R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 29, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA.  This provides compliance with Gramm-Leach-Bliley Act section 501(b), and the penetration study also satisfies the resilience-testing expectations of the FFIEC Cybersecurity Assessment Tool.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit takes a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI
FYI - Banks fail to innovate, blaming info security fears, report - Senior executives at retail banks are motivated to make new offerings available, but are held back by cyber security concerns, according to a new study. http://www.scmagazine.com/banks-fail-to-innovate-blaming-info-security-fears-report/article/498656/

FYI - SEC warns cybersecurity is biggest threat to financial system - The chair of the US Securities and Exchange Commission (SEC), Mary Jo White, has warned that the biggest risk the financial system faces is cybersecurity. http://www.theregister.co.uk/2016/05/18/sec_warns_cybersecurity_biggest_threat_to_financial_system/

FYI - Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems - DoD, GSA, and NASA are issuing a final rule amending the Federal Acquisition Regulation (FAR) to add a new subpart and contract clause for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information. https://www.federalregister.gov/articles/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems

FYI - Computer science teachers need cybersecurity education says CSTA industry group - The Computer Science Teachers Association (CSTA) is working on a cybersecurity certification program for computer science educators, so they can better teach students. http://www.techrepublic.com/article/cs-teachers-ramping-up-cybersecurity-education/

FYI - Russian students come out on top at international programming finals - A trio of students from St Petersburg State University in Russia have been dubbed world champions in the 40th annual ACM International Collegiate Programming Contest (ICPC) finals. http://www.scmagazine.com/russian-students-come-out-on-top-at-international-programming-finals/article/497963/

FYI - After trio of hacks, SWIFT addresses information sharing concerns - On the heels of published reports of a cyberattack last year in which hackers stole $9 million from an Ecuadorean bank, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) has issued a statement to its customers stating that the financial messaging system is taking steps to create more information sharing practices among its customers. http://www.scmagazine.com/after-trio-of-hacks-swift-addresses-information-sharing-concerns/article/497988/

FYI - Japan to Create Cyber-Defense Government Agency to Protect SCADA Infrastructures - Japanese officials are considering creating a new government agency that will be tasked with protecting critical infrastructure against cyber-attacks. http://news.softpedia.com/news/japan-to-create-cyber-defense-government-agency-to-protect-scada-infrastructures-504293.shtml

FYI - Information Technology: Federal Agencies Need to Address Aging Legacy Systems.  GAO-16-468, May 25
Report: http://www.gao.gov/products/GAO-16-468 
Highlights: http://www.gao.gov/assets/680/677435.pdf

FYI - US GAO finds nukes are controlled by computer from 1970's - The United States Government Accountability Office has released a report showing the dire state of the US Government's IT infrastructure. http://www.scmagazine.com/us-gao-finds-nukes-are-controlled-by-computer-from-1970s/article/498965/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Spoofing scam goes for the steal, scores Milwaukee Bucks' W-2 forms - Basketball fans have heard of the “Hack-a-Shaq” strategy. But yesterday, the NBA's Milwaukee Bucks franchise publicly acknowledged that the entire team was hacked - by a cybercriminal, that is. http://www.scmagazine.com/spoofing-scam-goes-for-the-steal-scores-milwaukee-bucks-w-2-forms/article/497799/

FYI - Japan ATM scam using fraudulent cards nets $12.7m - Cash worth 1.4bn yen ($13m; £8.8m) has been taken from cash machines in Japan using credit cards created with data stolen from a South African bank. http://www.bbc.com/news/world-asia-36357182

FYI - Hackers steal $2M in Bitcoin and other digital currency - Cybercriminals made off with the equivalent of $2 million in Bitcoin and Ether, a Bitcoin rival, from the Hong Kong-based digital exchange and trading platform Gatecoin. http://www.scmagazine.com/gatecoin-breach-results-in-the-loss-of-2m-in-bitcoin-and-ethere/article/498532/

FYI - Malware detected on network of Swiss defense contractor - Researchers at Switzerland's CERT (Computer Emergency Readiness Team) found malware on the network of Ruag, a Switzerland-based defense contractor which supplies the nation's military. http://www.scmagazine.com/malware-detected-on-network-of-swiss-defense-contractor/article/498537/

FYI - Russian bank app changes password when users attempt removal - Researchers discovered a Russian fake banking application that can evade detection by changing a device's password if the victim tries to remove the app. http://www.scmagazine.com/russian-bank-app-changes-password-when-users-attempt-removal/article/499139/


WEB SITE COMPLIANCE -
Non-Deposit Investment Products
 

 Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products."  On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
 
 SECURITY CONTROLS - IMPLEMENTATION
 

 LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
 
 AUTHENTICATION -
Token Systems (2 of 2)
 
 Weaknesses in token systems relate to theft of the token, ease of guessing the password-generating algorithm within the token, ease of forging an authentication credential that unlocks the token, and reverse engineering, or cloning, of the token. Each of these weaknesses can be addressed through additional control mechanisms. Token theft generally is protected against by policies that require prompt reporting and cancellation of the token's ability to allow access to the system. Additionally, the impact of token theft is reduced when the token is used in multi-factor authentication; for instance, the one-time password from the token is paired with a password known only by the user and the system. This pairing reduces the risk posed by token loss, while increasing the strength of the authentication mechanism. Forged credentials are protected against by the same methods that protect credentials in non-token systems. Protection against reverse engineering requires physical and logical security in token design. For instance, token designers can increase the difficulty of opening a token without causing irreparable damage, or of obtaining information from the token either by passive scanning or active input/output.
 
 Token systems can also incorporate public key infrastructure, and biometrics.
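 The following is an added example, not text or code from the FFIEC booklet, showing the server side of the pairing described above: a counter-based one-time code from a token (the HOTP algorithm of RFC 4226, whose algorithm is public, so the secret alone carries the security) combined with a password known only to the user, plus the "report and cancel" control for a stolen token. The user name, password, and `lookahead` window are assumptions chosen for the illustration; the token secret is the RFC 4226 test-vector secret.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits.
    The algorithm is public; guessing it gains nothing without the secret."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation so a leaked store does not yield the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TokenAuthenticator:
    """Two-factor login: something the user knows (password) paired with
    something the user holds (a counter-based token)."""

    def __init__(self, lookahead: int = 3):
        self.lookahead = lookahead  # unused token presses tolerated (assumed window)
        self.users = {}

    def enroll(self, user: str, password: str, token_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "token_secret": token_secret,
            "counter": 0,        # next counter value the server expects
            "revoked": False,
        }

    def report_token_lost(self, user: str) -> None:
        """Prompt reporting and cancellation: the token no longer unlocks access."""
        self.users[user]["revoked"] = True

    def authenticate(self, user: str, password: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        # Factor 1: password, compared in constant time on the derived hash.
        pw_ok = hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))
        # Factor 2: token code, accepted only inside the resynchronisation window.
        matched = None
        for c in range(rec["counter"], rec["counter"] + self.lookahead + 1):
            if hmac.compare_digest(hotp(rec["token_secret"], c), code):
                matched = c
                break
        # A stolen token alone (no password) or a cancelled token never succeeds.
        if not pw_ok or matched is None or rec["revoked"]:
            return False
        # Advance past the used counter so an observed code cannot be replayed.
        rec["counter"] = matched + 1
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    auth = TokenAuthenticator()
    auth.enroll("alice", "correct horse battery", secret)  # assumed user/password
    print(auth.authenticate("alice", "correct horse battery", hotp(secret, 0)))  # True
    print(auth.authenticate("alice", "correct horse battery", hotp(secret, 0)))  # False: replay
    auth.report_token_lost("alice")
    print(auth.authenticate("alice", "correct horse battery", hotp(secret, 1)))  # False: revoked
```

 Note that the counter is advanced only on a fully successful login: a correct code presented with a wrong password neither grants access nor lets an attacker holding the token push the server's counter ahead of the legitimate user.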



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
 
 6.6 Central and System-Level Program Interactions
 

 A system-level program that is not integrated into the organizational program may have difficulty influencing significant areas affecting security. The system-level computer security program implements the policies, guidance, and regulations of the central computer security program. The system-level office also learns from the information disseminated by the central program and uses the experience and expertise of the entire organization. The system-level computer security program further distributes information to systems management as appropriate.
 
 Communications, however, should not be just one way. System-level computer security programs inform the central office about their needs, problems, incidents, and solutions. Analyzing this information allows the central computer security program to represent the various systems to the organization's management and to external agencies and advocate programs and policies beneficial to the security of all the systems.
 
 6.7 Interdependencies
 
 The general purpose of the computer security program, to improve security, causes it to overlap with other organizational operations as well as the other security controls discussed in the handbook. The central or system computer security program will address most controls at the policy, procedural, or operational level.
 
 Policy. Policy is issued to establish the computer security program. The central computer security program(s) normally produces policy (and supporting procedures and guidelines) concerning general and organizational security issues and often issue-specific policy. However, the system-level computer security program normally produces policy for that system. Chapter 5 provides additional guidance.
 
 Life Cycle Management. The process of securing a system over its life cycle is the role of the system-level computer security program. Chapter 8 addresses these issues.
 
 Independent Audit. The independent audit function should complement a central computer security program's compliance functions.
 
 6.8 Cost Considerations
 
 This chapter discussed how an organization-wide computer security program can manage security resources, including financial resources, more effectively. The cost considerations for a system-level computer security program are more closely aligned with the overall cost savings of having security.
 
 The most significant direct cost of a computer security program is personnel. In addition, many programs make frequent and effective use of consultants and contractors. A program also needs funds for training and for travel, oversight, information collection and dissemination, and meetings with personnel at other levels of computer security management.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated