FYI - OCC Encourages Banks and Savings Associations To Be Prepared - The Office of the Comptroller of Currency reminds national banks and federal savings associations to maintain effective plans to respond to natural disasters and other emergencies. www.occ.gov/news-issuances/news-releases/2015/nr-occ-2015-126.html

FYI - Judge approves class action for banks in Target breach - In the continuing fallout from the breach of Target's point-of-sale (POS) network during the 2013 holiday shopping season, which resulted in the stealing of card numbers and other personal information of more than 100 million customers, a judge in Minnesota ruled on Tuesday "that Target was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data." http://www.scmagazine.com/banks-can-unite-in-class-action-to-sue-target/article/439128/

FYI - Reports of attacks on the Dept. of Energy raise alarms - Attackers successfully infiltrated computer systems at the Department of Energy more than 150 times between 2010 and 2014, according to a review of federal documents by USA Today that were obtained as a result of a Freedom of Information Act request. In all, DoE networks were targeted 1,131 times over the four-year span. http://www.computerworld.com/article/2983029/data-security/reports-of-attacks-on-the-dept-of-energy-raise-alarms.html

FYI - Justice Department Looks to Sharpen Computer Crime Law - Stung by recent court decisions that have gone against them, Justice Department lawyers are making a fresh push to clarify a computer trespass law that critics malign as overly broad. http://abcnews.go.com/Technology/wireStory/justice-dept-pressing-computer-crime-law-33620584

FYI - Transactions at Pentagon lead to credit card fraud, workforce notified - The Pentagon Force Protection Agency has notified the Pentagon workforce that its office received several reports of fraudulent charges on credit cards belonging to Pentagon personnel. http://www.scmagazine.com/transactions-at-pentagon-lead-to-credit-card-fraud-workforce-notified/article/438140/

FYI - 'Information integrity' among top cyber priorities for U.S. gov't, Clapper says - With an introduction that characterized U.S. government data breaches as “eroding confidence in our government's ability to counter the threat,” Representative Devin Nunes, R-Calif., and Intelligence Committee chairman, kicked off his committee's Thursday cybersecurity hearing. http://www.scmagazine.com/intelligence-committee-hosts-cybersecurity-hearing/article/438202/

FYI - Industry group says OMB cybersecurity guidance too lax - Often, vendor advocates speak out against overly specific regulations that put additional requirements on federal contractors. However, when it comes to cybersecurity, the Professional Services Council believes new guidance from the Office of Management and Budget doesn't go far enough. http://www.federaltimes.com/story/government/cybersecurity/2015/09/14/psc-cybersecurity-contract-guidance/72261358/

FYI - Feds drop espionage charges against physics professor - The Justice Department will drop economic espionage charges against a Temple University professor the government claimed was providing secret technology to China, according to multiple reports. http://thehill.com/policy/technology/253485-feds-drop-espionage-charges-against-physics-professor

FYI - Hacking Team looks to hire hacker - Following the compromise of 400 GB-worth of databases and emails, and then the subsequent release of those company details, Hacking Team posted a job listing for a “hacker/developer.” http://www.scmagazine.com/hacking-team-looks-to-expand-team-after-breach/article/438717/

FYI - Court orders FBI to lift National Security Letter gag order for first time - For the first time, a recipient of a National Security Letter (NSL) will be able to discuss the letter's contents after a federal district court ordered the FBI to lift its gag order. http://www.scmagazine.com/nicholas-merrill-can-discuss-nsl/article/438988/

FYI - U.S. Air Force developing airborne hacking platform - The U.S. Air Force (USAF) is looking to expand its traditional electronic countermeasures capability to include the ability to carve into an enemy's computer network from the air. http://www.scmagazine.com/us-air-force-developing-airborne-hacking-platform/article/439019/

FYI - Vodafone faces security warnings over journalist hacking claims - A journalist says she is "appalled, outraged and very upset" amid claims her communications records were accessed by Vodafone staff, with privacy experts warning that this kind of data is "readily compromisable." http://www.cnet.com/au/news/vodafone-faces-security-warnings-over-journalist-hacking-claims/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hack of Health Insurer Excellus May Have Exposed 10M Personal Records - A health insurer in western New York and affiliates said Wednesday that their computers were targeted last month in a cyberattack that may have provided unauthorized access to more than 10 million personal records. http://www.nbcnews.com/tech/security/hack-health-insurer-excellus-may-have-exposed-10m-personal-records-n424481

FYI - TSA luggage locks replicated with a 3D printer - A single image of a Transportation Security Administration (TSA) master key published last November by the Washington Post in a story on airport luggage has led to the key being duplicated by a 3D printer potentially endangering travelers bags. http://www.scmagazine.com/tsa-luggage-locks-replicated-with-a-3d-printer/article/438182/

FYI - Customer data possibly compromised in online photo store malware attack - PNI Digital Media, CVS and Costco have issued statements indicating that some customers' personal information may have been compromised following the July malware attack that shut down the online photo print operations at six PNI-run retailers.
http://www.scmagazine.com/pni-digital-media-cvs-and-costco-warn-of-pii-compromise-in-photo-center-attack/article/438472/
http://thehill.com/policy/technology/253485-feds-drop-espionage-charges-against-physics-professor

FYI - Data storage stolen at Lloyds, customer account data lost - A Lloyds Bank data storage device stolen from an RSA data centre two months ago contains customer names, addresses, sort codes and account numbers for Lloyds' Premier Account customers who had Royal Sun Alliance emergency home cover attached to their bank account between 2006 and 2012. http://www.scmagazine.com/data-storage-stolen-at-lloyds-customer-account-data-lost/article/438338/

