FYI - DOD continues to buy products it knows have cybersecurity vulnerabilities - The Department of Defense continues to buy millions of dollars in commercial off-the-shelf technology with known cybersecurity vulnerabilities, a watchdog report published last week found. https://www.fedscoop.com/defense-department-known-cyber-vulnerabilities-lenovo-lexmark-gopro/

FYI - How AT&T Insiders Were Bribed to 'Unlock' Millions of Phones - A dramatic saga that began with a civil lawsuit between AT&T and former employees has resulted in a high-profile arrest. https://www.wired.com/story/att-insiders-bribed-unlock-phones/

Destructive malware attacks double as attackers pair ransomware with disk wipers - IBM Security’s X-Force Incident Response and Intelligence Services (IRIS) team reported this week that it witnessed a 200 percent increase in destructive malware attacks over the first half of 2019, compared to the second half of 2018. https://www.scmagazine.com/home/security-news/cybercrime/destructive-malware-attacks-double-as-attackers-pair-ransomware-with-disk-wipers/

State Farm hit with credential stuffing attack, data not compromised - The good hands at State Farm managed to let slip through a credential stuffing attack, but the company does not believe any information was leaked or viewed by the malicious actor. https://www.scmagazine.com/home/security-news/cyberattack/state-farm-hit-with-credential-stuffing-attack-data-not-compromised/

Adapting the classical art of penetration testing to the cubist world of cloud - Many technical practitioners may believe that, at the end of the day, penetration testing is penetration testing. Proper penetration testing, however, is an art that must adapt over time. https://www.scmagazine.com/home/opinion/executive-insight/adapting-the-classical-art-of-penetration-testing-to-the-cubist-world-of-cloud/

Desjardins breach cost $53 million in Q2 - A breach that exposed personally identifiable information (PII) on 2.9 million Desjardins customers cost the Canadian credit union $53 million in Q2. https://www.scmagazine.com/home/security-news/desjardins-breach-cost-53-million-in-q2/

Cyber leaders must take ownership of cyber skills gap - We’ve all heard about the cyber skills gap by now. As cyber adversaries grow more advanced and organizations struggle to manage these evolving threats, cybersecurity jobs are getting harder to fill. https://www.scmagazine.com/home/opinion/executive-insight/cyber-leaders-must-take-ownership-of-cyber-skills-gap/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - iNSYNQ Ransom Attack Began With Phishing Email - A ransomware outbreak that hit QuickBooks cloud hosting firm iNSYNQ in mid-July appears to have started with an email phishing attack that snared an employee working in sales for the company, KrebsOnSecurity has learned. https://krebsonsecurity.com/2019/08/insynq-ransom-attack-began-with-phishing-email/

Anatomy of an attack: How Coinbase was targeted with emails booby-trapped with Firefox zero-days - Coinbase chief information security officer Philip Martin this week published an incident report covering the recent attack on the cryptocurrency exchange, revealing a phishing campaign of surprising sophistication. https://www.theregister.co.uk/2019/08/09/coinbase_pwned/

700,000 Choice Hotels customer records compromised - Cybercriminals took advantage of an open MongoDB database containing data from Choice Hotels and stole 700,000 customer records and then demanded a $3,800 ransom payment for their return. https://www.scmagazine.com/home/security-news/data-breach/700000-choice-hotels-customer-records-compromised/

BioStar 2 database leaked one million fingerprints, facial recognition data - A breach in a database of biometric security smart lock platform Suprema BioStar 2 exposed more than one million fingerprint records as well as facial recognition information and other sensitive data. https://www.scmagazine.com/home/security-news/biostar-2-database-leaked-one-million-fingerprints-facial-recognition-data/

SEC looking into First American Financial Corp.’s leaky website - First American Financial Corp. is reportedly the subject of a U.S. Securities and Exchange Commission investigation, following the discovery of a website defect that left 885 million documents exposed to the public. https://www.scmagazine.com/home/security-news/data-breach/report-sec-looking-into-first-american-financial-corp-s-leaky-website/

Major breach found in biometrics system used by banks, UK police and defence firms - The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, was discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.  https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms?utm_medium=techboard.wed.20190814&utm_source=email&utm_content=&utm_campaign=campaign

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
   
   Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 3 of 3)
   
   4. Banks should ensure that periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house.
   
   a)   For outsourced relationships involving critical or technologically complex e-banking services/applications, banks may need to arrange for other periodic reviews to be performed by independent third parties with sufficient technical expertise.
   
