FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, agreement and, cost saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - White House Details Draft Contractor Data Breach Rules - Agencies could have a template for data breach contract clauses as early as this fall, according to a detailed draft policy. http://www.nextgov.com/cybersecurity/2015/08/white-house-details-draft-contractor-data-breach-rules/119039/

FYI - VW Has Spent Two Years Trying to Hide a Big Security Flaw - Got a VW, Fiat, Audi, Ferrari, Porsche or Maserati? Then you might want to check the model. http://www.bloomberg.com/news/articles/2015-08-14/vw-has-spent-two-years-trying-to-hide-a-big-security-flaw

FYI - Chip Card ATM ‘Shimmer’ Found in Mexico - Fraud experts in Mexico have discovered an unusual ATM skimming device that can be inserted into the mouth of the cash machine’s card acceptance slot and used to read data directly off of chip-enabled credit or debit cards. http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/

FYI - FAA: software upgrade, not ERAM, likely caused flight cancellations, delays - A software upgrade to Federal Aviation Administration (FAA) radar operations in Virginia, not the long-delayed and much-anticipated En Route Automation Modernization (ERAM) system, likely caused the problems that compelled the agency to issue a flight restriction in the busy corridor and forcing airlines to cancel hundreds of flights. http://www.scmagazine.com/faa-issued-flight-restriction-airlines-ground-flights-after-software-upgrade-wreaks-havoc/article/432984/

FYI - Hackers might have stolen IRS data on more than 300,000 households - More taxpayers than originally thought had personal information stolen in a hack that used a surprisingly simple method. http://www.cnet.com/news/hackers-might-have-stolen-irs-data-on-more-than-300000-households/ 

FYI - Cyber threats could put lives at risk, Q2 2015 report explores - Trend Micro's Q2 2015 threat report hit on several issues in the security space, including those that pose an actual physical threat to the public, a string of powerful attacks on government entities and an increase in attacks by lone wolf operators. http://www.scmagazine.com/cyber-threats-could-put-lives-at-risk-q2-2015-report-explores/article/433412/

FYI - China arrests 15,000 during cybercrime sweep - The Chinese Ministry of Public Security (MPS) arrested 15,000 people for cybercrimes as part of a long-term operation dubbed “Cleaning the Internet,” Reuters reported. http://www.scmagazine.com/china-arrests-15000-during-cybercrime-sweep/article/433257/

FYI - Hackers post Ashley Madison's customer details online - Last month the website Ashley Madison was hacked, and now the names, addresses, phone numbers, encrypted passwords and credit card transaction details of around 32 million of its 37 million registered customers appear to have been posted on the dark web. http://www.scmagazine.com/hackers-post-ashley-madisons-customer-details-online/article/433630/

FYI - Target settles with Visa following 2013 breach - Following a data breach of Target's computer systems during the 2013 holiday shopping season that affected 40 million card accounts and the personally identifiable information (PII) of as many as 70 million people, the Minneapolis-based mass retailer agreed on Tuesday to a settlement with card issuer Visa. http://www.scmagazine.com/target-settles-with-visa-following-2013-breach/article/433516/

FYI - Outsourcing IT security continues to grow, study finds - Spending on the outsourcing of IT functions is rising at a rate that is in step with IT operational budgets as a whole, according to a new report, "IT Outsourcing Statistics 2015/16," from IT research firm. http://www.scmagazine.com/outsourcing-it-security-continues-to-grow-study-finds/article/433657/

FYI - Contractor that vetted Snowden settles with government for $30M - The investigative services provider and government contractor that vetted Edward Snowden agreed to a $30 million settlement with the U.S. government on Wednesday. http://www.scmagazine.com/usis-settles-with-us-government/article/433883/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - University of Virginia announces breach, says attack came from China - The University of Virginia announced Friday that attackers originating from China illegally accessed portions of its information technology systems, but that no personal information appears to have been affected. http://www.scmagazine.com/uva-attack-came-from-china-targeted-email-accounts-of-two-staffers/article/433157/

FYI - Illinois Department of Corrections data breach hits more than 1,000 employees - The Illinois Department of Corrections (IDOC) is notifying more than 1,000 employees that their personal information was included in a response to a civilian Freedom of Information Act (FOIA) request. http://www.scmagazine.com/illinois-department-of-corrections-data-breach-hits-more-than-1000-employees/article/433133/

FYI - Tremco staffer loses laptop, contained data on thousands of employees - Ohio-based manufacturer Tremco is notifying approximately 3,700 employees that a human resources employee left a company-issued laptop containing personal information on an airplane, and that the laptop has not yet been recovered. http://www.scmagazine.com/tremco-staffer-loses-laptop-contained-data-on-thousands-of-employees/article/433391/

FYI - Credit card data possibly compromised for 93K Web.com customers - Web.com, which provides solutions to help small businesses succeed online, is notifying approximately 93,000 customers that their personal information – including some credit card data – may have been compromised in a breach. http://www.scmagazine.com/credit-card-data-possibly-compromised-for-93k-webcom-customers/article/433632/

