FYI
- Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet. Independent pen-testing is part of any financial institution's cybersecurity defense. To receive due diligence information, an agreement and cost-saving fees, please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm. All communication is kept strictly confidential.
FYI
- Nearly all Americans support and want retaliation for cyberattacks
- The vast majority of Americans are calling for retaliation in the
wake of cyberattacks that compromise sensitive government data.
http://www.scmagazine.com/vormetric-survey-polls-americans-on-cyberattack-government-reactions/article/429049/
FYI
- Car Hacking Shifts Into High Gear - Researchers now have proven you
can hack a car remotely, and at Black Hat USA will share most -- but
not all -- of the details on how they did it. If a car's brakes
suddenly fail and send it careening uncontrollably into a ditch, how
do you know whether it was a mechanical failure or the work of a
malicious hacker?
http://www.darkreading.com/attacks-breaches/car-hacking-shifts-into-high-gear/d/d-id/1321445
FYI
- On Tuesday morning, Senators Ed Markey and Richard Blumenthal plan
to introduce new legislation that’s designed to require cars sold in
the U.S. to meet certain standards of protection against digital
attacks and privacy.
http://www.wired.com/2015/07/senate-bill-seeks-standards-cars-defenses-hackers/
FYI
- All smartwatches are vulnerable to attack, finds study - The report
is seen as a good indicator of the current security posture of
smartwatch devices given the similarity of issues raised, such as
insufficient authentication, weak encryption and other privacy
concerns.
http://www.scmagazine.com/all-smartwatches-are-vulnerable-to-attack-finds-study/article/428321/
FYI
- Security experts and regular users vastly different in preferred
safety practices - Even with an excess of advice on online best
security practices, experts in the field and regular users implement
different strategies to cope with cyber threats, and not all
adequately keep devices protected.
http://www.scmagazine.com/google-conducts-online-safety-practices-survey/article/428493/
FYI
- Power Grid Is America’s Biggest Weakness, New Security Report
Confirms - Power grid down disaster scenarios are not just fodder
for movie plots - they pose pressing concerns for government and
security experts as well.
http://www.inquisitr.com/2279678/power-grid-is-americas-biggest-weakness-new-report-conforms/
FYI
- Pakistan bans BlackBerry Enterprise Server - Telcos told to switch
off BES-as-a-service in December - Pakistan has reportedly ordered
the nation's carriers to cease offering services that route email
through BlackBerry Enterprise Server (BES), a product that among
other things encrypts email.
http://www.theregister.co.uk/2015/07/27/pakistan_bans_blackberry_enterprise_server/
FYI
- NYU conference encourages women to pursue cybersecurity -
Cybersecurity's the “it” tech field of the moment, there's no doubt
about that, with multiple major breaches in just the past couple
years and a newfound emphasis on security in both the private and
public sectors.
http://www.scmagazine.com/nyu-hosts-women-in-cybersecurity-event/article/429614/
FYI
- Privacy advocacy group sends 6.1 million faxes to Senate to
protest CISA - Privacy advocacy group Fight For the Future's
campaign “Operation: #FaxBigBrother” has thus far generated 6.1
million faxes sent to members of the Senate to protest the
Cybersecurity Information Sharing Act (CISA).
http://www.scmagazine.com/privacy-advocacy-group-sends-61-million-faxes-to-senate-to-protest-cisa/article/429616/
FYI
- GAO - Facial Recognition Technology: Commercial Uses, Privacy
Issues, and Applicable Federal Law -
http://www.gao.gov/products/GAO-15-621
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- US Census Bureau IT systems hacked, data leaked by Anonymous -
Another OPM scandal, this is not - Anonymous hackers have swiped
databases from servers used by the US Census Bureau, and dumped
their contents online. The bureau, as you might imagine, collects
information on the American population every 10 years – although the
leaked data does not include citizens' census records.
http://www.theregister.co.uk/2015/07/23/us_census_bureau_hacked/
FYI
- NYMag.com hit with DDoS attack from man who hates NYC - NYMag.com was hit with
a distributed-denial-of-service (DDoS) attack that lasted about 12
hours and was executed by a man with a vendetta against all things
New York, according to Quartz.
http://www.scmagazine.com/new-york-magazines-website-was-hit-with-a-ddos-attack-from-a-man-with-a-vendetta-against-nyc/article/428787/
FYI
- Planned Parenthood investigates breach amid claims its systems were accessed
- Planned Parenthood is investigating possible unauthorized access
to its systems following reports that attackers released website
databases on Sunday night that included employee names and email
addresses.
http://www.scmagazine.com/planned-parenthood-investigates-breach-amid-claims-its-systems-were-accessed/article/428759/
FYI
- Breach affects 3,000 clients enrolled in Georgia state program -
Approximately 3,000 clients of the Community Care Services Program
in Georgia are being notified that the Division of Aging Services
inadvertently emailed their personal data to a contracted provider
that was not authorized to view the information.
http://www.scmagazine.com/breach-affects-3000-clients-enrolled-in-georgia-state-program/article/428766/
FYI
- Data on 5,300 Healthfirst members caught up in fraud scheme - New York-based
Healthfirst is notifying about 5,300 current and former members that
their personal information may have been compromised in a criminal
fraud scheme.
http://www.scmagazine.com/data-on-5300-healthfirst-members-caught-up-in-fraud-scheme/article/429020/
FYI
- Hundreds of Massachusetts General Hospital patients notified of data incident -
Massachusetts General Hospital (MGH) is notifying 648 patients that
an employee inadvertently sent an email containing their personal
information to the wrong email address.
http://www.scmagazine.com/hundreds-of-massachusetts-general-hospital-patients-notified-of-data-incident/article/429281/
FYI
- United reportedly hacked by same group that breached Anthem, OPM - A
previously unannounced breach at United Airlines could be the work
of Chinese hackers who allegedly pilfered information from insurance
company Anthem and the Office of Personnel Management (OPM), and are
aiming at amassing data on millions of American government officials
and private citizens.
http://www.scmagazine.com/united-investigating-attack-allegedly-executed-by-china-backed-hackers/article/429301/
FYI
- GM quickly issues fix for OnStar hack, but service still vulnerable - Just last
week Chrysler recalled 1.4 million vehicles after hackers revealed a
software bug. Now, a new hack exposes a vulnerability in GM vehicles
equipped with OnStar. GM issued a quick fix; however, hacker Samy
Kamkar has confirmed the problem still exists.
http://www.cnet.com/news/ownstar-onstar-hack/
FYI
- TV5Monde in chaos as data breach costs roll into the millions - French
broadcaster TV5Monde is still without Internet and other key IT
functions three months after a nation-state hacker took control of
its TV channels and hijacked social media accounts. Meanwhile, the
data breach costs are mounting up.
http://www.scmagazine.com/tv5monde-in-chaos-as-data-breach-costs-roll-into-the-millions/article/429390/
FYI
- Planned Parenthood websites downed in DDoS attack - Planned Parenthood
websites have gone down and are, according to the main page,
undergoing maintenance.
http://www.scmagazine.com/planned-parenthood-websites-downed-in-ddos-attack/article/429563/
FYI
- Four McLean Hospital backup data tapes go missing, thousands affected -
Massachusetts-based McLean Hospital is notifying about 12,600
individuals that their personal information was on four unencrypted
backup data tapes – related to the Harvard Brain Tissue Resource
Center (HBTRC) – that have gone missing.
http://www.scmagazine.com/four-mclean-hospital-backup-data-tapes-go-missing-thousands-affected/article/429420/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Operations and Controls
• Determine adequacy of the service provider’s standards, policies and procedures relating
to internal controls, facilities management (e.g., access
requirements, sharing of facilities, etc.), security (e.g.,
systems, data, equipment, etc.), privacy protections,
maintenance of records, business resumption contingency
planning, systems development and maintenance, and employee
background checks.
• Determine if the service provider provides sufficient security
precautions, including, when appropriate, firewalls, encryption,
and customer identity authentication, to protect institution
resources as well as detect and respond to intrusions.
• Review audit reports of the service provider to determine
whether the audit scope, internal controls, and security
safeguards are adequate.
• Evaluate whether the institution will have complete and timely
access to its information maintained by the provider.
• Evaluate the service provider’s knowledge of regulations that
are relevant to the services they are providing (e.g.,
Regulation E, privacy and other consumer protection regulations,
Bank Secrecy Act, etc.).
• Assess the adequacy of the service provider’s insurance
coverage including fidelity, fire, liability, data losses from
errors and omissions, and protection of documents in transit.
Financial Condition
• Analyze the service provider’s most recent audited financial statements and annual report as
well as other indicators (e.g., publicly traded bond ratings),
if available.
• Consider factors such as how long the service provider has
been in business and the service provider’s market share for a
given service and how it has fluctuated.
• Consider the significance of the institution’s proposed
contract on the service provider’s financial condition.
• Evaluate technological expenditures. Is the service provider’s
level of investment in technology consistent with supporting the
institution’s activities? Does the service provider have the
financial resources to invest in and support the required
technology?
FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Symmetric and Asymmetric Key Systems
There are two types of cryptographic key systems, symmetric and
asymmetric. With a symmetric key system (also known as secret key
or private key systems), all parties have the same key. The keys
can be used to encrypt and decrypt messages, and must be kept secret
or the security is compromised. For the parties to get the same
key, there has to be a way to securely distribute the key to each
party. While this can be done, the security controls necessary make
this system impractical for widespread and commercial use on an open
network like the Internet. Asymmetric key systems can solve this
problem.
In an asymmetric key system (also known as a public key system),
two keys are used. One key is kept secret, and therefore is referred
to as the "private key." The other key is made widely available to
anyone who wants it, and is referred to as the "public key." The
private and public keys are mathematically related so that
information encrypted with the private key can only be decrypted by
the corresponding public key. Similarly, information encrypted with
the public key can only be decrypted by the corresponding private
key. The private key, regardless of the key system utilized, is
typically specific to a party or computer system. Therefore, the
sender of a message can be authenticated as the private key holder
by anyone decrypting the message with a public key. Importantly, it
is mathematically impossible for the holder of any public key to use
it to figure out what the private key is. The keys can be stored
either on a computer or on a physically separate medium such as a
smart card.
Regardless of the key system utilized, physical controls must exist
to protect the confidentiality and access to the key(s). In
addition, the key itself must be strong enough for the intended
application. The appropriate encryption key may vary depending on
how sensitive the transmitted or stored data is, with stronger keys
utilized for highly confidential or sensitive data. Stronger
encryption may also be necessary to protect data that is in an open
environment, such as on a Web server, for long time periods.
Because the strength of the key is determined by its length, the
longer the key, the harder it is for high-speed computers to break
the code.
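As an added illustration that is not part of the FDIC text, the following Python toy uses textbook RSA with constructed, deliberately tiny primes to make the relationship described above visible: what one key encrypts, only the other decrypts, so a message encrypted with the public key stays confidential and a value produced with the private key authenticates its holder. The primes 61 and 53 and all function names are assumptions chosen for this example; the last function shows why a tiny modulus is worthless, which is the key-length point the paragraph above makes (real keys are thousands of bits and use padding).

```python
# Added example (not from the FDIC text): textbook RSA on a toy modulus.
# Constructed primes p=61, q=53 give n=3233; real keys are 2048+ bits with
# padding. This only demonstrates the public/private key relationship.

def make_keypair(p: int, q: int, e: int = 17):
    """Derive an RSA keypair from two primes. Returns ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)        # Euler's totient of n
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)

def rsa_apply(key, value: int) -> int:
    """Raise value to the key's exponent mod n; the same op serves both keys."""
    exp, n = key
    return pow(value, exp, n)

def encrypt_for_recipient(public_key, m: int) -> int:
    """Confidentiality: anyone may encrypt with the public key,
    but only the matching private key can recover m."""
    return rsa_apply(public_key, m)

def sign_with_private(private_key, m: int) -> int:
    """Authentication: only the private-key holder can produce this for m."""
    return rsa_apply(private_key, m)

def verify_with_public(public_key, m: int, sig: int) -> bool:
    """Anyone holding the public key can confirm sig came from the
    private-key holder, which is how a sender is authenticated."""
    return rsa_apply(public_key, sig) == m

def recover_private_key(public_key):
    """Trial-division factoring of n. Feasible only because this modulus is
    tiny: key strength comes from the length of n, as the text notes."""
    e, n = public_key
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1)), n
    raise ValueError("n has no small factor")

if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)          # constructed toy primes
    c = encrypt_for_recipient(pub, 65)
    assert rsa_apply(priv, c) == 65           # only the private key decrypts
    s = sign_with_private(priv, 65)
    assert verify_with_public(pub, 65, s)     # public key authenticates sender
    assert recover_private_key(pub) == priv   # a 12-bit n is factored at once
```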
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)
20.5.4 Vulnerabilities Related to Information Disclosure/Brokerage
HGA takes a conservative approach toward protecting information about its
employees. Since information brokerage is more likely to be a threat
to large collections of data, HGA's risk assessment focused primarily,
but not exclusively, on protecting the mainframe.
The risk assessment concluded that significant, avoidable information brokering
vulnerabilities were present--particularly due to HGA's lack of
compliance with its own policies and procedures. Time and attendance
documents were typically not stored securely after hours, and few
PCs containing time and attendance information were routinely
locked. Worse yet, few were routinely powered down, and many were
left logged into the LAN server overnight. These practices make it
easy for an HGA employee wandering the halls after hours to browse
or copy time and attendance information on another employee's desk,
PC hard disk, or LAN server directories.
The risk assessment pointed out that information sent to or retrieved from the server is
subject to eavesdropping by other PCs on the LAN. The LAN hardware
transmits information by broadcasting it to all connection points on
the LAN cable. Moreover, information sent to or retrieved from the
server is transmitted in the clear--that is, without encryption.
Given the widespread availability of LAN "sniffer" programs, LAN
eavesdropping is trivial for a prospective information broker and,
hence, is likely to occur.
Last, the assessment noted that HGA's employee master database is stored on the
mainframe, where it might be a target for information brokering by
employees of the agency that owns the mainframe. It might also be a
target for information brokering, fraudulent modification, or other
illicit acts by any outsider who penetrates the mainframe via
another host on the WAN.