FYI - ADA - Plaintiffs’ Law Firm Again Targeting Community Banks - A
Pittsburgh law firm has recently trained its sights again on
community banks in the area of ADA web site compliance. See Hunton &
Williams client alert at
http://www.yennik.com/ADA_law-firm-targeting-community-banks.pdf
FYI - Is your web site compliant with the American Disability Act?
For the past 20 years, our web site audits have included the
guidelines of the ADA. Help reduce any liability, please
contact me for more information at
examiner@yennik.com.
Tesco Bank: 20,000 customers lose money - Tesco Bank has halted
online payments for current account customers after money was taken
from 20,000 accounts.
http://www.bbc.com/news/business-37891742
Tesco Bank resumes service, lost £2.5 million, 9000 customers
affected - The banking arm of supermarket chain Tesco has now
resumed normal service after shutting down the service for several
days to protect itself from further losses.
https://www.scmagazine.com/tesco-bank-resumes-service-lost-25-million-9000-customers-affected/article/571742/
NIST releases email security draft guidelines - The U.S. National
Cybersecurity Center of Excellence (NCCoE) and the National
Institute of Standards and Technology (NIST) released a draft guide
that examines methods of making email more secure.
https://www.scmagazine.com/nist-releases-email-security-draft-guidelines/article/570757/
Monitoring What Leaves Your Network is Just as Important as
Monitoring What Comes In - YouTube is filled with videos of
criminals who manage to break into a bank or jewelry store, but then
find themselves locked inside; when it comes to cyber intruders,
sometimes stopping one from escaping your system can be just as
beneficial as stopping him at the gate.
https://www.scmagazine.com/monitoring-what-leaves-your-network-is-just-as-important-as-monitoring-what-comes-in/article/568825/
The average company experiences two to three cyber-attacks per month
- Most security executives have confidence in protecting their
businesses from cyber-attacks despite experiencing about two to
three effective attacks per month at the average company.
https://www.scmagazine.com/the-average-company-experiences-two-to-three-cyber-attacks-per-month/article/570434/
Drone-hacking cybersecurity boot camp launched in UK - Budding
cyberspies will learn how to hack into drones and crack codes at a
new cybersecurity boot camp backed by the government.
http://www.bbc.com/news/technology-37848549
China passes controversial law to counter cyberterror - China today
passed a controversial cybersecurity law that the nation says will
counter growing threats such as hacking and terrorism.
https://www.scmagazine.com/cybersecurity-pros-split-on-recent-chinese-cybersecurity-law/article/571283/
Britain Invests Billions in Cybersecurity in Face of Russian Threat
- Britain says it will spend more than $2 billion on cybersecurity
and recruit 1,000 more intelligence officers as the country’s
intelligence services warn of increasingly aggressive espionage
tactics by Moscow, a charge the Kremlin denies.
http://www.voanews.com/a/britain-spends-billions-on-cybersecurity-russian-threat/3580433.html
What's the fundamental problem with cybersecurity? Relying on the
Internet - A former senior counsel at the National Security Agency
discusses the history of cybersecurity, the problems in healthcare,
and where organizations can look for help.
http://www.healthcareitnews.com/news/whats-fundamental-problem-cybersecurity-relying-internet
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Phoenix man arrested for hacking university emails - Man arrested
by the Federal Bureau of Investigation and charged with one count of
fraud in connection with computers, which carries a maximum sentence
of five years in prison, for attempting to access about 2,000 email
accounts maintained by two New York City-area universities.
https://www.scmagazine.com/cybercrime-blotter-phoenix-man-arrested-for-hacking-university-emails/article/570787/
Laptop stolen from home of Welk Resorts employee, breach letters go
out - A notice of a possible data breach was sent on Nov. 4 to
employees of Welk Resorts, which operates five vacation ownership
properties in California, Missouri and Baja, Mexico.
https://www.scmagazine.com/laptop-stolen-from-home-of-welk-resorts-employee-breach-letters-go-out/article/571096/
Tesco Bank freezes debit transactions after unauthorized withdrawals
from 20K accounts - U.K.-based Tesco Bank is temporarily preventing
customers from conducting online debit transactions after
discovering suspicious financial activity on 40,000 financial
accounts over the weekend.
https://www.scmagazine.com/tesco-bank-freezes-debit-transactions-after-unauthorized-withdrawals-from-20k-accounts/article/571295/
Breaches of Madison County? Indiana officials stymied by ransomware
- Public officials in Madison County, Indiana are reportedly unable
to access the county server following a ransomware attack that
targeted their files and demanded payment for their safe return.
https://www.scmagazine.com/breaches-of-madison-county-indiana-officials-stymied-by-ransomware/article/571116/
30K affected in Texas Hospital breach - Denton, Texas-based
Integrity Transitional Hospital, a facility that receives laboratory
specimens from companies that work with various healthcare
providers, and then submits these specimens to laboratories for
testing, announced a breach that may have compromised patient data.
https://www.scmagazine.com/30k-affected-in-texas-hospital-breach/article/571585/
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Risk management principles (Part 1 of 2)
Based on the early work of the Electronic Banking Group (EBG),
the Committee concluded that, while traditional banking risk
management principles are applicable to e-banking activities, the
complex characteristics of the Internet delivery channel dictate
that the application of these principles must be tailored to fit
many online banking activities and their attendant risk management
challenges. To this end, the Committee believes that it is incumbent
upon the Boards of Directors and banks' senior management to take
steps to ensure that their institutions have reviewed and modified
where necessary their existing risk management policies and
processes to cover their current or planned e-banking activities.
Further, as the Committee believes that banks should adopt an
integrated risk management approach for all banking activities, it
is critical that the risk management oversight afforded e-banking
activities becomes an integral part of the banking institution's
overall risk management framework.
To facilitate these developments, the Committee asked the EBG to
identify the key risk management principles that would help banking
institutions expand their existing risk oversight policies and
processes to cover their e-banking activities and, in turn, promote
the safe and sound electronic delivery of banking products and
services.
These Risk Management Principles for Electronic Banking, which are
identified in this Report, are not put forth as absolute
requirements or even "best practice" but rather as guidance to
promote safe and sound e-banking activities. The Committee believes
that setting detailed risk management requirements in the area of
e-banking might be counter-productive, if only because these would
be likely to become rapidly outdated by the speed of change related
to technological and product innovation. Therefore the principles
included in the present Report express supervisory expectations
related to the overall objective of banking supervision to ensure
safety and soundness in the financial system rather than stringent
regulations.
The Committee is of the view that such supervisory expectations
should be tailored and adapted to the e-banking distribution channel
but not be fundamentally different to those applied to banking
activities delivered through other distribution channels.
Consequently, the principles presented below are largely derived and
adapted from supervisory principles that have already been expressed
by the Committee or national supervisors over a number of years. In
some areas, such as the management of outsourcing relationships,
security controls and legal and reputational risk management, the
characteristics and implications of the Internet distribution
channel introduce a need for more detailed principles than those
expressed to date.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Policy (Part 3 of 3)
Financial institutions can reduce their vulnerability to these
attacks somewhat through network configuration and design, sound
implementation of their firewall architecture that includes multiple
filter points, active firewall monitoring and management, and
integrated intrusion detection. In most cases, additional access
controls within the operating system or application will provide an
additional means of defense.
Given the importance of firewalls as a means of access control,
good practices include:
- Hardening the firewall by removing all unnecessary services and
appropriately patching, enhancing, and maintaining all software on
the firewall unit;
- Restricting network mapping capabilities through the firewall,
primarily by blocking inbound ICMP traffic;
- Using a ruleset that disallows all traffic that is not
specifically allowed;
- Using NAT and split DNS (domain name service) to hide internal
system names and addresses from external networks (split DNS uses
two domain name servers, one to communicate outside the network, and
the other to offer services inside the network);
- Using proxy connections for outbound HTTP connections;
- Filtering malicious code;
- Backing up firewalls to internal media, and not backing up the
firewall to servers on protected networks;
- Logging activity, with daily administrator review;
- Using intrusion detection devices to monitor actions on the
firewall and to monitor communications allowed through the firewall;
- Administering the firewall using encrypted communications and
strong authentication, only accessing the firewall from secure
devices, and monitoring all administrative access;
- Limiting administrative access to few individuals; and
- Making changes only through well-administered change control
procedures.
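Three of the practices above (a ruleset that denies everything not specifically allowed, blocking inbound ICMP to limit network mapping, and restricting administrative access to the firewall) can be checked mechanically. The following is an added example, not code from the FFIEC booklet or from this newsletter: a first-match ruleset model with an audit function, run against a weak and a hardened ruleset. The addresses, the firewall and web server hosts, the management subnet 10.10.0.0/24 and the rule fields are all constructed assumptions.

```python
# Added example (not from the FFIEC booklet): a first-match firewall ruleset
# model that applies "deny everything not specifically allowed", plus an audit
# of the ruleset against the practices listed above. All addresses, the
# management subnet and the two sample rulesets are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

FIREWALL = "192.0.2.1/32"     # constructed: the firewall's own address
WEB_SERVER = "192.0.2.10/32"  # constructed: a public web server behind it
MGMT_NET = "10.10.0.0/24"     # constructed: the only subnet allowed to administer it
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dport: Optional[int]     # destination port, None for any
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        rule.proto in ("any", pkt.proto)
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and rule.dport in (None, pkt.dport)
    )


def evaluate(ruleset: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match means deny (default-deny policy)."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def is_deny_all(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.proto == "any" and rule.dport is None
            and ip_network(rule.src) == ip_network(ANY)
            and ip_network(rule.dst) == ip_network(ANY))


def audit(ruleset: List[Rule]) -> List[str]:
    """Findings against the good practices in the text; an empty list means clean."""
    findings = []
    # Default deny must be written down, not left to the device's implicit behaviour.
    if not ruleset or not is_deny_all(ruleset[-1]):
        findings.append("ruleset does not end with an explicit deny-all rule")
    # Network mapping: an ICMP probe from an external address must not get through.
    if evaluate(ruleset, Packet("icmp", "203.0.113.5", "192.0.2.10")) == "allow":
        findings.append("inbound ICMP from external networks is allowed")
    # Administration: SSH to the firewall itself only from the management subnet.
    for rule in ruleset:
        if (rule.action == "allow" and rule.dport == 22
                and ip_network(rule.dst) == ip_network(FIREWALL)
                and not ip_network(rule.src).subnet_of(ip_network(MGMT_NET))):
            findings.append(f"firewall administration allowed from {rule.src}")
    return findings


def weak_ruleset() -> List[Rule]:
    """Constructed 'before' ruleset that violates three of the practices."""
    return [
        Rule("allow", "icmp", ANY, ANY, None, "ping works from anywhere"),
        Rule("allow", "tcp", ANY, FIREWALL, 22, "SSH to the firewall from anywhere"),
        Rule("allow", "tcp", ANY, WEB_SERVER, 443, "public HTTPS"),
        # no closing deny-all: unmatched traffic depends on the device default
    ]


def hardened_ruleset() -> List[Rule]:
    """Constructed 'after' ruleset following the practices listed above."""
    return [
        Rule("allow", "tcp", ANY, WEB_SERVER, 443, "public HTTPS only"),
        Rule("allow", "tcp", MGMT_NET, FIREWALL, 22, "administration from management subnet"),
        Rule("deny", "any", ANY, ANY, None, "everything not specifically allowed"),
    ]


if __name__ == "__main__":
    for name, rs in (("weak", weak_ruleset()), ("hardened", hardened_ruleset())):
        print(name, audit(rs) or "no findings")
    print(evaluate(hardened_ruleset(), Packet("tcp", "203.0.113.5", "192.0.2.10", 3389)))
```

The explicit final deny-all rule matters for the logging practice as well: traffic that falls through to it is the traffic worth reviewing daily, and an implicit device default usually does not log.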
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.4.5 Disposal
The disposal phase of the computer system life cycle involves the
disposition of information, hardware, and software. Information may
be moved to another system, archived, discarded, or destroyed. When
archiving information, consider the method for retrieving the
information in the future. The technology used to create the records
may not be readily available in the future.
Hardware and software can be sold, given away, or discarded. There
is rarely a need to destroy hardware, except for some storage media
containing confidential information that cannot be sanitized without
destruction. The disposition of software needs to be in keeping with
its license or other agreements with the developer, if applicable.
Some licenses are site-specific or contain other agreements that
prevent the software from being transferred.
Measures may also have to be taken for the future use of data that
has been encrypted, such as taking appropriate steps to ensure the
secure long-term storage of cryptographic keys.
Media Sanitization
Since electronic information is easy to copy and transmit,
information that is sensitive to disclosure often needs to be
controlled throughout the computer system life cycle so that
managers can ensure its proper disposition. The removal of
information from a storage medium (such as a hard disk or tape) is
called sanitization. Different kinds of sanitization provide
different levels of protection. A distinction can be made between
clearing information (rendering it unrecoverable by keyboard attack)
and purging (rendering information unrecoverable against laboratory
attack). There are three general methods of purging media:
overwriting, degaussing (for magnetic media only), and destruction.
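Of the three purging methods, overwriting is the one that can be scripted and verified. The following is an added example, not from the NIST Handbook: it overwrites a storage image with two fixed patterns and a final pass of random data, syncs after every pass, reads the result back and checks it against the digest of what was written, then confirms that a constructed "sensitive" marker is no longer present. The temporary file it writes stands in for a medium; the marker text and pass count are constructed assumptions.

```python
# Added example (not from the NIST Handbook): overwrite-and-verify sanitization
# of a storage image. The sample "sensitive" content is constructed.
import hashlib
import os
import tempfile

# Two fixed passes followed by a random pass; None selects random data.
PATTERNS = [b"\x00", b"\xff", None]


def overwrite_media(path: str, chunk_size: int = 1 << 20) -> dict:
    """Overwrite every byte of `path` once per pattern, sync after each pass,
    then read the medium back and compare it with the digest of the final pass."""
    size = os.path.getsize(path)
    final_digest = None
    with open(path, "r+b") as fh:
        for pattern in PATTERNS:
            fh.seek(0)
            digest = hashlib.sha256()
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                block = os.urandom(n) if pattern is None else pattern * n
                fh.write(block)
                digest.update(block)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())          # force the pass onto the device
            final_digest = digest.hexdigest()
        # Verification: what is on the medium must equal the last pass written.
        fh.seek(0)
        check = hashlib.sha256()
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            check.update(chunk)
    return {
        "bytes": size,
        "passes": len(PATTERNS),
        "verified": check.hexdigest() == final_digest,
    }


def demo() -> dict:
    """Build a constructed image holding a recognizable record, sanitize it,
    and report whether the record can still be found afterwards."""
    marker = b"CONSTRUCTED SENSITIVE RECORD: account 0000-1111\n"
    fd, path = tempfile.mkstemp(prefix="media-image-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 4096)            # a few hundred KB of 'sensitive' content
    try:
        report = overwrite_media(path)
        with open(path, "rb") as fh:
            report["residual"] = marker in fh.read()
        return report
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The read-back step is what turns an overwrite into a purge you can attest to; a pass that was never committed to the device leaves the old bits in place. The limitation a practitioner should keep in mind is that this reaches only the blocks the operating system maps to the path: journal copies, remapped sectors and wear-levelled flash are outside its view, which is why the text lists degaussing (magnetic media only) and destruction alongside overwriting for media that cannot be sanitized this way.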