FYI - Obsession with regulatory compliance doesn't guarantee good cybersecurity - Companies should spend less time worrying about meeting the minimal requirements for cybersecurity regulation compliance, and instead concentrate on how to protect their most sensitive data and operations. http://www.scmagazine.com/panel-obsession-with-regulatory-compliance-doesnt-guarantee-good-cybersecurity/article/568867/

FYI - OCC’s “Audit Firm Rotation” letter dated October 12, 2016 states "There is no OCC guidance or directive to examiners that would require or promote the termination of a third-party relationship due to the length of the relationship."  You can find the complete letter at http://www.yennik.com/occ_10-12-16_rotation_letter.pdf.

FYI - Is your web site compliant with the American Disability Act?  For the past 20 years, our web site audits have included the guidelines of the ADA.  Help reduce any liability, please contact me for more information at examiner@yennik.com.

Millennials changing the face of cybersecurity - It's official - there are now more millennials than baby boomers and their influence on information security is starting to have its impact, according to a recent report. http://www.scmagazine.com/millennials-changing-the-face-of-cybersecurity/article/568679/

FCC requires ISPs to get customer opt-in before sharing data - The American Civil Liberties Union (ACLU) Thursday claimed a victory for privacy after the Federal Communications Commission (FCC) voted to require internet service providers to obtain opt-in permission from customers to use or share their personal data. http://www.scmagazine.com/fcc-requires-isps-to-get-customer-opt-in-before-sharing-data/article/568842/

Cyber Command’s teams reach initial operating capability; Clapper says it’s time to separate them from NSA - The time has come to split U.S. Cyber Command from the National Security Agency and assign separate leaders to each organization, the nation’s top intelligence official said Tuesday. http://federalnewsradio.com/defense/2016/10/cyber-commands-teams-reach-initial-operating-capability-clapper-says-time-separate-nsa/

OMB floats new rules of the road for IT modernization - The Obama White House is offering new guidelines on how agencies should go about modernizing legacy IT systems. https://fcw.com/articles/2016/10/27/modernization-policy-draft.aspx

New approaches needed to combat next-gen threats - Conventional approaches have not been successful in mitigating the security risks facing enterprises, speakers told an audience Thursday evening at the Rethink Cyber NYC event. http://www.scmagazine.com/new-approaches-needed-to-combat-next-gen-threats/article/569159/

75% of healthcare industry hit with malware, report - The healthcare vertical is at particular risk from ransomware. This is just one of the findings of the "2016 Healthcare Industry Cybersecurity Report," a just released survey from SecurityScorecard, a security rating and continuous risk monitoring platform. http://www.scmagazine.com/75-of-healthcare-industry-hit-with-malware-report/article/569332/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Student discovers security flaw in Virgin Media recruitment system - A student has discovered a security vulnerability in the software which Virgin Media uses for recruitment and job applications. http://www.scmagazine.com/student-discovers-security-flaw-in-virgin-media-recruitment-system/article/569320/

Appointments on hold as (computer) virus wreaks havoc with NHS trust systems - Major medical issues diverted to neighbouring hospitals - An NHS trust shut down all of its IT systems today and has all but ground to a halt in general after a virus compromised them on Sunday. http://www.theregister.co.uk/2016/10/31/virus_shuts_down_nhs_trust/

Lost thumb drives bedevil U.S. banking agency - The drives contained privacy information and their loss is "a major information security incident" - A U.S. banking regulator says an employee downloaded a large amount of data from its computer system a week before he retired and is now unable to locate the thumb drives he stored it on. http://computerworld.com/article/3136746/security/lost-thumb-drives-bedevil-us-banking-agency.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
 
 Risk management challenges
 
 The Electronic Banking Group (EBG) noted that the fundamental characteristics of e-banking (and e-commerce more generally) posed a number of risk management challenges:
 
 1.   The speed of change relating to technological and customer service innovation in e-banking is unprecedented. Historically, new banking applications were implemented over relatively long periods of time and only after in-depth testing. Today, however, banks are experiencing competitive pressure to roll out new business applications in very compressed time frames - often only a few months from concept to production. This competition intensifies the management challenge to ensure that adequate strategic assessment, risk analysis and security reviews are conducted prior to implementing new e-banking applications.
 
 2.   Transactional e-banking web sites and associated retail and wholesale business applications are typically integrated as much as possible with legacy computer systems to allow more straight-through processing of electronic transactions. Such straight-through automated processing reduces opportunities for human error and fraud inherent in manual processes, but it also increases dependence on sound systems design and architecture as well as system interoperability and operational scalability.
 
