R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 4, 2015

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, the agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - Cyber insurance rejects claim after BitPay lost $1.8 million in phishing attack - BitPay was spearphished, the CFO's credentials were stolen, and the company was scammed out of $1.8 million in bitcoins, but its cyber insurance company refused to pay. http://www.networkworld.com/article/2984989/security/cyber-insurance-rejects-claim-after-bitpay-lost-1-8-million-in-phishing-attack.html

FYI - Forcing suspects to reveal phone passwords is unconstitutional, court says - Demanding "personal thought processes" amounts to compelled self incrimination. The Fifth Amendment right against compelled self-incrimination would be breached if two insider trading suspects were forced to turn over the passcodes of their locked mobile phones to the Securities and Exchange Commission, a federal judge ruled Wednesday. http://arstechnica.com/tech-policy/2015/09/forcing-suspects-to-reveal-phone-passwords-is-unconstitutional-court-says/

FYI - New Data Finds Women Still Only 10% Of Security Workforce - But more women hold governance, risk and compliance (GRC) roles than men, new (ISC)2 report finds. The needle has not moved: new data released today by (ISC)2 and Booz Allen Hamilton shows that the percentage of women in cybersecurity worldwide has remained static over the past two years, holding at an anemic 10%. http://www.darkreading.com/operations/new-data-finds-women-still-only-10--of-security-workforce/d/d-id/1322371

FYI - Companies leaving known vulnerabilities unchecked for 120 days - Most major corporations have nobody to blame but themselves when it comes to making themselves open to non-targeted online attacks with the average company leaving known vulnerabilities open for months giving hackers more than enough time to take action. http://www.scmagazine.com/companies-leaving-known-vulnerabilities-unchecked-for-120-days-kenna/article/441746/

FYI - Thousands of medical systems found vulnerable to attack - Thousands of medical systems are vulnerable to cyberattacks, new research demonstrates. http://www.scmagazine.com/derbycon-security-researchers-disclose-vulnearabilities-at-healthcare-institutions/article/441730/

FYI - OPM breach included five times more stolen fingerprints - But good news: "the ability to misuse fingerprint data is limited." http://arstechnica.com/security/2015/09/opm-breach-included-five-times-more-stolen-fingerprints/

FYI - About 2,800 Kentucky high school students notified of breach - Kentucky-based Oldham County Schools is notifying about 2,800 current and former North Oldham High School students that their personal information may have been compromised as part of a breach involving a phishing scheme. http://www.scmagazine.com/about-2800-kentucky-high-school-students-notified-of-breach/article/441410/

FYI - Card Breach at Hilton Hotel Properties - Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims. http://krebsonsecurity.com/2015/09/banks-card-breach-at-hilton-hotel-properties/

FYI - DDoS attack sent 4.5 billion requests using mobile browsers - Researchers at CloudFlare spotted a distributed denial-of-service (DDoS) attack that used mobile device browsers to flood a site with 4.5 billion requests. http://www.scmagazine.com/ddos-attack-used-mobile-devices-to-deliver-45-billion-requests/article/441456/

FYI - Members of NJ health insurer had data accessed, used in fraud scheme - More than a thousand Horizon Blue Cross Blue Shield of New Jersey (BCBSNJ) members are being notified that access may have been gained to their personal information, and nearly 60 are being alerted that their data was used to submit false claims. http://www.scmagazine.com/members-of-nj-health-insurer-had-data-accessed-used-in-fraud-scheme/article/441680/

FYI - Data breach hits roughly 15M T-Mobile customers, applicants - A hack of Experian, the company that handles credit checks for the wireless carrier, results in the loss of Social Security numbers, birth dates and names. Hackers stole the personal data of 15 million T-Mobile customers by going after the company that processes the wireless carrier's credit checks.

FYI - Trump Hotel Collection confirms customer data compromised - The Trump Hotel Collection (THC) confirmed that malware was used to gain unauthorized access to customer payment card data at seven properties. http://www.scmagazine.com/trump-hotel-collection-confirms-seven-properties-were-compromised/article/442582/


Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Oversight of Service Provider

Assess Quality of Service and Support

• Regularly review reports documenting the service provider’s performance. Determine if the reports are accurate and allow for a meaningful assessment of the service provider’s performance.
• Document and follow up on any problem in service in a timely manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change controls are in effect, and ensure authorization is established for significant system changes.
• Evaluate the provider’s ability to support and enhance the institution’s strategic direction including anticipated business development goals and objectives, service delivery requirements, and technology initiatives.
• Determine adequacy of training provided to financial institution employees.
• Review customer complaints on the products and services provided by the service provider.
• Periodically meet with contract parties to discuss performance and operational issues.
• Participate in user groups and other forums.


This concludes the series from the FDIC "Security Risks Associated with the Internet."  Starting next week, we will begin covering the OCC Bulletin about Infrastructure Threats and Intrusion Risks.
V. Security Flaws and Bugs

Because hardware and software continue to improve, the task of maintaining system performance and security is ongoing. Products are frequently issued which contain security flaws or other bugs, and then security patches and version upgrades are issued to correct the deficiencies. The most important action in this regard is to keep current on the latest software releases and security patches. This information is generally available from product developers and vendors. Also important is an understanding of the products and their security flaws, and how they may affect system performance. For example, if there is a time delay before a patch will be available to correct an identified problem, it may be necessary to invoke mitigating controls until the patch is issued.
Reference sources for the identification of software bugs exist, such as the Computer Emergency Response Team Coordination Center (CERT/CC) at the Software Engineering Institute of Carnegie Mellon University, Pittsburgh, Pennsylvania. The CERT/CC, among other activities, issues advisories on security flaws in software products, and provides this information to the general public through subscription e-mail, Internet newsgroups (Usenet), and their Web site at www.cert.org.  Many other resources are freely available on the Internet.
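The FDIC guidance above says to track vendor advisories against what is actually installed, and to record a mitigating control whenever a fix is not yet available. The following Python is an added example (not part of the FDIC text or of Yennik's audit tooling) of a small patch-lag tracker that does exactly that: it compares each host's installed version with the advisory's fixed version, ages each open advisory against a patching SLA, and flags unpatched-and-unmitigated exposures first. All hosts, advisory identifiers (ADV-2015-00x), product names, versions and dates are constructed for the example; the 30-day SLA is an assumption, not a regulatory figure.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_version: Optional[str]  # None: vendor has not shipped a fix yet
    published: date

@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str

def version_key(version: str) -> tuple:
    """Dotted numeric version -> tuple of ints, so '2.4.16' sorts after '2.4.9'."""
    return tuple(int(part) for part in version.split("."))

def assess(hosts, advisories, as_of, sla_days=30, mitigations=None):
    """One finding per (host, applicable advisory).

    status is one of: patched, within_sla, overdue,
    no_patch_mitigated, no_patch_unmitigated.
    mitigations maps (host name, advisory id) -> description of the
    compensating control in place while no vendor fix exists.
    """
    mitigations = mitigations or {}
    findings = []
    for host in hosts:
        for adv in advisories:
            if adv.product != host.product:
                continue
            age = (as_of - adv.published).days
            if adv.fixed_version is None:
                # No patch to apply: the only question is whether a
                # mitigating control has been recorded for this host.
                mitigated = (host.name, adv.advisory_id) in mitigations
                status = "no_patch_mitigated" if mitigated else "no_patch_unmitigated"
            elif version_key(host.version) >= version_key(adv.fixed_version):
                status = "patched"
            elif age > sla_days:
                status = "overdue"
            else:
                status = "within_sla"
            findings.append({"host": host.name, "advisory": adv.advisory_id,
                             "age_days": age, "status": status})
    return findings

def action_items(findings):
    """Findings that still need work, worst first (then oldest first)."""
    order = {"no_patch_unmitigated": 0, "overdue": 1, "within_sla": 2}
    return sorted((f for f in findings if f["status"] in order),
                  key=lambda f: (order[f["status"]], -f["age_days"]))

# Constructed sample data (hypothetical products, versions, ids and dates).
ADVISORIES = [
    Advisory("ADV-2015-001", "webserver", "2.4.16", date(2015, 7, 15)),
    Advisory("ADV-2015-002", "webserver", None, date(2015, 9, 28)),  # no fix yet
    Advisory("ADV-2015-003", "dbms", "10.2", date(2015, 5, 1)),
]
HOSTS = [
    Host("web1", "webserver", "2.4.12"),
    Host("web2", "webserver", "2.4.16"),
    Host("db1", "dbms", "10.1"),
]
MITIGATIONS = {
    ("web1", "ADV-2015-002"): "vulnerable module disabled pending vendor fix",
}
AS_OF = date(2015, 10, 4)

def report():
    """Run the assessment over the constructed inventory."""
    return assess(HOSTS, ADVISORIES, AS_OF, sla_days=30, mitigations=MITIGATIONS)

if __name__ == "__main__":
    for f in action_items(report()):
        print(f"{f['status']:22} {f['host']:6} {f['advisory']}  {f['age_days']} days")
```

Run stand-alone, the report lists web2 first (advisory open with no fix and no recorded mitigation), then db1 and web1 as overdue at 156 and 81 days; web1's second exposure is suppressed because a compensating control is on file. Feeding real CERT/CC or vendor advisories into the same structure only requires populating the Advisory list.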

 Active Content Languages 

 Active content languages have been the subject of a number of recent security discussions within the technology industry. While it is not their only application, these languages allow computer programs to be attached to Web pages. As such, more appealing and interactive Web pages can be created, but this function may also allow unauthorized programs to be automatically downloaded to a user's computer. To date, few incidents have been reported of harm caused by such programs; however, active content programs could be malicious, designed to access or damage data or insert a virus. 
 Security problems may result from an implementation standpoint, such as how the languages and developed programs interact with other software, such as Web browsers. Typically, users can disable the acceptance of such programs on their Web browser. Or, users can configure their browser so they may choose which programs to accept and which to deny. It is important for users to understand how these languages function and the risks involved, so that they make educated decisions regarding their use. Security alerts concerning active content languages are usually well publicized and should receive prompt reviews by those utilizing the technology. 

 VI. Viruses 

 Because potentially malicious programs can be downloaded directly onto a system from the Internet, virus protection measures beyond the traditional boot scanning techniques may be necessary to properly protect servers, systems, and workstations. Additional protection might include anti-virus products that remain resident, providing for scanning during downloads or the execution of any program. It is also important to ensure that all system users are educated in the risks posed to systems by viruses and other malicious programs, as well as the proper procedures for accessing information and avoiding such threats.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Section I. Introduction & Overview
 Chapter 1

 INTRODUCTION - 1.4 Important Terminology
 To understand the rest of the handbook, the reader must be familiar with the following key terms and definitions as used in this handbook. In the handbook, the terms computers and computer systems are used to refer to the entire spectrum of information technology, including application and support systems. Other key terms include:
 Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
Integrity: In lay usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets: data integrity and system integrity. "Data integrity is a requirement that information and programs are changed only in a specified and authorized manner." System integrity is a requirement that a system "performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system." The definition of integrity has been, and continues to be, the subject of much debate among computer security experts.
 Availability: A "requirement intended to assure that systems work promptly and service is not denied to authorized users."
 Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.
 1.5 Legal Foundation for Federal Computer Security Programs
The executive principles discussed in the next chapter explain the need for computer security. In addition, within the federal government, a number of laws and regulations mandate that agencies protect their computers, the information they process, and related technology resources (e.g., telecommunications). The most important are listed below.
• The Computer Security Act of 1987 requires agencies to identify sensitive systems, conduct computer security training, and develop computer security plans.
• The Federal Information Resources Management Regulation (FIRMR) is the primary regulation for the use, management, and acquisition of computer resources in the federal government.
• OMB Circular A-130 (specifically Appendix III) requires that federal agencies establish security programs containing specified elements.
 Note that many more specific requirements, many of which are agency specific, also exist.
 Federal managers are responsible for familiarity and compliance with applicable legal requirements. However, laws and regulations do not normally provide detailed instructions for protecting computer-related assets. Instead, they specify requirements -- such as restricting the availability of personal data to authorized users. This handbook aids the reader in developing an effective, overall security approach and in selecting cost-effective controls to meet such requirements.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated