FYI
- US military data reportedly left on unsecured Amazon server -
Defense contractor Booz Allen Hamilton is linked to an account that
contained login credentials for other data repositories.
https://www.cnet.com/news/us-military-data-reportedly-left-on-unsecured-amazon-server/
Innovation versus cybersecurity: Survival hangs in the balance -
Reaction was swift and vociferous last year when note-taking app
Evernote announced a revised privacy policy that allowed employees
to read users' content in order to test and support new
machine-learning and automation capabilities.
https://www.scmagazine.com/innovation-versus-cybersecurity-survival-hangs-in-the-balance/article/665348/
Carnegie Mellon releases ransomware best practices - Carnegie
Mellon's Software Engineering Institute released a set of Best
Practices for ransomware prevention and response.
https://www.scmagazine.com/ransomware-best-practices-for-mitigation-and-prevention/article/665957/
China's controversial cybersecurity law goes into effect - China's
new cybersecurity law went into effect on June 1, subjecting
companies to stringent data privacy and protection guidelines, even
as key questions linger around how it will be enforced, how easily
businesses will be able to comply, and how much compliance will
cost.
https://www.scmagazine.com/chinas-controversial-cybersecurity-law-goes-into-effect/article/666109/
Supreme Court will take up first cellphone data location case - The
Supreme Court will hear its first case on cell phone location data,
one in which the government obtained months of phone location records
of a robbery suspect from cellphone companies without a warrant
showing probable cause.
https://www.scmagazine.com/supreme-court-will-take-up-first-cellphone-data-location-case/article/666477/
Federal task force: Here's how to fix healthcare cybersecurity - A
federal task force released its long-awaited cybersecurity
recommendations report Friday evening.
http://thehill.com/policy/cybersecurity/336394-federal-healthcare-cybersecurity-task-force-releases-report
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- OneLogin breached, passwords possibly compromised - The password
management firm OneLogin reported that an unauthorized person gained
access to its U.S. database, possibly compromising all the stored
records and bringing to the forefront the fact that such login
credential repositories are prime targets for hackers.
https://www.scmagazine.com/onelogin-breached-passwords-possibly-compromised/article/665822/
OneLogin hacker swiped AWS keys, can decrypt stolen data - OneLogin
is reporting its recent data breach was made possible when a hacker
obtained access to a set of Amazon Web Service keys through a
third-party vendor.
https://www.scmagazine.com/onelogin-hacker-swiped-aws-keys-can-decrypt-stolen-data/article/666112/
Hackers post plastic surgery clinic's patient files after blackmail
campaign - Hackers on Tuesday publicly posted more than 25,000 files
and private images stolen from a Lithuanian plastic surgery clinic,
including nude and "before-and-after" photos, after attempting to
financially extort the medical facility and its clients, according
to multiple reports.
https://www.scmagazine.com/botched-security-hackers-post-plastic-surgery-clinics-patient-files-after-blackmail-campaign/article/665341/
Kmart hit with second POS breach in three years - Kmart experienced
a point of sale data breach that has affected an undisclosed number
of stores and customers, its second breach in three years.
https://www.scmagazine.com/kmart-announced-a-pos-breach/article/665827/
Data incident at Stephenville Medical & Surgical Clinic in Texas -
When an administrator at Stephenville Medical & Surgical Clinic, in
Stephenville, Texas, received a request for a blank medical record
release form on May 19, the unnamed employee in the Medical Records
Department sent instead a spreadsheet containing data on former
patients, according to an article in the Stephenville
Empire-Tribune.
https://www.scmagazine.com/data-incident-at-stephenville-medical-surgical-clinic-in-texas/article/665817/
Phishing scam compromises data on 25,000 individuals at University
of Alaska - A phishing scam in December 2016 resulted in a data
breach at the University of Alaska, affecting around 25,000
students, staff and faculty members, according to a report on
Wednesday by local Anchorage NBC affiliate KTUU.
https://www.scmagazine.com/phishing-scam-compromises-data-on-25000-individuals-at-university-of-alaska/article/665470/
NSA contractor Reality Winner accused of leaking NSA documents on
election hack - A National Security Agency contractor has been
accused of leaking classified information pertaining to possible
Russian interference in the 2016 election and transmitting it to a
news organization.
https://www.scmagazine.com/leaked-docs-allege-russia-hacked-us-voting-software-prior-to-2016-election/article/666471/
Subaru WRX STI hacked, eight vulnerabilities spotted - Independent
researcher Aaron Guzman spotted eight software vulnerabilities in the
2017 Subaru WRX STI which could allow unauthorized users to unlock
doors, honk horns and obtain vehicle location history, among other
issues stemming from the car's Starlink account.