FYI - Western Sydney students access department computer system - A small group of students from Penrith High School have allegedly used a teacher's login credentials to access a Department of Education computer system that contains students' assessment marks. http://www.zdnet.com/article/western-sydney-students-access-department-computer-system/

FYI - Malware targets credit cards used at Pennsylvania Holiday Inn - Milestone Hospitality Management is notifying an undisclosed number of guests who stayed at the Holiday Inn Harrisburg/Hershey that malware may have compromised their credit card information. http://www.scmagazine.com/malware-targets-credit-cards-used-at-pennsylvania-holiday-inn/article/438597/

FYI - Jihadist cyber-attack on Cabinet was entirely avoidable, say experts - The news that top government ministers may have been hacked by the Cyber-Caliphate has set alarm bells ringing among security experts. http://www.scmagazine.com/jihadist-cyber-attack-on-cabinet-was-entirely-avoidable-say-experts/article/438486/

FYI - UK firms hit as Dridex criminals target 385 million emails - UK government agencies and banks feature prominently on a ‘hitlist' of 385 million email addresses that has been used by Russian-based cyber-criminals to spread the Dridex banking Trojan. http://www.scmagazine.com/uk-firms-hit-as-dridex-criminals-target-385-million-emails/article/438572/

FYI - Charlotte-Mecklenburg Schools breach affects 7,600 job applicants - North Carolina-based Charlotte-Mecklenburg Schools (CMS) is notifying about 7,600 job applicants that a CMS employee disclosed employment application information to an outside contractor prior to obtaining appropriate authorization. http://www.scmagazine.com/charlotte-mecklenburg-schools-breach-affects-7600-job-applicants/article/439255/

FYI - Kardashian websites exposed user data - Social media websites blew up earlier this week when the Kardashian sisters launched their own line of apps and websites to provide fans with exclusive content. http://www.scmagazine.com/open-api-on-kardashian-and-jenner-websites-compromise-info/article/439242/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
 
 Due Diligence in Selecting a Service Provider - Contract Issues
 
 Termination
 
 The extent and flexibility of termination rights sought can vary depending upon the service. Contracts for technologies subject to rapid change, for example, may benefit from greater flexibility in termination rights. Termination rights may be sought for a variety of conditions including change in control (e.g., acquisitions and mergers), convenience, substantial increase in cost, repeated failure to meet service levels, failure to provide critical services, bankruptcy,
 company closure, and insolvency.
 
 Institution management should consider whether or not the contract permits the institution to terminate the contract in a timely manner and without prohibitive expense (e.g., reasonableness of cost or penalty provisions). The contract should state termination and notification requirements with time frames to allow the orderly conversion to another provider. The contract must provide for return of the institution’s data, as well as other institution resources, in a timely manner and in machine readable format. Any costs associated with transition assistance should be clearly stated.
 
 Assignment
 
 The institution should consider contract provisions that prohibit assignment of the contract to a third party without the institution’s consent, including changes to subcontractors.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue the series  from the FDIC "Security Risks Associated with the Internet." 
 
 Logical Access Controls (Part 1 of 2)
 
 If passwords are used for access control or authentication measures, users should be properly educated in password selection. Strong passwords consist of at least six to eight alpha numeric characters, with no resemblance to any personal data. PINs should also be unique, with no resemblance to personal data. Neither passwords nor PINs should ever be reduced to writing or shared with others. 
 
 Other security measures should include the adoption of one-time passwords, or password aging measures that require periodic changes. Encryption technology can also be employed in the entry and transmission of passwords, PINs, user IDs, etc. Any password directories or databases should be properly protected, as well. 
 
 Password guessing programs can be run against a system. Some can run through tens of thousands of password variations based on personal information, such as a user's name or address. It is preferable to test for such vulnerabilities by running this type of program as a preventive measure, before an unauthorized party has the opportunity to do so. Incorporating a brief delay requirement after each incorrect login attempt can be very effective against these types of programs. In cases where a potential attacker is monitoring a network to collect passwords, a system utilizing one-time passwords would render any data collected useless. 
 
 When additional measures are necessary to confirm that passwords or PINs are entered by the user, technologies such as tokens, smart cards, and biometrics can be useful. Utilizing these technologies adds another dimension to the security structure by requiring the user to possess something physical.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We begin the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Section I. Introduction & Overview
 Chapter 1
 
 INTRODUCTION
 
1.1 Purpose
 
This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.
 
The handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. General references are provided at the end of this chapter, and references of "how-to" books and articles are provided at the end of each chapter in Parts II, III and IV.
 
The purpose of this handbook is not to specify requirements but, rather, to discuss the benefits of various computer security controls and situations in which their application may be appropriate. Some requirements for federal systems are noted in the text. This document provides advice and guidance; no penalties are stipulated.
 
1.2 Intended Audience
 
The handbook was written primarily for those who have computer security responsibilities and need assistance understanding basic concepts and techniques. Within the federal government, this includes those who have computer security responsibilities for sensitive systems.
 
For the most part, the concepts presented in the handbook are also applicable to the private sector. While there are differences between federal and private-sector computing, especially in terms of priorities and legal constraints, the underlying principles of computer security and the available safeguards -- managerial, operational, and technical -- are the same. The handbook is therefore useful to anyone who needs to learn the basics of computer security or wants a broad overview of the subject. However, it is probably too detailed to be employed as a user awareness guide, and is not intended to be used as an audit guide.