FYI
- Is your web site compliant with the Americans with Disabilities Act?
For the past 20 years, our web site audits have included the
guidelines of the ADA. Help reduce any liability, please
contact me for more information at
examiner@yennik.com.
SWIFT warns of more 'sophisticated' attacks, readies anti-fraud
tool - Haven't hardened? You're still gunna get hacked, says CISO -
The chief information security officer for global money transfer
network SWIFT says banks are still under attack from fraudsters
hoping to cash in on identified security gaps to steal millions of
dollars.
http://www.theregister.co.uk/2016/09/22/swift_warns_of_more_sophisticated_attacks_readies_antifraud_tool/
US cities promise to crack down on police surveillance tech -
Growing demand for greater oversight of how snoopware is obtained by
cops - A handful of US cities are banding together in an effort to
change the way police acquire and use surveillance technology.
http://www.theregister.co.uk/2016/09/21/us_cities_push_police_surveillance_overhaul/
Cybercriminals already able to hack ATM biometric readers - A report
indicates that biometric authentication at ATMs, offered as a
replacement for a password or PIN, is already being attacked by
cybercriminals, and that the downside for a person whose biometrics
are stolen is far more severe than losing a username or password,
since biometrics cannot be changed.
http://www.scmagazine.com/cybercriminals-already-able-to-hack-atm-biometric-readers/article/524694/
GAO - Electronic Health Information: HHS Needs to Strengthen
Security and Privacy Guidance and Oversight.
Report:
http://www.gao.gov/products/GAO-16-771
Highlights:
http://www.gao.gov/assets/680/679261.pdf
Uber prevents fraud and protects driver accounts with selfies - Uber
will now require drivers to take selfies to prevent fraud and
protect their accounts from compromise.
http://www.scmagazine.com/uber-prevents-fraud-and-protects-driver-accounts-with-selfies/article/525102/
Cybersecurity can't be centralized - There are few federal officials
more central to cybersecurity than Andy Ozment, the Department of
Homeland Security's assistant secretary for cybersecurity and
communications. Yet Ozment is adamant that cybersecurity
responsibilities cannot be consolidated at his agency or any other.
https://fcw.com/articles/2016/09/20/ozment-cyber-central.aspx
Cyber Bill Would Let Agency Heads Be Fired If There’s a Data Breach
- A new bill would let agency heads be demoted, fired or punished if
a data breach occurs under their purview.
http://www.nextgov.com/cybersecurity/2016/09/cyber-bill-would-let-agency-heads-be-fired-if-theres-data-breach/131735/
RTCA airline recs aim to strengthen aviation cybersecurity - A
technical committee that provides guidance to the Federal Aviation
Administration has reportedly drafted recommendations for
strengthening the aviation industry's cybersecurity posture.
http://www.scmagazine.com/rtca-airline-recs-aim-to-strengthen-aviation-cybersecurity/article/524973/
185M incidents bypassed perimeter defenses - Two recent industry
reports warned of the dangers of over-reliance on perimeter security
as an enterprise defense method.
http://www.scmagazine.com/185m-incidents-bypassed-perimeter-defenses--report/article/525094/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Yahoo Reveals Nation State-Borne Data Breach Affecting A
Half-Billion Users - But still unconfirmed is whether the newly
revealed attack is related to recently dumped Yahoo user credentials
in an online cybercrime forum. The other shoe has dropped - maybe.
Nearly two months after signs of a Yahoo data breach surfaced with
leaked user credentials in the cybercrime underground, Yahoo today
confirmed that it had suffered a cyberattack in late 2014 by what
the company says was likely a nation-state actor.
http://www.darkreading.com/attacks-breaches/yahoo-reveals-nation-state-borne-data-breach-affecting-a-half-billion-users/d/d-id/1326984
Massive web attack hits security blogger - One of the biggest web
attacks ever seen has been aimed at a security blogger after he
exposed hackers who carry out such attacks for cash.
http://www.bbc.com/news/technology-37439513
Email of White House staffer hacked, purported scan of First Lady's
passport leaked - The White House has announced a cyber-security
breach, as a purported photocopy of Michelle Obama's passport
appears online.
http://www.scmagazine.com/email-of-white-house-staffer-hacked-purported-scan-of-first-ladys-passport-leaked/article/524560/
Discover Financial Services reports three data breaches to
California AG - For the second time this year, Discover Financial
Services reported a set of data breaches on the same day to the
California Attorney General's Office.
http://www.scmagazine.com/discover-reports-second-set-of-breaches-this-year/article/524838/
OVH suffers massive 1.1Tbps DDoS attack - Hosting company OVH has
been subjected to the biggest DDoS attack known to date, with peaks
of over 1 Tbps of traffic.
http://www.scmagazine.com/ovh-suffers-massive-11tbps-ddos-attack/article/525101/
WEB SITE COMPLIANCE -
Over the next few
weeks, we will cover some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Banking Supervision.
Executive Summary
Continuing technological innovation and competition among
existing banking organizations and new entrants have allowed for a
much wider array of banking products and services to become
accessible and delivered to retail and wholesale customers through
an electronic distribution channel collectively referred to as
e-banking. However, the rapid development of e-banking capabilities
carries risks as well as benefits.
The Basel Committee on Banking Supervision expects such risks to be
recognized, addressed and managed by banking institutions in a
prudent manner according to the fundamental characteristics and
challenges of e-banking services. These characteristics include the
unprecedented speed of change related to technological and customer
service innovation, the ubiquitous and global nature of open
electronic networks, the integration of e-banking applications with
legacy computer systems and the increasing dependence of banks on
third parties that provide the necessary information technology.
The Committee noted that, while these characteristics do not create
inherently new risks, they increase and modify some of the
traditional risks associated with banking activities, in particular
strategic, operational, legal and reputational risks, thereby
influencing the overall risk profile of banking.
Based on these conclusions, the Committee considers that while
existing risk management principles remain applicable to e-banking
activities, such principles must be tailored, adapted and, in some
cases, expanded to address the specific risk management challenges
created by the characteristics of e-banking activities. To this end,
the Committee believes that it is incumbent upon the Boards of
Directors and banks' senior management to take steps to ensure that
their institutions have reviewed and modified where necessary their
existing risk management policies and processes to cover their
current or planned e-banking activities. The Committee also believes
that the integration of e-banking applications with legacy systems
implies an integrated risk management approach for all banking
activities of a banking institution.
FFIEC IT SECURITY
-
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
NETWORK ACCESS
Packet Filter Firewalls
Basic packet filtering was described in the router section and does
not include stateful inspection. Packet filter firewalls evaluate
the headers of each incoming and outgoing packet to ensure it has a
valid internal address, originates from a permitted external
address, connects to an authorized protocol or service, and contains
valid basic header instructions. If the packet does not match the
pre-defined policy for allowed traffic, then the firewall drops the
packet. Packet filters generally do not analyze the packet contents
beyond the header information. Dynamic packet filtering adds stateful
inspection, primarily for performance. Rather than evaluating every
packet against the full ruleset, the firewall first checks whether an
arriving packet belongs to a connection it has already recorded in its
state table; if it does, the packet is forwarded without being
subjected to the firewall ruleset.
Weaknesses associated with packet filtering firewalls include the
following:
! The system is unable to prevent attacks that employ application
specific vulnerabilities and functions because the packet filter
cannot examine packet contents.
! Logging functionality is limited to the same information used to
make access control decisions.
! Most do not support advanced user authentication schemes.
! Firewalls are generally vulnerable to attacks and exploitation
that take advantage of problems in the TCP/IP specification.
! The firewalls are easy to misconfigure, which allows traffic to
pass that should be blocked.
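As an added illustration (not part of the FFIEC booklet), the following Python sketch models a packet filter with a header-only ruleset and a stateful connection table. The internal range 10.0.0.0/8, the web server 10.0.0.80, the client 203.0.113.5 and every packet are constructed for the example. It shows the behaviours described above: a packet that matches a recorded connection is forwarded without consulting the ruleset; an application-layer attack carried inside an allowed connection is forwarded because only headers are examined; the log can record nothing beyond the header fields used for the decision; and the policy has no notion of a user, only of addresses, protocols and ports.

```python
"""Toy packet filter: header-only rules plus a stateful connection table.
Added example, not from the FFIEC booklet; addresses and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed internal address range
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    direction: str        # "in" = arriving from the Internet, "out" = leaving
    syn: bool = False     # TCP SYN: first packet of a new connection
    payload: bytes = b""  # carried on the wire, never examined by the filter

@dataclass(frozen=True)
class Rule:
    direction: str
    src: object           # ipaddress network objects
    dst: object
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "drop"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and p.proto == self.proto
                and (self.dport is None or p.dport == self.dport))

# Policy: the Internet may reach the web server on 443 only; internal hosts may
# initiate outbound TCP; anything unmatched is dropped. No notion of "user" exists.
POLICY = [
    Rule("in", ANY, ip_network("10.0.0.80/32"), "tcp", 443, "allow"),
    Rule("out", INTERNAL_NET, ANY, "tcp", None, "allow"),
]

def valid_header(p: Packet) -> bool:
    """Header sanity and anti-spoofing: valid ports, and source/destination
    addresses consistent with the direction the packet arrived from."""
    if p.proto not in ("tcp", "udp") or not (0 < p.sport < 65536 and 0 < p.dport < 65536):
        return False
    src, dst = ip_address(p.src), ip_address(p.dst)
    if p.direction == "in":
        return src not in INTERNAL_NET and dst in INTERNAL_NET
    return src in INTERNAL_NET

def stateless_decision(p: Packet) -> str:
    if not valid_header(p):
        return "drop"
    for rule in POLICY:               # first matching rule wins
        if rule.matches(p):
            return rule.action
    return "drop"

class StatefulFilter:
    def __init__(self) -> None:
        self.conns: Set[Tuple] = set()  # established connections
        self.log: List[str] = []        # only header fields are available to log

    @staticmethod
    def _key(p: Packet) -> Tuple:
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])  # direction-independent
        return (p.proto, ends[0], ends[1])

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.conns:          # known connection: ruleset is skipped
            self.log.append(f"allow(state) {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}")
            return "allow"
        decision = stateless_decision(p)
        if decision == "allow" and (p.proto == "udp" or p.syn):
            self.conns.add(key)        # remember the connection just opened
        self.log.append(f"{decision}(rule) {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}")
        return decision

def demo() -> dict:
    """Run constructed packets through the filter and return each decision."""
    fw, srv, cli = StatefulFilter(), "10.0.0.80", "203.0.113.5"
    out = {}
    out["client_syn"] = fw.filter(Packet(cli, srv, "tcp", 40000, 443, "in", syn=True))
    out["server_reply"] = fw.filter(Packet(srv, cli, "tcp", 443, 40000, "out"))
    # Same allowed connection carrying an application-layer attack: the header
    # is valid and the payload is never inspected, so it is forwarded.
    out["payload_attack"] = fw.filter(Packet(cli, srv, "tcp", 40000, 443, "in",
                                             payload=b"GET /login?user=' OR '1'='1 HTTP/1.1\r\n"))
    out["ssh_attempt"] = fw.filter(Packet(cli, srv, "tcp", 40001, 22, "in", syn=True))
    out["spoofed_internal"] = fw.filter(Packet("10.0.0.5", srv, "tcp", 40002, 443, "in", syn=True))
    out["state_hits"] = sum(1 for line in fw.log if "(state)" in line)
    return out
```

Calling demo() returns "allow" for the client SYN, the server reply and the payload-carrying attack packet, and "drop" for the inbound SSH attempt and the packet claiming an internal source from outside; two of the five decisions were made from the state table without touching the ruleset. The payload case is exactly the first weakness listed above, and the log entries show the second: they contain only what the filter itself looked at.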
Packet filtering offers less security but faster performance than
application-level firewalls. Packet filters are appropriate in
high-speed environments where logging and user authentication to
network resources are not important. They are also commonly used in
small office/home office (SOHO) systems and default operating system
firewalls.
Institutions internally hosting Internet-accessible services should
consider implementing additional firewall components that include
application-level screening.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
CYCLE
8.4.2.2 Incorporating Security Requirements Into Specifications
Determining security features, assurances, and operational
practices can yield significant security information and often
voluminous requirements. This information needs to be validated,
updated, and organized into the detailed security protection
requirements and specifications used by systems designers or
purchasers. Specifications can take on quite different forms,
depending on the methodology used to develop the system, or on
whether the system, or parts of it, are being purchased off the
shelf.
As specifications are developed, it may be necessary to update
initial risk assessments. A safeguard recommended by the risk
assessment could be incompatible with other requirements or a
control may be difficult to implement. For example, a security
requirement that prohibits dial-in access could prevent employees
from checking their e-mail while away from the office.
Besides the technical and operational controls of a system,
assurance also should be addressed. The degree to which assurance
(that the security features and practices can and do work correctly
and effectively) is needed should be determined early. Once the
desired level of assurance is determined, it is necessary to figure
out how the system will be tested or reviewed to determine whether
the specifications have been satisfied (to obtain the desired
assurance). This applies to both system developments and
acquisitions. For example, if rigorous assurance is needed, the
ability to test the system or to provide another form of initial and
ongoing assurance needs to be designed into the system or otherwise
provided for.
Developing testing specifications early can be critical to being
able to cost-effectively test security features.