REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Don't forget to follow me on LinkedIn at
https://www.linkedin.com/in/yennik where I post a weekly
question on IT security/audit.
FYI
- IT security shifts from prevention to resiliency - The discussion
on cybersecurity has shifted as CIOs and CTOs come to the
realization that no system is immune to attacks and breaches. The
conversation is now about “cyber resiliency.”
http://www.federaltimes.com/article/20140922/CYBER/309220008/IT-security-shifts-from-prevention-resiliency
FYI
- GAO - Consumer Financial Protection Bureau: Some Privacy and
Security Procedures for Data Collections Should Continue Being
Enhanced.
http://www.gao.gov/products/GAO-14-758
FYI
- Breached HealthCare.gov Server Still Had Default Password - A
HealthCare.gov test server still had a default password when it was
hacked in July, a Department of Homeland Security official told
Congress Thursday.
http://www.nextgov.com/health/2014/09/breached-healthcaregov-server-still-had-default-password/94490/?oref=ng-channelrivers
FYI
- Beazley: employee errors root of most data breaches, but malware
incidents cost more - Insurance firm Beazley analyzed more than
1,500 data breaches it serviced between 2013 and 2014, and found
that the majority of the incidents were caused by unintended
disclosures, via email or fax for instance, or by physical loss of
paper records.
http://www.scmagazine.com/beazley-employee-errors-root-of-most-data-breaches-but-malware-incidents-cost-more/article/372679/
FYI
- Mobile device security sacrificed for productivity, study says -
Productivity is driving the use of mobile devices in the workplace,
and a recent poll of IT and IT security pros found that one-third of
employees use the devices exclusively for work – a figure expected
to rise to 47 percent in the next year.
http://www.scmagazine.com/mobile-device-security-sacrificed-for-productivity-study-says/article/372962/
FYI
- Intrusion prevention systems made a comeback in 2013 - The
intrusion prevention system (IPS) market that some security
professionals deemed to be on the verge of extinction a few years
ago has bounced back, growing 4.2 percent, or $1.35 billion, over
the past year, according to a new study.
http://www.scmagazine.com/report-intrustion-prevention-systems-made-a-comeback-in-2013/article/372967/
FYI
- U.S. grid safe from large-scale attack, experts say - The specter
of a large-scale, destructive attack on the U.S. power grid is at
the center of much strategic thinking about cybersecurity.
http://www.politico.com/story/2014/09/power-grid-safety-110815.html
FYI
- GAO - Cloud Computing: Additional Opportunities and Savings Need
to Be Pursued.
http://www.gao.gov/products/GAO-14-753
FYI
- Microsoft launches new bug bounty program - Microsoft launched its
new Online Services Bug Bounty program earlier this week with the
first project involving Office 365.
http://www.scmagazine.com/microsofts-office-365-participates-in-new-bug-bounty-program/article/373587/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- China hacked US Army transport orgs TWENTY TIMES in ONE YEAR - FBI
et al knew of nine hacks - but didn't tell TRANSCOM - Sophisticated
Beijing-backed hackers raided civilian organisations responsible for
the movements of US troops and equipment 20 times in one year of
which only two were detected by the responsible agency, an audit
report has found.
http://www.theregister.co.uk/2014/09/18/china_hacked_us_army_twenty_times_in_one_year/
FYI
- eBay addresses XSS issue affecting auction page visitors - A BBC
report has revealed that an auction page on eBay.co.uk left visitors
vulnerable to cross-site scripting (XSS) attacks. To take
advantage of the security issue, scammers placed malicious
JavaScript code in the product listing page, so that users would be
redirected to a phishing site, BBC said.
http://www.scmagazine.com/ebay-addresses-xss-issue-affecting-auction-page-visitors/article/372422/
FYI
- Hackers had access to Goodwill hosting provider for 18 months -
C&K Systems, which provided payment technology to Goodwill, said two
other businesses were also affected - Hackers evaded security
systems for a year-and-a-half at a hosting center that processed
payment cards for Goodwill Industries, using the same type of
malware that struck Target and other major retailers to steal card
data, according to the charity's software vendor.
http://www.computerworld.com/article/2684180/hackers-had-access-to-goodwill-hosting-provider-for-18-months.html
FYI
- Chinese hackers breach 50 U.S. gov't contractors' systems in one
year - Over the course of almost a year, Chinese hackers were able
to target, attack and successfully penetrate government contractors'
systems to steal sensitive information and, in one case, access
systems onboard an American commercial ship.
http://www.scmagazine.com/chinese-hackers-breach-50-us-govt-contractors-systems-in-one-year/article/372673/
FYI
- Home Depot ignored staff warnings of security fail laundry list -
Home Depot is facing claims it ignored security warnings from staff,
who say prior to its loss of 56 million credit cards, it failed to
update anti-virus since 2007, did not consistently monitor its
network for signs of attack, and failed to properly audit its
eventually-hacked payment terminals.
http://www.theregister.co.uk/2014/09/22/home_depot_ignored_staff_warnings_of_security_fail_laundry_list/
FYI
- Home Depot’s former security architect had history of
techno-sabotage - Now serving four-year federal sentence, Ricky Joe
Mitchell spread viruses as teen. When Home Depot suffered a breach
of transaction data that exposed as many as 52 million credit card
transactions earlier this year, the company reportedly suffered from
lax computer and network security measures for years.
http://arstechnica.com/security/2014/09/home-depots-former-security-architect-had-history-of-techno-sabotage/
FYI
- Home Depot ignored security employees' vulnerability warnings -
Home Depot's security team knew of vulnerabilities in the retailer's
systems years before its massive breach and issued multiple warnings
to no avail, according to a recent report by The New York Times that
sourced anonymous former Home Depot cybersecurity employees.
http://www.scmagazine.com/home-depot-ignored-security-employees-vulnerability-warnings/article/372910/
FYI
- Cyber attack on Japan Airlines impacts up to 750,000 - A phishing
attack may have resulted in the theft of personal information
belonging to customers of Japan Airlines' frequent flier club.
http://www.scmagazine.com/japan-airlines-experiences-data-breach/article/373722/
FYI
- Jimmy John's confirms breach; 216 stores impacted - Jimmy John's
confirmed a data breach this week and disclosed that approximately
216 stores were affected.
http://www.scmagazine.com/jimmy-johnss-pos-systems-compromised/article/373688/
WEB SITE COMPLIANCE - We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Principle 2: Banks should use transaction authentication
methods that promote non-repudiation and establish accountability
for e-banking transactions.
Non-repudiation involves creating proof of the origin or
delivery of electronic information to protect the sender against
false denial by the recipient that the data has been received, or to
protect the recipient against false denial by the sender that the
data has been sent. Risk of transaction repudiation is already an
issue with conventional transactions such as credit cards or
securities transactions. However, e-banking heightens this risk
because of the difficulties of positively authenticating the
identities and authority of parties initiating transactions, the
potential for altering or hijacking electronic transactions, and the
potential for e-banking users to claim that transactions were
fraudulently altered.
To address these heightened concerns, banks need to make reasonable
efforts, commensurate with the materiality and type of the e-banking
transaction, to ensure that:
1) E-banking systems are designed to reduce the likelihood that
authorized users will initiate unintended transactions and that
customers fully understand the risks associated with any
transactions they initiate.
2) All parties to the transaction are positively authenticated and
control is maintained over the authenticated channel.
3) Financial transaction data are protected from alteration and
any alteration is detectable.
Banking organizations have begun to employ various techniques that
help establish non-repudiation and ensure confidentiality and
integrity of e-banking transactions, such as digital certificates
using public key infrastructure (PKI). A bank may issue a digital
certificate to a customer or counterparty to allow for their unique
identification/authentication and reduce the risk of transaction
repudiation. Although in some countries customers' rights to
disclaim transactions are provided in specific legal provisions,
legislation has been passed in certain national jurisdictions making
digital signatures legally enforceable. Wider global legal
acceptance of such techniques is likely as technology continues to
evolve.
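The three requirements above (positive authentication of the parties, protection of transaction data from alteration, and detectability of any alteration) are what a digital signature over the transaction record delivers. The following Go program is an added illustration written for this newsletter, not code from the Basel Committee or from any bank: the customer signs a canonical encoding of a constructed transfer record with an Ed25519 private key only they hold, and the bank verifies it with the public key that a bank-issued certificate would bind to that customer. The field names and account values are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"log"
)

// Transaction is a constructed e-banking transfer record; the field names are
// illustrative, not taken from any real banking system.
type Transaction struct {
	FromAccount string `json:"from"`
	ToAccount   string `json:"to"`
	AmountCents int64  `json:"amount_cents"`
	Nonce       string `json:"nonce"` // unique per transaction so a captured message cannot be replayed
}

// SignedTransaction carries the exact bytes that were signed together with the
// signature; verifying against those bytes makes any alteration detectable.
type SignedTransaction struct {
	Payload   []byte
	Signature []byte
}

// canonical produces the deterministic encoding that is signed and later verified.
func canonical(tx Transaction) ([]byte, error) {
	return json.Marshal(tx)
}

// SignTransaction runs on the customer's side with a private key only the
// customer holds (the key a bank-issued certificate would bind to their identity).
func SignTransaction(priv ed25519.PrivateKey, tx Transaction) (SignedTransaction, error) {
	payload, err := canonical(tx)
	if err != nil {
		return SignedTransaction{}, err
	}
	return SignedTransaction{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyTransaction runs at the bank with the public key from the customer's
// certificate. ok is false when the signature does not match the payload, which
// covers both a forged origin and a payload altered after signing.
func VerifyTransaction(pub ed25519.PublicKey, st SignedTransaction) (Transaction, bool) {
	if !ed25519.Verify(pub, st.Payload, st.Signature) {
		return Transaction{}, false
	}
	var tx Transaction
	if err := json.Unmarshal(st.Payload, &tx); err != nil {
		return Transaction{}, false
	}
	return tx, true
}

// TamperAmount simulates the "altering or hijacking" risk: the amount is changed
// in transit while the original signature is kept.
func TamperAmount(st SignedTransaction, newAmount int64) SignedTransaction {
	var tx Transaction
	if err := json.Unmarshal(st.Payload, &tx); err != nil {
		return st
	}
	tx.AmountCents = newAmount
	payload, err := canonical(tx)
	if err != nil {
		return st
	}
	return SignedTransaction{Payload: payload, Signature: st.Signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	tx := Transaction{FromAccount: "ACC-100", ToAccount: "ACC-200", AmountCents: 12500, Nonce: "n-0001"}
	signed, err := SignTransaction(priv, tx)
	if err != nil {
		log.Fatal(err)
	}
	_, ok := VerifyTransaction(pub, signed)
	fmt.Println("genuine transaction accepted:", ok)
	_, ok = VerifyTransaction(pub, TamperAmount(signed, 1250000))
	fmt.Println("altered transaction accepted:", ok)
}
```

The signature is what gives the bank its evidence against a later "I never sent that" claim: only the holder of the private key could have produced it over those exact bytes. The nonce is included in the signed payload so that the same signed message cannot be presented twice, and verification is done against the bytes actually received rather than a re-encoded copy, so the altered-amount case fails exactly as Principle 2 requires.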
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
System Patches
Software support should incorporate a process to update and
patch operating system and application software for new
vulnerabilities. Frequently, security vulnerabilities are discovered
in operating systems and other software after deployment. Vendors
often issue software patches to correct those vulnerabilities.
Financial institutions should have an effective monitoring process
to identify new vulnerabilities in their hardware and software.
Monitoring involves such actions as the receipt and analysis of
vendor and governmental alerts and security mailing lists. Once
identified, secure installation of those patches requires a process
for obtaining, testing, and installing the patch.
Patches make direct changes to the software and configuration of
each system to which they are applied. They may degrade system
performance. Also, patches may introduce new vulnerabilities, or
reintroduce old vulnerabilities. The following considerations can
help ensure patches do not compromise the security of systems:
! Obtain the patch from a known, trusted source;
! Verify the integrity of the patch through such means as
comparisons of cryptographic hashes to ensure the patch obtained is
the correct, unaltered patch;
! Apply the patch to an isolated test system and verify that the
patch (1) is compatible with other software used on systems to which
the patch will be applied, (2) does not alter the system's security
posture in unexpected ways, such as altering log settings, and (3)
corrects the pertinent vulnerability;
! Back up production systems prior to applying the patch;
! Apply the patch to production systems using secure methods, and
update the cryptographic checksums of key files as well as that
system's software archive;
! Test the resulting system for known vulnerabilities;
! Update the master configurations used to build new systems;
! Create and document an audit trail of all changes; and
! Seek additional expertise as necessary to maintain a secure
computing environment.
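Several of the steps above are mechanical checks that can be scripted: verifying the patch against the vendor's published digest, recording a checksum baseline of key files before the test-system install, comparing it afterwards to catch changes the patch was not supposed to make (the "altering log settings" case), and writing each step to an audit trail. The Go program below is an added example for this newsletter, not from the FFIEC booklet or any vendor tool. The patch bytes, the file contents, and the "published" digest are all constructed in the program; in practice the digest comes from the vendor advisory and the file map is replaced by reads of the real host.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// VerifyPatch compares the SHA-256 of the downloaded patch with the digest the
// vendor published out of band (the caller supplies that value).
func VerifyPatch(patch []byte, expectedHex string) (bool, error) {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil {
		return false, err
	}
	sum := sha256.Sum256(patch)
	return subtle.ConstantTimeCompare(sum[:], expected) == 1, nil
}

// Manifest records the SHA-256 of every file in a system image, here a
// constructed in-memory map of path -> contents standing in for a real host.
func Manifest(files map[string][]byte) map[string]string {
	m := make(map[string]string, len(files))
	for path, content := range files {
		sum := sha256.Sum256(content)
		m[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// ChangedFiles lists every path whose digest differs between two manifests,
// including files added or removed, in sorted order.
func ChangedFiles(before, after map[string]string) []string {
	changed := []string{}
	for path, h := range after {
		if before[path] != h {
			changed = append(changed, path)
		}
	}
	for path := range before {
		if _, ok := after[path]; !ok {
			changed = append(changed, path)
		}
	}
	sort.Strings(changed)
	return changed
}

// UnexpectedChanges returns the changed paths that the patch's release notes
// did not declare; a non-empty result means the patch altered the system's
// posture in a way that must be explained before production rollout.
func UnexpectedChanges(changed []string, declared map[string]bool) []string {
	unexpected := []string{}
	for _, path := range changed {
		if !declared[path] {
			unexpected = append(unexpected, path)
		}
	}
	return unexpected
}

// AuditEntry is one record in the change audit trail.
type AuditEntry struct {
	When   time.Time
	Action string
	Detail string
}

func main() {
	// Constructed patch bytes; the "published" digest is computed here only to
	// stand in for the value a vendor advisory would list.
	patch := []byte("example-patch-contents-v1.2.3")
	published := sha256.Sum256(patch)
	ok, _ := VerifyPatch(patch, hex.EncodeToString(published[:]))
	fmt.Println("patch digest matches vendor value:", ok)

	before := Manifest(map[string][]byte{
		"bin/app":      []byte("app v1"),
		"etc/log.conf": []byte("level=info"),
	})
	after := Manifest(map[string][]byte{
		"bin/app":      []byte("app v2"),
		"etc/log.conf": []byte("level=off"), // the patch silently reduced logging
	})
	changed := ChangedFiles(before, after)
	unexpected := UnexpectedChanges(changed, map[string]bool{"bin/app": true})
	trail := []AuditEntry{
		{time.Now(), "verify", fmt.Sprintf("digest ok=%v", ok)},
		{time.Now(), "test-apply", fmt.Sprintf("changed=%v unexpected=%v", changed, unexpected)},
	}
	for _, e := range trail {
		fmt.Printf("%s %s %s\n", e.When.Format(time.RFC3339), e.Action, e.Detail)
	}
}
```

The post-patch manifest from the test system is the same data the booklet says to carry forward: once the patch is accepted, that manifest becomes the updated set of checksums for the key files and the reference for the master configuration used to build new systems, so a later comparison of a production host against it detects both drift and a patch that was not applied.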
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures, if any,
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and the level of risk identified. Each module contains a series of
general instructions to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses in
the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment for
corrective action.