for retirement earlier
than allowed, or increasing one's pension amount.
- Creating employee records
and time sheets for fictitious personnel, and attempting to
obtain their paychecks, particularly after arranging for
direct deposit.
20.3.2 Payroll Errors
Of greater likelihood, but of perhaps lesser potential impact on
HGA, are errors in the
entry of time and attendance data; failure to enter information
describing new employees, terminations, and transfers in a timely
manner; accidental corruption or loss of time and attendance data;
or errors in interagency coordination and processing of personnel
transfers.
Errors of these kinds can cause financial difficulties for employees
and accounting
problems for HGA. If an employee's vacation or sick leave balance
became negative erroneously during the last pay period of the year,
the employee's last paycheck would be automatically reduced. An
individual who transfers between HGA and another agency may risk
receiving duplicate paychecks or no paychecks for the pay periods
immediately following the transfer. Errors of this sort that occur
near the end of the year can lead to errors in W-2 forms and
subsequent difficulties with the tax collection agencies.
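The fraud patterns listed in 20.3.1 and the error conditions in 20.3.2 can both be turned into routine payroll control checks. The following is an added illustration, not code from the NIST Handbook or from HGA: it runs simple detective controls (no HR record, pay period after termination, edits after approval, excessive overtime, negative leave balance) over constructed sample records whose IDs, dates and the 20-hour overtime threshold are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class TimeSheet:
    emp_id: str
    period_end: date
    overtime_hours: float
    approved_on: Optional[date]  # None means not yet approved
    last_modified: date

def check_timesheet(ts, term_dates, max_overtime=20.0):
    """Control flags raised by one time sheet; an empty list means clean."""
    flags = []
    if ts.emp_id not in term_dates:
        flags.append("NO_HR_RECORD")  # time sheet for fictitious personnel
    elif (term := term_dates[ts.emp_id]) is not None and ts.period_end > term:
        flags.append("POST_TERMINATION")  # pay period after termination or transfer
    if ts.approved_on is not None and ts.last_modified > ts.approved_on:
        flags.append("MODIFIED_AFTER_APPROVAL")  # edited after supervisor sign-off
    if ts.overtime_hours > max_overtime:
        flags.append("EXCESSIVE_OVERTIME")  # overreported compensatory/overtime hours
    return flags

def check_leave(vacation, sick):
    # A negative balance is an error signal: it would cut the next paycheck.
    return ["NEGATIVE_LEAVE"] if vacation < 0 or sick < 0 else []

def run_checks(term_dates, timesheets, balances):
    # Map (emp_id, record) -> flags for every record that raised at least one.
    report = {}
    for ts in timesheets:
        if flags := check_timesheet(ts, term_dates):
            report[(ts.emp_id, ts.period_end.isoformat())] = flags
    for emp_id, (vacation, sick) in balances.items():
        if flags := check_leave(vacation, sick):
            report[(emp_id, "leave")] = flags
    return report

# Constructed sample records; every ID and date below is hypothetical.
TERM_DATES = {"E100": None, "E200": date(2015, 3, 31)}  # HR roster: None = still employed
TIMESHEETS = [
    TimeSheet("E100", date(2015, 4, 15), 8.0, date(2015, 4, 16), date(2015, 4, 15)),  # clean
    TimeSheet("E200", date(2015, 4, 15), 0.0, date(2015, 4, 16), date(2015, 4, 15)),  # after termination
    TimeSheet("E100", date(2015, 4, 30), 32.0, date(2015, 5, 1), date(2015, 5, 3)),  # edited late, heavy OT
    TimeSheet("E999", date(2015, 4, 30), 0.0, None, date(2015, 4, 30)),  # no HR record
]
BALANCES = {"E100": (12.0, 4.0), "E200": (-3.0, 0.0)}  # (vacation, sick) hours
```

Calling `run_checks(TERM_DATES, TIMESHEETS, BALANCES)` returns four flagged records and leaves the clean first time sheet out of the report.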