Does your financial institution need an affordable cybersecurity
Internet security audit? Yennik, Inc. has clients in 42 states that
rely on our cybersecurity audits to ensure proper Internet security
settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, FRB, and NCUA, which provides compliance with the
Gramm-Leach-Bliley Act 501(b); the penetration study also complies
with the FFIEC Cybersecurity Assessment Tool regarding resilience
testing.
The cybersecurity penetration audit and Internet security testing is
an affordable, sophisticated process that goes far beyond the simple
scanning of ports. The audit focuses on a hacker's perspective, which
will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI
- Beware of keystroke loggers disguised as USB phone chargers, FBI
warns - Private industry notification comes 15 months after debut of
KeySweeper. The author of the FBI advisory contacted Ars to say the
point he wanted to convey is that the threat stems not from KeySweeper
itself, but from similar types of devices that could easily contain
additional functionality.
http://arstechnica.com/security/2016/05/beware-of-keystroke-loggers-disguised-as-usb-phone-chargers-fbi-warns/
FYI
- Up to a dozen banks are reportedly investigating potential SWIFT
breaches - The incidents are part of a larger trend of
cybercriminals targeting financial institutions directly instead of
customers -
http://www.computerworld.com/article/3075450/security/up-to-a-dozen-banks-are-reportedly-investigating-potential-swift-breaches.html
FYI
- Workplace security awareness programs lacking in efficacy, says
study - Just because a company offers a cybersecurity awareness and
training program to its employees doesn't mean it's necessarily
doing enough to change workers' dangerous online behaviors,
according to a new report.
http://www.scmagazine.com/workplace-security-awareness-programs-lacking-in-efficacy-says-study/article/499162/
FYI
- CEO sacked after aircraft company grounded by whaling attack -
Following a successful whaling attack in January which cost FACC €40
million, the company has sacked both its CFO and CEO.
http://www.scmagazine.com/ceo-sacked-after-aircraft-company-grounded-by-whaling-attack/article/499258/
FYI
- Feinstein-Burr's bonkers backdoor crypto law is dead in the water
- US senators' bill won't make it to the floor of Congress - A
proposed piece of US legislation that would have required American
tech companies to cripple the encryption in their products is dead
in the water.
http://www.theregister.co.uk/2016/05/27/backdoor_bill_dead/
FYI
- Senate bill tasks FAA to oversee sharing of cyber threat
information - The Federal Aviation Administration could find itself
with more oversight of the cybersecurity threats facing industry if
a senator’s information-sharing bill makes it through committee.
http://federalnewsradio.com/legislation/2016/05/senate-bills-tasks-faa-oversee-sharing-cyber-threat-information/
FYI
- Don't connect your charging cell to a computer or you may get
hacked! - Connecting your mobile device to a computer using a USB
cable could make you vulnerable to hackers.
http://www.scmagazine.com/dont-connect-your-charging-cell-to-a-computer-or-you-may-get-hacked/article/499558/
FYI
- Massive drop in cyberattacks on banks, Lloyds - Lloyds Banking
Group, a London-based financial institution, claimed it's seen a
substantial reduction in the number of cyberattacks it was hit with
this year.
http://www.scmagazine.com/massive-drop-in-cyberattacks-on-banks-lloyds/article/499566/
FYI
- Appeals court: No warrant needed to access cell location data - A
U.S. appeals court overturned a ruling from last year that law
enforcement authorities must obtain a warrant to access a suspect's
location.
http://www.scmagazine.com/appeals-court-no-warrant-needed-to-access-cell-location-data/article/500255/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- FOURTH bank hit by SWIFT hackers - A fourth bank, this time in the
Philippines, has been attacked by hackers targeting the SWIFT
inter-bank transfer system.
http://www.theregister.co.uk/2016/05/27/fourth_bank_hit_by_swift_hackers/
FYI
- 65M Tumblr accounts for sale after 2013 breach - More than 65
million Tumblr accounts from a 2013 breach were spotted for sale on
the dark web.
http://www.scmagazine.com/tumblr-accounts-from-2013-breach-for-sale-on-dark-web/article/499562/
WEB SITE COMPLIANCE - Disclosures/Notices (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
user's identity.
The private key is stored on the user's computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
A computer security contingency is an event with the potential to
disrupt computer operations, thereby disrupting critical mission and
business functions. Such an event could be a power outage, hardware
failure, fire, or storm. If the event is very destructive, it is
often called a disaster.
To avert potential contingencies and disasters, or to minimize the
damage they cause, organizations can take steps early to control the
event. Generally called contingency planning, this activity is
closely related to incident handling, which primarily addresses
malicious technical threats such as hackers and viruses.
Contingency planning involves more than planning for a move offsite
after a disaster destroys a data center. It also addresses how to
keep an organization's critical functions operating in the event of
disruptions, both large and small. This broader perspective on
contingency planning is based on the distribution of computer
support throughout an organization.
This chapter presents the contingency planning process in six
steps:
1) Identifying the mission- or business-critical functions.
2) Identifying the resources that support the critical functions.
3) Anticipating potential contingencies or disasters.
4) Selecting contingency planning strategies.
5) Implementing the contingency strategies.
6) Testing and revising the strategy.
Contingency planning directly supports an organization's goal of
continued operations. Organizations practice contingency planning
because it makes good business sense.