FYI - Federal Reserve under attack by hacker spies - The Federal Reserve has been under constant attack by hackers since at least 2011, including four attempts it labels as "espionage."
http://money.cnn.com/2016/06/01/technology/federal-reserve-hack/index.html
http://www.computerworld.com/article/3078016/security/fed-reports-50-plus-breaches-from-2011-to-2015-some-instances-of-espionage.html

FYI - House panel worried about cyberattacks on the Federal Reserve - Republicans on the House Technology Committee are investigating the Federal Reserve’s security practices, citing “serious concerns” about the central bank’s ability to protect confidential information. http://thehill.com/policy/cybersecurity/282151-house-panel-worried-about-cyber-attacks-on-the-fed

FYI - US court says cops don't need a warrant for cell location data - The case reverses a decision from last year - which may push the case into the hands of the Supreme Court. Police do not need a warrant to determine a suspect's location based off cell-site information, an appeals court has ruled. http://www.zdnet.com/article/us-court-says-cops-dont-need-a-warrant-for-cellphone-location-data/

FYI - SWIFT may prohibit banks with weak security from using its system - In the wake of a series of cyberheists against banks internationally, SWIFT is considering changes in its process of allowing open access of its messaging service to financial institutions. http://www.scmagazine.com/swift-may-prohibit-banks-with-weak-security-from-using-its-system/article/500861/

FYI - GAO - Management Report: Areas for Improvement in the Federal Reserve Banks' Information Systems Controls. Report: http://www.gao.gov/products/GAO-16-601R 

FYI - 93 percent of phishing emails contained ransomware - As cybercriminals pursue methods that yield the most effective near-term gains, phishing emails and ransomware prove an irresistible cocktail for cybercriminals, as a new report demonstrates. http://www.scmagazine.com/report-93-percent-of-phishing-emails-contained-ransomware/article/500888/

FYI - 80% of retailers take payment card details by phone in unsecure ways - Over a third of people have heard friends, colleagues and even strangers sharing their full credit and debit card details in public while on the phone. http://www.scmagazine.com/80-of-retailers-take-payment-card-details-by-phone-in-unsecure-ways/article/501011/

FYI - Fed directs banks to check for cyberattacks, shore up security after SWIFT hacks - The Federal Reserve Bank issued a notice Tuesday telling banks to assess their cybersecurity postures and search for clues that they'd been victims of cyberattacks by the same group that pulled off an $81 million cyber heist from the Bangladesh Central Bank account at the Fed. http://www.scmagazine.com/regulators-put-financial-institutions-on-the-lookout-for-signs-of-attack-by-swift-hackers/article/501663/

FYI - 75% of UK consumers won't do biz with a company that has been hacked - New research discovered that 73 percent of consumers in the UK admit that it has become normal or expected for businesses to be hacked, yet only half feel they are taking enough responsibility for their customer's information security. The survey evaluated responses from 2,400 people across the UK, Germany and the US. http://www.scmagazine.com/75-of-uk-consumers-wont-do-biz-with-a-company-that-has-been-hacked/article/501683/

FYI - Hackers impersonate CEOs and CFOs most often during phishing attack - All it takes is one of three words and impersonating the correct executive to pull off a successful Business Email Compromise (BEC) attack. http://www.scmagazine.com/hackers-impersonate-ceos-and-cfos-most-often-during-phishing-attack/article/502169/

FYI - Morgan Stanley to pay $1M for failing to protect 730,000 customer accounts - Morgan Stanley agreed to pay a $1 million fine to settle a proceeding launched by the Securities and Exchange Commission's (SEC) that the financial services giant failed to set up adequate precautions of customer data. http://www.scmagazine.com/morgan-stanley-to-pay-1m-for-failing-to-protect-730000-customer-accounts/article/502157/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Data of 40,000 Stamford Podiatry Group patients compromised - Connecticut-based Stamford Podiatry Group is notifying patients that medical and personal information was compromised in a recent security incident. http://www.scmagazine.com/data-of-40000-stamford-podiatry-group-patients-compromised/article/500698/

FYI - Ransomware hits 10K Australians - At least 10,000 Australians have been targeted in a ransomware campaign that lures recipients with an email that appears to come from local energy company AGL. http://www.scmagazine.com/ransomware-hits-10k-australians/article/500871/

FYI - Credit Card Breach at CiCi’s Pizza - CiCi’s Pizza, an American fast food business based in Coppell, Texas with more than 500 stores in 35 states, appears to be the latest restaurant chain to struggle with a credit card breach. http://krebsonsecurity.com/2016/06/banks-credit-card-breach-at-cicis-pizza/

