REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
FYI
- Technology is not the only answer when it comes to security - In
the midst of these heady times of rapid change and advancement,
there is a growing consensus that it is time to take a step back and
reassess the bigger picture.
http://www.scmagazine.com/technology-is-not-the-only-answer-when-it-comes-to-security/article/342962/
FYI
- U.S. Promises Not to Sue Companies for Discussing Hacks - The
Justice Department and the Federal Trade Commission issued a formal
policy statement Thursday, assuring businesses that they will not
face federal lawsuits for sharing information with each other about
attacks on their computer systems.
http://www.nextgov.com/cybersecurity/2014/04/us-promises-not-sue-companies-discussing-hacks/82321/
http://www.scmagazine.com/ftc-justice-dept-say-antitrust-laws-shouldnt-block-cyber-threat-disclosure/article/342210/
FYI
- Pentagon to triple its security workforce by 2016 - Defense
Secretary Chuck Hagel announced Pentagon efforts to strengthen its
U.S. Cyber Command in coming years. By 2016, the Fort Meade,
Md.-based military command expects to triple its security staff to
6,000 people, he said.
http://www.scmagazine.com/pentagon-to-triple-its-security-workforce-by-2016/article/342785/
FYI
- Only three of 43 police forces able to tackle cybercrime challenges
- Her Majesty's Inspectorate of Constabulary (HMIC) warned in its
Strategic Policing Requirement report that despite heavy investment
and development strategies set by the government, digital issues
continue to baffle police.
http://www.v3.co.uk/v3-uk/news/2339161/only-three-of-43-police-forces-able-to-tackle-cybercrime-challenges
FYI
- Judge denies Wyndham motion challenging FTC authority - On Monday, a
U.S. District Court denied (PDF) Wyndham Worldwide's motion to
dismiss FTC claims accusing the hotelier of “unfair” and “deceptive”
practices related to its failure to adequately secure consumer data.
http://www.scmagazine.com/judge-denies-wyndham-motion-challenging-ftc-authority/article/341862/
FYI
- Bank of America target of class-action suit for 2012 breach - Bank
of America was hit with a class action suit in California earlier
this week charging that the company is liable for identity theft and
fraud in the aftermath of a 2012 data breach, according to documents
filed in the California Superior Court, County of Los Angeles, and
reported on by Law360.
http://www.scmagazine.com/bank-of-america-target-of-class-action-suit-for-2012-breach/article/342387/
FYI
- Kentucky becomes 47th state to pass data breach notification laws
- Gov. Steve Beshear signed a bill on Thursday that means data
breaches can no longer go unreported in Kentucky.
http://www.scmagazine.com/kentucky-becomes-47th-state-to-pass-data-breach-notification-laws/article/342585/
FYI
- Texas man receives 14 more charges for brute-force attack - A
Texas man who attempted to access the Hidalgo County server received
additional charges this past week.
http://www.scmagazine.com/texas-man-receives-14-more-charges-for-brute-force-attack/article/342613/
FYI
- U.S. rallied 120 nations in response to 2012 cyberattack on
American banks - In the spring of 2012, some of the largest banks in
the United States were coming under attack, with hackers
commandeering servers around the world to direct a barrage of
Internet traffic toward the banks’ Web sites.
http://www.washingtonpost.com/world/national-security/us-rallied-multi-nation-response-to-2012-cyberattack-on-american-banks/2014/04/11/7c1fbb12-b45c-11e3-8cb6-284052554d74_story.html
FYI
- UK cosmetic surgery group extorted by hacker that stole data on
500K - Individuals that submitted inquiries on the Harley Medical
Group (HMG) website may have had their personal information stolen
by an attacker that hoped to extort the UK-based cosmetic surgery
company for money.
http://www.scmagazine.com/uk-cosmetic-surgery-group-extorted-by-hacker-that-stole-data-on-500k/article/342755/
FYI
- Data on 55,000 VFW members impacted by attacker seeking military
intel - About 55,000 members of the Veterans of Foreign Wars of the
United States (VFW) may have had personal information – including
Social Security numbers – compromised after an unauthorized party
gained access to a VFW web server using a remote access trojan and
malicious code.
http://www.scmagazine.com/data-on-55000-vfw-members-impacted-by-attacker-seeking-military-intel/article/342690/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Latest UMD 'intrusion' linked to IT worker exposing security issues,
account shows - A software engineer revealed that the FBI raided his
home after his attempts to expose a security issue impacting the
University of Maryland's systems.
http://www.scmagazine.com/latest-umd-intrusion-linked-to-it-worker-exposing-security-issues-account-shows/article/342202/
FYI
- 80,000 Employees of Federal Contractors Compromised in Cyberattack -
Personal information of about 80,000 employees of federal
contractors was compromised in a cyberattack last month, including
credit card details of as many as 25,000, a business research and
software firm.
http://www.nextgov.com/cybersecurity/2014/04/80000-employees-federal-contractors-compromised-cyberattack/82222/
FYI
- Card skimming device found on NYC subway station machine - A card
skimming device and camera were found at a New York City subway
station last night after an astute commuter notified Metropolitan
Transportation Authority (MTA) officials.
http://www.scmagazine.com/card-skimming-device-found-on-nyc-subway-station-machine/article/342361/
FYI
- More than 1,400 medical records compromised in Texas breach -
Unauthorized access was gained to the Electronic Health Record (EHR)
system used by Texas-based Lubbock Cardiology Clinic (LCC), which
resulted in the compromise of more than 1,400 medical records.
http://www.scmagazine.com/more-than-1400-medical-records-compromised-in-texas-breach/article/342360/
FYI
- American Funds urges password change to counter 'Heartbleed' bug -
American Funds, the No. 3 U.S. mutual fund family, advised some
customers to change user names and passwords on Wednesday as the
number of companies and people affected by the notorious
"Heartbleed" bug grows.
http://www.reuters.com/article/2014/04/16/us-cybersecurity-heartbleed-funds-idUSBREA3F1B520140416
FYI
- Heartbleed bug: Check which sites have been patched - We compiled
a list of the top 100 sites across the Web, and checked to see if
the Heartbleed bug was patched. - The Heartbleed bug is serious.
Disclosed less than two days ago, the Heartbleed bug has sent sites
and services across the Internet into patch mode.
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Hackers may use "social engineering," a scheme using social
techniques to obtain technical information required to access a
system. A hacker may claim to be someone authorized to access the
system, such as an employee or a certain vendor or contractor. The
hacker may then attempt to get a real employee to reveal user names
or passwords, or even set up new computer accounts. Another threat
involves the practice of "war-dialing," in which hackers use a
program that automatically dials telephone numbers and searches for
modem lines that bypass network firewalls and other security
measures. A few other common forms of system attack include:
- Denial of service (system failure), which is any action
preventing a system from operating as intended. It may be the
unauthorized destruction, modification, or delay of service. For
example, in a "SYN Flood" attack, a system can be flooded with
requests to establish a connection, leaving the system with more
open connections than it can support. Then, legitimate users of the
system being attacked are not allowed to connect until the open
connections are closed or can time out.
- Internet Protocol (IP) spoofing, which allows an intruder via
the Internet to effectively impersonate a local system's IP address
in an attempt to gain access to that system. If other local systems
perform session authentication based on a connection's IP address,
those systems may misinterpret incoming connections from the
intruder as originating from a local trusted host and not require a
password.
- Trojan horses, which are programs that contain additional
(hidden) functions that usually allow malicious or unintended
activities. A Trojan horse program generally performs unintended
functions that may include replacing programs, or collecting,
falsifying, or destroying data. Trojan horses can be attached to
e-mails and may create a "back door" that allows unrestricted access
to a system. The programs may automatically exclude logging and
other information that would allow the intruder to be traced.
- Viruses, which are computer programs that may be embedded in
other code and can self-replicate. Once active, they may take
unwanted and unexpected actions that can result in either
nondestructive or destructive outcomes in the host computer
programs. The virus program may also move into multiple platforms,
data files, or devices on a system and spread through multiple
systems in a network. Virus programs may be contained in an e-mail
attachment and become active when the attachment is opened.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Policy (Part 3 of 3)
Financial institutions can reduce their vulnerability to these
attacks somewhat through network configuration and design, sound
implementation of their firewall architecture that includes multiple
filter points, active firewall monitoring and management, and
integrated intrusion detection. In most cases, additional access
controls within the operating system or application will provide an
additional means of defense.
Given the importance of firewalls as a means of access control, good
practices include:
- Hardening the firewall by removing all unnecessary services and
appropriately patching, enhancing, and maintaining all software on
the firewall unit;
- Restricting network mapping capabilities through the firewall,
primarily by blocking inbound ICMP traffic;
- Using a ruleset that disallows all traffic that is not
specifically allowed;
- Using NAT and split DNS (domain name service) to hide internal
system names and addresses from external networks (split DNS uses
two domain name servers, one to communicate outside the network, and
the other to offer services inside the network);
- Using proxy connections for outbound HTTP connections;
- Filtering malicious code;
- Backing up firewalls to internal media, and not backing up the
firewall to servers on protected networks;
- Logging activity, with daily administrator review;
- Using intrusion detection devices to monitor actions on the
firewall and to monitor communications allowed through the firewall;
- Administering the firewall using encrypted communications and
strong authentication, only accessing the firewall from secure
devices, and monitoring all administrative access;
- Limiting administrative access to few individuals; and
- Making changes only through well-administered change control
procedures.
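
Several of the practices listed above (a default-deny ruleset, blocked inbound ICMP, encrypted and source-restricted administration, logging) can be checked automatically against an exported ruleset. The following is an added example, not part of the FFIEC booklet or this newsletter; it assumes iptables-save style input, and the port choices, sample rulesets and the address 192.0.2.10 are constructed for illustration.

```python
import shlex
ADMIN_PORTS = {"22"}      # assumption: the firewall is administered over SSH
CLEARTEXT_PORTS = {"23"}  # telnet, i.e. unencrypted administration

def audit(ruleset):
    """Check an iptables-save style filter table against the practices above."""
    findings, policies, has_log = [], {}, False
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith(":"):          # chain policy, e.g. ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        opt = {a: b for a, b in zip(tok[2:], tok[3:]) if a.startswith("-")}
        target, port = opt.get("-j"), opt.get("--dport")
        has_log = has_log or target == "LOG"
        if tok[1] not in ("INPUT", "FORWARD") or target != "ACCEPT":
            continue
        if opt.get("-p") == "icmp":
            findings.append("inbound ICMP accepted: " + line)
        if port in CLEARTEXT_PORTS:
            findings.append("cleartext admin protocol allowed: " + line)
        if port in ADMIN_PORTS and "-s" not in opt:
            findings.append("admin port open to any source: " + line)
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(chain + " policy is not default-deny")
    if not has_log:
        findings.append("no LOG rule, so nothing for the daily review")
    return findings

# Constructed sample rulesets (not taken from any real firewall).
WEAK = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT"""
HARDENED = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-DROP "
COMMIT"""
for label, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
    print(label, audit(rules) or "no findings")
```

The parser reads only simple option/value pairs; negated matches (`!`) and multiport rules would need explicit handling.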
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
45. If the institution receives information from a
nonaffiliated financial institution other than under an exception in
§14 or §15, does the institution refrain from disclosing the
information except:
a. to the affiliates of the financial institution from which it
received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the same
disclosure restrictions as the recipient institution;
[§11(b)(1)(ii)] and
c. to any other person, if the disclosure would be lawful if made
directly to that person by the institution from which the recipient
institution received the information? [§11(b)(1)(iii)]