FYI
- Workers like to circumvent corporate cybersecurity policies, study
- Researchers found that 95 percent of enterprises surveyed had
employees who were actively circumventing corporate security protocols.
https://www.scmagazine.com/study-finds-most-employees-actively-circumventing-security-protocols/article/651335/
Cultivating a cybersecurity-first corporate culture - After Sept.
11, New York City's Metropolitan Transportation Authority came up
with a tagline intended to make citizens aware that each person is
on the front line when it comes to defending the metropolis against
another terror attack.
https://www.scmagazine.com/cultivating-a-cybersecurity-first-corporate-culture/article/650837/
SWIFT on security: Fresh anti-bank-fraud defenses now live -
Inter-bank data comms biz SWIFT says it has introduced mechanisms to
better protect money transfers from tampering.
http://www.theregister.co.uk/2017/04/13/swift_antifraud_payments_service/
Professional hackers from the NSA, U.S. Cyber Command and foreign
militaries are launching a barrage of simulated cyberattacks this
week as part of a training exercise to help teach students at the
service academies for the Navy, Army, Coast Guard, U.S. Merchant
Marine and Canadian Royal Military how to better defend sensitive
computer networks.
https://www.cyberscoop.com/inside-nsas-cdx-high-tech-competition-pitting-cadets-elite-attackers/
What it takes to be a security consultant - The move to security
consultant can be rewarding and challenging (in a good way), but be
prepared to market and sell yourself and your services.
http://www.networkworld.com/article/3190245/careers/what-it-takes-to-be-a-security-consultant.html
Over three quarters of UK public unaware Snooper's Charter was
passed - As per the recent Investigatory Powers Act otherwise known
as the “Snooper's Charter”, UK intelligence agencies were given the
green light to access personal data from browsing histories.
https://www.scmagazine.com/over-three-quarters-of-uk-public-unaware-snoopers-charter-was-passed/article/650843/
Sysadmin 'trashed old bosses' Oracle database with ticking logic
bomb' - Always ensure the office laptop gets returned - A systems
administrator is being sued by his ex-employer, which has accused
the IT bod of planting a ticking time-bomb on the company's servers to
wipe crucial data.
http://www.theregister.co.uk/2017/04/14/sysadmin_crash_former_employers_oracle_db/
GAO - Financial Technology: Information on Subsectors and Regulatory
Oversight.
Report:
http://www.gao.gov/products/GAO-17-361
Highlights:
http://www.gao.gov/assets/690/684186.pdf
New York men plead guilty to ATM theft scheme using skimmers and
hidden cameras - What Happened? Three New York-area men have
separately pleaded guilty in federal court to one count of
conspiracy to commit bank fraud, in relation to the theft of at
least $428,581 in funds from various New Jersey banking locations.
https://www.scmagazine.com/new-york-men-plead-guilty-to-atm-theft-scheme-using-skimmers-and-hidden-cameras/article/651614/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Hacked Dallas sirens get extra encryption to fend off future
attacks - The hack may have been a simple ‘replay attack’ of a siren
activation test signal.
http://computerworld.com/article/3189079/security/hacked-dallas-sirens-get-extra-encryption-to-fend-off-future-attacks.html
1.5 million records lost in March health care industry data breaches
- A sharp spike in the number of health care data breaches was
recorded in March, with 39 incidents taking place compromising more
than 1.5 million patient records.
https://www.scmagazine.com/15-million-records-lost-in-march-health-care-industry-data-breaches/article/650567/
FDA warns Abbott on cybersecurity woes with St. Jude heart devices -
The Federal Drug Administration (FDA) Thursday warned Abbott
Laboratories of cybersecurity and other issues relating to heart
devices made by St. Jude Medical, which Abbott acquired earlier this
year.
https://www.scmagazine.com/fda-warns-abbott-on-cybersecurity-woes-with-st-jude-heart-devices/article/650733/
U.K. Foreign Office targeted by Callisto Group hackers - Attackers
targeted the U.K.'s Foreign Office with a spear-phishing campaign
believed to have begun in April 2016.
https://www.scmagazine.com/uk-foreign-office-targeted-by-callisto-group-hackers/article/650435/
W-2 data breach at Westminster College - A breach of employee
information in January at Westminster College in Missouri did not
affect student academic records or financial aid information,
officials stated this past Saturday, according to a report in the
Columbia Daily Tribune.
https://www.scmagazine.com/w-2-data-breach-at-westminster-college/article/650860/
Hacker served Shoney's POS malware for three months - Best American
Hospitality Corp. reported that 37 of the Shoney's restaurants it
manages and operates were hit with point-of-sale (POS) malware
starting in late December and lasting through early March.
https://www.scmagazine.com/hacker-served-shoneys-pos-malware-for-three-months/article/650998/
Update to RingGo app leaves thousands of UK drivers' data exposed -
An update to car parking payment app "RingGo" has led to the
exposure of the personal details of thousands of UK drivers.
https://www.scmagazine.com/update-to-ringgo-app-leaves-thousands-of-uk-drivers-data-exposed/article/651024/
2015 Neiman Marcus data breach more damaging than first reported -
Neiman Marcus is not having a good month as far as public relations
are concerned.
https://www.scmagazine.com/2015-neiman-marcus-data-breach-more-damaging-than-first-reported/article/651140/
Details on 1.7M Snapchat users allegedly posted in India - Snapchat
CEO Evan Spiegel might want to tone down his comments while
discussing the target demographic for his app.
https://www.scmagazine.com/details-on-17m-snapchat-users-allegedly-posted-in-india/article/651130/
Australian businesses hit with email scam - An elaborate email scam
is unfolding in Australia that is infecting computers with malware,
according to a post on the MailGuard blog.
https://www.scmagazine.com/australian-businesses-hit-with-email-scam/article/651629/
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Sound Practices for Managing Outsourced E-Banking Systems and
Services (Part 3 of 3)
4. Banks should ensure that periodic independent internal and/or
external audits are conducted of outsourced operations to at least
the same scope required if such operations were conducted in-house.
a) For outsourced relationships involving critical or
technologically complex e-banking services/applications, banks may
need to arrange for other periodic reviews to be performed by
independent third parties with sufficient technical expertise.
5. Banks should develop appropriate contingency plans for
outsourced e-banking activities.
a) Banks need to develop and periodically test their contingency
plans for all critical e-banking systems and services that have been
outsourced to third parties.
b) Contingency plans should address credible worst-case scenarios
for providing continuity of e-banking services in the event of a
disruption affecting outsourced operations.
c) Banks should have an identified team that is responsible for
managing recovery and assessing the financial impact of a disruption
in outsourced e-banking services.
6. Banks that provide e-banking services to third parties should
ensure that their operations, responsibilities, and liabilities are
sufficiently clear so that serviced institutions can adequately
carry out their own effective due diligence reviews and ongoing
oversight of the relationship.
a) Banks have a responsibility to provide serviced institutions
with information necessary to identify, control and monitor any
risks associated with the e-banking service arrangement.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER
EQUIPMENT ACQUISITION AND MAINTENANCE
System Patches
Software support should incorporate a process to update and
patch operating system and application software for new
vulnerabilities. Frequently, security vulnerabilities are discovered
in operating systems and other software after deployment. Vendors
often issue software patches to correct those vulnerabilities.
Financial institutions should have an effective monitoring process
to identify new vulnerabilities in their hardware and software.
Monitoring involves such actions as the receipt and analysis of
vendor and governmental alerts and security mailing lists. Once
identified, secure installation of those patches requires a process
for obtaining, testing, and installing the patch.
Patches make direct changes to the software and configuration of
each system to which they are applied. They may degrade system
performance. Also, patches may introduce new vulnerabilities, or
reintroduce old vulnerabilities. The following considerations can
help ensure patches do not compromise the security of systems:
- Obtain the patch from a known, trusted source;
- Verify the integrity of the patch through such means as
comparisons of cryptographic hashes to ensure the patch obtained is
the correct, unaltered patch;
- Apply the patch to an isolated test system and verify that the
patch (1) is compatible with other software used on systems to which
the patch will be applied, (2) does not alter the system's security
posture in unexpected ways, such as altering log settings, and (3)
corrects the pertinent vulnerability;
- Back up production systems prior to applying the patch;
- Apply the patch to production systems using secure methods, and
update the cryptographic checksums of key files as well as that
system's software archive;
- Test the resulting system for known vulnerabilities;
- Update the master configurations used to build new systems;
- Create and document an audit trail of all changes; and
- Seek additional expertise as necessary to maintain a secure
computing environment.
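The checklist above is a procedure, so here is an added example of it
in code. This Python script is not from the FFIEC booklet or from any
vendor's patch tooling; it runs the integrity check, pre-patch backup,
checksum comparison, rollback and audit-trail steps against a
throwaway directory. The patch format (a JSON map of file name to new
contents), the file names, the "allowed changes" scope and the three
patches are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return sha256_bytes(f.read())


def verify_patch(patch_bytes: bytes, published_sha256: str) -> bool:
    """Compare the obtained patch against the hash published by the trusted source."""
    return hmac.compare_digest(sha256_bytes(patch_bytes), published_sha256.lower())


def checksum_manifest(root: str, key_files) -> dict:
    """Cryptographic checksums of key files; the record the checklist says to keep current."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in key_files}


def run_patch_workflow(root, key_files, patch_bytes, published_sha256, allowed_changes, audit_log) -> str:
    """Verify, back up, apply, compare checksums, roll back on surprises, log every decision."""
    stamp = datetime.now(timezone.utc).isoformat()
    if not verify_patch(patch_bytes, published_sha256):
        audit_log.append({"time": stamp, "status": "rejected_bad_hash"})
        return "rejected_bad_hash"

    before = checksum_manifest(root, key_files)
    backup = {}  # in-memory stand-in for the pre-patch backup of production files
    for rel in key_files:
        with open(os.path.join(root, rel), "rb") as f:
            backup[rel] = f.read()

    # Constructed patch format for the demo: a JSON map of relative path -> new file text
    for rel, content in json.loads(patch_bytes).items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(content)

    after = checksum_manifest(root, key_files)
    changed = {rel for rel in key_files if before[rel] != after[rel]}
    unexpected = changed - set(allowed_changes)
    if unexpected:
        # The patch touched something outside its stated scope (e.g. log settings): restore the backup
        for rel, data in backup.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        audit_log.append({"time": stamp, "status": "rolled_back", "unexpected": sorted(unexpected)})
        return "rolled_back"

    audit_log.append({"time": stamp, "status": "applied", "changed": sorted(changed), "manifest": after})
    return "applied"


def demo() -> dict:
    """Three constructed patches against a throwaway 'system' in a temp directory."""
    key_files = ["server.conf", "logging.conf"]
    scope = {"server.conf"}  # what the (constructed) patch notes say will change
    results, audit_log = {}, []
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "server.conf"), "w") as f:
            f.write("tls_min_version=1.1\n")
        with open(os.path.join(root, "logging.conf"), "w") as f:
            f.write("auth_events=on\n")

        good = json.dumps({"server.conf": "tls_min_version=1.2\n"}).encode()
        results["good"] = run_patch_workflow(root, key_files, good, sha256_bytes(good), scope, audit_log)

        # Same published hash, but the bytes obtained differ: treat as altered, do not install
        results["tampered"] = run_patch_workflow(root, key_files, good + b"\n", sha256_bytes(good), scope, audit_log)

        # Genuine hash, but the patch also switches off authentication logging
        sneaky = json.dumps({"server.conf": "tls_min_version=1.3\n", "logging.conf": "auth_events=off\n"}).encode()
        results["sneaky"] = run_patch_workflow(root, key_files, sneaky, sha256_bytes(sneaky), scope, audit_log)

        with open(os.path.join(root, "logging.conf")) as f:
            results["logging_after"] = f.read()
        with open(os.path.join(root, "server.conf")) as f:
            results["server_after"] = f.read()
    results["audit_entries"] = len(audit_log)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the third patch is the checklist's item (2): a patch can
carry a valid hash and still alter the security posture, so the
checksum comparison after application is what catches it, and the
backup taken before application is what makes the rollback cheap.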
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Section III. Operational Controls - Chapter 10
10.2.3 Detecting Unauthorized/Illegal Activities
Several mechanisms are used besides auditing and analysis of
audit trails to detect unauthorized and illegal acts. For example,
fraudulent activities may require the regular physical presence of
the perpetrator(s). In such cases, the fraud may be detected during
the employee's absence. Mandatory vacations for critical systems and
applications personnel can help detect such activity (however, this
is not a guarantee, for example, if problems are saved for the
employees to handle upon their return). It is useful to avoid
creating an excessive dependence upon any single individual, since
the system will have to function during periods of absence.
Particularly within the government, periodic rescreening of
personnel is used to identify possible indications of illegal
activity (e.g., living a lifestyle in excess of known income level).
10.2.4 Temporary Assignments and In-house Transfers
One significant aspect of managing a system involves keeping user
access authorizations up to date. Access authorizations are
typically changed under two types of circumstances: (1) change in
job role, either temporarily (e.g., while covering for an employee
on sick leave) or permanently (e.g., after an in-house transfer) and
(2) termination discussed in the following section.
Users often are required to perform duties outside their normal
scope during the absence of others. This requires additional access
authorizations. Although necessary, such extra access authorizations
should be granted sparingly and monitored carefully, consistent with
the need to maintain separation of duties for internal control
purposes. Also, they should be removed promptly when no longer
required.
Permanent changes are usually necessary when employees change
positions within an organization. In this case, the process of
granting account authorizations (described in Section 10.2.1) will
occur again. At this time, however, it is also important that access
authorizations of the prior position be removed. Many instances of
"authorization creep" have occurred with employees continuing to
maintain access rights for previously held positions within an
organization. This practice is inconsistent with the principle of
least privilege.
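As an added example (not from the NIST Handbook), the following
Python models the two kinds of authorization change described in
10.2.4: a temporary grant for covering an absence, which carries an
expiry and is checked against separation of duties, and an in-house
transfer, shown both the way that produces "authorization creep" and
the way that removes prior-position rights first. The role-to-
entitlement table, the separation-of-duties pairs, the user names and
the dates are constructed for the demo.

```python
from datetime import date, timedelta

# Constructed role -> entitlement table for the demo (not from the NIST Handbook).
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking.read", "cash_drawer.operate"},
    "loan_officer": {"core_banking.read", "loan_system.write"},
    "payroll_clerk": {"payroll.read", "payroll.write"},
}
# Entitlement pairs one person must never hold together (separation of duties).
SOD_CONFLICTS = {
    frozenset({"payroll.write", "payroll.approve"}),
    frozenset({"loan_system.write", "loan_system.approve"}),
}


class Account:
    def __init__(self, user: str, role: str):
        self.user = user
        self.role = role
        self.entitlements = set(ROLE_ENTITLEMENTS[role])
        self.temporary = {}  # entitlement -> expiry date of a temporary grant
        self.audit = []      # audit trail of every authorization change


def sod_violation(entitlements: set) -> bool:
    return any(pair <= entitlements for pair in SOD_CONFLICTS)


def grant_temporary(acct: Account, ent: str, expires: date, reason: str) -> bool:
    """Cover for an absent colleague: grant one right, with an expiry and a reason."""
    if sod_violation(acct.entitlements | {ent}):
        acct.audit.append(f"REFUSED temporary {ent}: separation-of-duties conflict")
        return False
    acct.entitlements.add(ent)
    acct.temporary[ent] = expires
    acct.audit.append(f"temporary {ent} until {expires} ({reason})")
    return True


def expire_temporary(acct: Account, today: date) -> set:
    """Run periodically so extra access is removed promptly when no longer required."""
    expired = {e for e, d in acct.temporary.items() if d < today}
    for e in expired:
        del acct.temporary[e]
        acct.entitlements.discard(e)
        acct.audit.append(f"expired temporary {e}")
    return expired


def transfer_naive(acct: Account, new_role: str) -> None:
    """The pattern that produces authorization creep: add the new role, keep the old."""
    acct.entitlements |= ROLE_ENTITLEMENTS[new_role]
    acct.role = new_role


def transfer(acct: Account, new_role: str) -> set:
    """In-house transfer done properly: prior-position rights go before new ones are granted."""
    removed = ROLE_ENTITLEMENTS[acct.role] - ROLE_ENTITLEMENTS[new_role]
    acct.entitlements -= removed
    acct.entitlements |= ROLE_ENTITLEMENTS[new_role]
    acct.role = new_role
    acct.audit.append(f"transfer to {new_role}; removed {sorted(removed)}")
    return removed


def creep(acct: Account) -> set:
    """Rights justified neither by the current role nor by an active temporary grant."""
    return acct.entitlements - ROLE_ENTITLEMENTS[acct.role] - set(acct.temporary)


def demo() -> dict:
    day0 = date(2017, 4, 17)  # constructed date
    r = {}
    alice = Account("alice", "teller")
    grant_temporary(alice, "loan_system.write", day0 + timedelta(days=14), "covering sick leave")
    r["creep_after_grant"] = creep(alice)          # empty: the grant is tracked and justified
    bob = Account("bob", "teller")
    transfer_naive(bob, "payroll_clerk")
    r["naive_creep"] = creep(bob)                  # teller rights that should have been removed
    r["removed_on_transfer"] = transfer(alice, "payroll_clerk")
    r["creep_after_transfer"] = creep(alice)
    r["expired"] = expire_temporary(alice, day0 + timedelta(days=15))
    r["sod_refused"] = not grant_temporary(alice, "payroll.approve", day0 + timedelta(days=30), "month-end cover")
    r["final"] = set(alice.entitlements)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `creep` function is the review the section implies: anything a
user holds that neither the current role nor a still-valid temporary
grant explains is a candidate for removal, which is how the
"previously held positions" case gets caught after the fact as well as
at transfer time.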