FYI - Colorado's OIT notifies 3,000 residents of data breach - Colorado's Office of Information Technology (OIT) is notifying more than 3,000 residents that a technical error resulted in letters containing their personal information being mailed to the wrong address. http://www.scmagazine.com/colorados-oit-notifies-3000-residents-of-data-breach/article/433888/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Audit

The institution should generally include in the contract the types of audit reports the institution is entitled to receive (e.g., financial, internal control and security reviews). The contract can specify audit frequency, cost to the institution associated with the audits if any, as well as the rights of the institution and its agencies to obtain the results of the audits in a timely manner. The contract may also specify rights to obtain documentation regarding the resolution of audit
disclosed deficiencies and inspect the processing facilities and operating practices of the service provider. Management should consider, based upon the risk assessment phase, the degree to which independent internal audits completed by service provider audit staff can be used and the need for external audits and reviews (e.g., SAS 70 Type I and II reviews). (AICPA Statement of Auditing Standards 70 “Reports of Processing of Transactions by Service Organizations,” known as SAS 70 Reports, are one commonly used form of external review. Type I SAS 70 reports review the service provider’s policies and procedures. Type II SAS 70 reports provide tests of actual controls against policies and procedures.)

For services involving access to open networks, such as Internet-related services, special attention should be paid to security. The institution may wish to include contract terms requiring periodic audits to be performed by an independent party with sufficient expertise. These audits may include penetration testing, intrusion detection, and firewall configuration. The institution should receive sufficiently detailed reports on the findings of these ongoing audits to adequately assess security without compromising the service provider’s security. It can be beneficial to both the service provider and the institution to contract for such ongoing tests on a coordinated basis given the number of institutions that may contract with the service provider and the importance of the test results to the institution.

Reports

Contractual terms should discuss the frequency and type of reports the institution will receive (e.g., performance reports, control audits, financial statements, security, and business resumption testing reports). Guidelines and fees for obtaining custom reports should also be discussed.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue the series  from the FDIC "Security Risks Associated with the Internet." 
 
 SECURITY MEASURES
 
 System Architecture and Design 
 
 Measures to address access control and system security start with the appropriate system architecture. Ideally, if an Internet connection is to be provided from within the institution, or a Web site established, the connection should be entirely separate from the core processing system. If the Web site is placed on its own server, there is no direct connection to the internal computer system. However, appropriate firewall technology may be necessary to protect Web servers and/or internal systems. 
 
 Placing a "screening router" between the firewall and other servers provides an added measure of protection, because requests could be segregated and routed to a particular server (such as a financial information server or a public information server). However, some systems may be considered so critical, they should be completely isolated from all other systems or networks.  Security can also be enhanced by sending electronic transmissions from external sources to a machine that is not connected to the main operating system.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.6.3 Mitigating Vulnerabilities Related to the Continuity of Operations

The assessment recommended that COG institute a program of periodic internal training and awareness sessions for COG personnel having contingency plan responsibilities. The assessment urged that COG undertake a rehearsal during the next three months in which selected parts of the plan would be exercised. The rehearsal should include attempting to initiate some aspect of processing activities at one of the designated alternative sites. HGA's management agreed that additional contingency plan training was needed for COG personnel and committed itself to its first plan rehearsal within three months.

After a short investigation, HGA divisions owning applications that depend on the WAN concluded that WAN outages, although inconvenient, would not have a major impact on HGA. This is because the few time-sensitive applications that required WAN-based communication with the mainframe were originally designed to work with magnetic tape instead of the WAN, and could still operate in that mode; hence courier-delivered magnetic tapes could be used as an alternative input medium in case of a WAN outage. The divisions responsible for contingency planning for these applications agreed to incorporate into their contingency plans both descriptions of these procedures and other improvements.

With respect to mainframe outages, HGA determined that it could not easily make arrangements for a suitable alternative site. HGA also obtained and examined a copy of the mainframe facility's own contingency plan. After detailed study, including review by an outside consultant, HGA concluded that the plan had major deficiencies and posed significant risks because of HGA's reliance on it for payroll and other services. This was brought to the attention of the Director of HGA, who, in a formal memorandum to the head of the mainframe's owning agency, called for (1) a high-level interagency review of the plan by all agencies that rely on the mainframe, and (2) corrective action to remedy any deficiencies found.

HGA's management agreed to improve adherence to its virus-prevention procedures. It agreed (from the point of view of the entire agency) that information stored on PC hard disks is frequently lost. It estimated, however, that the labor hours lost as a result would amount to less than a person year--which HGA management does not consider to be unacceptable. After reviewing options for reducing this risk, HGA concluded that it would be cheaper to accept the associated loss than to commit significant resources in an attempt to avoid it. COG volunteered, however, to set up an automated program on the LAN server that e-mails backup reminders to all PC users once each quarter. In addition, COG agreed to provide regular backup services for about 5 percent of HGA's PCs; these will be chosen by HGA's management based on the information stored on their hard disks.