 3.  E-banking increases banks' dependence on information technology, thereby increasing the technical complexity of many operational and security issues and furthering a trend towards more partnerships, alliances and outsourcing arrangements with third parties, many of whom are unregulated. This development has been leading to the creation of new business models involving banks and non-bank entities, such as Internet service providers, telecommunication companies and other technology firms.
 
 4)  The Internet is ubiquitous and global by nature. It is an open network accessible from anywhere in the world by unknown parties, with routing of messages through unknown locations and via fast evolving wireless devices. Therefore, it significantly magnifies the importance of security controls, customer authentication techniques, data protection, audit trail procedures, and customer privacy standards.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
 
 Firewall Policy (Part 2 of 3)
 
 Firewalls are an essential control for a financial institution with an Internet connection and provide a means of protection against a variety of attacks. Firewalls should not be relied upon, however, to provide full protection from attacks. Institutions should complement firewalls with strong security policies and a range of other controls. In fact, firewalls are potentially vulnerable to attacks including:
 
 ! Spoofing trusted IP addresses;
 ! Denial of service by overloading the firewall with excessive requests or malformed packets;
 ! Sniffing of data that is being transmitted outside the network;
 ! Hostile code embedded in legitimate HTTP, SMTP, or other traffic that meet all firewall rules;
 ! Attacks on unpatched vulnerabilities in the firewall hardware or software;
 ! Attacks through flaws in the firewall design providing relatively easy access to data or services residing on firewall or proxy servers; and
 ! Attacks against machines and communications used for remote administration.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
 
 8.4.4.3 Managing Change
 
 Computer systems and the environments in which they operate change continually. In response to various events such as user complaints, availability of new features and services, or the discovery of new threats and vulnerabilities, system managers and users modify the system and incorporate new features, new procedures, and software updates.
 
 The environment in which the system operates also changes. Networking and interconnections tend to increase. A new user group may be added, possibly external groups or anonymous groups. New threats may emerge, such as increases in network intrusions or the spread of personal computer viruses. If the system has a configuration control board or other structure to manage technical system changes, a security specialist can be assigned to the board to make determinations about whether (and if so, how) changes will affect security.
 
 Security should also be considered during system upgrades (and other planned changes) and in determining the impact of unplanned changes. When a change occurs or is planned, a determination is made whether the change is major or minor. A major change, such as reengineering the structure of the system, significantly affects the system. Major changes often involve the purchase of new hardware, software, or services or the development of new software modules.
 
 An organization does not need to have a specific cutoff for major-minor change decisions. A sliding scale between the two can be implemented by using a combination of the following methods:
 
 !  Major change. A major change requires analysis to determine security requirements. The process described above can be used, although the analysis may focus only on the area(s) in which the change has occurred or will occur. If the original analysis and system changes have been documented throughout the life cycle, the analysis will normally be much easier. Since these changes result in significant system acquisitions, development work, or changes in policy, the system should be reaccredited to ensure that the residual risk is still acceptable.
 
 !  Minor change. Many of the changes made to a system do not require the extensive analysis performed for major changes, but do require some analysis. Each change can involve a limited risk assessment that weighs the pros (benefits) and cons (costs) and that can even be performed on-the-fly at meetings. Even if the analysis is conducted informally, decisions should still be appropriately documented. This process recognizes that even "small" decisions should be risk-based.
 
 Security change management helps develop new security requirements.
 
 8.4.4.4 Periodic Reaccreditation
 
 Periodically, it is useful to formally reexamine the security of a system from a wider perspective. The analysis, which leads to reaccredidation, should address such questions as: Is the security still sufficient? Are major changes needed?
 
 The reaccredidation should address high-level security and management concerns as well as the implementation of the security. It is not always necessary to perform a new risk assessment or certification in conjunction with the re-accreditation, but the activities support each other (and both need be performed periodically). The more extensive system changes have been, the more extensive the analyses should be (e.g., a risk assessment or re-certification). A risk assessment is likely to uncover security concerns that result in system changes. After the system has been changed, it may need testing (including certification). Management then reaccredits the system for continued operation if the risk is acceptable.
 
 It is important to consider legal requirements for records retention when disposing of computer systems. For federal systems, system management officials should consult with their agency office responsible for retaining and archiving federal records.