R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

June 7, 2015

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Boards hold CEO most accountable when breaches occur - The resignation of Target's chief executive officer (CEO) and chief information officer (CIO) following the company's data breach in 2014 may mirror board members' attitudes about who is responsible for cyber incidents, according to a survey released last Thursday by Veracode and the New York Stock Exchange.
http://www.scmagazine.com/boards-members-view-ceo-as-more-responsible-for-breaches-than-ciso-and-it-team/article/418020/
http://www.csmonitor.com/World/Passcode/2015/0528/Who-should-take-the-fall-after-a-corporate-hack-It-may-soon-be-the-CEO

FYI - IRS Breach Exposes 100,000 Taxpayers' Tax Returns, Other Data - Online 'Get Transcript' service accessed from February to mid-May. Tax returns of more than 100,000 U.S. taxpayers have been exposed in a breach of the Internal Revenue Service's online "Get Transcript" service, the IRS reported today.
http://www.darkreading.com/attacks-breaches/irs-breach-exposes-100000-taxpayers-tax-returns-other-data/d/d-id/1320566
http://www.wired.com/2015/05/hackers-hit-irs-access-100000-taxpayers-files/

FYI - Insurer tells hospitals: You let hackers in, we're not bailing you out - IT departments better pick up their game – like not leaving anon FTP open to the world - When hackers swiped 32,500 patient records from Cottage Healthcare System, it was sued by its own customers for $4.1m – a bill that was settled by its insurers. http://www.theregister.co.uk/2015/05/28/cottage_healthcare_system_sued/

FYI - A Closer Look at Claims of Hacking Commercial Aircraft - When security researcher Chris Roberts was removed from a United flight last month after tweeting a joke about hacking the plane's inflight entertainment system, the security community was aghast at the FBI's over-reaction and United's decision to ban him from a subsequent flight. http://www.wired.com/2015/05/possible-passengers-hack-commercial-aircraft/

FYI - After breach, credit bureaus, Maine AG reach settlement - After a March breach in which 312 envelopes containing confidential credit information about others were sent by Equifax to a woman in Maine, three nationwide credit reporting agencies have agreed to a settlement with the state which requires them to change their business practices, including tightening security and responding more quickly to consumers experiencing identity theft or fraud. http://www.scmagazine.com/after-breach-credit-bureaus-maine-ag-reach-settlement/article/418015/

FYI - Florida teacher suspended without pay for using cell phone jammer in class - A Florida high school teacher was suspended without pay for keeping a signal jammer in his class to prevent students from using their cell phones. http://www.scmagazine.com/dean-liptak-jammed-students-cell-phone-signals/article/418649/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Sally Beauty confirms malware on POS systems - After confirming earlier this month that an illegal intrusion into its payment card systems had occurred, Texas-based international beauty supplies retailer Sally Beauty announced on Thursday that malware was deployed on some of its point-of-sale (POS) systems at varying times between March 6 and April 17. http://www.scmagazine.com/malware-deployed-on-sally-beauty-pos-systems/article/417503/

FYI - After email blunder, Woolworths cancels $1M worth of gift cards - Australian supermarket chain Woolworths canceled and re-issued more than $1.3 million (AU) worth of e-gift cards, following an email blunder that revealed the details of thousands of customers and exposed codes for nearly 8,000 shopping vouchers. http://www.scmagazine.com/after-email-blunder-woolworths-cancels-1m-worth-of-gift-cards/article/418022/

FYI - Japan's national pension fund breach affects 1.25M - A recent attack on Japan's national pension system compromised the information - including names, pension identification numbers, addresses and birth dates - of more than 1.25 million people, according to a report in the Wall Street Journal. http://www.scmagazine.com/japan-pension-funds-experiences-second-incident-in-less-than-eight-years/article/417985/

FYI - Data at risk following theft of Heartland Payment Systems computers - Heartland Payment Systems is notifying an undisclosed number of individuals that password protected computers possibly containing their personal information were among the items stolen from a Heartland office in California. http://www.scmagazine.com/data-at-risk-following-theft-of-heartland-payment-systems-computers/article/417962/

FYI - Airbus confirms software brought down A400M transport plane - Badly-configured software, that is, not badly-written software - Airbus has confirmed the crash that stalled its A400M program was caused by engine control software. http://www.theregister.co.uk/2015/05/31/airbus_software_config_brought_down_a400m/

FYI - Card skimming at Virginia Credit Union ATMs - Virginia Credit Union is notifying members that card skimming occurred at several of its ATMs and roughly 2,000 debit cards have been determined to be vulnerable to potential fraud. http://www.scmagazine.com/card-skimming-at-virginia-credit-union-atms/article/418364/

FYI - Unity Recovery Group client data improperly disclosed - Florida-based Unity Recovery Group is notifying clients and/or potential clients that their personal information was improperly disclosed to one or more recovery and/or rehabilitation service providers that are unaffiliated with Unity. http://www.scmagazine.com/unity-recovery-group-client-data-improperly-disclosed/article/418541/

FYI - 'MEDJACK' tactic allows cyber criminals to enter healthcare networks undetected - This year has already been marked by data breaches at multiple major healthcare organizations, including CareFirst BlueCross BlueShield and Anthem. http://www.scmagazine.com/trapx-profiles-medjack-threat/article/418811/

FYI - Hotel Beacon payment card processing systems compromised - Hotel Beacon in New York City is notifying an undisclosed number of individuals that the security of its payment card processing systems was compromised by a third-party intruder. http://www.scmagazine.com/hotel-beacon-payment-card-processing-systems-compromised/article/418546/

FYI - U.S. Office of Personnel Management suffers major breach - The Associated Press reported on Thursday that the White House administration and other government entities are investigating a massive data breach at the U.S. Office of Personnel Management (OPM). http://www.scmagazine.com/up-to-four-million-personnel-affected-in-data-breach/article/418818/


WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 2 of 3)
 
Risks Associated With E-Mail and Internet-Related Fraudulent Schemes

Internet-related fraudulent schemes present a substantial risk to the reputation of any financial institution that is impersonated or spoofed. Financial institution customers and potential customers may mistakenly perceive that weak information security resulted in security breaches that allowed someone to obtain confidential information from the financial institution. Potential negative publicity regarding an institution's business practices may cause a decline in the institution's customer base, a loss in confidence or costly litigation.

In addition, customers who fall prey to e-mail and Internet-related fraudulent schemes face real and immediate risk. Criminals will normally act quickly to gain unauthorized access to financial accounts, commit identity theft, or engage in other illegal acts before the victim realizes the fraud has occurred and takes action to stop it.

Educating Financial Institution Customers About E-Mail and Internet-Related Fraudulent Schemes

Financial institutions should consider the merits of educating customers about prevalent e-mail and Internet-related fraudulent schemes, such as phishing, and how to avoid them. This may be accomplished by providing customers with clear and bold statement stuffers and posting notices on Web sites that convey the following messages:

- A financial institution's Web page should never be accessed from a link provided by a third party. It should only be accessed by typing the Web site name, or URL address, into the Web browser or by using a "book mark" that directs the Web browser to the financial institution's Web site.
- A financial institution should not be sending e-mail messages that request confidential information, such as account numbers, passwords, or PINs. Financial institution customers should be reminded to report any such requests to the institution.
- Financial institutions should maintain current Web site certificates and describe how the customer can authenticate the institution's Web pages by checking the properties on a secure Web page.



FFIEC IT SECURITY - This concludes our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
 
Part III. Risks Associated with Both Internal Wireless Networks and Wireless Internet Devices

Evolution and Obsolescence

As the wireless technologies available today evolve, financial institutions and their customers face the risk of current investments becoming obsolete in a relatively short time. As demonstrated by the weaknesses in WEP and earlier versions of WAP and the changes in standards for wireless technologies, wireless networking as a technology may change significantly before it is considered mature. Financial institutions that invest heavily in components that may become obsolete quickly may feel the cost of adopting an immature technology.

Controlling the Impact of Obsolescence

Wireless internal networks are subject to the same types of evolution that encompass the computing environment in general. Key questions to ask a vendor before purchasing a wireless internal network solution include:

1)  What is the upgrade path to the next class of network?
2)  Do the devices support firmware (Flash) upgrades for security patches and upgrades?
3)  How does the vendor distribute security information and patches?
 
The financial institution should also consider the evolving standards of the wireless community. Before entering into an expensive implementation, the institution should research when the next major advances in wireless are likely to be released. Bank management can then make an informed decision on whether the implementation should be based on currently available technology or a future implementation based on newer technology.

The potential obsolescence of wireless customer access can be controlled in other ways. As the financial institution designs applications that are to be delivered through wireless devices, it should design the application so that the business logic is not tied to a particular wireless technology. This can be accomplished by placing the majority of the business logic on back-end or mid-tier servers that are independent of the wireless application server. The wireless application server then becomes a connection point between the customer and the transactions performed. As the institution decides to upgrade or replace the application server, the business logic can remain relatively undisturbed.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.4.2 Protection Against Payroll Fraud and Errors: Time and Attendance Application (2 of 2)

Protection Against Payroll Errors

The frequency of data entry errors is reduced by having Time and Attendance clerks enter each time sheet into the time and attendance application twice. If the two copies are identical, both are considered error free, and the record is accepted for subsequent review and approval by a supervisor. If the copies are not identical, the discrepancies are displayed, and for each discrepancy, the clerk determines which copy is correct. The clerk then incorporates the corrections into one of the copies, which is then accepted for further processing. If the clerk makes the same data-entry error twice, then the two copies will match, and one will be accepted as correct, even though it is erroneous. To reduce this risk, the time and attendance application could be configured to require that the two copies be entered by different clerks.

In addition, each department has one or more Time and Attendance Supervisors who are authorized to review these reports for accuracy and to approve them by running another server program that is part of the time and attendance application. The data are then subjected to a collection of "sanity checks" to detect entries whose values are outside expected ranges. Potential anomalies are displayed to the supervisor prior to allowing approval; if errors are identified, the data are returned to a clerk for additional examination and corrections.
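The two controls described above (double entry with the two copies compared, discrepancies resolved by the clerk, and supervisor "sanity checks" before approval) can be written down as a small Python routine. This is an added example, not code from the NIST Handbook or from HGA; the field names, the hour ranges, the "different clerk" switch and the clerk identifiers are assumptions made for illustration.

```python
"""Double-entry reconciliation and supervisor sanity checks for time and
attendance records, modelled on the HGA payroll controls described above.
Added example: field names, hour ranges and clerk identifiers are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Record = Dict[str, float]  # field name -> hours entered for the pay period


@dataclass(frozen=True)
class Discrepancy:
    field: str
    first: Optional[float]
    second: Optional[float]


def compare_copies(first: Record, second: Record) -> List[Discrepancy]:
    """List every field on which the two independently entered copies differ."""
    fields = sorted(set(first) | set(second))
    return [Discrepancy(f, first.get(f), second.get(f))
            for f in fields if first.get(f) != second.get(f)]


def accept_double_entry(first: Record, first_clerk: str,
                        second: Record, second_clerk: str,
                        require_different_clerks: bool = True) -> Tuple[bool, List[Discrepancy]]:
    """Accept the record only when both copies match.

    A clerk who repeats the same typo produces two identical, wrong copies,
    so the stricter configuration refuses two copies keyed by one clerk."""
    if require_different_clerks and first_clerk == second_clerk:
        raise ValueError("both copies were entered by the same clerk")
    discrepancies = compare_copies(first, second)
    return (not discrepancies, discrepancies)


def resolve_discrepancies(first: Record, second: Record,
                          choices: Dict[str, str]) -> Record:
    """Build the corrected copy from the clerk's per-field decision ('first' or 'second')."""
    merged = dict(first)
    for d in compare_copies(first, second):
        pick = choices.get(d.field)
        if pick not in ("first", "second"):
            raise ValueError(f"no decision recorded for field {d.field!r}")
        value = d.first if pick == "first" else d.second
        if value is None:
            merged.pop(d.field, None)  # the chosen copy did not contain this field
        else:
            merged[d.field] = value
    return merged


# Expected ranges per two-week pay period (assumed values for the example).
SANITY_RANGES = {
    "regular_hours": (0, 80),
    "overtime_hours": (0, 40),
    "leave_hours": (0, 80),
}


def sanity_check(record: Record) -> List[str]:
    """Flag entries outside expected ranges for the supervisor before approval."""
    anomalies = []
    for field, (low, high) in SANITY_RANGES.items():
        value = record.get(field)
        if value is None:
            anomalies.append(f"{field}: missing")
        elif not low <= value <= high:
            anomalies.append(f"{field}: {value} outside {low}-{high}")
    paid = record.get("regular_hours", 0) + record.get("leave_hours", 0)
    if paid > 80:
        anomalies.append(f"regular_hours + leave_hours: {paid} exceeds 80")
    return anomalies


# Constructed sample: one time sheet keyed twice; the second clerk dropped a digit.
SHEET = {"regular_hours": 80, "overtime_hours": 5, "leave_hours": 0}
TYPO = {"regular_hours": 8, "overtime_hours": 5, "leave_hours": 0}

if __name__ == "__main__":
    ok, diffs = accept_double_entry(SHEET, "clerk_a", TYPO, "clerk_b")
    print("accepted" if ok else f"discrepancies: {diffs}")
    corrected = resolve_discrepancies(SHEET, TYPO, {"regular_hours": "first"})
    print("anomalies:", sanity_check(corrected))
```

The `require_different_clerks` switch is the configuration the handbook suggests to address the case where one clerk makes the same error twice; with it on, a pair of copies from the same clerk is refused outright rather than compared.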

When a supervisor approves the time and attendance data, this application logs into the interagency mainframe via the WAN and transfers the data to a payroll database on the mainframe. The mainframe later prints paychecks or, using a pool of modems that can send data over phone lines, it may transfer the funds electronically into employee-designated bank accounts. Withheld taxes and contributions are also transferred electronically in this manner.

The Director of Personnel is responsible for ensuring that forms describing significant payroll-related personnel actions are provided to the Payroll Office at least one week before the payroll processing date for the first affected pay period. These actions include hiring, terminations, transfers, leaves of absences and returns from such, and pay raises.

The Manager of the Payroll Office is responsible for establishing and maintaining controls adequate to ensure that the amounts of pay, leave, and other benefits reported on pay stubs and recorded in permanent records and those distributed electronically are accurate and consistent with time and attendance data and with other information provided by the Personnel Department. In particular, paychecks must never be provided to anyone who is not a bona fide, active-status employee of HGA. Moreover, the pay of any employee who terminates employment, who transfers, or who goes on leave without pay must be suspended as of the effective date of such action; that is, extra paychecks or excess pay must not be dispersed.
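The rule that pay stops as of the effective date of a termination, transfer or leave without pay, that paychecks go only to active-status employees, and that personnel action forms are due a week before processing, can be expressed as a pay-eligibility check. The following Python is an added example, not HGA's or the handbook's own code; the action names, employee ids, the two-week period and the daily rate are constructed for illustration.

```python
"""Pay eligibility derived from personnel actions, modelled on the HGA rule
that pay is suspended as of the effective date of a termination, transfer or
leave without pay and that only active-status employees receive paychecks.
Added example: action names, employee ids and the daily rate are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

RESTORING_ACTIONS = {"hire", "return_from_leave"}
SUSPENDING_ACTIONS = {"termination", "transfer", "leave_without_pay"}


@dataclass(frozen=True)
class PersonnelAction:
    employee_id: str
    action: str
    effective: date


def status_on(actions: List[PersonnelAction], employee_id: str, day: date) -> str:
    """Replay the employee's actions in effective-date order up to and including `day`.

    An action dated `day` already applies, so pay stops on the effective date itself."""
    status = "unknown"  # no hire on file: never payable
    history = sorted((a for a in actions if a.employee_id == employee_id),
                     key=lambda a: a.effective)
    for a in history:
        if a.effective > day:
            break
        if a.action in RESTORING_ACTIONS:
            status = "active"
        elif a.action in SUSPENDING_ACTIONS:
            status = "suspended"
    return status


def payable_days(actions: List[PersonnelAction], employee_id: str,
                 start: date, end: date) -> int:
    """Count the days in [start, end] on which the employee was in active status."""
    count = 0
    day = start
    while day <= end:
        if status_on(actions, employee_id, day) == "active":
            count += 1
        day += timedelta(days=1)
    return count


def pay_run(employee_ids: List[str], actions: List[PersonnelAction],
            start: date, end: date, daily_rate: int) -> Dict[str, int]:
    """Amounts to disburse; anyone with no active days gets no paycheck at all."""
    run = {}
    for emp in employee_ids:
        days = payable_days(actions, emp, start, end)
        if days > 0:
            run[emp] = days * daily_rate
    return run


def notice_is_timely(form_received: date, processing_date: date) -> bool:
    """Personnel action forms are due at least one week before the processing date."""
    return (processing_date - form_received).days >= 7


# Constructed sample actions and a two-week pay period.
ACTIONS = [
    PersonnelAction("e1", "hire", date(2015, 1, 5)),
    PersonnelAction("e1", "termination", date(2015, 6, 8)),
    PersonnelAction("e2", "hire", date(2015, 3, 2)),
    PersonnelAction("e4", "hire", date(2015, 6, 22)),  # starts after the period
    PersonnelAction("e5", "hire", date(2015, 1, 5)),
    PersonnelAction("e5", "leave_without_pay", date(2015, 6, 3)),
    PersonnelAction("e5", "return_from_leave", date(2015, 6, 11)),
]
PERIOD_START, PERIOD_END = date(2015, 6, 1), date(2015, 6, 14)
ROSTER = ["e1", "e2", "e3", "e4", "e5"]  # e3 has no hire on file

if __name__ == "__main__":
    for emp, amount in pay_run(ROSTER, ACTIONS, PERIOD_START, PERIOD_END, 100).items():
        print(emp, amount)
```

Because eligibility is recomputed from the action history for every day of the period, a terminated or transferred employee is paid only for days before the effective date, and an id with no hire on file (or a hire dated after the period) is simply absent from the run rather than paid by default.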

Protection Against Accidental Corruption or Loss of Payroll Data

The same mechanisms used to protect against fraudulent modification are used to protect against accidental corruption of time and attendance data -- namely, the access-control features of the server and mainframe operating systems.

COG's (Computer Operations Group) nightly backups of the server's disks protect against loss of time and attendance data. To a limited extent, HGA also relies on mainframe administrative personnel to back up time and attendance data stored on the mainframe, even though HGA has no direct control over these individuals. As additional protection against loss of data at the mainframe, HGA retains copies of all time and attendance data on line on the server for at least one year, at which time the data are archived and kept for three years. The server's access controls for the on-line files are automatically set to read-only access by the time and attendance application at the time of submission to the mainframe. The integrity of time and attendance data will be protected by digital signatures as they are implemented.

The WAN's communications protocols also protect against loss of data during transmission from the server to the mainframe (e.g., error checking). In addition, the mainframe payroll application includes a program that is automatically run 24 hours before paychecks and pay stubs are printed. This program produces a report identifying agencies from whom time and attendance data for the current pay period were expected but not received. Payroll department staff are responsible for reviewing the reports and immediately notifying agencies that need to submit or resubmit time and attendance data. If time and attendance input or other related information is not available on a timely basis, pay, leave, and other benefits are temporarily calculated based on information estimated from prior pay periods.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
