FYI
- Border-surveillance subcontractor suspended after cyberattack -
Border-surveillance subcontractor Perceptics was suspended by the
U.S. Customs and Border Protection (CBP) after a cyberattack against
the firm revealed sensitive monitoring details.
https://www.scmagazine.com/home/government/border-surveillance-subcontractor-perceptics-was-suspended-after-a-cyberattack-against-the-firm-revealed-sensitive-monitoring-details/
The value of passwordless technology: Learning from the American
prohibition era - Say “password” today and the word will conjure up
visions of a laptop or an application – not secret societies. Still,
passwords have played an important role throughout human history to
distinguish between who could and couldn’t enter a specific area,
club or level of access to information.
https://www.scmagazine.com/home/opinion/executive-insight/the-value-of-passwordless-technology-learning-from-the-american-prohibition-era/
Uber pays out $375K in bug bounties during challenge in London -
Uber laid out $375,000 to bug bounty hunters during a live hacking
event held in London with partner HackerOne.
https://www.scmagazine.com/home/security-news/vulnerabilities/uber-pays-out-375k-in-bug-bounties-during-challenge-in-london/
Database management: The security checklist for every data-driven
deployment - Security threats have become a ubiquitous problem for
American companies, and reports find that damage related to
cybercrime is projected to hit $6 trillion annually by 2021.
According to Accenture, the most expensive component of a cyber
attack is data loss, which represents 43 percent of cybercrime
costs.
https://www.scmagazine.com/home/opinion/executive-insight/database-management-the-security-checklist-for-every-data-driven-deployment/
British Airways hit with record £183 million GDPR fine for last
year’s breach - The Information Commissioner’s Office (ICO) hit
British Airways with a record-breaking £183 million fine for last
year’s data breach that compromised the personal data of half a
million customers.
https://www.scmagazine.com/home/security-news/legal-security-news/ico-hits-british-airways-with-a-record-breaking-183-million-fine-for-last-years-data-breach-that-compromised-the-personal-data-of-half-a-million-customers/
Marriott hit with $124 million fine for 2018 data breach - The U.K.
Information Commissioner's Office (ICO) intends to levy a
£99,200,396, or $124 million, fine against Marriott International in
response to the data breach suffered by that company’s Starwood
reservation database in November 2018.
https://www.scmagazine.com/home/security-news/marriott-hit-with-124-million-fine-for-2018-data-breach/
Coast Guard issues cyber recommendations to shipping industry - The
U.S. Coast Guard issued a marine safety alert recommending the
shipping industry institute basic cybersecurity measures to ensure
the safety of their vessels.
https://www.scmagazine.com/home/security-news/coast-guard-issues-cyber-recommendations-to-shipping-industry/
Record British Airways fine shows how data protection legislation is
beginning to bite - The ICO's proposed £183m fine should act as a
wake-up call for other organisations: make sure your cybersecurity
and data protection policies are GDPR-compliant - or you could be
next.
https://www.zdnet.com/article/gdpr-record-british-airways-fine-shows-how-data-protection-legislation-is-beginning-to-bite/
Baltimore restores online payment systems for speeding and parking
tickets and property taxes - Baltimore officials said Wednesday that
people can once again pay property tax bills and parking tickets
online, although the city’s water billing system remains unavailable
about eight weeks after a ransomware attack took down the city’s
computer systems.
http://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-online-payments-20190703-story.html
UK's largest police forensics lab paid ransom demand to recover
locked data - Eurofins Scientific has already recovered from the
incident. The company did not say how much it paid the attackers.
https://www.zdnet.com/article/uks-largest-police-forensics-lab-paid-ransom-demand-to-recover-locked-data/
U.S. mayors resolve to no longer pay ransomware attackers - The
United States Conference of Mayors issued a resolution at its 87th
annual meeting to stand united against paying ransoms when their
municipality is hit with a ransomware attack.
https://www.scmagazine.com/home/security-news/ransomware/u-s-mayors-resolve-to-no-longer-pay-ransomware-attackers/
Cybercriminals are increasingly targeting the financial services
industry - Consumers and businesses large and small are increasingly
aware of the well-established fact that cybercrime is on the rise.
https://www.scmagazine.com/home/opinion/executive-insight/cybercriminals-are-increasingly-targeting-the-financial-services-industry/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Florida state worker steals residents’ PII - About 2,000 Florida
residents were potentially victimized by an employee of that state’s
Department of Children and Family Services (DFCS) who accessed and
used their PII to fraudulently make $260,000 in purchases.
https://www.scmagazine.com/home/security-news/data-breach/florida-state-worker-steals-residents-pii/
Real estate group ALTA warns members of possible data breach - The
American Land Title Association (ALTA) on July 3 informed its
members (title insurance agents, abstracters and underwriters) that
their usernames and passwords may have been acquired by an
unauthorized person.
https://www.scmagazine.com/home/security-news/data-breach/real-estate-group-alta-warns-members-of-possible-data-breach/
ICE, FBI using driver’s license photos, without permission, for
facial recognition searches - Driver’s license photos have been
used, without users’ permission, by agents with the FBI and
Immigration and Customs Enforcement (ICE) for facial recognition
searches.
https://www.scmagazine.com/home/security-news/privacy-compliance/ice-fbi-using-drivers-license-photos-without-permission-for-facial-recognition-searches/
Hackers breach Canonical GitHub account, create repositories, leave
source code untouched - Hackers compromised credentials to break
into a Canonical Ltd. GitHub account July 6 and created
repositories, but apparently did not lift sensitive information or
manipulate any source code.
https://www.scmagazine.com/home/security-news/hackers-breach-canonical-github-account-create-repositories-leave-source-code-untouched/
Thieves steal $500K from users of 7-Eleven Japan’s new payment app -
Convenience chain 7-Eleven Japan has suspended a brand new mobile
cashless payment service after an unauthorized third party accessed
approximately 900 user accounts and made fraudulent charges totaling
55 million yen, or roughly $500,000.
https://www.scmagazine.com/home/security-news/inconvenience-stores-thieves-steal-500k-from-users-of-7-eleven-japans-new-payment-app/
Cyberattack shuts down La Porte County (Indiana) government - La
Porte County, Ind., was hit with a cyberattack on July 6 that
knocked the county government’s systems offline.
https://www.scmagazine.com/home/security-news/malware/cyberattack-shuts-down-la-porte-county-indiana-government/
Eurofins Scientific forensics firm pays after hit with ransomware -
Eurofins Scientific, the U.K.’s largest provider of forensic
services, paid up after a ransomware attack a month ago.
https://www.scmagazine.com/home/security-news/ransomware/eurofins-scientific-the-uks-largest-provider-of-forensic-services-paid-the-ransom-after-it-was-hit-with-an-attack-a-month-ago/
Automated Magecart campaign infects 962 online stores - A July 4
Magecart card-skimming attack successfully infiltrated 962 online
stores in what researchers are calling the largest 24-hour automated
Magecart campaign to date.
https://www.scmagazine.com/web-services-security-e-commerce-security/automated-magecart-campaign-infects-962-online-stores/
Canonical Investigating Hack of Its GitHub Page - Canonical Ltd., a
British company that offers commercial support and services for the
popular Ubuntu Linux open source operating system, is investigating
the hacking of its GitHub page over the weekend.
http://www.bankinfosecurity.com/canonical-investigating-hack-its-github-page-a-12749
L.A. County Health Services Department contractor breach leaks
patient data - A data breach at a Los Angeles County Department of
Health Services contractor resulted in the compromise of data from
14,591 patients.
https://www.scmagazine.com/home/security-news/data-breach/a-data-breach-at-a-l-a-county-department-of-health-services-contractor-resulted-in-the-compromise-of-data-from-several-thousand-patients/
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight
- Principle 13: Banks should have effective capacity, business continuity and
contingency planning processes to help ensure the availability of
e-banking systems and services.
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with customer expectations. To achieve this, the
bank must have the ability to deliver e-banking services to
end-users from either primary (e.g. internal bank systems and
applications) or secondary sources (e.g. systems and applications of
service providers). The maintenance of adequate availability is also
dependent upon the ability of contingency back-up systems to
mitigate denial of service attacks or other events that may
potentially cause business disruption.
The challenge to maintain continued availability of e-banking
systems and applications can be considerable given the potential for
high transaction demand, especially during peak time periods. In
addition, high customer expectations regarding short transaction
processing cycle times and constant availability (24 X 7) have also
increased the importance of sound capacity, business continuity and
contingency planning. To provide customers with the continuity of
e-banking services that they expect, banks need to ensure that:
1) Current e-banking system capacity and future scalability are
analyzed in light of the overall market dynamics for e-commerce and
the projected rate of customer acceptance of e-banking products and
services.
2) E-banking transaction processing capacity estimates are
established, stress tested and periodically reviewed.
3) Appropriate business continuity and contingency plans for
critical e-banking processing and delivery systems are in place and
regularly tested.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
REMOTE ACCESS
Many financial institutions use modems, remote-access servers
(RAS), and VPNs to provide remote access into their systems or to
allow remote access out of their systems. Remote access can support
mobile users through wireless, Internet, or dial-in capabilities. In
some cases, modem access is required periodically by vendors to make
emergency program fixes or to support a system.
Remote access to a financial institution's systems provides an
attacker with the opportunity to remotely attack the systems either
individually or in groups. Accordingly, management should establish
policies restricting remote access and be aware of all remote access
devices attached to their systems. These devices should be strictly
controlled. Good controls for remote access include the following
actions:
! Disallow remote access by policy and practice unless a
compelling business justification exists.
! Disable remote access at the operating system level if a
business need for such access does not exist.
! Require management approval for remote access.
! Require an operator to leave the modems unplugged or disabled by
default, to enable modems only for specific, authorized external
requests, and disable the modem immediately when the requested
purpose is completed.
! Configure modems not to answer inbound calls, if modems are for
outbound use only.
! Use automated callback features so the modems only call one
number (although this is subject to call forwarding schemes).
! Install a modem bank where the outside number to the modems uses
a different prefix than internal numbers and does not respond to
incoming calls.
! Log and monitor the date, time, user, user location, duration,
and purpose for all remote access.
! Require a two-factor authentication process for all remote
access (e.g., PIN-based token card with a one-time random password
generator).
! Implement controls consistent with the sensitivity of remote use
(e.g., remote system administration requires strict controls and
oversight including encrypting the authentication and log-in
process).
! Appropriately patch and maintain all remote access software.
! Use trusted, secure access devices.
! Use remote-access servers (RAS) to centralize modem and Internet
access, to provide a consistent authentication process, and to
subject the inbound and outbound network traffic to firewalls.
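The "log and monitor" and "management approval" controls above can be checked mechanically. This added example (not from the FFIEC booklet) reviews constructed remote-access log records against a constructed approval table; the log format, the field names and the approval records are assumptions.

```python
"""Review remote-access session logs against two of the controls above:
every session must record date, time, user, location, duration and purpose,
and must fall inside a management-approved window. All data is constructed."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed approvals: who may connect, from where, for what, and when.
APPROVALS = [
    {"user": "vendor-acme", "location": "acme-support-dialin", "purpose": "emergency fix",
     "start": "2019-07-08 14:00", "end": "2019-07-08 18:00"},
    {"user": "jdoe", "location": "vpn-home", "purpose": "on-call admin",
     "start": "2019-07-08 00:00", "end": "2019-07-09 00:00"},
]

# Constructed log lines: date time user location duration_minutes purpose
LOG_LINES = [
    "2019-07-08 14:12 vendor-acme acme-support-dialin 45 emergency fix",
    "2019-07-08 19:30 vendor-acme acme-support-dialin 20 emergency fix",  # outside window
    "2019-07-08 02:05 jdoe vpn-home 30 on-call admin",
    "2019-07-08 03:10 rsmith vpn-home 15 file transfer",                   # no approval
    "2019-07-08 09:00 jdoe vpn-home",                                      # incomplete record
]

def parse_line(line):
    """Split a log line into its fields; return None when a mandatory field is missing."""
    parts = line.split(maxsplit=5)
    if len(parts) < 6:
        return None
    date, time, user, location, duration, purpose = parts
    return {"start": datetime.strptime(f"{date} {time}", FMT), "user": user,
            "location": location, "duration": timedelta(minutes=int(duration)),
            "purpose": purpose}

def find_approval(session):
    """Return the approval that covers the whole session, or None."""
    end = session["start"] + session["duration"]
    for a in APPROVALS:
        if (a["user"], a["location"], a["purpose"]) != (
                session["user"], session["location"], session["purpose"]):
            continue
        if datetime.strptime(a["start"], FMT) <= session["start"] \
                and end <= datetime.strptime(a["end"], FMT):
            return a
    return None

def review_log(lines):
    """Return (line, finding) pairs for every record that fails a control."""
    findings = []
    for line in lines:
        session = parse_line(line)
        if session is None:
            findings.append((line, "incomplete record: missing required field"))
        elif find_approval(session) is None:
            findings.append((line, "no management approval covers this session"))
    return findings
```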
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.4.2 Protection Against Payroll Fraud and Errors: Time and
Attendance Application (2 of 2)
Protection Against Payroll Errors
The frequency of data
entry errors is reduced by having Time and Attendance clerks enter
each time sheet into the time and attendance application twice. If
the two copies are identical, both are considered error free, and
the record is accepted for subsequent review and approval by a
supervisor. If the copies are not identical, the discrepancies are
displayed, and for each discrepancy, the clerk determines which copy
is correct. The clerk then incorporates the corrections into one of
the copies, which is then accepted for further processing. If the
clerk makes the same data-entry error twice, then the two copies
will match, and one will be accepted as correct, even though it is
erroneous. To reduce this risk, the time and attendance application
could be configured to require that the two copies be entered by
different clerks.
In addition, each
department has one or more Time and Attendance Supervisors who are
authorized to review these reports for accuracy and to approve them
by running another server program that is part of the time and
attendance application. The data are then subjected to a collection
of "sanity checks" to detect entries whose values are outside
expected ranges. Potential anomalies are displayed to the supervisor
prior to allowing approval; if errors are identified, the data are
returned to a clerk for additional examination and corrections.
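The double-entry procedure and the supervisor's sanity checks described in the two paragraphs above, as an added example that is not part of the NIST handbook: the time sheet fields, the expected ranges and the sample records are constructed assumptions.

```python
"""Double entry of time sheets with discrepancy resolution, the
different-clerks rule, and supervisor range checks, modelled on the HGA
description above. Field names and ranges are constructed."""

# Constructed expected ranges per pay period for the supervisor's sanity checks.
EXPECTED_RANGES = {"regular_hours": (0, 80), "overtime_hours": (0, 40), "leave_hours": (0, 80)}

class DoubleEntryError(Exception):
    """Raised when a time sheet cannot be accepted from the two entered copies."""

def compare_copies(copy_a, copy_b):
    """Return {field: (value_a, value_b)} for every field whose two entries differ."""
    return {f: (copy_a.get(f), copy_b.get(f))
            for f in set(copy_a) | set(copy_b) if copy_a.get(f) != copy_b.get(f)}

def double_entry(copy_a, copy_b, clerk_a, clerk_b, resolve=None, require_different_clerks=True):
    """Accept a time sheet only when two entries agree or every discrepancy is resolved.
    The same-clerk rule addresses the case where one clerk repeats the same error twice.
    `resolve(field, value_a, value_b)` returns the value the clerk judged correct."""
    if require_different_clerks and clerk_a == clerk_b:
        raise DoubleEntryError("both copies entered by the same clerk")
    diffs = compare_copies(copy_a, copy_b)
    if not diffs:
        return dict(copy_a)
    if resolve is None:
        raise DoubleEntryError(f"unresolved discrepancies: {sorted(diffs)}")
    accepted = dict(copy_a)
    for field, (va, vb) in diffs.items():
        accepted[field] = resolve(field, va, vb)
    return accepted

def sanity_check(record):
    """Return the fields whose values fall outside expected ranges (shown to the supervisor)."""
    anomalies = {}
    for field, (lo, hi) in EXPECTED_RANGES.items():
        v = record.get(field)
        if v is None or not lo <= v <= hi:
            anomalies[field] = v
    return anomalies

def supervisor_approve(record):
    """Approve when sanity checks pass; otherwise return the record to a clerk."""
    anomalies = sanity_check(record)
    if anomalies:
        return ("returned", anomalies)
    return ("approved", dict(record))
```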
When a supervisor
approves the time and attendance data, this application logs into
the interagency mainframe via the WAN and transfers the data to a
payroll database on the mainframe. The mainframe later prints
paychecks or, using a pool of modems that can send data over phone
lines, it may transfer the funds electronically into
employee-designated bank accounts. Withheld taxes and contributions
are also transferred electronically in this manner.
The Director of
Personnel is responsible for ensuring that forms describing
significant payroll-related personnel actions are provided to the
Payroll Office at least one week before the payroll processing date
for the first affected pay period. These actions include hiring,
terminations, transfers, leaves of absences and returns from such,
and pay raises.
The Manager of the
Payroll Office is responsible for establishing and maintaining
controls adequate to ensure that the amounts of pay, leave, and
other benefits reported on pay stubs and recorded in permanent
records and those distributed electronically are accurate and
consistent with time and attendance data and with other information
provided by the Personnel Department. In particular, paychecks must
never be provided to anyone who is not a bona fide, active-status
employee of HGA. Moreover, the pay of any employee who terminates
employment, who transfers, or who goes on leave without pay must be
suspended as of the effective date of such action; that is, extra
paychecks or excess pay must not be disbursed.
Protection Against Accidental Corruption or Loss of Payroll Data
The same mechanisms
used to protect against fraudulent modification are used to protect
against accidental corruption of time and attendance data -- namely,
the access-control features of the server and mainframe operating
systems.
COG's (Computer
Operations Group) nightly backups of the server's disks protect
against loss of time and attendance data. To a limited extent, HGA
also relies on mainframe administrative personnel to back up time
and attendance data stored on the mainframe, even though HGA has no
direct control over these individuals. As additional protection
against loss of data at the mainframe, HGA retains copies of all
time and attendance data on line on the server for at least one
year, at which time the data are archived and kept for three years.
The server's access controls for the on-line files are automatically
set to read-only access by the time and attendance application at
the time of submission to the mainframe. The integrity of time and
attendance data will be protected by digital signatures as they are
implemented.
The WAN's
communications protocols also protect against loss of data during
transmission from the server to the mainframe (e.g., error
checking). In addition, the mainframe payroll application includes a
program that is automatically run 24 hours before paychecks and pay
stubs are printed. This program produces a report identifying
agencies from whom time and attendance data for the current pay
period were expected but not received. Payroll department staff are
responsible for reviewing the reports and immediately notifying
agencies that need to submit or resubmit time and attendance data.
If time and attendance input or other related information is not
available on a timely basis, pay, leave, and other benefits are
temporarily calculated based on information estimated from prior pay
periods.