FYI - Sonic hit with class action suit over POS data breach - Two Sonic
Drive-In customers are taking legal action against Sonic for
allowing their payment card data to possibly have been compromised
when the fast-food chain's POS system was hacked and are demanding
the company pay for credit monitoring services for those affected.
https://www.scmagazine.com/sonic-hit-with-class-action-suit-over-pos-data-breach/article/696518/
Kaspersky US government ban - what are the reasons behind the
decision? - What is the basis for the ban on Kaspersky products
being used by US government authorities? Is it retaliation for
Russia's foreign software ban, fear of potential government
pressure, intelligence on actual threats - or prejudice?
https://www.scmagazine.com/kaspersky-us-government-ban--what-are-the-reasons-behind-the-decision/article/696313/
New Jersey email admin charged with accessing former company's
account - A New Jersey man was arrested for placing and using a
hidden sub-user account in his former company's email system,
allowing him to enter and remove emails without authorization.
https://www.scmagazine.com/new-jersey-email-admin-charged-with-accessing-former-companys-account/article/696626/
Equifax twice missed finding Apache Struts vulnerability allowing
breach to happen - Former Equifax CEO and Chairman Richard Smith sat
before a house committee today where he was taken to task for his
actions during the period when his company exposed the personal
information of 145.5 million people.
https://www.scmagazine.com/equifax-twice-missed-finding-apache-struts-vulnerability-allowing-breach-to-happen/article/697693/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Deloitte Breach Affected All Company Email, Admin Accounts -
Deloitte, one of the world’s “big four” accounting firms, has
acknowledged a breach of its internal email systems, British news
outlet The Guardian revealed today. Deloitte has sought to downplay
the incident, saying it impacted “very few” clients.
http://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/
Whole Foods Market, the American grocery giant recently purchased by
Amazon, announced on Thursday it’s investigating the unauthorized
access of payment card information via some of the company’s
point-of-sale systems.
https://www.cyberscoop.com/whole-foods-breach-point-of-sale-systems/
Point-of-sale data breach bad for Whole Foods' health - Amazon's new
acquisition, Whole Foods Market, disclosed on Thursday that it has
suffered a point-of-sale data breach that compromised the payment
card information of customers who used its taprooms and full
table-service restaurants.
https://www.scmagazine.com/point-of-sale-data-breach-bad-for-whole-foods-health/article/696792/
Yahoo says all 3 billion accounts compromised in breach - A 2013
breach of Yahoo!'s network affected all three billion of the
company's accounts, Verizon Communications, which acquired Yahoo
post-breach for $4.48 billion, said Tuesday.
https://www.scmagazine.com/yahoo-says-all-3-billion-accounts-compromised-in-breach/article/697818/
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 3 of 3)
Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes. Enhancements may include:
- Incorporating notification procedures to alert customers of
known e-mail and Internet-related fraudulent schemes and to caution
them against responding;
- Establishing a process to notify Internet service providers,
domain name-issuing companies, and law enforcement to shut down
fraudulent Web sites and other Internet resources that may be used
to facilitate phishing or other e-mail and Internet-related
fraudulent schemes;
- Increasing suspicious activity monitoring and employing
additional identity verification controls;
- Offering customers assistance when fraud is detected in
connection with customer accounts;
- Notifying the proper authorities when e-mail and
Internet-related fraudulent schemes are detected, including promptly
notifying their FDIC Regional Office and the appropriate law
enforcement agencies; and
- Filing a Suspicious Activity Report when incidents of e-mail
and Internet-related fraudulent schemes are suspected.
Steps Financial Institutions Can Take to Mitigate Risks
Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and
Internet-related fraudulent schemes, financial institutions should
implement appropriate information security controls as described in
the Federal Financial Institutions Examination Council's (FFIEC)
"Information Security Booklet." Specific actions that should be
considered to prevent and deter e-mail and Internet-related
fraudulent schemes include:
- Improving authentication methods and procedures to protect
against the risk of user ID and password theft from customers
through e-mail and other frauds;
- Reviewing and, if necessary, enhancing practices for protecting
confidential customer data;
- Maintaining current Web site certificates and describing how
customers can authenticate the financial institution's Web pages by
checking the properties on a secure Web page;
- Monitoring accounts individually or in aggregate for unusual
account activity such as address or phone number changes, a large or
high volume of transfers, and unusual customer service requests;
- Monitoring for fraudulent Web sites using variations of the
financial institution's name;
- Establishing a toll-free number for customers to verify
requests for confidential information or to report suspicious e-mail
messages; and
- Training customer service staff to refer customer concerns
regarding suspicious e-mail request activity to security staff.
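Two of the monitoring items above (unusual account activity after a contact-detail change, and Web sites that are variations of the institution's name) reduce to simple detection rules. The Python below is an added example written for this newsletter and is not part of the FDIC guidance; the brand label "examplebank", the thresholds (a 7-day window, more than 3 transfers or more than 5,000 moved), the confusable-character table, and every domain and account event are constructed for illustration.

```python
"""Added example, not part of the FDIC guidance or this newsletter.
(1) Flag observed domains that are variations of the institution's name.
(2) Flag accounts where a contact-detail change is followed by heavy transfers.
Brand name, thresholds and all sample data below are constructed assumptions."""

from dataclasses import dataclass
from datetime import datetime, timedelta

# ---- 1. Lookalike-domain monitoring ------------------------------------------
INSTITUTION_BRAND = "examplebank"  # assumed brand label, not a real institution

# A few visually confusable sequences; a production table would be far longer.
CONFUSABLES = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts/deletes/substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(label: str) -> str:
    """Collapse confusable sequences so 'examp1ebank' and 'exarnplebank' read as the brand."""
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label

def registrable_label(domain: str) -> str:
    """Second-level label: 'login.examplebank-secure.com' -> 'examplebank-secure'.
    Assumes a single-label public suffix (no 'co.uk' handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_lookalike(domain: str, brand: str = INSTITUTION_BRAND, max_distance: int = 2) -> bool:
    """True when the registrable label is a near-variant of the brand or embeds it."""
    label = registrable_label(domain)
    if label == brand:
        return False  # the institution's own domain
    norm = normalize(label)
    if brand in norm.replace("-", ""):  # 'examplebank-secure', 'secureexamplebank'
        return True
    return edit_distance(norm, brand) <= max_distance

def flag_lookalike_domains(domains, brand: str = INSTITUTION_BRAND) -> list:
    """Return the observed domains that look like variations of the brand."""
    return [d for d in domains if is_lookalike(d, brand)]

# ---- 2. Unusual account activity: contact change followed by transfers -------
@dataclass(frozen=True)
class AccountEvent:
    account: str
    ts: datetime
    kind: str            # "contact_change" (address/phone) or "transfer"
    amount: float = 0.0  # transfer amount; 0 for non-transfer events

def flag_unusual_accounts(events, window_days=7, max_transfers=3, max_total=5000.0) -> dict:
    """Map account -> reason where a contact-detail change is followed within
    window_days by more than max_transfers transfers or more than max_total moved."""
    by_account: dict = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        for change in (e for e in evs if e.kind == "contact_change"):
            deadline = change.ts + timedelta(days=window_days)
            later = [e for e in evs if e.kind == "transfer" and change.ts <= e.ts <= deadline]
            total = sum(e.amount for e in later)
            if len(later) > max_transfers:
                flagged[account] = f"{len(later)} transfers within {window_days}d of a contact change"
                break
            if total > max_total:
                flagged[account] = f"{total:.2f} moved within {window_days}d of a contact change"
                break
    return flagged

# ---- Constructed sample input (not real observations) ------------------------
OBSERVED_DOMAINS = [
    "examplebank.com",         # genuine domain: not flagged
    "examp1ebank.net",         # digit-for-letter substitution
    "examplebank-secure.com",  # brand plus an extra token
    "login.exarnplebank.com",  # 'rn' standing in for 'm'
    "exampelbank.com",         # transposed letters (distance 2)
    "bankofexample.com",       # unrelated: not flagged
]

T0 = datetime(2017, 10, 2, 9, 0)
SAMPLE_EVENTS = [
    AccountEvent("acct-1", T0, "contact_change"),                       # then 4 transfers
    AccountEvent("acct-1", T0 + timedelta(hours=2), "transfer", 900.0),
    AccountEvent("acct-1", T0 + timedelta(hours=5), "transfer", 950.0),
    AccountEvent("acct-1", T0 + timedelta(days=1), "transfer", 980.0),
    AccountEvent("acct-1", T0 + timedelta(days=2), "transfer", 990.0),
    AccountEvent("acct-2", T0, "contact_change"),                       # then 1 large transfer
    AccountEvent("acct-2", T0 + timedelta(days=3), "transfer", 7500.0),
    AccountEvent("acct-3", T0, "transfer", 1200.0),                     # no contact change
    AccountEvent("acct-3", T0 + timedelta(days=1), "transfer", 1200.0),
    AccountEvent("acct-4", T0, "contact_change"),                       # transfer outside window
    AccountEvent("acct-4", T0 + timedelta(days=10), "transfer", 6000.0),
]
```

On the sample input, `flag_lookalike_domains(OBSERVED_DOMAINS)` returns the four variant domains and `flag_unusual_accounts(SAMPLE_EVENTS)` flags acct-1 (count) and acct-2 (total). The thresholds and the edit-distance bound are tuning knobs: a distance of 2 against a short brand label produces false positives, and a real deployment would feed the domain check from certificate-transparency or passive-DNS data and use a public-suffix list rather than the second-label shortcut above.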
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - INDEPENDENT DIAGNOSTIC TESTS
(FYI - This is the type of independent diagnostic testing that we
perform. Please refer to http://www.internetbankingaudits.com/ for information.)
Penetration tests, audits, and assessments can use the same
set of tools in their methodologies. The nature of the tests,
however, is decidedly different. Additionally, the definitions of
penetration test and assessment, in particular, are not universally
held and have changed over time.
Penetration Tests. A penetration test subjects a system to
real-world attacks selected and conducted by the testing
personnel. The benefit of a penetration test is to identify the
extent to which a system can be compromised before the attack is
identified and to assess the response mechanism's effectiveness.
Penetration tests generally are not a comprehensive test of the
system's security and should be combined with other independent
diagnostic tests to validate the effectiveness of the security
process.
Audits. Auditing compares current practices against a set of
standards. Industry groups or institution management may create
those standards. Institution management is responsible for
demonstrating that the standards they adopt are appropriate for
their institution.
Assessments. An assessment is a study to locate security
vulnerabilities and identify corrective actions. An assessment
differs from an audit by not having a set of standards to test
against. It differs from a penetration test by providing the tester
with full access to the systems being tested. Assessments may be
focused on the security process or the information system. They may
also focus on different aspects of the information system, such as
one or more hosts or networks.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
12.5 Cost Considerations
There are a number of start-up costs and funding issues to consider
when planning an incident handling capability. Because the success
of an incident handling capability relies so heavily on users'
perceptions of its worth and whether they use it, it is very
important that the capability be able to meet users' requirements.
Two important funding issues are:
Personnel. An incident handling capability plan might call for at
least one manager and one or more technical staff members (or their
equivalent) to accomplish program objectives. Depending on the scope
of the effort, however, full-time staff members may not be required.
In some situations, some staff may be needed part-time or on an
on-call basis. Staff may be performing incident handling duties as
an adjunct responsibility to their normal assignments.
Education and Training. Incident handling staff will need to keep
current with computer system and security developments. Budget
allowances need to be made, therefore, for attending conferences,
security seminars, and other continuing-education events. If an
organization is located in more than one geographic area, funds
will probably be needed for travel to other sites for handling
incidents.