Is your web site ADA compliant?
Why much of the internet is closed off to blind people - As our everyday world moves increasingly online, the digital landscape presents new challenges for ensuring accessibility for the blind.
https://www.bbc.com/news/world-us-canada-49694453
Please remember we perform web site audits for financial institutions. For more information go to http://www.bankwebsiteaudits.com/.
FYI
Statement before the House Financial Services Committee by Esther George, President, Federal Reserve Bank of Kansas City, on behalf of the Federal Reserve System, before the Task Force on Financial Technology of the Committee on Financial Services, U.S. House of Representatives.
www.kansascityfed.org/~/media/files/publicat/speeches/2019/2019-george-washington-09-26.pdf
NIST defines zero trust architecture, releases use cases - The
National Institute of Standards and Technology wants feedback on its
definition of zero trust security architecture and potential
deployments - outlined in a draft special publication released
Monday.
https://www.fedscoop.com/nist-zero-trust-architecture-definition/
Health Industry Cybersecurity Matrix Launched - America's Healthcare
and Public Health Sector Coordinating Council (HSCC) has launched an
information-sharing resource aimed at improving the cybersecurity of
the healthcare sector.
https://www.infosecurity-magazine.com/news/health-industry-cybersecurity/
Union City, Calif., Works to Recover After Cyberattack - City
officials are working to address a computer virus that has
effectively shut city employees out of their computer systems since
early Saturday morning, and the effort to restore normalcy could
take several days.
https://www.govtech.com/security/Union-City-Calif-Works-to-Recover-After-Cyberattack.html
How Sparks, Nevada, is rethinking security after ransomware - The
ransomware epidemic isn’t going anywhere, and state, county and
local governments are all in the crosshairs. There have been roughly
100 reported ransomware attacks against public sector institutions
in the U.S. since the beginning of the year.
https://statescoop.com/how-sparks-nevada-is-rethinking-security-after-ransomware/
Attackers trojanize Windows Narrator tool to spy on Asian tech firms
- Threat actors have been targeting Southeast Asian tech companies
with an open-source backdoor that helps establish a foothold in
infected machines, and a weaponized text-to-speech application that
lets attackers gain SYSTEM-level access.
https://www.scmagazine.com/home/security-news/attackers-trojanize-windows-narrator-tool-to-spy-on-asian-tech-firms/
Ransomware: To pay or not to pay - The crudely written ransom notes
in movies 20-30 years ago may have been replaced by more modern,
digital missives – like a texted photo a la Liam Neeson’s “Taken” –
but the message remains the same: Pay up or else.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-to-pay-or-not-to-pay/
Are you prepared for a ransomware attack? - Literally countless life
or death situations were at stake. A large medical provider recently
was hit with a ransomware attack request for $3.5 million.
https://www.scmagazine.com/home/security-news/ransomware/are-you-prepared-for-a-ransomware-attack/
Baltimore Reportedly Had No Data Backup Process for Many Systems -
City lost key data in a ransomware attack earlier this year that's
already cost more than $18.2 million in recovery and related
expenses.
https://www.darkreading.com/attacks-breaches/baltimore-reportedly-had-no-data-backup-process-for-many-systems/d/d-id/1335953
Senate Passes Bill Aimed At Combating Ransomware Attacks - The U.S.
Senate has approved new legislation aimed at helping government
agencies and private-sector companies combat ransomware attacks. The
legislation comes as local governments and schools continue to be
hit by sophisticated – and in some cases coordinated – ransomware
attacks.
https://threatpost.com/senate-passes-bill-aimed-at-combating-ransomware-attacks/148779/
Dunkin’ Donuts Gets Hit with Lawsuit Over 2015 Attack - Dunkin’
Donuts is being sued for violating New York state data breach
notification laws. The lawsuit alleges that Dunkin’ parent company,
Dunkin’ Brands, failed to disclose a breach in 2015 that affected
nearly 20,000 customers who were part of the company’s DD Perks
loyalty program.
https://threatpost.com/dunkin-donuts-lawsuit/148750/
FDIC Sees Success in Securing DNS - The Federal Deposit Insurance
Corporation (FDIC) took quick action to secure Domain Name System
(DNS) services on its websites, meeting the deadlines set out in
Emergency Directive 19-01, according to an audit conducted by FDIC’s
inspector general and released September 24.
https://www.meritalk.com/articles/fdic-sees-success-in-securing-dns/
Cyberattack causes $95 million loss for Demant - The Danish hearing
aid manufacturer Demant has quickly piled up a $95 million bill
associated with a cyber incident that struck the company in early
September.
https://www.scmagazine.com/home/security-news/cyberattack-causes-95-million-loss-for-demant/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
Magecart card-skimming group targets L7 routers used by high-traffic locales - A prominent Magecart cybercriminal group appears to be testing card-skimming code capable of compromising commercial-grade layer 7 (L7) routers used by airports, casinos, hotels and resorts, researchers are reporting.
https://www.scmagazine.com/home/security-news/magecart-card-skimming-group-targets-l7-routers-used-by-high-traffic-locales/
DoorDash data breach hits 4.9 million customers, merchants and
drivers - Food delivery service DoorDash confirmed a data breach
affecting 4.9 million customers and merchants took place in May and
included general PII and partial payment card information.
https://www.scmagazine.com/home/security-news/data-breach/door-dash-data-breach-hits-4-9-million-customers-merchants-and-drivers/
Wyoming Hospital's Services Disrupted by Ransomware - Gillette,
Wyoming-based Campbell County Memorial Hospital continues to
experience service disruptions after a ransomware attack hit
Campbell County Health’s computer systems on Friday.
