FYI - Financial services sector most attacked in 2016 - IBM's X-Force Research Team has found that cybercriminals follow Willie Sutton's old-school, analog advice on why to rob banks because “that is where the money is.”  https://www.scmagazine.com/financial-services-sector-most-attacked-in-2016-ibm/article/653706/

USAF Launches 'Hack the Air Force' - Bug bounty contest expands Defense Department outreach to the global hacker community to find unknown vulnerabilities in DoD networks. http://www.darkreading.com/vulnerabilities---threats/usaf-launches-hack-the-air-force-/d/d-id/1328736

IoT, Automation, Autonomy, and Megacities in 2025 - This paper extrapolates from present trends to describe plausible future crises playing out in multiple global cities within 10 years. https://www.csis.org/analysis/iot-automation-autonomy-and-megacities-2025

Security fears keep UK consumers from adopting new payment methods - A survey conducted by new data global law firm Paul Hastings reveals fears British consumers have when using new payment methods. https://www.scmagazine.com/security-fears-keep-uk-consumers-from-adopting-new-payment-methods/article/653239/

A Holistic Security Architecture May Just Help Avoid Future Liability - Digitization is invading all aspects of business, government and daily living. As a result, we are facing myriad new possibilities and new demands. https://www.scmagazine.com/a-holistic-security-architecture-may-just-help-avoid-future-liability/article/651147/

NSA to end controversial warrantless surveillance practice - The National Security Agency (NSA) has put an end to a part of its warrantless surveillance –the so-called “about” data collection—of non-U.S. persons who are outside the U.S. under Section 702 of the Foreign Intelligence Surveillance Act (FISA), which is due to expire by year's end, the New York Times reported. https://www.scmagazine.com/nsa-to-end-controversial-warrantless-surveillance-practice/article/653729/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Malware shuts down Virginia State Police email - The Virginia State Police network Wednesday was hit with a malware attack which shut down the department's email services. https://www.scmagazine.com/virginia-state-police-email-taken-offline-by-malware/article/653250/

Chipotle may have banished E coli, but now it has a new infection - The last quarter has been a trying one for Mexican fast-food chain Chipotle. People are returning to its restaurants after the great 2015 E coli outbreak, but now customers are being struck by a different kind of virus. http://www.theregister.co.uk/2017/04/26/chipotle_malware_infection/

Massive Google Docs phishing attack targeted credentials, permissions - A fast moving, but widespread phishing attack targeting Google Gmail and Docs users hit yesterday affecting an unknown number of victims with the likely goal of stealing login credentials and millions of additional email addresses that could be used for a future phishing campaign. https://www.scmagazine.com/massive-google-docs-phishing-attack-targeted-credentials-permissions/article/654938/

Gannett phishing attack compromised 18,000 accounts - Gannett Company was hit with a phishing attack that may have compromised the accounts of as many as 18,000 current and former employees. https://www.scmagazine.com/gannett-company-hit-with-phishing-attack/article/654656/

Data breach rattles Sabre: Intrusion into hotel reservations system revealed - Sabre Corporation, a major technology solution provider serving airline and hotel companies, has disclosed a breach of its Hospitality Solutions SynXis Central Reservations system that may have exposed consumers' payment card data and personally identifiable information. https://www.scmagazine.com/data-breach-rattles-sabre-intrusion-into-hotel-reservations-system-revealed/article/654808/

USB drives containing IBM tool found infected with malicious code - IBM issued a support advisory last week warning users that some USB flash drives containing the company's Storwize initialization tool include a file infected with malicious code. https://www.scmagazine.com/usb-drives-containing-ibm-tool-found-infected-with-malicious-code/article/653835/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
 
 Sound Audit Trail Practices for E-Banking Systems
 
 1. Sufficient logs should be maintained for all e-banking transactions to help establish a clear audit trail and assist in dispute resolution.
 
 2. E-banking systems should be designed and installed to capture and maintain forensic evidence in a manner that maintains control over the evidence, and prevents tampering and the collection of false evidence.
 
 3. In instances where processing systems and related audit trails are the responsibility of a third-party service provider:
 
 a)   The bank should ensure that it has access to relevant audit trails maintained by the service provider.
 
 b)   Audit trails maintained by the service provider meet the bank's standards.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  PERSONNEL SECURITY
  
  AGREEMENTS: CONFIDENTIALITY, NON - DISCLOSURE, AND AUTHORIZED USE
  
  Financial institutions should protect the confidentiality of information about their customers and organization. A breach in confidentiality could disclose competitive information, increase fraud risk, damage the institution's reputation, violate customer privacy and associated rights, and violate regulatory requirements.  Confidentiality agreements put all parties on notice that the financial institution owns its information, expects strict confidentiality, and prohibits information sharing outside of that required for legitimate business needs. Management should obtain signed confidentiality agreements before granting new employees and contractors access to information technology systems.
  
  JOB DESCRIPTIONS
  
  Job descriptions, employment agreements, and policy awareness acknowledgements increase accountability for security. Management can communicate general and specific security roles and responsibilities for all employees within their job descriptions. Management should expect all employees, officers, and contractors to comply with security and acceptable use policies and protect the institution's assets, including information. The job descriptions for security personnel should describe the systems and processes they will protect and the control processes for which they are responsible. Management can take similar steps to ensure contractors and consultants understand their security responsibilities as well.
  
  TRAINING
  
  Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and should strengthen compliance with the security policy. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management. Training materials would typically review the acceptable - use policy and include issues like desktop security, log - on requirements, password administration guidelines, etc. Training should also address social engineering, and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Section III. Operational Controls - Chapter 10
 
 10.2.5 Termination - 10.2.5.2 Unfriendly Termination
 
 Unfriendly termination involves the removal of an employee under involuntary or adverse conditions. This may include termination for cause, RIF, involuntary transfer, resignation for "personality conflicts," and situations with pending grievances. The tension in such terminations may multiply and complicate security issues. Additionally, all of the issues involved in friendly terminations are still present, but addressing them may be considerably more difficult.
 
 The greatest threat from unfriendly terminations is likely to come from those personnel who are capable of changing code or modifying the system or applications. For example, systems personnel are ideally positioned to wreak considerable havoc on systems operations. Without appropriate safeguards, personnel with such access can place logic bombs (e.g., a hidden program to erase a disk) in code that will not even execute until after the employee's departure. Backup copies can be destroyed. There are even examples where code has been "held hostage." But other employees, such as general users, can also cause damage. Errors can be input purposefully, documentation can be misfiled, and other "random" errors can be made. Correcting these situations can be extremely resource intensive.
  
 Given the potential for adverse consequences, security specialists routinely recommend that system access be terminated as quickly as possible in such situations. If employees are to be fired, system access should be removed at the same time (or just before) the employees are notified of their dismissal. When an employee notifies an organization of a resignation and it can be reasonably expected that it is on unfriendly terms, system access should be immediately terminated. During the "notice" period, it may be necessary to assign the individual to a restricted area and function. This may be particularly true for employees capable of changing programs or modifying the system or applications. In other cases, physical removal from their offices (and, of course, logical removal, when logical access controls exist) may suffice.