FYI
-
OCC’s “Audit Firm Rotation” letter dated October
12, 2016 states "There is no OCC guidance or directive to examiners
that would require or promote the termination of a third-party
relationship due to the length of the relationship."
You can find the complete letter at
http://www.yennik.com/occ_10-12-16_rotation_letter.pdf.
FYI
- Is your web site compliant with the Americans with Disabilities Act (ADA)?
For the past 20 years, our web site audits have included the
guidelines of the ADA. Help reduce any liability, please
contact me for more information at
examiner@yennik.com.
U.S. bank regulators propose enhanced cybersecurity risk management
plan - Three U.S. financial regulatory agencies on Wednesday
submitted their first draft of a joint proposal to impose enhanced
cybersecurity risk management standards on major banking
institutions and their suppliers.
http://www.scmagazine.com/us-bank-regulators-propose-enhanced-cybersecurity-risk-management-plan/article/567221/
What Skilled Cybersecurity Pros Want - For seasoned cybersecurity
professionals, motivation for sticking with their current jobs
doesn't mean big management promotions or higher salaries, a new
Center for Strategic and International Studies (CSIS) report finds.
http://www.darkreading.com/vulnerabilities---threats/kevin-durant-effect--what-skilled-cybersecurity-pros-want-/d/d-id/1327215
Healthcare data breaches increase, but fewer records compromised -
The healthcare industry saw 37 data breaches take place in September
with about 250,000 patient records being compromised, but this was a
major decrease from the 8.8 million records breached in August.
http://www.scmagazine.com/healthcare-data-breaches-increase-but-fewer-records-compromised/article/567208/
Local authorities say data breaches are 'accidents waiting to
happen' - Local authorities hold sensitive and private information
about all of us that we wouldn't want getting into the hands of the
wrong people.
http://www.scmagazine.com/local-authorities-say-data-breaches-are-accidents-waiting-to-happen/article/567029/
Only 39% of companies have a formal BYOD policy - More and more
workers today are bringing their personal devices such as laptops,
mobile phones and tablets to the office to use for work. While this
practice leads to greater productivity, it can pose a security risk.
http://www.scmagazine.com/only-39-of-companies-have-a-formal-byod-policy/article/567665/
Interior CDM effort 'immature,' says watchdog report - More than a
year after it projected having Continuous Diagnostics and Mitigation
Phase 1 protections in place, the Interior Department still has work
to do on its cybersecurity efforts, according to a partially
redacted report released by the agency's inspector general on Oct.
17.
https://fcw.com/articles/2016/10/19/cdm-interior-immature.aspx
Mobile hacking firm Cellebrite's firmware made available to public
by reseller - Israeli mobile forensics firm Cellebrite, which works
closely with law enforcement, security and military agencies to
bypass security measures on locked phones, could have some of their
methods exposed after a reseller partner reportedly made the
company's firmware and software publicly available to download.
http://www.scmagazine.com/report-mobile-hacking-firm-cellebrites-firmware-made-available-to-public-by-reseller/article/568356/
72% of UK internet users prefer to use mobile data over public Wi-Fi
- Security fears and complicated sign-up forms are hindering
internet users in the UK from using public Wi-Fi.
http://www.scmagazine.com/72-of-uk-internet-users-prefer-to-use-mobile-data-over-public-wi-fi/article/568328/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- 3.2M payment cards affected in massive Indian POS breach - One of
the biggest breaches in India has compromised as many as 3.2 million
payment cards as banks scramble to replace cards and request users
to change security codes.
http://www.scmagazine.com/millions-affected-in-one-of-biggest-financial-breaches-to-hit-india/article/567203/
Prosecutors say contractor stole 50TB of NSA data - The government
is preparing to charge the suspect under the Espionage Act. An NSA
contractor siphoned off dozens of hard drives' worth of data from
government computers over two decades, prosecutors will allege on
Friday.
http://www.zdnet.com/article/contractor-allegedly-steals-50-terabytes-of-nsa-data/
St. Jude Faces New Safety Charges From Muddy Waters Capital - St.
Jude Medical Inc. is facing new allegations from short-seller Muddy
Waters LLC that its pacemakers and defibrillators, life-saving
devices used by thousands of people worldwide, can be easily hacked
and turned against the patients relying on them.
http://www.bloomberg.com/news/articles/2016-10-19/st-jude-faces-new-safety-charges-from-muddy-waters-capital
Mirai botnets linked to massive DDoS attacks on Dyn DNS, Flashpoint
says - Mirai botnets like the ones recently used in distributed
denial of service (DDoS) attacks on a French internet service
provider and a well-known security researcher were at least partly
responsible for the waves of DDoS attacks against Dyn DNS that took
down Twitter, Spotify, Netflix, GitHub, Amazon and Reddit and other
websites Friday.
http://www.scmagazine.com/mirai-botnets-linked-to-massive-ddos-attacks-on-dyn-dns-flashpoint-says/article/567607/
DDoS attack Friday hits Twitter, Reddit, Spotify and others - The
East Coast was under siege on Friday morning from a large-scale
distributed denial of service (DDoS) attack that brought down more
than a dozen prominent websites, including Twitter, Spotify,
Netflix, GitHub, Amazon and Reddit. The initial attack was followed
later in the day by at least two more waves of attack.
http://www.scmagazine.com/ddos-attack-friday-hits-twitter-reddit-spotify-and-others/article/567482/
Hacker 'drags and drops' 43.4 million Weebly user accounts in mega
breach - Web hosting service Weebly has confirmed a major data
breach, following a LeakedSource.com report stating that 43.4
million accounts were stolen from the company's main database in
February 2016. This number would effectively comprise Weebly's
entire 40 million-plus customer base.
http://www.scmagazine.com/hacker-drags-and-drops-434-million-weebly-user-accounts-in-mega-breach/article/567527/
U.S. vigilante hacker takes over Russian Foreign Ministry site - A
self-described patriotic American vigilante hacker named Jester
reportedly took over the Russian Ministry of Foreign Affairs website
on Friday in retaliation for alleged Russian cyberattacks on the
United States.
http://www.scmagazine.com/us-vigilante-hacker-takes-over-russian-foreign-ministry-site/article/567664/
Hacked Cameras, DVRs Powered Today’s Massive Internet Outage - A
massive and sustained Internet attack that has caused outages and
network congestion today for a large number of Web sites was
launched with the help of hacked “Internet of Things” (IoT) devices,
such as CCTV video cameras and digital video recorders, new data
suggests.
http://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
https://www.cnet.com/how-to/ddos-iot-connected-devices-easily-hacked-internet-outage-webcam-dvr/
Silver Creek Fitness & Physical Therapy patient info compromised -
Silver Creek Fitness & Physical Therapy of California suffered a
data breach through a third-party contractor that exposed their
clients' personally identifiable information, including Social
Security and Medicare numbers.
http://www.scmagazine.com/silver-creek-fitness-physical-therapy-patient-info-compromised/article/568003/
Unencrypted pager messaging exposes critical infrastructure data -
Workers at industrial complexes, some operating critical
infrastructure, are endangering confidential data, and perhaps the
public's physical safety, by using unencrypted pager messaging on
the job.
http://www.scmagazine.com/unencrypted-pager-messaging-exposes-critical-infrastructure-data/article/568527/
Baystate Health hit with phishing attack, patient records vulnerable
- Baystate Health, of Springfield, Mass., reported that several
employees last week responded to a phishing email compromising
patient information.
http://www.scmagazine.com/baystate-health-hit-with-phishing-attack-patient-records-vulnerable/article/568347/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Banking
Supervision.
Introduction
Banking organizations have been delivering electronic services to
consumers and businesses remotely for years. Electronic funds
transfer, including small payments and corporate cash management
systems, as well as publicly accessible automated machines for
currency withdrawal and retail account management, are global
fixtures. However, the increased world-wide acceptance of the
Internet as a delivery channel for banking products and services
provides new business opportunities for banks as well as service
benefits for their customers.
Continuing technological innovation and competition among existing
banking organizations and new market entrants have allowed for a much
wider array of electronic banking products and services for retail
and wholesale banking customers. These include traditional
activities such as accessing financial information, obtaining loans
and opening deposit accounts, as well as relatively new products and
services such as electronic bill payment services, personalized
financial "portals," account aggregation and business-to-business
market places and exchanges.
Notwithstanding the significant benefits of technological
innovation, the rapid development of e-banking capabilities carries
risks as well as benefits and it is important that these risks are
recognized and managed by banking institutions in a prudent manner.
These developments led the Basel Committee on Banking Supervision to
conduct a preliminary study of the risk management implications of
e-banking and e-money in 1998. This early study demonstrated a clear
need for more work in the area of e-banking risk management and that
mission was entrusted to a working group comprised of bank
supervisors and central banks, the Electronic Banking Group (EBG),
which was formed in November 1999.
The Basel Committee released the EBG's Report on risk management
and supervisory issues arising from e-banking developments in
October 2000. This Report inventoried and assessed the major risks
associated with e-banking, namely strategic risk, reputational risk,
operational risk (including security and legal risks), and credit,
market, and liquidity risks. The EBG concluded that e-banking
activities did not raise risks that were not already identified by
the previous work of the Basel Committee. However, it noted that
e-banking increases and modifies some of these traditional risks,
thereby influencing the overall risk profile of banking. In
particular, strategic risk, operational risk, and reputational risk
are certainly heightened by the rapid introduction and underlying
technological complexity of e-banking activities.
FFIEC IT SECURITY
-
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Firewall Policy (Part 1 of 3)
A firewall policy states management's expectations for how the
firewall should function and is a component of the overall security
policy. It should establish rules for traffic coming into and going
out of the security domain and how the firewall will be managed and
updated. Therefore, it is a type of security policy for the
firewall, and forms the basis for the firewall rules. The firewall
selection and the firewall policy should stem from the ongoing
security risk assessment process. Accordingly, management needs to
update the firewall policy as the institution's security needs and
the risks change. At a minimum, the policy should address:
! Firewall topology and architecture,
! Type of firewall(s) being utilized,
! Physical placement of the firewall components,
! Monitoring firewall traffic,
! Permissible traffic (generally based on the premise that all
traffic not expressly allowed is denied, detailing which
applications can traverse the firewall and under what exact
circumstances such activities can take place),
! Firewall updating,
! Coordination with intrusion detection and response mechanisms,
! Responsibility for monitoring and enforcing the firewall policy,
! Protocols and applications permitted,
! Regular auditing of a firewall's configuration and testing of the
firewall's effectiveness, and
! Contingency planning.
Financial institutions should also appropriately train and manage
their staffs to ensure the firewall policy is implemented properly.
Alternatively, institutions can outsource the firewall management,
while ensuring that the outsourcer complies with the institution's
specific firewall policy.
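The two policy items that examiners can actually test against a running firewall are the default-deny premise and the regular audit of the configuration. The following script is an added example, not part of the FFIEC booklet or of this newsletter: it parses an iptables-save style dump (the sample dump below is constructed for illustration, not taken from any institution) and reports every built-in filter chain whose default policy is not DROP and every ACCEPT rule that names no restricting match, which is exactly the "all traffic not expressly allowed is denied" check. The chain and option names are those of iptables; the set of options treated as "restricting" is an assumption of this example and should be extended to match the institution's own policy.

```python
"""Audit an iptables-save dump against a default-deny firewall policy.

Added example for this newsletter, not code from the FFIEC booklet.
Checks two things the policy text calls for:
  1. each built-in filter chain (INPUT, FORWARD, OUTPUT) has policy DROP;
  2. every ACCEPT rule expressly names the traffic it admits.
"""
import re

# Constructed sample dump (not captured from any real system).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j DROP
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[")
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*?)\s*-j\s+(\S+)")

# Options that narrow a rule to specific traffic (assumed list for this
# example; a protocol alone, e.g. "-p tcp", is deliberately NOT enough).
RESTRICTING = {"-i", "-o", "--in-interface", "--out-interface",
               "--dport", "--sport", "--ctstate", "--state"}
ANY_ADDR = {"0.0.0.0/0", "0/0", "::/0"}


def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table only.

    policies: {chain: policy}; rules: list of (chain, match_text, target).
    """
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT":
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2).strip(), m.group(3)))
    return policies, rules


def is_unrestricted(match_text):
    """True when the match expression admits all traffic: no restricting
    option and no source/destination other than the any-address."""
    tokens = match_text.split()
    for i, tok in enumerate(tokens):
        if tok in RESTRICTING:
            return False
        if tok in ("-s", "-d", "--source", "--destination"):
            if i + 1 < len(tokens) and tokens[i + 1] not in ANY_ADDR:
                return False
    return True


def audit(dump):
    """Return a list of human-readable findings; empty means compliant."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        pol = policies.get(chain) or "missing"
        if pol != "DROP":
            findings.append(f"{chain}: default policy is {pol}, expected DROP")
    for chain, match_text, target in rules:
        if target == "ACCEPT" and is_unrestricted(match_text):
            rule = " ".join(filter(None, ["-A", chain, match_text, "-j", target]))
            findings.append(f"{chain}: unrestricted ACCEPT rule '{rule}'")
    return findings


if __name__ == "__main__":
    # Run against a live host with:  sudo iptables-save | python3 audit.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for finding in audit(text) or ["no findings: default-deny policy holds"]:
        print(finding)
```

The script deliberately ignores rule order, so an unrestricted ACCEPT that sits below specific DROP rules is still reported; under a default-deny policy such a rule should not exist at all, and the reviewer, not the script, decides whether a reported rule is a documented exception. Run it from a scheduled job and diff its output against the previous run to satisfy the "regular auditing" item, and pair it with an external port scan to cover "testing of the firewall's effectiveness".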
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
CYCLE
8.4.4 Operation and
Maintenance
Many security activities take place during the operational phase of
a system's life. In general these fall into three areas: (1)
security operations and administration; (2) operational assurance;
and (3) periodic re-analysis of the security.
8.4.4.1 Security Operations and Administration
Operation of a system involves many security activities discussed
throughout this handbook. Performing backups, holding training
classes, managing cryptographic keys, keeping up with user
administration and access privileges, and updating security software
are some examples.
8.4.4.2 Operational Assurance
Security is never perfect when a system is implemented. In
addition, system users and operators discover new ways to
intentionally or unintentionally bypass or subvert security. Changes
in the system or the environment can create new vulnerabilities.
Strict adherence to procedures is rare over time, and procedures
become outdated. Thinking risk is minimal, users may tend to bypass
security measures and procedures.
During the operational phase of a system life cycle, major and
minor changes will occur. Operational assurance is one way of
becoming aware of these changes whether they are new vulnerabilities
(or old vulnerabilities that have not been corrected), system
changes, or environmental changes. Operational assurance is the
process of reviewing an operational system to see that security
controls, both automated and manual, are functioning correctly and
effectively.
To maintain operational assurance, organizations use two basic
methods: system audits and monitoring. These terms are used loosely
within the computer security community and often overlap. A system
audit is a one-time or periodic event to evaluate security.
Monitoring refers to an ongoing activity that examines either the
system or the users. In general, the more "real-time" an activity
is, the more it falls into the category of monitoring.
Operational assurance examines whether a system is operated
according to its current security requirements. This includes both
the actions of people who operate or use the system and the
functioning of technical controls.