Virtual/remote IT audits
- I am performing
virtual/remote FFIEC IT
audits for banks and credit unions.
I am a former
bank examiner with 40 years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is
confidential.
FYI - New data security rules
instituted for US payment processing system - New data security
rules governing how money changes hands in the US have gone into
effect today, forcing major digital money processors to render
deposit account information unreadable in electronic storage.
https://www.nacha.org/rules/supplementing-data-security-requirements-phase-1
https://www.zdnet.com/article/new-data-security-rules-instituted-for-us-payment-processing-system/
Ransomware: To pay or not to pay
- As ransomware attacks continue to plague organizations at an
increasing and alarming rate, business leaders are faced with an
impossible challenge.
https://www.scmagazine.com/perspectives/ransomware-to-pay-or-not-to-pay-2/
Health care organizations struggle to balance breach notification
requirements with customer expectations - Navigating a breach
response, managing the public relations crisis that often results,
and eradicating hackers from the network takes a careful balance of
requirements and a capable incident response team.
https://www.scmagazine.com/home/security-news/data-breach/health-care-organizations-struggle-to-balance-breach-notification-requirements-with-customer-expectations/
Research partnership to examine how fraudsters abuse financial tech
innovations - Financial tech innovations such as peer-to-peer (P2P)
payment apps and digital wallets have introduced convenient new ways
to execute financial transactions, but they have also opened up new
doors for cybercriminals to take advantage.
https://www.scmagazine.com/home/finance/research-partnership-to-examine-how-fraudsters-abuse-financial-tech-innovations/
Feds file new charges against Amazon employee that leveraged server
access to hack Capital One - The accused hacker and former Amazon
employee who now stands charged with breaking into Capital One
accounts and stealing the personal data of some 100 million of the
company's customers.
https://www.scmagazine.com/home/security-news/feds-file-new-charges-against-amazon-employee-that-leveraged-server-access-to-hack-capital-one/
Ransomware: This new free tool lets you test if your cybersecurity
is strong enough to stop an attack - CISA's Ransomware Readiness
Assessment allows organisations to test how well their networks can
protect against and recover from ransomware attacks - and provides
advice on improvements.
https://www.zdnet.com/article/ransomware-this-new-free-tool-lets-you-test-if-your-cybersecurity-is-strong-enough-to-stop-an-attack/
1 in 4 employees say they still have access to accounts from past
jobs, survey finds - Nearly half of professionals also admit to
sharing passwords and more than a third say they write them on
paper, according to Beyond Identity.
https://www.techrepublic.com/article/1-in-4-employees-say-they-still-have-access-to-accounts-from-past-jobs-survey-finds/
Cybersecurity companies are selling like hotcakes in post-pandemic
investment market - For many industries, the pandemic was a time of
economic uncertainty, great technological change and reflection
about where they and their services fit into a post-COVID reality.
https://www.scmagazine.com/home/security-news/corporate-news/investment/cybersecurity-companies-are-selling-like-hotcakes-in-post-pandemic-investment-market/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Dominion National reaches $2M
settlement over nine-year data breach - Insurance giant Dominion
National reached a $2 million settlement with the 2.9 million
patients affected by its nine-year data breach, first reported in
2019.
https://www.scmagazine.com/home/health-care/dominion-national-reaches-2m-settlement-over-nine-year-data-breach/
As Kaseya works to bring SaaS servers online, experts laud
precautionary measures as ‘opposite of complacency’ - Kaseya began
the technical work for deployment of the company’s servers that
support the software-as-a-service VSA product, configuring an
additional layer of security to the SaaS infrastructure.
https://www.scmagazine.com/home/security-news/as-kaseya-works-to-bring-servers-online-experts-laud-precautionary-measures-taken-as-opposite-of-complacency
Phishing attack targets DocuSign and SharePoint users - Researchers
reported on Friday that cybercriminals are mimicking legitimate
correspondence to actively target popular cloud applications
DocuSign and SharePoint in phishing attacks designed to steal user
log-in credentials.
https://www.scmagazine.com/home/security-news/phishing-attack-targets-docusign-and-sharepoint-users/
NewsBlur restores service in 10 hours after ransomware attack -
Turns out the recent story about the personal news reader NewsBlur
being down for several hours last week following a data exposure has
a happy ending: the owner retained an original copy of the database
that was compromised and restored the service in 10 hours.
https://www.scmagazine.com/home/security-news/ransomware/newsblur-hit-by-ransomware-because-of-docker-glitch-but-restores-service-in-10-hours/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
INTRUSION DETECTION SYSTEMS
Vulnerability assessments and penetration analyses help ensure
that appropriate security precautions have been implemented and that
system security configurations are appropriate. The next step is to
monitor the system for intrusions and unusual activities. Intrusion
detection systems (IDS) may be useful because they act as a burglar
alarm, reporting potential intrusions to appropriate personnel. By
analyzing the information generated by the systems being guarded,
IDS help determine if necessary safeguards are in place and are
protecting the system as intended. In addition, they can be
configured to automatically respond to intrusions.
Computer system components or applications can generate detailed,
lengthy logs or audit trails that system administrators can manually
review for unusual events. IDS automate the review of logs and audit
data, which increases the reviews' overall efficiency by reducing
costs and the time and level of skill necessary to review the logs.
Typically, there are three components to an IDS. First is an
agent, which is the component that actually collects the
information. Second is a manager, which processes the information
collected by the agents. Third is a console, which allows authorized
information systems personnel to remotely install and upgrade
agents, define intrusion detection scenarios across agents, and
track intrusions as they occur. Depending on the complexity of the
IDS, there can be multiple agent and manager components.
Generally, IDS products use three different methods to detect
intrusions. First, they can look for identified attack signatures,
which are streams or patterns of data previously identified as an
attack. Second, they can look for system misuse such as unauthorized
attempts to access files or disallowed traffic inside the firewall.
Third, they can look for activities that are different from the
user's or system's normal pattern. These "anomaly-based" products
(which use artificial intelligence) are designed to detect subtle
changes or new attack patterns, and then notify appropriate
personnel that an intrusion may be occurring. Some anomaly-based
products are created to update normal use patterns on a regular
basis. Poorly designed anomaly-based products can trigger frequent
false-positive responses.
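The three detection methods described above, run side by side over a handful of constructed log lines. This is an added example, not code from the FDIC paper or from any IDS product: the log format, the two signatures, the failed-login threshold and the traffic baseline are all assumptions made for the illustration. The last call shows the point the paper makes about poorly designed anomaly detection: a baseline multiplier set too tightly flags ordinary browsing as an intrusion.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed web-server access log: "source method path status".
# These lines are made up for the example, not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.9 GET /login 200
10.0.0.9 POST /login 401
10.0.0.9 POST /login 401
10.0.0.9 POST /login 401
10.0.0.9 POST /login 401
10.0.0.9 POST /login 401
10.0.0.9 POST /login 401
10.0.0.7 GET /search?q=%27%20OR%201%3D1-- 200
10.0.0.7 GET /../../etc/passwd 404
10.0.0.5 GET /contact.html 200
""".splitlines()

# Method 1: attack signatures, i.e. data patterns previously identified as attacks.
SIGNATURES = {
    "sqli_tautology": re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),
    "path_traversal": re.compile(r"\.\./"),
}


def parse(line):
    """Split one log line into a dict; the path is URL-decoded so that
    percent-encoding cannot hide a pattern from the signature matcher."""
    src, method, path, status = line.split()
    return {"src": src, "method": method, "path": unquote(path), "status": int(status)}


def signature_alerts(events):
    """Report every event whose request path matches a known attack signature."""
    return [(e["src"], name)
            for e in events
            for name, rx in SIGNATURES.items()
            if rx.search(e["path"])]


def misuse_alerts(events, max_failures=5):
    """Method 2: system misuse, here a policy rule on repeated failed logins.
    The threshold is a constructed value; a real policy would set it by risk."""
    failures = Counter(e["src"] for e in events
                       if e["path"] == "/login" and e["status"] == 401)
    return [(src, "repeated_login_failures")
            for src, n in failures.items() if n >= max_failures]


def anomaly_alerts(events, baseline, factor):
    """Method 3: anomaly detection against a learned normal-use baseline.
    `baseline` is the mean requests per source observed during a normal
    period (constructed here); `factor` is how far above it counts as abnormal."""
    counts = Counter(e["src"] for e in events)
    return [(src, "volume_anomaly") for src, n in counts.items() if n > factor * baseline]


if __name__ == "__main__":
    events = [parse(line) for line in SAMPLE_LOG]
    print("signature:", signature_alerts(events))
    print("misuse:   ", misuse_alerts(events))
    print("anomaly (tuned):       ", anomaly_alerts(events, baseline=2.0, factor=2.0))
    # A too-tight factor turns ordinary browsing by 10.0.0.5 into a false positive.
    print("anomaly (poorly tuned):", anomaly_alerts(events, baseline=2.0, factor=1.0))
```

Signature and misuse rules only catch what someone has already written a rule for, which is why the paper pairs them with the anomaly method; the trade-off is that the anomaly threshold has to be tuned against a genuinely normal period, and re-learned as usage changes, or the console fills with false positives that staff learn to ignore.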
Although IDS may be an integral part of an institution's overall
system security, they will not protect a system from previously
unknown threats or vulnerabilities. They are not self-sufficient and
do not compensate for weak authentication procedures (e.g., when an
intruder already knows a password to access the system). Also, IDS
often have overlapping features with other security products, such
as firewalls. IDS provide additional protections by helping to
determine if the firewall programs are working properly and by
helping to detect internal abuses. Both firewalls and IDS need to be
properly configured and updated to combat new types of attacks. In
addition, management should be aware that the state of these
products is highly dynamic and IDS capabilities are evolving.
IDS tools can generate both technical and management reports,
including text, charts, and graphs. The IDS reports can provide
background information on the type of attack and recommend courses
of action. When an intrusion is detected, the IDS can automatically
begin to collect additional information on the attacker, which may
be needed later for documentation purposes.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
examiner@yennik.com for
more information.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
The goal of logical and administrative access control is to
restrict access to system resources. Access should be provided only
to authorized individuals whose identity is established, and their
activities should be limited to the minimum required for business
purposes. Authorized individuals (users) may be employees, TSP
employees, vendors, contractors, customers, or visitors.
An effective control mechanism includes numerous controls to
safeguard and limit access to key information system assets. This
section addresses logical and administrative controls, including
access rights administration and authentication through network,
operating system, application, and remote access. A subsequent
section addresses physical security controls.
ACCESS RIGHTS ADMINISTRATION (1 of 5)
Action Summary - Financial institutions should have an effective
process to administer access rights. The process should include the
following controls:
1) Assign users and system resources only the access required to
perform their required functions,
2) Update access rights based on personnel or system changes,
3) Periodically review users' access rights at an appropriate
frequency based on the risk to the application or system, and
4) Design appropriate acceptable-use policies and require users
to sign them.
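What a periodic access-rights review of the kind summarized in controls 1 to 4 looks like when it is written down as a check rather than a checklist. This is an added example and not part of the FFIEC booklet: the roles, users, entitlement names and review intervals are constructed for the illustration, and a real review would read the HR roster and the entitlement export from the institution's own systems.

```python
from datetime import date

# Constructed data for the example; none of it comes from a real institution.
ROLE_ENTITLEMENTS = {  # minimum access each job function needs (control 1)
    "teller": {"core_banking:read", "teller_app:transact"},
    "loan_officer": {"core_banking:read", "loan_origination:write"},
    "it_admin": {"core_banking:admin", "ad:domain_admin"},
}

HR_ROSTER = {  # user -> (role, employment status, acceptable-use policy signed)
    "alice": ("teller", "active", True),
    "bob": ("loan_officer", "active", False),
    "carol": ("it_admin", "active", True),
    "dave": ("teller", "terminated", True),
}

GRANTED_ACCESS = {  # user -> access actually present in the systems today
    "alice": {"core_banking:read", "teller_app:transact"},
    "bob": {"core_banking:read", "loan_origination:write", "ad:domain_admin"},
    "carol": {"core_banking:admin", "ad:domain_admin"},
    "dave": {"core_banking:read", "teller_app:transact"},
    "erin": {"core_banking:read"},
}

# Review frequency by risk of the application (control 3); the day counts are constructed.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}


def review_access(roster, granted_access, role_entitlements):
    """Compare granted access with what each user's role requires and with HR
    status. Returns (user, finding, details) tuples for the reviewer."""
    findings = []
    for user, granted in granted_access.items():
        if user not in roster:
            # Nobody in HR owns this account: it should have been removed (control 2).
            findings.append((user, "orphan_account", sorted(granted)))
            continue
        role, status, aup_signed = roster[user]
        if status != "active":
            # Personnel change not yet reflected in access rights (control 2).
            findings.append((user, "terminated_still_has_access", sorted(granted)))
            continue
        excess = granted - role_entitlements[role]
        if excess:
            # More than the minimum required for the job (control 1).
            findings.append((user, "excess_privilege", sorted(excess)))
        if not aup_signed:
            # Acceptable-use policy not on file (control 4).
            findings.append((user, "aup_not_signed", []))
    return findings


def review_overdue(last_review, risk, today):
    """True when the periodic review for a system of the given risk is late."""
    return (today - last_review).days > REVIEW_INTERVAL_DAYS[risk]


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, GRANTED_ACCESS, ROLE_ENTITLEMENTS):
        print(finding)
    print("high-risk system review overdue:",
          review_overdue(date(2021, 1, 1), "high", date(2021, 7, 1)))
```

The two findings that matter most to an examiner are the ones the survey item earlier in this newsletter describes: a terminated teller whose access was never removed and an account that no one in HR owns. Both are caught by joining the entitlement export to the roster, which is the step most institutions skip when the review is done system by system.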
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.3 Failure of Supporting Utilities
Systems and the people who operate them need to have a reasonably
well-controlled operating environment. Consequently, failures of
heating and air-conditioning systems will usually cause a service
interruption and may damage hardware. These utilities are composed
of many elements, each of which must function properly.
For example, the typical air-conditioning system consists of (1)
air handlers that cool and humidify room air, (2) circulating pumps
that send chilled water to the air handlers, (3) chillers that
extract heat from the water, and (4) cooling towers that discharge
the heat to the outside air. Each of these elements has a
mean-time-between-failures (MTBF) and a mean-time-to-repair (MTTR).
Using the MTBF and MTTR values for each of the elements of a system,
one can estimate the occurrence rate of system failures and the
range of resulting service interruptions.
This same line of reasoning applies to electric power
distribution, heating plants, water, sewage, and other utilities
required for system operation or staff comfort. By identifying the
failure modes of each utility and estimating the MTBF and MTTR,
necessary failure threat parameters can be developed to calculate
the resulting risk. The risk of utility failure can be reduced by
substituting units with lower MTBF values. MTTR can be reduced by
stocking spare parts on site and training maintenance personnel. And
the outages resulting from a given MTBF can be reduced by installing
redundant units under the assumption that failures are distributed
randomly in time. Each of these strategies can be evaluated by
comparing the reduction in risk with the cost to achieve it.
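The estimate the handbook describes, carried through for the four air-conditioning elements it lists. This is an added example rather than part of the NIST text: the MTBF and MTTR figures are constructed, the service is assumed to need every element (so element failure rates add), and "redundant" is taken to mean one spare unit so that service is lost only when both units are down at the same time, using the handbook's own assumption that failures are distributed randomly in time.

```python
HOURS_PER_YEAR = 8760.0

# Constructed MTBF and MTTR values in hours for the four air-conditioning
# elements the handbook lists. They are illustrative, not measured data.
COMPONENTS = {
    "air_handler": (20000.0, 8.0),
    "circulating_pump": (40000.0, 24.0),
    "chiller": (10000.0, 48.0),
    "cooling_tower": (30000.0, 72.0),
}


def failure_rate(mtbf):
    """Failures per hour, assuming failures are distributed randomly in time."""
    return 1.0 / mtbf


def unavailability(mtbf, mttr):
    """Fraction of time one unit is down: each failure costs MTTR hours out
    of every MTBF + MTTR hour cycle."""
    return mttr / (mtbf + mttr)


def series_failures_per_year(components):
    """The system fails when any element fails, so the element rates add."""
    return sum(failure_rate(mtbf) for mtbf, _ in components.values()) * HOURS_PER_YEAR


def expected_downtime_hours(components, redundant=frozenset()):
    """Expected service-interruption hours per year. Elements named in
    `redundant` have one spare unit, so service is lost only when both are
    down at once; with independent random failures that probability is the
    single-unit unavailability squared."""
    total = 0.0
    for name, (mtbf, mttr) in components.items():
        u = unavailability(mtbf, mttr)
        if name in redundant:
            u = u ** 2
        total += u * HOURS_PER_YEAR
    return total


def downtime_avoided_hours(components, redundant):
    """Risk reduction of a redundancy strategy, to be weighed against its cost."""
    return expected_downtime_hours(components) - expected_downtime_hours(components, redundant)


if __name__ == "__main__":
    print(f"system failures per year: {series_failures_per_year(COMPONENTS):.3f}")
    print(f"downtime hours per year:  {expected_downtime_hours(COMPONENTS):.1f}")
    saved = downtime_avoided_hours(COMPONENTS, {"chiller"})
    print(f"hours avoided by a spare chiller: {saved:.1f}")
```

With these figures the chiller dominates the annual outage hours because it has both the shortest MTBF and a long MTTR, so duplicating it removes most of the expected downtime; stocking chiller spares (shortening MTTR) is the competing strategy, and the same function prices either one in hours of outage avoided for management to set against its cost.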
15.4 Structural Collapse
A building may be subjected to a load greater than it can support.
Most commonly this is a result of an earthquake, a snow load on the
roof beyond design criteria, an explosion that displaces or cuts
structural members, or a fire that weakens structural members. Even
if the structure is not completely demolished, the authorities may
decide to ban its further use, sometimes even banning entry to
remove materials. This threat applies primarily to high-rise
buildings and those with large interior spaces without supporting
columns.