FYI - HR vendor Empathia hit by potential breach - Human resources third-party vendor Empathia announced a potential data breach affecting its employee assistance program (EAP). http://www.scmagazine.com/hr-vendor-empathia-hit-by-potential-breach/article/501544/

FYI - NFL's Twitter account hacked, announces commissioner Goodell's death - The NFL confirmed today that its Twitter account was hacked today with a tweet being posted stating that league commissioner Roger Goodell was dead. http://www.scmagazine.com/nfls-twitter-account-hacked-announces-commissioner-goodells-death/article/501560/

FYI - Phishing campaign steals bitcoins from Mt. Gox victims - As if losing money in the Mt. Gox collapse wasn't bad enough, now many of those victims are falling prey once again, this time to phishing scammers. http://www.scmagazine.com/cyren-researchers-see-phishing-campaign-aimed-at-mt-gox-victims/article/501586/

FYI - A 'good neighbor' compromised State Farm customer data - State Farm began alerting customers of a data security incident involving a third-party vendor's misuse of customer personal and financial information. http://www.scmagazine.com/state-farm-security-incident-resulted-in-compromised-customer-data/article/501689/

FYI - University of Calgary pays $15,000 ransom to recover data - Ten days after a malware attack crippled the University of Calgary's computer system school officials reported that it paid a $20,000 CDN, or $15,7492 U.S.,ransom to regain access. http://www.scmagazine.com/university-of-calgary-pays-15000-ransom-to-recover-data/article/501691/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Disclosures/Notices (Part 2 of 2)
 
 In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery. Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION
 
 LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
 
 AUTHENTICATION - Public Key Infrastructure (Part 2 of 3)
 
 The certificate authority (CA), which may be the financial institution or its service provider, plays a key role by attesting with a digital certificate that a particular public key and the corresponding private key belongs to a specific user or system. It is important when issuing a digital certificate that the registration process for initially verifying the identity of users is adequately controlled. The CA attests to the individual user's identity by signing the digital certificate with its own private key, known as the root key. Each time the user establishes a communication link with the financial institution's systems, a digital signature is transmitted with a digital certificate. These electronic credentials enable the institution to determine that the digital certificate is valid, identify the individual as a user, and confirm that transactions entered into the institution's computer system were performed by that user.
 
 The user's private key exists electronically and is susceptible to being copied over a network as easily as any other electronic file. If it is lost or compromised, the user can no longer be assured that messages will remain private or that fraudulent or erroneous transactions would not be performed. User AUPs and training should emphasize the importance of safeguarding a private key and promptly reporting its compromise.
 
 PKI minimizes many of the vulnerabilities associated with passwords because it does not rely on shared secrets to authenticate customers, its electronic credentials are difficult to compromise, and user credentials cannot be stolen from a central server. The primary drawback of a PKI authentication system is that it is more complicated and costly to implement than user names and passwords. Whether the financial institution acts as its own CA or relies on a third party, the institution should ensure its certificate issuance and revocation policies and other controls discussed below are followed.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 11.1 Step 1: Identifying the Mission- or Business-Critical Function
 
 Protecting the continuity of an organization's mission or business is very difficult if it is not clearly identified. Managers need to understand the organization from a point of view that usually extends beyond the area they control. The definition of an organization's critical mission or business functions is often called a business plan.
 
 Since the development of a business plan will be used to support contingency planning, it is necessary not only to identify critical missions and businesses, but also to set priorities for them. A fully redundant capability for each function is prohibitively expensive for most organizations. In the event of a disaster, certain functions will not be performed. If appropriate priorities have been set (and approved by senior management), it could mean the difference in the organization's ability to survive a disaster.
 
 11.2 Step 2: Identifying the Resources That Support Critical Functions
 
 After identifying critical missions and business functions, it is necessary to identify the supporting resources, the time frames in which each resource is used (e.g., is the resource needed constantly or only at the end of the month?), and the effect on the mission or business of the unavailability of the resource. In identifying resources, a traditional problem has been that different managers oversee different resources. They may not realize how resources interact to support the organization's mission or business. Many of these resources are not computer resources. Contingency planning should address all the resources needed to perform a function, regardless whether they directly relate to a computer.
 
 The analysis of needed resources should be conducted by those who understand how the function is performed and the dependencies of various resources on other resources and other critical relationships. This will allow an organization to assign priorities to resources since not all elements of all resources are crucial to the critical functions.