   5. Banks should develop appropriate contingency plans for outsourced e-banking activities.
   
   a)  Banks need to develop and periodically test their contingency plans for all critical e-banking systems and services that have been outsourced to third parties.
   
   b)  Contingency plans should address credible worst-case scenarios for providing continuity of e-banking services in the event of a disruption affecting outsourced operations.
   
   c)   Banks should have an identified team that is responsible for managing recovery and assessing the financial impact of a disruption in outsourced e-banking services.
   
   6. Banks that provide e-banking services to third parties should ensure that their operations, responsibilities, and liabilities are sufficiently clear so that serviced institutions can adequately carry out their own effective due diligence reviews and ongoing oversight of the relationship.
   
   a)   Banks have a responsibility to provide serviced institutions with information necessary to identify, control and monitor any risks associated with the e-banking service arrangement.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  ENCRYPTION
  
  Encryption is used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information. It can be used throughout a technological environment, including the operating systems, middleware, applications, file systems, and communications protocols.
  
  Encryption is used both as a prevention and detection control. As a prevention control, encryption acts to protect data from disclosure to unauthorized parties. As a detective control, encryption is used to allow discovery of unauthorized changes to data and to assign responsibility for data among authorized parties. When prevention and detection are joined, encryption is a key control in ensuring confidentiality, data integrity, and accountability.
  
  Properly used, encryption can strengthen the security of an institution's systems. Encryption also has the potential, however, to weaken other security aspects. For instance, encrypted data drastically lessens the effectiveness of any security mechanism that relies on inspections of the data, such as anti - virus scanning and intrusion detection systems. When encrypted communications are used, networks may have to be reconfigured to allow for adequate detection of malicious code and system intrusions.
  
  Although necessary, encryption carries the risk of making data unavailable should anything go wrong with data handling, key management, or the actual encryption. The products used and administrative controls should contain robust and effective controls to ensure reliability.
  
  Encryption can impose significant overhead on networks and computing devices. A loss of encryption keys or other failures in the encryption process can deny the institution access to the encrypted data.
  
  Financial institutions should employ an encryption strength sufficient to protect information from disclosure until such time as the information's disclosure poses no material threat. For instance, authenticators should be encrypted at a strength sufficient to allow the institution time to detect and react to an authenticator theft before the attacker can decrypt the stolen authenticators.
  
  Decisions regarding what data to encrypt and at what points to encrypt the data are typically based on the risk of disclosure and the costs and risks of encryption. Generally speaking, authenticators are always encrypted whether on public networks or on the financial institution's network. Sensitive information is also encrypted when passing over a public network, and also may be encrypted within the institution.
  
  Encryption cannot guarantee data security. Even if encryption is properly implemented, for example, a security breach at one of the endpoints of the communication can be used to steal the data or allow an intruder to masquerade as a legitimate system user.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.4.6 Protection Against Risks from Non-HGA Computer Systems

HGA relies on systems and components that it cannot control directly because they are owned by other organizations. HGA has developed a policy to avoid undue risk in such situations. The policy states that system components controlled and operated by organizations other than HGA may not be used to process, store, or transmit HGA information without obtaining explicit permission from the application owner and the COG Manager. Permission to use such system components may not be granted without written commitment from the controlling organization that HGA's information will be safeguarded commensurate with its value, as designated by HGA. This policy is somewhat mitigated by the fact that HGA has developed an issue-specific policy on the use of the Internet, which allows for its use for e-mail with outside organizations and access to other resources (but not for transmission of HGA's proprietary data).

20.5 Vulnerabilities Reported by the Risk Assessment Team

The risk assessment team found that many of the risks to which HGA is exposed stem from (1) the failure of individuals to comply with established policies and procedures or (2) the use of automated mechanisms whose assurance is questionable because of the ways they have been developed, tested, implemented, used, or maintained. The team also identified specific vulnerabilities in HGA's policies and procedures for protecting against payroll fraud and errors, interruption of operations, disclosure and brokering of confidential information, and unauthorized access to data by outsiders.