FYI - Our cybersecurity testing meets the independent pen-test
requirements outlined in the FFIEC Information Security booklet.
Independent pen-testing is part of any financial institution's
cybersecurity defense. To receive due diligence information, agreement,
and cost-saving fees, please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm. All
communication is kept strictly confidential.
FYI - Appeals court rules FTC’s authority extends to cybersecurity - A
federal appeals court on Monday ruled the Federal Trade Commission
has the authority to bring enforcement actions against companies
that fail to take adequate precautions to prevent a cybersecurity
breach.
http://www.wired.com/2015/08/court-says-ftc-can-slap-companies-getting-hacked/
http://thehill.com/policy/cybersecurity/251803-appeals-court-ftcs-authority-extends-to-cybersecurity
FYI - Customers aren't smitten with mobile banking - Mobile banking is
touted as a convenience, and a majority of banks now offer the
service. But it may be a service customers don't want, the St. Louis
Business Journal reports.
http://www.bizjournals.com/kansascity/blog/morning_call/2015/08/customers-arent-smitten-with-mobile-banking.html
FYI - How one teen's app could stop cyberbullying at its source - A
fifteen-year-old thinks ending cyberbullying in teens may be as easy
as asking people to stop and rethink before sending a potentially
hurtful message.
http://www.csmonitor.com/Technology/2015/0820/How-one-teen-s-app-could-stop-cyberbullying-at-its-source
FYI - Ex-State Employee Allegedly Stalked Hundreds of Coeds from Embassy
Computer - A 36-year-old now ex-State Department employee allegedly
hacked into the emails, and sometimes photos, of potentially more
than 250 coeds nationwide, using a government computer while
stationed at the U.S. Embassy in London.
http://www.nextgov.com/cybersecurity/2015/08/state-employee-allegedly-cyberstalked-hundreds-coeds-embassy-computer/119280/
FYI - Mobile Device Security Ignored by Federal Workers - Almost a
quarter (24 percent) of federal employees send work documents to
personal email accounts, and half use their personal devices for
work email.
http://www.eweek.com/small-business/mobile-device-security-ignored-by-federal-workers.html
http://www.zdnet.com/article/securing-the-internet-lets-encrypt/
FYI - Alabama group indicted for IRS scam involving ID theft - An
Alabama man, along with several partners, has been indicted [PDF]
on aggravated identity theft, as well as other tax-related charges,
for their alleged actions in using stolen personal identification to
prepare and file false income tax returns, according to a statement
from the Department of Justice.
http://www.scmagazine.com/alabama-group-indicted-for-filing-fraudulent-tax-returns-collecting-refunds/article/434617/
FYI - Rutgers to spend several million dollars to strengthen
cybersecurity - Rutgers University has hired three cybersecurity
firms to firm up the school's cyber defenses after a series of
distributed denial-of-service (DDoS) attacks in the 2014/2015 school
year.
http://www.scmagazine.com/rutgers-to-spend-between-2-million-and-3-million-on-cybersecurity/article/434489/
FYI - Pace University awarded $2.5M from NSF to train cybersecurity
students - Pace University's Seidenberg School of Computer Science
and Information Systems said Monday it had received a $2.5 million
grant from the National Science Foundation (NSF). The award will
support three to four cybersecurity students annually.
http://www.scmagazine.com/nsf-gives-pace-25m-for-cybersecurity-students-research-and-outreach/article/434354/
FYI - SEC will not fine Target in aftermath of 2013 breach - The
Securities and Exchange Commission (SEC) will not penalize Target
Corp. for a cyberattack two years ago, according to the StarTribune.
http://www.scmagazine.com/sec-will-not-fine-target-in-aftermath-of-2013-breach/article/435017/
FYI - License plate reader data could be potential hacking target - The
Oakland Police Department (OPD) said it will only hold data gathered
with its Automatic License Plate Reader (ALPR) devices for six
months, which could prove beneficial to the privacy of the vehicle
owners who came across the device's path.
http://www.scmagazine.com/license-plate-reader-data-could-be-potential-hacking-target/article/435029/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - University of Rhode Island announces breach involving email,
Facebook accounts - The University of Rhode Island (URI) learned of
a breach involving the inappropriate collection and possible use of
information related to some URI email accounts, as well as personal
email and Facebook accounts.
http://www.scmagazine.com/university-of-rhode-island-announces-breach-involving-email-facebook-accounts/article/434174/
FYI - Royal Saudi Airforce website hit by Iranian pro-Yemen-rebel group
- Further hacktivist fall-out from Saudi Arabia and Iran's military
intervention in Yemen is reported by HackRead with the latest victim
being the Royal Saudi Airforce website.
http://www.scmagazine.com/royal-saudi-airforce-website-hit-by-iranian-pro-yemen-rebel-group/article/434326/
FYI - Totally Promotional attack compromises payment cards, other data -
Totally Promotional, an Ohio-based internet seller of imprinted
promotional products, is notifying an undisclosed number of
customers that attackers forced their way into its systems and
gained access to some customer payment card data and other
information.
http://www.scmagazine.com/totally-promotional-attack-compromises-payment-cards-other-data/article/434514/
FYI - Thomson data breach exposes hundreds of customer details - A data
protection breach at travel company Thomson has exposed personal
details of many passengers. The home addresses, telephone numbers
and flight dates were revealed for nearly 500 travelers in the UK.
http://www.scmagazine.com/thomson-data-breach-exposes-hundreds-of-customer-details/article/434797/
FYI - Dropbox phishing scam uses compromised Wordpress site - Dropbox
users may be the target of a new phishing scam that utilizes a
compromised Wordpress site, according to a post Tuesday by Johannes
B. Ullrich on the SANS Internet Storm Center InfoSec Community
Forums.
http://www.scmagazine.com/dropbox-phishing-scam-revealed/article/435007/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Business Resumption and Contingency Plans
The contract should address the service provider’s responsibility
for backup and record protection, including equipment, program and
data files, and maintenance of disaster recovery and contingency
plans. Responsibilities should include testing of the plans and
providing results to the institution. The institution should
consider interdependencies among service providers when determining
business resumption testing requirements. The service provider
should provide the institution with operating procedures the service
provider and institution are to implement in the event business
resumption contingency plans are implemented. Contracts should
include specific provisions for business recovery timeframes that
meet the institution’s business requirements. The institution should
ensure that the contract does not contain any provisions that would
excuse the service provider from implementing its contingency plans.
Sub-contracting and Multiple Service Provider Relationships
Some service providers may contract with third-parties in providing
services to the financial institution. To provide accountability, it
may be beneficial for the financial institution to seek an agreement
with and designate a primary contracting service provider. The
institution may want to consider including a provision specifying
that the contracting service provider is responsible for the service
provided to the institution regardless of which entity is actually
conducting the operations. The institution may also want to consider
including notification and approval requirements regarding changes
to the service provider’s significant subcontractors.
Cost
The contract should fully describe fees and calculations for base
services, including any development, conversion, and recurring
services, as well as any charges based upon volume of activity and
for special requests. Cost and responsibility for purchase and
maintenance of hardware and software may also need to be addressed.
Any conditions under which the cost structure may be changed should
be addressed in detail including limits on any cost increases.
FFIEC IT SECURITY - We continue the series from the FDIC "Security
Risks Associated with the Internet."
SECURITY MEASURES
Firewalls - Description, Configuration, and Placement
A firewall is a combination of hardware and software placed between
two networks, through which all traffic, regardless of direction, must
pass. When employed properly, it is a primary security measure in
governing access control and protecting the internal system from
compromise.
The key to a firewall's ability to protect the network is its
configuration and its location within the system. Firewall products
do not afford adequate security protection as purchased. They must
be set up, or configured, to permit or deny the appropriate traffic.
To provide the most security, the underlying rule should be to deny
all traffic unless expressly permitted. This requires system
administrators to review and evaluate the need for all permitted
activities, as well as who may need to use them. For example, to
protect against Internet protocol (IP) spoofing, data arriving from
an outside network that claims to be originating from an internal
computer should be denied access. Alternatively, systems could be
denied access based on their IP address, regardless of the
origination point. Such requests could then be evaluated based on
what information was requested and where in the internal system it
was requested from. For instance, incoming FTP requests may be
permitted, but outgoing FTP requests denied.
Often, there is a delicate balance between what is necessary to
perform business operations and the need for security. Due to the
intricate details of firewall programming, the configuration should
be reassessed after every system change or software update. Even if
the system or application base does not change, the threats to the
system do. Evolving risks and threats should be routinely monitored
and considered to ensure the firewall remains an adequate security
measure. If the firewall system should ever fail, the default should
deny all access rather than permit the information flow to continue.
Ideally, firewalls should be installed at any point where a computer
system comes into contact with another network. The firewall system
should also include alerting mechanisms to identify and record
successful and attempted attacks and intrusions. In addition,
detection mechanisms and procedures should include the generation
and routine review of security logs.
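The configuration principles above (deny all traffic unless expressly permitted, refuse outside traffic that claims an internal source address, permit a service in one direction but not the other, fail closed if something goes wrong, and record every denied request for later log review) as a toy packet-filter policy in Python. This is an added illustration, not part of the FDIC text or of any firewall product; the 10.0.0.0/8 internal range, the interface names and the permit rules are constructed assumptions.

```python
"""Toy packet filter illustrating the FDIC firewall guidance: default deny,
anti-spoofing on the external interface, direction-aware service rules,
fail-closed error handling, and a log entry for every denied request.

Added example; the interfaces, addresses and rule set are constructed
assumptions, not taken from the newsletter."""

import ipaddress
from dataclasses import dataclass

# Assumed internal address range protected by the firewall.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str      # "ext" = arrives from the outside network, "int" = from inside
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Explicit permit rules: (arrival interface, protocol, destination port).
# Anything not matched here is denied: deny all unless expressly permitted.
ALLOW_RULES = {
    ("ext", "tcp", 21),   # incoming FTP requests permitted, as in the text
    ("ext", "tcp", 25),   # inbound mail
    ("int", "tcp", 80),   # outbound web from the inside
    ("int", "tcp", 443),
}

DENIED_LOG = []  # stands in for the firewall's security log


def is_spoofed(pkt: Packet) -> bool:
    """Anti-spoofing check: traffic arriving from the outside network must
    not claim an internal source address."""
    return pkt.iface == "ext" and ipaddress.ip_address(pkt.src) in INTERNAL_NET


def decide(pkt: Packet) -> str:
    """Return 'permit' or 'deny'. Any unexpected error also yields 'deny'
    (fail closed) rather than letting the traffic through."""
    try:
        if is_spoofed(pkt):
            DENIED_LOG.append(f"DENY spoof iface={pkt.iface} src={pkt.src} dst={pkt.dst}")
            return "deny"
        if (pkt.iface, pkt.proto, pkt.dport) in ALLOW_RULES:
            return "permit"
        DENIED_LOG.append(f"DENY no-rule iface={pkt.iface} proto={pkt.proto} "
                          f"src={pkt.src} dst={pkt.dst}:{pkt.dport}")
        return "deny"
    except Exception as exc:  # e.g. a malformed address the parser rejects
        DENIED_LOG.append(f"DENY error {exc!r}")
        return "deny"


def run_sample() -> dict:
    """Evaluate a few constructed packets and return the decision per label."""
    samples = {
        "inbound_ftp":      Packet("ext", "203.0.113.5", "10.0.0.20", 21),
        "outbound_ftp":     Packet("int", "10.0.0.20", "203.0.113.5", 21),
        "spoofed_internal": Packet("ext", "10.0.0.9", "10.0.0.20", 25),
        "outbound_web":     Packet("int", "10.0.0.20", "198.51.100.7", 443),
        "inbound_telnet":   Packet("ext", "203.0.113.5", "10.0.0.20", 23),
        "bad_address":      Packet("ext", "not-an-ip", "10.0.0.20", 21),
    }
    return {name: decide(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:18s} {verdict}")
    print("\n".join(DENIED_LOG))
```

The incoming-FTP-permitted, outgoing-FTP-denied pair from the text falls out of keying the rules on the arrival interface as well as the port; the spoofed packet is rejected before any permit rule is consulted, and the malformed address shows the fail-closed path rather than an exception that might leave traffic flowing.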
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.6.4 Mitigating Threats of Information Disclosure/Brokering
HGA concurred with the risk assessment's conclusions about its exposure
to information-brokering risks, and adopted most of the associated
recommendations.
The assessment recommended that HGA improve its security awareness
training (e.g., via mandatory refresher courses) and that it institute
some form of
compliance audits. The training should be sure to stress the
penalties for noncompliance. It also suggested installing "screen
lock" software on PCs that automatically lock a PC after a specified
period of idle time in which no keystrokes have been entered;
unlocking the screen requires that the user enter a password or
reboot the system.
The assessment recommended that HGA modify its information-handling
policies so that employees would be required to store some kinds of
disclosure-sensitive information only on PC local hard disks (or
floppies), but not on the server. This would eliminate or reduce
risks of LAN eavesdropping. It was also recommended that an activity
log be installed on the server (and regularly reviewed). Moreover,
it would avoid unnecessary reliance on the server's access-control
features, which are of uncertain assurance. The assessment noted,
however, that this strategy conflicts with the desire to store most
information on the server's disks so that it is backed up routinely
by COG personnel. (This could be offset by assigning responsibility
for someone other than the PC owner to make backup copies.) Since
the security habits of HGA's PC users have generally been poor, the
assessment also recommended use of hard-disk encryption utilities to
protect disclosure-sensitive information on unattended PCs from
browsing by unauthorized individuals. Also, ways to encrypt
information on the server's disks would be studied.
The assessment recommended that HGA conduct a thorough review of the
mainframe's safeguards in these respects, and that it regularly review
the
mainframe audit log, using a query package, with particular
attention to records that describe user accesses to HGA's employee
master database.
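A small stand-in for the "query package" review the assessment recommends: pull the records describing user accesses to the employee master database out of an audit log, summarize them per user and action, and list the entries a reviewer would want to look at first. This is an added example, not from the NIST Handbook or HGA; the log format, the resource name EMPLOYEE_MASTER, the authorized-updater list and the business-hours window are constructed assumptions, and it goes a little beyond the text by also flagging denied and after-hours accesses.

```python
"""Audit-log query of the kind the HGA assessment recommends: select the
records that describe user accesses to the employee master database,
summarize them, and flag the ones worth a reviewer's attention.

Added example, not from the NIST Handbook; the log format, resource name,
authorized-updater list and business hours are constructed assumptions."""

from collections import Counter
from datetime import datetime

# Constructed sample audit records: timestamp user action resource result
SAMPLE_LOG = """\
2015-08-24T08:02:11 jdoe READ EMPLOYEE_MASTER OK
2015-08-24T08:05:40 jdoe READ PAYROLL_SUMMARY OK
2015-08-24T09:17:03 hrclerk UPDATE EMPLOYEE_MASTER OK
2015-08-24T12:44:59 tsmith READ EMPLOYEE_MASTER OK
2015-08-24T23:31:20 tsmith UPDATE EMPLOYEE_MASTER OK
2015-08-25T02:10:05 guest READ EMPLOYEE_MASTER DENIED
2015-08-25T10:00:00 hrclerk READ EMPLOYEE_MASTER OK
"""

# Assumed: accounts whose job role includes maintaining the master database.
AUTHORIZED_UPDATERS = {"hrclerk"}
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59, assumed


def parse_log(text: str) -> list:
    """Turn the whitespace-separated records into dicts with a real timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "resource": resource, "result": result})
    return records


def master_db_accesses(records, resource="EMPLOYEE_MASTER") -> list:
    """The query itself: only records touching the employee master database."""
    return [r for r in records if r["resource"] == resource]


def summarize(records) -> dict:
    """Counts per (user, action) pair for the reviewer's overview."""
    return dict(Counter((r["user"], r["action"]) for r in records))


def flag(records) -> list:
    """Findings a reviewer should examine: denied attempts, updates by
    accounts not on the authorized list, successful after-hours access."""
    findings = []
    for r in records:
        when = r["ts"].strftime("%Y-%m-%d %H:%M")
        if r["result"] == "DENIED":
            findings.append(f"{when} denied access by {r['user']}")
        if r["action"] == "UPDATE" and r["user"] not in AUTHORIZED_UPDATERS:
            findings.append(f"{when} update by non-authorized account {r['user']}")
        if r["ts"].hour not in BUSINESS_HOURS and r["result"] == "OK":
            findings.append(f"{when} after-hours access by {r['user']}")
    return findings


def review(text: str = SAMPLE_LOG):
    """Run the whole review over one log text: (summary, findings)."""
    recs = master_db_accesses(parse_log(text))
    return summarize(recs), flag(recs)


if __name__ == "__main__":
    summary, findings = review()
    for (user, action), n in sorted(summary.items()):
        print(f"{user:10s} {action:7s} {n}")
    print("\nFindings:")
    for f in findings:
        print("  " + f)
```

Running it on the constructed log leaves the routine daytime reads and the HR clerk's update unflagged and surfaces three findings: an update to the master database by an account outside the authorized set, the same access falling outside business hours, and a denied attempt by a guest account. Regular review, as the assessment puts it, is what turns such a log into a control rather than a pile of records.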