https://www.scmagazine.com/researcher-hacks-subaru-wrx-sti-starlink/article/666460/
Up to 'old' tricks: Hackers compromise Stanford University 'Biology
of Aging' website for months - A Stanford University website was
reportedly compromised for four months without detection, allowing
hackers to abuse it to host malicious web shells, phishing kits and
defacement images.
https://www.scmagazine.com/up-to-old-tricks-hackers-compromise-stanford-university-biology-of-aging-website-for-months/article/666128/
WEB SITE COMPLIANCE - We continue the series on FDIC Supervisory
Insights regarding Incident Response Programs. (3 of 12)
Elements of an Incident Response Program
Although the specific content of an IRP will differ among financial
institutions, each IRP should revolve around the minimum procedural
requirements prescribed by the Federal bank regulatory agencies.
Beyond this fundamental content, however, strong financial
institution management teams also incorporate industry best
practices to further refine and enhance their IRP. In general, the
overall comprehensiveness of an IRP should be commensurate with an
institution's administrative, technical, and organizational
complexity.
Minimum Requirements
The minimum required procedures addressed in the April 2005
interpretive guidance can be categorized into two broad areas:
"reaction" and "notification." In general, reaction procedures are
the initial actions taken once a compromise has been identified.
Notification procedures are relatively straightforward and involve
communicating the details or events of the incident to interested
parties; however, they may also involve some reporting
requirements. The following are the minimum required procedures of an
IRP as discussed in the April 2005 interpretive guidance.
Develop reaction procedures for:
1) assessing security incidents that have occurred;
2) identifying the customer information and information systems
that have been accessed or misused; and
3) containing and controlling the security incident.
Establish notification procedures for:
1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious
Activity Reports [SARs], if necessary); and
3) affected customers.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SERVICE PROVIDER OVERSIGHT
Many financial institutions outsource some aspect of their
operations. Although outsourcing arrangements often provide a
cost-effective means to support the institution's technology needs, the
ultimate responsibility and risk rests with the institution.
Financial institutions are required under Section 501(b) of the GLBA
to ensure service providers have implemented adequate security
controls to safeguard customer information. Supporting interagency
guidelines require institutions to:
! Exercise appropriate due diligence in selecting service
providers,
! Require service providers by contract to implement appropriate
security controls to comply with the guidelines, and
! Monitor service providers to confirm that they are maintaining
those controls when indicated by the institution's risk assessment.
Financial institutions should implement these same precautions in
all TSP relationships based on the level of access to systems or
data for safety and soundness reasons, in addition to the privacy
requirements.
Financial institutions should determine the following security
considerations when selecting or monitoring a service provider:
! Service provider references and experience,
! Security expertise of TSP personnel,
! Background checks on TSP personnel,
! Contract assurances regarding security responsibilities and
controls,
! Nondisclosure agreements covering the institution's systems and
data,
! Ability to conduct audit coverage of security controls or
provisions for reports of security testing from independent third
parties, and
! Clear understanding of the provider's security incident
response policy and assurance that the provider will communicate
security incidents promptly to the institution when its systems or
data were potentially compromised.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.1 Step 1: Identifying the Mission- or Business-Critical Function
Protecting the continuity of an organization's mission or business
is very difficult if it is not clearly identified. Managers need to
understand the organization from a point of view that usually
extends beyond the area they control. The definition of an
organization's critical mission or business functions is often
called a business plan.
Since the development of a business plan will be used to support
contingency planning, it is necessary not only to identify critical
missions and businesses, but also to set priorities for them. A
fully redundant capability for each function is prohibitively
expensive for most organizations. In the event of a disaster,
certain functions will not be performed. If appropriate priorities
have been set (and approved by senior management), it could mean the
difference in the organization's ability to survive a disaster.
11.2 Step 2: Identifying the Resources That Support Critical Functions
After identifying critical missions and business functions, it is
necessary to identify the supporting resources, the time frames in
which each resource is used (e.g., is the resource needed constantly
or only at the end of the month?), and the effect on the mission or
business of the unavailability of the resource. In identifying
resources, a traditional problem has been that different managers
oversee different resources. They may not realize how resources
interact to support the organization's mission or business. Many of
these resources are not computer resources. Contingency planning
should address all the resources needed to perform a function,
regardless of whether they directly relate to a computer.
The analysis of needed resources should be conducted by those who
understand how the function is performed and the dependencies of
various resources on other resources and other critical
relationships. This will allow an organization to assign priorities
to resources since not all elements of all resources are crucial to
the critical functions.