FYI
- The Federal Financial Institutions Examination Council
published a press release announcing the issuing of a revised
Information Security booklet, which is part of the FFIEC Information
Technology Examination Handbook.
www.ffiec.gov/press/pr090916.htm
www.ncua.gov/newsroom/Pages/news-2016-september-financial-regulators-information-security-booklet.aspx
NCUA - Credit Unions Must Prep for New Cyber Risks - Board
Action Bulletin - Stabilization Fund's Net Income in Second Quarter
Tops $425 Million - The National Credit Union Administration Board
held its eighth open meeting of 2016 at the agency's headquarters
here today and received a briefing from the Office of Examination
and Insurance on the rapidly changing nature of cybersecurity.
www.ncua.gov/newsroom/Pages/news-2016-credit-unions-must-prep-new-cyber-risks.aspx
New Incident Management System Will Improve NCUA’s Disaster
Response - Read the Latest Issue of “The NCUA Report” Online -
Disasters may be infrequent, but they are a fact of life.
www.ncua.gov/newsroom/Pages/news-2016-september-new-incident-management-system-improve-disaster-response.aspx
White House appoints first Federal Chief Information Security
Officer - Retired Brigadier General Gregory J. Touhill will assume
the role after serving in the Department of Homeland Security.
http://www.zdnet.com/article/white-house-appoints-first-federal-chief-information-security-officer/
New research shows ransomware victims are paying up - New research
is claiming that 74 percent of UK organisations who haven't
experienced a ransomware attack remain bullish about the threat,
claiming they would never pay up if infected.
http://www.scmagazine.com/new-research-shows-ransomware-victims-are-paying-up/article/521277/
Wells Fargo Bank fined $185M, fires 5,300 staffers over fake account
scam - Wells Fargo Bank was fined a total of $185 million as
punishment for a five-year long scam that saw bank employees using
bank customer information to illegally create accounts and email
addresses and apply for credit and debit cards all in order to meet
assigned sales goals and earn commissions.
http://www.scmagazine.com/wells-fargo-bank-fined-185m-fires-5300-staffers-over-fake-account-scam/article/521318/
Oregon credit union sues Noodles & Company over breach - Oregon
credit union SELCO Community Credit Union accused Noodles & Company
of failing to implement or maintain adequate data security measures
for customer information despite highly publicized breaches at large
national retailers and restaurant chains, according to court
documents filed in a class action lawsuit Tuesday.
http://www.scmagazine.com/class-action-lawsuit-filed-against-noodles-company-over-breach/article/521276/
CFTC imposes cybersecurity rules for U.S. commodities, derivatives
firms - The Commodity Futures Trading Commission (CFTC) Thursday
approved a set of rules that will require frequent testing of
information technology at U.S. commodities and derivatives firms,
including exchanges and clearinghouses.
http://www.scmagazine.com/ctfc-to-require-various-cybersecurity-tests-for-us-commodities-derivatives-it/article/521726/
Pentagon faulted for lack of cyber preparedness, GAO report -
Although the National Guard is perhaps the best-equipped unit in the
military to assist the government in the event of a cyber emergency,
the Department of Defense (DoD) does not have the necessary
visibility into the capabilities of those assets, according to a
report released earlier this week by the Government Accountability
Office (GAO).
http://www.scmagazine.com/pentagon-faulted-for-lack-of-cyber-preparedness-gao-report/article/521712/
PCI Council wants upgradeable credit card readers ... next year -
Tamper-proofing and shielding against side attacks on the agenda -
The Payment Card Industry Security Standards Council (PCI Council)
has floated a new standard it hopes will reduce credit card fraud
that starts at the point of sale, in part by allowing easier
upgrades.
http://www.theregister.co.uk/2016/09/12/pci_council_wants_upgradeable_credit_card_readers_to_fight_fraud/
U.S. health regulator plans 'thorough' probe of St. Jude case - The
U.S. Food and Drug Administration plans a "thorough investigation"
of allegations about vulnerabilities in cardiac devices made by St.
Jude Medical Inc, the agency's official responsible for cyber
security said on Thursday.
http://uk.reuters.com/article/us-st-jude-medical-cyber-fda-idUKKCN11E32Y
Seagate staff to sue company over data protection failure - Hard
drive manufacturer Seagate may face a lawsuit from its own employees
for failing to protect their data.
http://www.scmagazine.com/seagate-staff-to-sue-company-over-data-protection-failure/article/522015/
Canadian data sharing deal with EU could be illegal under European
Law - A top EU lawyer has concluded that the EU-Canada PNR agreement
which oversees the transfer of information on flight records between
the two countries goes against the EU Charter Fundamental Human
Rights.
http://www.scmagazine.com/canadian-data-sharing-deal-with-eu-could-be-illegal-under-european-law/article/521847/
Researcher believes major DDoS attacks part of military recon to
shut down internet - A security researcher spotted a series of DDoS
attacks which may be part of a larger effort to learn how to take
down the internet on a national or even global scale.
http://www.scmagazine.com/infrastructure-ddos-attacks-could-be-part-of-larger-plan-to-shut-down-internet-on-massive-scale/article/522962/
1 in 50 employees a malicious insider? - A survey recently conducted
by Imperva showed that 36 percent of surveyed companies have
experienced security incidents involving malicious employees in the
past 12 months.
http://www.scmagazine.com/1-in-50-employees-a-malicious-insider/article/522954/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- UAE medical centre hit, hacker claims good intentions - A medical
centre in the UAE has been modestly breached by a hacker who claims
to want to teach them a lesson in security.
http://www.scmagazine.com/uae-medical-centre-hit-hacker-claims-good-intentions/article/521273/
Fire drill knocks ING bank's data centre offline - A fire
extinguisher test in a bank's data centre has gone wrong in an
"unprecedented" manner, causing its cash machines, online banking
operations and website to go offline.
http://www.bbc.com/news/technology-37337868
Linode fends off multiple DDOS attacks - Nowhere near as bad as its
ten-day Christmas cracker, but something seems to be afoot - Cloud
hosting outfit Linode has again come under significant denial of
service (DoS) attack.
http://www.theregister.co.uk/2016/09/11/linode_fends_off_multiple_ddos_attacks/
WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
INTRUSION DETECTION SYSTEMS
Vulnerability assessments and penetration analyses help ensure that
appropriate security precautions have been implemented and that
system security configurations are appropriate. The next step is to
monitor the system for intrusions and unusual activities. Intrusion
detection systems (IDS) may be useful because they act as a burglar
alarm, reporting potential intrusions to appropriate personnel. By
analyzing the information generated by the systems being guarded,
IDS help determine if necessary safeguards are in place and are
protecting the system as intended. In addition, they can be
configured to automatically respond to intrusions.
Computer system components or applications can generate detailed,
lengthy logs or audit trails that system administrators can manually
review for unusual events. IDS automate the review of logs and audit
data, which increases the reviews' overall efficiency by reducing
costs and the time and level of skill necessary to review the logs.
Typically, there are three components to an IDS. First is an agent,
which is the component that actually collects the information.
Second is a manager, which processes the information collected by
the agents. Third is a console, which allows authorized information
systems personnel to remotely install and upgrade agents, define
intrusion detection scenarios across agents, and track intrusions as
they occur. Depending on the complexity of the IDS, there can be
multiple agent and manager components.
Generally, IDS products use three different methods to detect
intrusions. First, they can look for identified attack signatures,
which are streams or patterns of data previously identified as an
attack. Second, they can look for system misuse such as unauthorized
attempts to access files or disallowed traffic inside the firewall.
Third, they can look for activities that are different from the
user's or system's normal pattern. These "anomaly-based" products
(which use artificial intelligence) are designed to detect subtle
changes or new attack patterns, and then notify appropriate
personnel that an intrusion may be occurring. Some anomaly-based
products are created to update normal use patterns on a regular
basis. Poorly designed anomaly-based products can trigger frequent
false-positive responses.
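The three detection methods above, worked through on a small scale. This is an added example, not code from the FDIC paper or the newsletter: it runs a signature check, a misuse-rule check and a baseline anomaly check over a constructed audit trail, and it refreshes the baseline afterwards the way the "update normal use patterns on a regular basis" products do. Every log line, signature, protected file, port, user and threshold is constructed for illustration; the min_sd floor shows one way a poorly tuned anomaly detector produces the false positives the text warns about.

```python
"""Toy intrusion detection pass over constructed audit-trail lines.
Added example, not code from the FDIC paper or the newsletter. It implements
the three detection methods the text describes (attack signatures, misuse
rules, anomaly detection against a per-actor baseline that is updated after
each review). All log lines, signatures, users and thresholds are constructed.
"""
import re
import statistics
from collections import Counter

# Constructed audit trail, one event per line: "<timestamp> <actor> <event> <detail>"
LOG_LINES = [
    "2016-09-12T08:00:01 alice LOGIN ok",
    "2016-09-12T08:01:10 alice READ /home/alice/report.txt",
    "2016-09-12T08:02:30 bob LOGIN ok",
    "2016-09-12T08:03:00 bob READ /etc/shadow",
    "2016-09-12T08:04:15 web HTTP GET /index.php?id=1' OR '1'='1",
    "2016-09-12T08:04:40 web HTTP GET /../../etc/passwd",
    "2016-09-12T08:06:00 bob CONNECT 10.0.0.7:23",
    "2016-09-12T08:07:00 dave LOGIN ok",
    "2016-09-12T08:07:30 dave READ /home/dave/notes.txt",
    "2016-09-12T08:08:00 dave LOGOUT ok",
] + [f"2016-09-12T08:05:{s:02d} carol LOGIN fail" for s in range(10)]

# Method 1: data patterns previously identified as attacks (constructed signatures).
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}
# Method 2: misuse rules, i.e. policy violations rather than attack patterns (constructed).
PROTECTED_FILES = {"/etc/shadow", "/etc/passwd"}
DISALLOWED_INTERNAL_PORTS = {23}  # e.g. telnet is not permitted inside the firewall
# Method 3: per-actor history of daily event counts, the "normal use pattern" (constructed).
BASELINE = {"alice": [10, 12, 11, 9], "bob": [5, 6, 5, 4],
            "carol": [3, 3, 4, 2], "dave": [2, 2, 2, 2]}  # dave: zero variance

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_lines(lines):
    """Parse the audit trail into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append(dict(zip(("ts", "actor", "event", "detail"), m.groups())))
    return records


def signature_alerts(records):
    """Flag any record whose detail matches a known attack signature."""
    return [(r["ts"], "signature", name, r["actor"]) for r in records
            for name, pat in SIGNATURES.items() if pat.search(r["detail"])]


def misuse_alerts(records):
    """Flag policy violations: protected-file reads and disallowed internal connections."""
    alerts = []
    for r in records:
        if r["event"] == "READ" and r["detail"] in PROTECTED_FILES:
            alerts.append((r["ts"], "misuse", "protected-file-read", r["actor"]))
        elif r["event"] == "CONNECT":
            port = int(r["detail"].rsplit(":", 1)[1])
            if port in DISALLOWED_INTERNAL_PORTS:
                alerts.append((r["ts"], "misuse", "disallowed-internal-port", r["actor"]))
    return alerts


def anomaly_alerts(records, baseline, k=3.0, min_sd=1.0):
    """Flag actors whose event count exceeds mean + k * stdev of their own history.
    min_sd floors the deviation: without it an actor with a perfectly regular
    history is flagged on any change at all, the false-positive case in the text."""
    alerts = []
    for actor, count in Counter(r["actor"] for r in records).items():
        history = baseline.get(actor, [])
        if len(history) < 2:
            continue  # no usable baseline yet; this actor cannot be judged
        threshold = statistics.mean(history) + k * max(statistics.pstdev(history), min_sd)
        if count > threshold:
            alerts.append((actor, "anomaly", count, round(threshold, 1)))
    return alerts


def update_baseline(records, baseline, anomalies):
    """Fold today's counts into the history, except for flagged actors, so that an
    intrusion in progress is not learned as normal behaviour."""
    flagged = {a[0] for a in anomalies}
    updated = {actor: list(hist) for actor, hist in baseline.items()}
    for actor, count in Counter(r["actor"] for r in records).items():
        if actor not in flagged:
            updated.setdefault(actor, []).append(count)
    return updated


def run_ids(lines, baseline, k=3.0, min_sd=1.0):
    """One automated review pass: alerts from all three methods plus the refreshed baseline."""
    records = parse_lines(lines)
    anomalies = anomaly_alerts(records, baseline, k, min_sd)
    return {"signature": signature_alerts(records), "misuse": misuse_alerts(records),
            "anomaly": anomalies, "baseline": update_baseline(records, baseline, anomalies)}
```

Calling run_ids(LOG_LINES, BASELINE) returns two signature alerts, two misuse alerts and one anomaly (carol's burst of failed logins); rerunning anomaly_alerts with min_sd=0.0 also flags dave, whose three ordinary events exceed a zero-variance history, which is the false positive a tighter design avoids.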
Although IDS may be an integral part of an institution's overall
system security, they will not protect a system from previously
unknown threats or vulnerabilities. They are not self-sufficient and
do not compensate for weak authentication procedures (e.g., when an
intruder already knows a password to access the system). Also, IDS
often have overlapping features with other security products, such
as firewalls. IDS provide additional protections by helping to
determine if the firewall programs are working properly and by
helping to detect internal abuses. Both firewalls and IDS need to be
properly configured and updated to combat new types of attacks. In
addition, management should be aware that the state of these
products is highly dynamic and IDS capabilities are evolving.
IDS tools can generate both technical and management reports,
including text, charts, and graphs. The IDS reports can provide
background information on the type of attack and recommend courses
of action. When an intrusion is detected, the IDS can automatically
begin to collect additional information on the attacker, which may
be needed later for documentation purposes.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
examiner@yennik.com for
more information.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Routing (Part 2 of 2)
Routers and switches are sometimes difficult to locate. Users may
install their own devices and create their own unauthorized subnets.
Any unrecognized or unauthorized network devices pose security
risks. Financial institutions should periodically audit network
equipment to ensure that only authorized and maintained equipment
resides on their network.
DNS hosts, routers and switches are computers with their own
operating system. If successfully attacked, they can allow traffic
to be monitored or redirected. Financial institutions must restrict,
log, and monitor administrative access to these devices. Remote
administration typically warrants an encrypted session, strong
authentication, and a secure client. The devices should also be
appropriately patched and hardened.
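The two controls above (periodically auditing for unrecognized network equipment, and restricting, logging and monitoring administrative access to DNS hosts, routers and switches) as an added example. This is not code from the FFIEC booklet or the newsletter: it reconciles devices seen on the wire against an authorized inventory, then reviews device login records for cleartext sessions, accounts and management hosts outside the allowed set, and repeated failures. The MACs, addresses, hostnames, accounts, the login-record format and the assumption that "secure client" can be approximated by a management-host allow list are all constructed for illustration.

```python
"""Periodic audit of network equipment and of administrative access to it.
Added example, not from the FFIEC booklet or this newsletter. It reconciles
devices seen on the wire against an authorized inventory and reviews device
login records for the controls the text names (encrypted session, restricted
and logged administrative access). All MACs, addresses, hostnames, accounts
and log lines are constructed.
"""
import ipaddress
import re

# Authorized, maintained equipment as recorded by the institution (constructed).
AUTHORIZED = {
    "00:11:22:33:44:01": {"name": "core-rtr-1", "ip": "10.0.0.1"},
    "00:11:22:33:44:02": {"name": "dist-sw-1", "ip": "10.0.0.2"},
    "00:11:22:33:44:03": {"name": "dns-1", "ip": "10.0.0.3"},
}
# What a switch MAC-table / ARP sweep actually found (constructed).
DISCOVERED = [
    ("00:11:22:33:44:01", "10.0.0.1"),
    ("00:11:22:33:44:02", "10.0.0.2"),
    ("00:11:22:33:44:03", "10.0.0.3"),
    ("aa:bb:cc:dd:ee:01", "10.0.7.1"),  # unknown device, on a subnet nobody authorized
    ("00:11:22:33:44:02", "10.0.9.2"),  # known switch answering on an unexpected address
]
EXPECTED_SUBNETS = [ipaddress.ip_network("10.0.0.0/24")]

# Device login records, e.g. forwarded syslog (constructed format and content).
ADMIN_LOG = [
    "core-rtr-1 login: user=netadmin proto=ssh src=10.0.0.50 result=success",
    "dist-sw-1 login: user=netadmin proto=telnet src=10.0.0.50 result=success",
    "dns-1 login: user=root proto=ssh src=203.0.113.9 result=success",
    "core-rtr-1 login: user=netadmin proto=ssh src=10.0.0.50 result=failure",
    "core-rtr-1 login: user=netadmin proto=ssh src=10.0.0.50 result=failure",
    "core-rtr-1 login: user=netadmin proto=ssh src=10.0.0.50 result=failure",
]
ADMIN_ACCOUNTS = {"netadmin"}      # accounts permitted to administer devices
ADMIN_SOURCES = {"10.0.0.50"}      # management hosts permitted to reach them (assumption)
ENCRYPTED_PROTOS = {"ssh", "https"}
FAILURE_THRESHOLD = 3

LOGIN_RE = re.compile(r"^(\S+) login: user=(\S+) proto=(\S+) src=(\S+) result=(\S+)$")


def audit_devices(discovered, authorized, expected_subnets):
    """Reconcile discovered devices with the inventory; returns (finding, mac, ip) tuples."""
    findings, seen = [], set()
    for mac, ip in discovered:
        seen.add(mac)
        entry = authorized.get(mac)
        if entry is None:
            findings.append(("unauthorized-device", mac, ip))
        elif entry["ip"] != ip:
            findings.append(("address-mismatch", mac, ip))
        if not any(ipaddress.ip_address(ip) in net for net in expected_subnets):
            findings.append(("unexpected-subnet", mac, ip))
    for mac, entry in authorized.items():
        if mac not in seen:  # inventory says it exists, the network does not
            findings.append(("missing-device", mac, entry["ip"]))
    return findings


def review_admin_access(lines, accounts, sources, encrypted, failure_threshold):
    """Check device logins against the access controls; returns (finding, device, user)."""
    findings, failures = [], {}
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        device, user, proto, src, result = m.groups()
        if proto not in encrypted:
            findings.append(("cleartext-admin-session", device, user))
        if user not in accounts:
            findings.append(("unknown-admin-account", device, user))
        if src not in sources:
            findings.append(("unapproved-admin-source", device, user))
        if result == "failure":
            failures[(device, user)] = failures.get((device, user), 0) + 1
    for (device, user), n in failures.items():
        if n >= failure_threshold:
            findings.append(("repeated-login-failures", device, user))
    return findings


def run_audit():
    """One audit cycle over the constructed data."""
    return {"devices": audit_devices(DISCOVERED, AUTHORIZED, EXPECTED_SUBNETS),
            "admin_access": review_admin_access(ADMIN_LOG, ADMIN_ACCOUNTS, ADMIN_SOURCES,
                                                ENCRYPTED_PROTOS, FAILURE_THRESHOLD)}
```

run_audit() reports the unknown device and the switch on an unexpected subnet on the equipment side, and on the access side the telnet session to dist-sw-1, the root login to dns-1 from an unapproved host, and the run of failures on core-rtr-1; a device listed in the inventory but absent from the sweep is reported as missing, which matters for a maintained-equipment audit as much as an extra device does.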
Packets are sent and received by devices using a network interface
card (NIC) for each network to which they connect. Internal
computers would typically have one NIC card for the corporate
network or a subnet. Firewalls, proxy servers, and gateway servers
are typically dual-homed with two NIC cards that allow them to
communicate securely both internally and externally while limiting
access to the internal network.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.4 Security Activities in the Computer System Life Cycle
This section reviews the security activities that arise in each
stage of the computer system life cycle.
8.4.1 Initiation
The conceptual and early design process of a system involves the
discovery of a need for a new system or enhancements to an existing
system; early ideas as to system characteristics and proposed
functionality; brainstorming sessions on architectural, performance,
or functional system aspects; and environmental, financial,
political, or other constraints. At the same time, the basic
security aspects of a system should be developed along with the
early system design. This can be done through a sensitivity
assessment.
8.4.1.1 Conducting a Sensitivity Assessment
A sensitivity assessment looks at the sensitivity of both the
information to be processed and the system itself. The assessment
should consider legal implications, organization policy (including
federal and agency policy if a federal system), and the functional
needs of the system. Sensitivity is normally expressed in terms of
integrity, availability, and confidentiality. Such factors as the
importance of the system to the organization's mission and the
consequences of unauthorized modification, unauthorized disclosure,
or unavailability of the system or data need to be examined when
assessing sensitivity. To address these types of issues, the people
who use or own the system or information should participate in the
assessment.
A sensitivity assessment should answer the following questions:
1) What information is handled by the system?
2) What kind of potential damage could occur through error, unauthorized disclosure or modification, or unavailability of data or the system?
3) What laws or regulations affect security (e.g., the Privacy Act or the Fair Trade Practices Act)?
4) To what threats is the system or information particularly vulnerable?
5) Are there significant environmental considerations (e.g., hazardous location of system)?
6) What are the security-relevant characteristics of the user community (e.g., level of technical sophistication and training or security clearances)?
7) What internal security standards, regulations, or guidelines apply to this system?
The sensitivity assessment starts an
analysis of security that continues throughout the life cycle. The
assessment helps determine if the project needs special security
oversight, if further analysis is needed before committing to begin
system development (to ensure feasibility at a reasonable cost), or
in rare instances, whether the security requirements are so
strenuous and costly that system development or acquisition will not
be pursued. The sensitivity assessment can be included with the
system initiation documentation either as a separate document or as a
section of another planning document. The development of security
features, procedures, and assurances, described in the next section,
builds on the sensitivity assessment.
A sensitivity assessment can also be performed during the planning
stages of system upgrades (for either upgrades being procured or
developed in house). In this case, the assessment focuses on
the affected areas. If the upgrade significantly affects the
original assessment, steps can be taken to analyze the impact on the
rest of the system. For example, are new controls needed? Will some
controls become unnecessary?
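The sensitivity assessment described in this section, including the upgrade-time reassessment, carried through as an added example. This is not code from the NIST Handbook or the newsletter: it records answers to the seven questions, rates the damage from unauthorized disclosure, modification and unavailability on a low/moderate/high scale, takes the high-water mark as the system's sensitivity, and derives the three outcomes the text names (special oversight, further analysis before committing, or not pursued on cost grounds). The rating scale, the decision rules, the cost figures and the loan-origination system are all assumptions; the Handbook prescribes none of them.

```python
"""A sensitivity assessment carried through in code.
Added example, not from the NIST Handbook or this newsletter. The
low/moderate/high scale, the decision rules and the example system are
assumptions made for illustration; the Handbook prescribes none of them.
"""
from dataclasses import dataclass, replace

LEVELS = {"low": 1, "moderate": 2, "high": 3}
ATTRIBUTES = ("confidentiality", "integrity", "availability")


@dataclass
class SensitivityAssessment:
    system: str
    information_handled: list   # Q1: what information the system handles
    damage: dict                # Q2: attribute -> level of damage if violated (assumed scale)
    laws: list                  # Q3: laws or regulations affecting security
    threats: list               # Q4: threats the system is particularly exposed to
    environmental: list         # Q5: environmental considerations
    user_community: str         # Q6: security-relevant characteristics of users
    internal_standards: list    # Q7: internal standards and guidelines that apply


def unanswered(a):
    """Questions left blank (None); further analysis precedes commitment then."""
    answers = {"Q1": a.information_handled, "Q2": a.damage, "Q3": a.laws, "Q4": a.threats,
               "Q5": a.environmental, "Q6": a.user_community, "Q7": a.internal_standards}
    return [q for q, v in answers.items() if v is None]


def sensitivity(a):
    """High-water mark across all three attributes: information is sensitive if
    disclosure, modification OR unavailability would cause harm."""
    missing = [attr for attr in ATTRIBUTES if attr not in a.damage]
    if missing:  # an assessment rating only confidentiality is incomplete
        raise ValueError(f"damage not rated for: {missing}")
    return max(a.damage.values(), key=lambda lvl: LEVELS[lvl])


def decide(a, estimated_control_cost, cost_ceiling):
    """Outcome of the initial assessment (decision rules are assumptions)."""
    if unanswered(a):
        return "further analysis before committing"
    if estimated_control_cost > cost_ceiling:
        return "not pursued"  # the rare case: requirements too strenuous and costly
    return "special security oversight" if sensitivity(a) == "high" else "standard oversight"


def reassess_upgrade(a, changed_damage):
    """Focus on the areas an upgrade affects; report whether the rest of the system
    must be re-analysed, where new controls are needed and where some may be dropped."""
    before = sensitivity(a)
    after = sensitivity(replace(a, damage={**a.damage, **changed_damage}))
    higher = [k for k, v in changed_damage.items() if LEVELS[v] > LEVELS[a.damage[k]]]
    lower = [k for k, v in changed_damage.items() if LEVELS[v] < LEVELS[a.damage[k]]]
    return {"sensitivity": after, "reanalyze_rest_of_system": after != before,
            "new_controls_for": higher, "controls_maybe_unnecessary_for": lower}


def example_assessment():
    """Constructed loan-origination system used for the worked run."""
    return SensitivityAssessment(
        system="loan origination",
        information_handled=["applicant PII", "credit decisions"],
        damage={"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
        laws=["Privacy Act"],
        threats=["insider modification of credit decisions", "phishing of loan officers"],
        environmental=[],
        user_community="trained staff, no clearances",
        internal_standards=["institution information security policy"],
    )
```

For the constructed system the sensitivity is "high" because of integrity, not confidentiality, which is the point the Handbook's sidebar makes; decide() then calls for special security oversight, returns "not pursued" when the estimated control cost exceeds the ceiling, and "further analysis before committing" when any question is still unanswered. reassess_upgrade() raising availability to "high" adds availability controls without changing the overall rating, while lowering integrity drops the rating to "moderate" and flags that the rest of the system should be re-analysed.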
The definition of sensitive is often misconstrued.
Sensitive is synonymous with important or valuable.
Some data is sensitive because it must be kept confidential. Much
more data, however, is sensitive because its integrity or
availability must be assured. The Computer Security Act and OMB
Circular A-130 clearly state that information is sensitive if its
unauthorized disclosure, modification (i.e., loss of integrity), or
unavailability would harm the agency. In general, the more important
a system is to the mission of the agency, the more sensitive it is.