https://www.securityweek.com/wyoming-hospitals-services-disrupted-ransomware
'Carpet-bombing' DDoS attack takes down South African ISP for an
entire day - Carpet bombing - the DDoS technique that's just perfect
for attacking ISPs, cloud services, and data centers.
https://www.zdnet.com/article/carpet-bombing-ddos-attack-takes-down-south-african-isp-for-an-entire-day/
The word is out: Zynga was breached - A well-known hacker is taking
credit for a data breach at the mobile game maker Zynga, claiming he
gained access to 218 million user records.
https://www.scmagazine.com/home/security-news/the-word-is-out-zynga-was-breached/
Attacker breaches Comodo forums by exploiting vBulletin flaw - More
than 170,000 users of online forums operated by cybersecurity
company Comodo Group reportedly had their data stolen by a malicious
actor who exploited a recently disclosed vulnerability in
vBulletin’s internet forum software.
https://www.scmagazine.com/website-web-server-security/attacker-breaches-comodo-forums-by-exploiting-vbulletin-flaw/
Ransomware attack forces DCH Health Systems to turn away patients -
DCH Health Systems is turning away all but the most critical
patients from its three hospitals in response to its computer
network being rendered unusable by a ransomware attack.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-forces-dch-health-systems-to-turn-away-patients/
WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (3 of 12)
Elements of an Incident Response Program
Although the specific content of an IRP will differ among
financial institutions, each IRP should revolve around the minimum
procedural requirements prescribed by the Federal bank regulatory
agencies. Beyond this fundamental content, however, strong financial
institution management teams also incorporate industry best
practices to further refine and enhance their IRP. In general, the
overall comprehensiveness of an IRP should be commensurate with an
institution's administrative, technical, and organizational
complexity.
Minimum Requirements
The minimum required procedures addressed in the April 2005
interpretive guidance can be categorized into two broad areas:
"reaction" and "notification." In general, reaction procedures are
the initial actions taken once a compromise has been identified.
Notification procedures are relatively straightforward and involve
communicating the details or events of the incident to interested
parties; however, they may also involve some reporting
requirements. The minimum required procedures of an IRP, as discussed in
the April 2005 interpretive guidance, are listed below.
Develop reaction procedures for:
1) assessing security incidents that have occurred;
2) identifying the customer information and information systems
that have been accessed or misused; and
3) containing and controlling the security incident.
Establish notification procedures for:
1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious
Activity Reports [SARs], if necessary); and
3) affected customers.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE
Financial institution system development, acquisition, and
maintenance functions should incorporate agreed upon security
controls into software prior to development and implementation.
Management should integrate consideration of security controls into
each phase of the system development process. For the purposes of
this section, system development could include the internal
development of customized systems, the creation of database systems,
or the acquisition of third-party developed software. System
development could include long-term projects related to large
mainframe-based software projects with legacy source code or rapid
Web-based software projects using fourth-generation programming. In
all cases, institutions need to prioritize security controls
appropriately.
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Requirements
Financial institutions should develop security control
requirements for new systems, system revisions, or new system
acquisitions. Management will define the security control
requirements based on their risk assessment process evaluating the
value of the information at risk and the potential impact of
unauthorized access or damage. Based on the risks posed by the
system, management may use a defined methodology for determining
security requirements, such as ISO 15408, the Common Criteria.
Management may also refer to published, widely recognized industry
standards as a baseline for establishing their security
requirements. A member of senior management should document
acceptance of the security requirements for each new system or
system acquisition, acceptance of tests against the requirements,
and approval for implementing in a production environment.
Development projects should consider automated controls for
incorporation into the application and the need to determine
supporting manual controls. Financial institutions can implement
appropriate security controls with greater cost effectiveness by
designing them into the original software rather than making
subsequent changes after implementation. When evaluating purchased
software, financial institutions should consider the availability of
products that have either been independently evaluated or received
security accreditation through financial institution or information
technology-related industry groups.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)
20.6.4 Mitigating Threats of Information Disclosure/Brokering
HGA concurred with the risk assessment's conclusions about its exposure to information-brokering risks, and adopted most of the associated recommendations.
The assessment recommended that HGA improve its security awareness training (e.g., via mandatory refresher courses) and that it institute some form of compliance audits. The training should be sure to stress the penalties for noncompliance. It also suggested installing "screen lock" software on PCs that automatically locks a PC after a specified period of idle time in which no keystrokes have been entered; unlocking the screen requires that the user enter a password or reboot the system.
The assessment recommended that HGA modify its information-handling policies so that employees would be required to store some kinds of disclosure-sensitive information only on PC local hard disks (or floppies), but not on the server. This would eliminate or reduce risks of LAN eavesdropping. It was also recommended that an activity log be installed on the server (and regularly reviewed). Moreover, it would avoid unnecessary reliance on the server's access-control features, which are of uncertain assurance. The assessment noted, however, that this strategy conflicts with the desire to store most information on the server's disks so that it is backed up routinely by COG personnel. (This could be offset by assigning responsibility for someone other than the PC owner to make backup copies.) Since the security habits of HGA's PC users have generally been poor, the assessment also recommended use of hard-disk encryption utilities to protect disclosure-sensitive information on unattended PCs from browsing by unauthorized individuals. Also, ways to encrypt information on the server's disks would be studied.
The assessment recommended that HGA conduct a thorough review of the mainframe's safeguards in these respects, and that it regularly review the mainframe audit log, using a query package, with particular attention to records that describe user accesses to HGA's employee master database.