FYI
- Clarksons' breach again shows need to eliminate passwords - The
global shipping firm Clarksons reported that it has suffered a
cybersecurity breach which it, and outside security firms, believe
was caused when a lone user account was hacked, again bringing to
the forefront the need to move past the legacy username and password
for logging in to a critical system.
https://www.scmagazine.com/clarksons-breach-again-shows-need-to-eliminate-passwords/article/710717/
A postmortem of the Grey's Anatomy ransomware episode: Accurate or
Hollywood hyperbole? - Medical drama Grey's Anatomy has killed off a
lot of characters in its 14-year run. But in the Nov. 16 mid-season
finale, titled “Out of Nowhere,” Grey-Sloan Memorial Hospital itself
was on life support after its network became infected with
ransomware, causing machines all over the facility to malfunction.
https://www.scmagazine.com/a-postmortem-of-the-greys-anatomy-ransomware-episode-accurate-or-hollywood-hyperbole/article/710166/
Senate bill introduced that would require jail time for data breach
cover ups - Three U.S. Senators have introduced a bill that would
require jail time for corporate executives who do not notify
consumers of a breach within 30 days.
https://www.scmagazine.com/senate-bill-introduced-that-would-require-jail-time-for-data-breach-cover-ups/article/711319/
Morrisons Supermarket held liable after employee leaks data - U.K.
Supermarket chain Morrison's was found liable, in a first of its
kind data leak class action suit, for the actions of a former
employee who stole the data on thousands of his coworkers and posted
it online.
https://www.scmagazine.com/supermarket-found-liable-for-employee-data-leak/article/711292/
Former NSA employee pleads guilty for stealing classified data,
related to Kaspersky incident - A former NSA employee pleaded guilty
to taking classified national defense information that was later
stolen by Russian spies.
https://www.scmagazine.com/former-nsa-employee-faces-10-years-for-stealing-sensitive-data/article/711719/
UK cybersecurity leader calls for government to drop Kaspersky Labs'
software - The UK's top cybersecurity agency has joined the U.S.
government in recommending that Kaspersky Labs' products should not
be used.
https://www.scmagazine.com/uk-cybersecurity-leader-calls-for-government-to-drop-kaspersky-labs-software/article/711480/
Uber Security Managers Resign in Wake of Hack, Surveillance
Allegations - Uber Technologies Inc.’s security team is crumbling
after a scandalous two weeks that included the surprise disclosure
of a year-old data breach and a damaging letter from a former
employee detailing clandestine operations.
https://www.wsj.com/articles/uber-security-managers-resign-in-wake-of-hack-surveillance-allegations-1512181541
Governor McAuliffe Announces Virginia Students Awarded $140,000 in
Cyber Security Scholarships - Governor Terry McAuliffe today
announced that Virginia students have been awarded a total of
$140,000 in cyber security scholarships as a result of their
participation in the SANS Institute CyberStart online cyber security
skills aptitude pilot program.
http://governor.virginia.gov/newsroom/newsarticle?articleId=21852
Retailers still in need of data breach response plan - Between the
holiday shopping season now being in full swing and the growing
number of retailers hit with data breaches Tripwire was surprised
that a recent survey it conducted found a large percentage of
retailers still had no data breach response plan in place.
https://www.scmagazine.com/retailers-still-in-need-of-data-breach-response-plan/article/712413/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- National Credit Federation unsecured AWS S3 bucket leaks credit,
personal data - In what has become a familiar and troubling refrain,
an unsecured Amazon Web Services S3 storage bucket that allows
public access, reportedly has leaked sensitive information,
including credit card numbers, credit reports from the three major
reporting agencies, bank account numbers and Social Security
numbers.
https://www.scmagazine.com/national-credit-federation-unsecured-aws-s3-bucket-leaks-credit-personal-data/article/710743/
Stanford University server exposes data of 10,000 staffers -
Stanford University announced that it has left sensitive student
and staff data exposed on three separate occasions over the last
year.
https://www.scmagazine.com/stanford-servers-on-three-separate-occasions-exposed-student-and-staff-data/article/711336/
Data breach at PayPal's TIO Networks unit affects 1.6 million
customers - PayPal Holdings on Friday acknowledged that a data
breach at recently acquired payments processor TIO Networks
compromised the personally identifiable information of roughly 1.6
million customers.
https://www.scmagazine.com/data-breach-at-paypals-tio-networks-unit-affects-16-million-customers/article/711484/
Data on 31 million users leaked by smartphone keyboard app - After
the developer of virtual keyboard app Ai.Type left a 577GB
Mongo-hosted database unsecured, personal data on more than 31
million customers was exposed to anyone who has an internet
connection.
https://www.scmagazine.com/data-on-31-million-users-leaked-by-smartphone-keyboard-app/article/712137/
A Michigan man who hacked into his local prison's computing system
to gain early release for a friend is facing his own time inside
after getting caught.
http://www.theregister.co.uk/2017/12/04/prison_hacker_pleads_guilty/
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Security and Confidentiality
The contract should address the service provider’s
responsibility for security and confidentiality of the institution’s
resources (e.g., information, hardware). The agreement should
prohibit the service provider and its agents from using or
disclosing the institution’s information, except as necessary to or
consistent with providing the contracted services, to protect
against unauthorized use (e.g., disclosure of information to
institution competitors). If the service provider receives
nonpublic personal information regarding the institution’s
customers, the institution should notify the service provider to
assess the applicability of the privacy regulations. Institutions
should require the service provider to fully disclose breaches in
security resulting in unauthorized intrusions into the service
provider that may materially affect the institution or its
customers. The service provider should report to the institution
when material intrusions occur, the effect on the institution, and
corrective action to respond to the intrusion.
Controls
Consideration should be given to contract provisions addressing
control over operations such as:
• Internal controls to be maintained by the service provider.
• Compliance with applicable regulatory requirements.
• Records to be maintained by the service provider.
• Access to the records by the institution.
• Notification by the service provider to the institution and the
institution’s approval rights regarding material changes to services,
systems, controls, key project personnel allocated to the
institution, and new service locations.
• Setting and monitoring of parameters relating to any financial
functions, such as payments processing and any extensions of credit
on behalf of the institution.
• Insurance coverage to be maintained by the service provider.
FFIEC IT SECURITY -
We continue our coverage of
the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Customer Access."
Using "Wired Equivalent Privacy" (WEP) by itself to provide
wireless network security may lead a financial institution to a
false sense of security. Information traveling over the network
appears secure because it is encrypted. This appearance of security,
however, can be defeated in a relatively short time.
Through these types of attacks, unauthorized personnel could gain
access to the financial institution's data and systems. For example,
an attacker with a laptop computer and a wireless network card could
eavesdrop on the bank's network, obtain private customer
information, obtain access to bank systems and initiate unauthorized
transactions against customer accounts.
Another risk in implementing wireless networks is the potential
disruption of wireless service caused by radio transmissions of
other devices. For example, the frequency range used for 802.11b
equipment is also shared by microwave ovens, cordless phones and
other radio-wave-emitting equipment that can potentially interfere
with transmissions and lower network performance. Also, as wireless
workstations are added within a relatively small area, they will
begin to compete with each other for wireless bandwidth, decreasing
the overall performance of the wireless network.
Risk Mitigation Components -- Wireless Internal Networks
A key step in mitigating security risks related to the use of
wireless technologies is to create policies, standards and
procedures that establish minimum levels of security. Financial
institutions should adopt standards that require end-to-end
encryption for wireless communications based on proven encryption
methods. Also, as wireless technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless network devices.
For wireless internal networks, financial institutions should
adopt standards that require strong encryption of the data stream
through technologies such as the IP Security Protocol (IPSEC). These
methods effectively establish a virtual private network between the
wireless workstation and other components of the network. Even
though the underlying WEP encryption may be broken, an attacker
would be faced with having to defeat an industry-proven security
standard.
Financial institutions should also consider the proximity of their
wireless networks to publicly available places. A wireless network
that does not extend beyond the confines of the financial
institution's office space carries with it far less risk than one
that extends into neighboring buildings. Before bringing a wireless
network online, the financial institution should perform a limited
pilot to test the effective range of the wireless network and
consider positioning devices in places where they will not broadcast
beyond the office space. The institution should also be mindful that
each workstation with a wireless card is a transmitter. Confidential
customer information may be obtained by listening in on the
workstation side of the conversation, even though the listener may
be out of range of the access device.
The financial institution should consider having regular
independent security testing performed on its wireless network
environment. Specific testing goals would include the verification
of appropriate security settings, the effectiveness of the wireless
security implementation and the identification of rogue wireless
devices that do not conform to the institution's stated standards.
The security testing should be performed by an organization that is
technically qualified to perform wireless testing and demonstrates
appropriate ethical behavior.
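The guidance above asks for two concrete checks: that deployed access points use the encryption the institution's standard requires (not WEP on its own), and that no rogue devices are broadcasting inside the survey area. The following is an added example, not code from the newsletter or from the FDIC guidance it summarises. It assumes a simple, hypothetical survey format (one access point per line as "BSSID,SSID,security") and an approved inventory mapping BSSID to the SSID that radio is supposed to serve; the survey lines, the inventory and the approved-mode list are all constructed sample data.

```python
"""Audit a wireless site survey against an institution's wireless standard.

Added example; it is not code from the newsletter or from the FDIC guidance it
summarises. It assumes a simple survey format, one access point per line as
"BSSID,SSID,security", and an approved-inventory mapping of BSSID -> SSID.
Both the survey lines and the inventory below are constructed sample data.
"""
from dataclasses import dataclass

# Encryption modes the (hypothetical) institution standard accepts for
# internal wireless; WEP and open networks are deliberately absent.
APPROVED_SECURITY = {"WPA2-Enterprise", "WPA3-Enterprise"}

# Constructed approved inventory: BSSID -> SSID the radio is supposed to serve.
INVENTORY = {
    "00:11:22:33:44:01": "BANK-STAFF",
    "00:11:22:33:44:02": "BANK-STAFF",
    "00:11:22:33:44:03": "BANK-STAFF",
}

# Constructed survey output, as a site walk with a scanner might record it.
SURVEY = """
# bssid, ssid, security
00:11:22:33:44:01, BANK-STAFF, WPA2-Enterprise
00:11:22:33:44:02, BANK-STAFF, WEP
00:11:22:33:44:03, BANK-GUEST, WPA2-Enterprise
DE:AD:BE:EF:00:01, BANK-STAFF, WPA2-Enterprise
aa:bb:cc:dd:ee:ff, LinksysHome, WEP
"""


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    security: str


def parse_survey(lines):
    """Parse 'BSSID,SSID,security' lines; blank lines and '#' comments are skipped."""
    aps = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, security = (field.strip() for field in line.split(",", 2))
        # Normalise the BSSID so inventory lookups are case-insensitive.
        aps.append(AccessPoint(bssid.lower(), ssid, security))
    return aps


def audit(aps, inventory):
    """Return (bssid, finding) pairs for every access point that breaks the standard.

    Findings, in survey order:
      rogue-ap-using-corporate-ssid  unknown radio advertising one of our SSIDs
      unknown-ap                     unknown radio (possibly a neighbour's; needs a look)
      weak-security:<mode>           approved radio not using an approved mode
      ssid-mismatch:<ssid>           approved radio serving an SSID it should not
    """
    corporate_ssids = set(inventory.values())
    findings = []
    for ap in aps:
        expected_ssid = inventory.get(ap.bssid)
        if expected_ssid is None:
            kind = ("rogue-ap-using-corporate-ssid"
                    if ap.ssid in corporate_ssids else "unknown-ap")
            findings.append((ap.bssid, kind))
            continue
        if ap.security not in APPROVED_SECURITY:
            findings.append((ap.bssid, f"weak-security:{ap.security}"))
        if ap.ssid != expected_ssid:
            findings.append((ap.bssid, f"ssid-mismatch:{ap.ssid}"))
    return findings


def run_audit():
    """Audit the constructed survey against the constructed inventory."""
    return audit(parse_survey(SURVEY.splitlines()), INVENTORY)


if __name__ == "__main__":
    for bssid, finding in run_audit():
        print(f"{bssid}  {finding}")
```

Run against the constructed survey, the audit flags the approved radio still running WEP, the approved radio serving the wrong SSID, an unknown radio impersonating the staff SSID, and a neighbouring home access point that the survey picked up; the last of these is the "extends into neighboring buildings" situation the guidance describes in reverse, and is worth a look rather than an automatic alarm.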
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
13.6.5 Administer the Program
There are several important considerations for administering the
CSAT program.
Visibility. The visibility of a CSAT program plays a key
role in its success. Efforts to achieve high visibility should begin
during the early stages of CSAT program development. However, care
should be taken not to promise what cannot be delivered.
Training Methods. The methods used in the CSAT program
should be consistent with the material presented and tailored to the
audience's needs. Some training and awareness methods and techniques
are listed above (in the Techniques sections). Computer security
awareness and training can be added to existing courses and
presentations or taught separately. On-the-job training should also
be considered.
Training Topics. There are more topics in computer security
than can be taught in any one course. Topics should be selected
based on the audience's requirements.
Training Materials. In general, higher-quality training
materials are more favorably received and are more expensive. Costs,
however, can be minimized since training materials can often be
obtained from other organizations. The cost of modifying materials
is normally less than developing training materials from scratch.
Training Presentation. Consideration should be given to the
frequency of training (e.g., annually or as needed), the length of
training presentations (e.g., twenty minutes for general
presentations, one hour for updates or one week for an off-site
class), and the style of training presentation (e.g., formal
presentation, informal discussion, computer-based training,
humorous).
The Federal Information Systems Security Educators' Association and
NIST Computer Security Program Managers' Forum provide two means for
federal government computer security program managers and training
officers to share training ideas and materials.