FYI
- Please make sure you have changed our phone number to
806-535-8300. At the end of the year I will be disconnecting
all the landlines.
Managing your cloud in the face of the California Consumer Privacy
Act - The California Consumer Privacy Act of 2018 (CCPA) was
approved by the California State Governor on June 28, 2018, and goes
into effect on January 1, 2020.
https://www.scmagazine.com/home/opinion/executive-insight/managing-your-cloud-in-the-face-of-the-california-consumer-privacy-act/
Baltimore's IT chief during the ransomware attack, goes on leave -
Baltimore's embattled chief digital officer, IT director and highest
paid city employee has gone on indefinite leave, four sources tell
The Brew.
https://baltimorebrew.com/2019/09/10/frank-johnson-baltimores-it-chief-during-the-ransomware-attack-goes-on-leave/
Pen test gone awry? Coalfire staffers arrested for burglary - Two
Coalfire employees were arrested at the Dallas County, Iowa court
house earlier this week as they conducted what they called an
assessment on the building's security.
https://www.scmagazine.com/home/security-news/vulnerabilities/pen-test-gone-awry-coalfire-staffers-arrested-for-burglary/
Authorities arrest 281 alleged BEC scammers in "Operation reWired"
campaign - Law enforcement officials at home and abroad have
arrested 281 individuals over a span of four months, in a massive
crackdown on various business email compromise scams, the Justice
Department announced yesterday.
https://www.scmagazine.com/home/security-news/authorities-arrest-281-alleged-bec-scammers-in-operation-rewired-campaign/
Web scraping doesn't violate anti-hacking law, appeals court rules -
Scraping a public website without the approval of the website's
owner isn't a violation of the Computer Fraud and Abuse Act, an
appeals court ruled on Monday.
https://arstechnica.com/tech-policy/2019/09/web-scraping-doesnt-violate-anti-hacking-law-appeals-court-rules/
Chicago brokerage to pay $1.5 million for cyber attack lapses: U.S.
CFTC - The U.S. Commodities Futures Trading Commission (CFTC) said
on Friday that a Chicago-based futures brokerage will pay a total of
$1.5 million for letting cyber criminals breach the firm's email
systems and withdraw $1 million from a customer's account.
https://www.reuters.com/article/us-usa-cftc-cyber/chicago-brokerage-to-pay-1-5-million-for-cyber-attack-lapses-u-s-cftc-idUSKCN1VY25X
Gamification: A winning strategy for cybersecurity training - Block
a hacker and win a gift certificate for a nice dinner out on the
town? Absolutely! That's just one example of how companies are
bolstering their electronic defenses by using gamification to engage
employees around cybersecurity training.
https://www.scmagazine.com/home/opinion/executive-insight/gamification-a-winning-strategy-for-cybersecurity-training/
CFPB probes fake credit card accounts at Bank of America - The
Consumer Financial Protection Bureau (CFPB) has been probing Bank
of America (BoA) for allegedly opening customer credit card accounts
without authorization, a la Wells Fargo.
https://www.scmagazine.com/home/security-news/cfpb-probes-fake-credit-card-accounts-at-bank-of-america/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Misconfigured database exposes 198M records on prospective auto
buyers - Dealer Leads, LLC, a digital marketing company for car
dealerships, was discovered last month to have exposed an Elastic
database that contained 198 million records on prospective
automotive buyers.
https://www.scmagazine.com/home/security-news/misconfigured-database-exposes-198m-records-on-prospective-auto-buyers/
Exposed server leaks PII on all 16.6 million Ecuador citizens -
Another leaky Elasticsearch server may seem a little anticlimactic,
considering how frequently they occur, but the latest find by security
researchers might have more of a "wow" factor since it exposed
information on nearly all of Ecuador's 16.6 million citizens, 6.7
million of them children.
https://www.scmagazine.com/home/security-news/exposed-server-leaks-pii-on-all-16-6-million-ecuador-citizens/
Wolcott Public Schools go offline once again following a possible
second ransomware attack - Wolcott police are investigating a cyber
attack that has left teachers and students without access to the
district's computer systems, including internet and email, for the
second time this year.
http://www.courant.com/news/connecticut/hc-news-wolcott-schools-hacked-computer-systems-20190911-abpqgqwhdzc45p4k36d22k6wce-story.html
Baltimore acknowledges for first time that data was destroyed in
ransomware attack - Baltimore's auditor said Wednesday that the
city's information technology department lost performance data when
hackers locked city files in May - the first disclosure of data
being destroyed in the attack.
http://www.baltimoresun.com/politics/bs-md-ci-data-lost-20190911-i6feniyk5nd3pereznpdxwsf7a-story.html
Millions of medical records exposed online - HIPAA be damned -
medical records, including images and data, on more than five
million patients in the U.S. and millions of others worldwide lie
unprotected online in full view of anyone with the wherewithal to
look and a web browser.
https://www.scmagazine.com/home/security-news/privacy-compliance/millions-of-medical-records-exposed-online/
WeWork's weak Wi-Fi security leaves sensitive documents exposed -
Documents sent on WeWork's unsecured network included financial
records, bank account credentials.
https://www.cnet.com/news/weworks-weak-wi-fi-security-leaves-sensitive-documents-exposed/
Medical records for 24.3 million left exposed - Just one day after a
report revealed that medical images and health data for millions of
patients in the U.S. and abroad sit unprotected on the internet,
another probe found accessible medical data online for 24.3 million
patients in 52 countries.
https://www.scmagazine.com/home/security-news/medical-records-for-24-3-million-left-exposed/
WEB SITE COMPLIANCE -
Over the next 12 weeks we will cover the recently released FDIC
Supervisory Insights regarding Incident Response Programs. (1 of 12)
Incident Response Programs: Don't Get Caught Without One
Everyone is familiar with the old adage "Time is money." In the
Information Age, data may be just as good. Reports of data
compromises and security breaches at organizations ranging from
universities and retail companies to financial institutions and
government agencies provide evidence of the ingenuity of Internet
hackers, criminal organizations, and dishonest insiders obtaining
and profiting from sensitive customer information. Whether a network
security breach compromising millions of credit card accounts or a
lost computer tape containing names, addresses, and Social Security
numbers of thousands of individuals, a security incident can damage
corporate reputations, cause financial losses, and enable identity
theft.
Banks are increasingly becoming prime targets for attack because
they hold valuable data that, when compromised, may lead to identity
theft and financial loss. This environment places significant
demands on a bank's information security program to identify and
prevent vulnerabilities that could result in successful attacks on
sensitive customer information held by the bank. The rapid adoption
of the Internet as a delivery channel for electronic commerce
coupled with prevalent and highly publicized vulnerabilities in
popular hardware and software have presented serious security
challenges to the banking industry. In this high-risk environment,
it is very likely that a bank will, at some point, need to respond
to security incidents affecting its customers.
To mitigate the negative effects of security breaches,
organizations are finding it necessary to develop formal incident
response programs (IRPs). However, at a time when
organizations need to be most prepared, many banks are finding it
challenging to assemble an IRP that not only meets minimum
requirements (as prescribed by Federal bank regulators), but also
provides for an effective methodology to manage security incidents
for the benefit of the bank and its customers. In response to these
challenges, this article highlights the importance of IRPs to a
bank's information security program and provides information on
required content and best practices banks may consider when
developing effective response programs.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
MALICIOUS CODE
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes, and
transmitting screenshots to the attacker.
Typically malicious code is mobile, using e-mail, Instant
Messenger, and other peer-to-peer (P2P) applications, or active
content attached to Web pages as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as entering the code in a response
form on a Web page.
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.6.1 Mitigating Payroll Fraud Vulnerabilities
To remove the
vulnerabilities related to payroll fraud, the risk assessment team
recommended the use of stronger authentication mechanisms based on
smart tokens to generate one-time passwords that cannot be used by
an interloper for subsequent sessions. Such mechanisms would make it
very difficult for outsiders (e.g., from the Internet) who penetrate
systems on the WAN to use them to attack the mainframe. The authors
noted, however, that the mainframe serves many different agencies,
and HGA has no authority over the way the mainframe is configured
and operated. Thus, the costs and procedural difficulties of
implementing such controls would be substantial. The assessment team
also recommended improving the server's administrative procedures
and the speed with which security-related bug fixes distributed by
the vendor are installed on the server.
After input from COG
security specialists and application owners, HGA's managers accepted
most of the risk assessment team's recommendations. They decided
that since the residual risks from the falsification of time sheets
were acceptably low, no changes in procedures were necessary.
However, they judged the risks of payroll fraud due to the
interceptability of LAN server passwords to be unacceptably high,
and thus directed COG to investigate the costs and procedures
associated with using one-time passwords for Time and Attendance
Clerks and supervisor sessions on the server. Other users performing
less sensitive tasks on the LAN would continue to use password-based
authentication.
While the immaturity of
the LAN server's access controls was judged a significant source of
risk, COG was only able to identify one other PC LAN product that
would be significantly better in this respect. Unfortunately, this
product was considerably less friendly to users and application
developers, and incompatible with other applications used by HGA.
The negative impact of changing PC LAN products was judged too high
for the potential incremental gain in security benefits.
Consequently, HGA decided to accept the risks accompanying use of
the current product, but directed COG to improve its monitoring of
the server's access control configuration and its responsiveness to
vendor security reports and bug fixes.
HGA concurred that
risks of fraud due to unauthorized modification of time and
attendance data at or in transit to the mainframe should not be
accepted unless no practical solutions could be identified. After
discussions with the mainframe's owning agency, HGA concluded that
the owning agency was unlikely to adopt the advanced authentication
techniques advocated in the risk assessment. COG, however, proposed
an alternative approach that did not require a major resource
commitment on the part of the mainframe owner.
The alternative
approach would employ digital signatures based on public key
cryptographic techniques to detect unauthorized modification of time
and attendance data. The data would be digitally signed by
the supervisor using a private key prior to transmission to the
mainframe. When the payroll application program was run on the
mainframe, it would use the corresponding public key to validate the
correspondence between the time and attendance data and the
signature. Any modification of the data during transmission over the
WAN or while in temporary storage at the mainframe would result in a
mismatch between the signature and the data. If the payroll
application detected a mismatch, it would reject the data; HGA
personnel would then be notified and asked to review, sign, and send
the data again. If the data and signature matched, the payroll
application would process the time and attendance data normally.
HGA's decision to use
advanced authentication for time and attendance Clerks and
Supervisors can be combined with digital signatures by using smart
tokens. Smart tokens are programmable devices, so they can be loaded
with private keys and instructions for computing digital signatures
without burdening the user. When supervisors approve a batch of time
and attendance data, the time and attendance application on the
server would instruct the supervisor to insert their token in the
token reader/writer device attached to the supervisors' PC. The
application would then send a special "hash" (summary) of the time
and attendance data to the token via the PC. The token would
generate a digital signature using its embedded secret key, and then
transfer the signature back to the server, again via the PC. The
time and attendance application running on the server would append
the signature to the data before sending the data to the mainframe
and, ultimately, the payroll application.
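The sign-then-verify flow described above, as an added example that is not part of the NIST Handbook or of any HGA system: the server computes a hash of the batch, the supervisor's token signs only that hash with its private key, the signature travels with the data, and the payroll side recomputes the hash and validates it against the signature with the public key, rejecting the batch on any mismatch. The handbook names no algorithm; Ed25519 from the Go standard library, the record layout, the `Token`, `SupervisorApprove` and `PayrollVerify` names, and the sample records are all assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TimeRecord is one constructed time-and-attendance line item. The layout is
// an assumption for this example, not the HGA application's real format.
type TimeRecord struct {
	Employee string
	Week     string
	Hours    int
}

// SignedBatch is what the LAN server forwards to the mainframe: the data with
// the supervisor's signature appended.
type SignedBatch struct {
	Records   []TimeRecord
	Signature []byte
}

// serialize gives a canonical byte encoding so server and mainframe hash the
// same bytes; field order and separators are fixed on purpose.
func serialize(records []TimeRecord) []byte {
	var buf bytes.Buffer
	for _, r := range records {
		fmt.Fprintf(&buf, "%s|%s|%d\n", r.Employee, r.Week, r.Hours)
	}
	return buf.Bytes()
}

// batchDigest is the "hash (summary)" the server computes and hands to the token.
func batchDigest(records []TimeRecord) []byte {
	sum := sha256.Sum256(serialize(records))
	return sum[:]
}

// Token models the supervisor's smart token: it holds the private key and
// only ever sees the digest, never the raw time and attendance data.
type Token struct {
	priv ed25519.PrivateKey
}

// NewToken provisions a token and returns the matching public key, which the
// payroll application keeps for verification (key distribution is out of scope).
func NewToken() (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, pub, nil
}

// SignDigest returns the token's signature over the digest supplied by the PC.
func (t *Token) SignDigest(digest []byte) []byte {
	return ed25519.Sign(t.priv, digest)
}

// SupervisorApprove is the server-side step: hash the batch, have the token
// sign the hash, and append the signature to the data.
func SupervisorApprove(records []TimeRecord, tok *Token) SignedBatch {
	return SignedBatch{Records: records, Signature: tok.SignDigest(batchDigest(records))}
}

// ErrTampered is returned when the received data no longer matches the signature.
var ErrTampered = errors.New("time and attendance data does not match supervisor signature")

// PayrollVerify is the mainframe-side check: recompute the digest from the
// received data and validate it against the signature with the public key.
// Data altered in transit or in temporary storage, or a batch submitted by
// someone without the supervisor's token, fails this check and is rejected.
func PayrollVerify(b SignedBatch, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, batchDigest(b.Records), b.Signature) {
		return ErrTampered
	}
	return nil
}

func main() {
	tok, pub, err := NewToken()
	if err != nil {
		panic(err)
	}
	// Constructed sample batch for one pay week.
	records := []TimeRecord{{"E1001", "2019-W37", 40}, {"E1002", "2019-W37", 32}}
	batch := SupervisorApprove(records, tok)
	fmt.Println("genuine batch:", PayrollVerify(batch, pub))
	// Simulate alteration in transit: pad one employee's hours after signing.
	batch.Records[1].Hours = 80
	fmt.Println("altered batch:", PayrollVerify(batch, pub))
}
```

Because the token signs a fixed-size digest rather than the whole batch, the data never has to pass through the token, which is the property the handbook relies on to keep the user unburdened; the public key alone lets the mainframe verify, so the mainframe owner needs no new secrets, only the key management the handbook warns about.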
Although this approach
did not address the broader problems posed by the mainframe's I&A
vulnerabilities, it does provide a reliable means of detecting time
and attendance data tampering. In addition, it protects against
bogus time and attendance submissions from systems connected to the
WAN because individuals who lack a time and attendance supervisor's
smart token will be unable to generate valid signatures. (Note,
however, that the use of digital signatures does require increased
administration, particularly in the area of key management.) In
summary, digital signatures mitigate risks from a number of
different kinds of threats.
HGA's management
concluded that digitally signing time and attendance data was a
practical, cost-effective way of mitigating risks, and directed COG
to pursue its implementation. (They also noted that it would be
useful as the agency moved to use of digital signatures in other
applications.) This is an example of developing and providing a
solution in an environment over which no single entity has overall
authority.
20.6.2 Mitigating
Payroll Error Vulnerabilities
After reviewing the
risk assessment, HGA's management concluded that the agency's
current safeguards against payroll errors and against accidental
corruption and loss of time and attendance data were adequate.
However, the managers also concurred with the risk assessment's
conclusions about the necessity for establishing incentives for
complying (and penalties for not complying) with these safeguards.
They thus tasked the Director of Personnel to ensure greater
compliance with paperwork-handling procedures and to provide
quarterly compliance audit reports. They noted that the digital
signature mechanism HGA plans to use for fraud protection can also
provide protection against payroll errors due to accidental
corruption.