FYI
- The FFIEC members revised and renamed the Business Continuity
Planning booklet to Business Continuity Management (BCM) to reflect
updated information technology risk practices and frameworks and the
increased focus on ongoing, enterprise-wide business continuity and
resilience. The new Handbook can be found at:
https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx
PHONE NUMBER CHANGE
- Because of the never-ending fee increases, I am going to stop
using my AT&T business landline in January 2020. If you have not
already done so, please change our phone number to my cell phone
806-535-8300.
FYI
- DHS official briefs senators on state ransomware threats in
classified meeting - The head of the Department of Homeland
Security’s cybersecurity division on Wednesday provided senators
with a classified briefing on ransomware attacks, the latest
indication of the threat the file-locking malware poses to state and
local governments.
https://www.cyberscoop.com/dhs-senators-classified-ransomware-briefing/
Same story all over again: Microsoft research finds millions of
reused passwords - The loud pleas made by the cybersecurity
industry, along with the repeated examples of what happens when
login credentials are reused, seemingly have fallen on deaf ears as
Microsoft found more than 44 million repeated passwords just for its
Azure AD and Microsoft Services Accounts.
https://www.scmagazine.com/home/security-news/privacy-compliance/same-story-all-over-again-microsoft-research-finds-millions-of-reused-passwords/
Failure to secure IoT networks has far-reaching consequences, and
transportation is a bullseye target - In 2017, millions of
moviegoers flocked to theaters for the eighth Fast and Furious
movie, where they watched a villainous Charlize Theron take control
of hundreds of self-driving cars.
https://www.scmagazine.com/home/opinion/executive-insight/failure-to-secure-iot-networks-has-far-reaching-consequences-and-transportation-is-a-bullseye-target/
NCSC-NZ Releases Cyber Governance Resource for Leaders - The New
Zealand National Cyber Security Centre (NCSC-NZ) has released an
article on a new cybersecurity governance resource to support public
and private sector leaders in making decisions about their
cybersecurity resilience and risk.
https://www.us-cert.gov/ncas/current-activity/2019/12/05/ncsc-nz-releases-cyber-governance-resource-leaders
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Data center provider CyrusOne hit with REvil ransomware - Data
center provider CyrusOne was reportedly hit with a combination
ransomware/data breach involving the REvil (aka Sodinokibi)
ransomware.
https://www.scmagazine.com/home/security-news/ransomware/data-center-provider-cyrusone-hit-with-revil-ransomware-report/
https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/
Sprint contractor reportedly stored non-Sprint customers’ phone
bills on open server - Hundreds of thousands of cell phone bills and
other documents belonging to AT&T, Verizon and T-Mobile customers
were reportedly exposed after a Sprint contractor left them sitting
on an open public server.
https://www.scmagazine.com/home/security-news/database-security/sprint-contractor-reportedly-stored-non-sprint-customers-phone-bills-on-open-server/
Yet another school district hit by ransomware, this time in Illinois
- Adding to a mounting tally of schools that have fallen victim to
ransomware this year, a school district in northern Illinois
announced this week that some of its systems too have been infected.
https://edscoop.com/sycamore-community-school-district-ransomware/
My kingdom for a decryptor! Ransomware creates ticketing snafu for
N.J. Shakespeare theater - The Shakespeare Theatre of New Jersey was
forced to cancel a performance of “A Christmas Carol” earlier this
week after a ransomware attack disrupted its database and ticketing
system, causing a show reservations nightmare.
https://www.scmagazine.com/home/security-news/cybercrime/my-kingdom-for-a-decryptor-ransomware-creates-ticketing-snafu-for-n-j-shakespeare-theater/
3,000 affected by Fort Worth water utility data breach - The Fort
Worth, Texas Water Department is notifying about 3,000 customers
that their payment information may have been exposed during a data
breach.
https://www.scmagazine.com/home/security-news/data-breach/3000-affected-by-fort-worth-water-utility-data-breach/
Dental practices feel the pain of ransomware attack on IT provider -
More than 100 dentist offices have reportedly been affected by a
recent Sodinokibi ransomware attack on a Colorado-based company that
provides IT services to the oral-care practices.
https://www.scmagazine.com/home/security-news/report-dental-practices-feel-the-pain-of-ransomware-attack-on-it-provider/
Pensacola hit with cyberattack hours after shooting at naval base -
Less than a day after a Saudi airman shot and killed three members
of the U.S. military at the Pensacola Naval Air Station, a
cyberattack has forced the Florida city to shut down many of its
systems, with the mayor declining to confirm or deny whether a
ransom demand accompanied the attack.
https://www.scmagazine.com/home/security-news/pensacola-hit-with-cyberattack-hours-after-shooting-at-naval-base/
https://www.scmagazine.com/home/security-news/pensacola-confirms-ransomware-attack/
BMW and Hyundai hacked by Vietnamese hackers, report claims - The
intrusions have been linked to Ocean Lotus (APT32), a group believed
to operate on orders from the Vietnamese government.
https://www.zdnet.com/article/bmw-and-hyundai-hacked-by-vietnamese-hackers-report-claims/
Over 750,000 applications for US birth certificate copies exposed
online - An online company that allows users to obtain a copy of
their birth and death certificates from U.S. state governments has
exposed a massive cache of applications - including their personal
information.
https://techcrunch.com/2019/12/09/birth-certificate-applications-exposed/
https://www.scmagazine.com/home/security-news/database-security/unsecured-storage-bucket-exposes-applications-for-birth-certificate-copies/
WEB SITE COMPLIANCE -
We conclude our series on the FDIC Supervisory Insights article on
Incident Response Programs. (12 of 12)
What the Future Holds
In addition to meeting regulatory requirements and addressing
applicable industry best practices, several characteristics tend to
differentiate banks. The most successful banks will find a way to
integrate incident response planning into normal operations and
business processes. Assimilation efforts may include expanding
security awareness and training initiatives to reinforce incident
response actions, revising business continuity plans to incorporate
security incident responses, and implementing additional security
monitoring systems and procedures to provide timely incident
notification. Ultimately, the adequacy of a bank's IRP reflects on
the condition of the information security program along with
management's willingness and ability to manage information
technology risks. In essence, incident response planning is a
management process, the comprehensiveness and success of which
provide insight into the quality and attentiveness of management. In
this respect, the condition of a bank's IRP, and the results of
examiner review of the incident response planning process, fit well
within the objectives of the information technology examination as
described in the Information Technology-Risk Management Program.
An IRP is a critical component of a well-formed and effective
information security program and has the potential to provide
tangible value and benefit to a bank. Similar to the importance of a
business continuity planning program as it relates to the threat of
natural and man-made disasters, sound IRPs will be necessary to
combat new and existing data security threats facing the banking
community. Given the high value placed on the confidential customer
information held within the financial services industry, coupled
with the publicized success of known compromises, one can reasonably
assume that criminals will continue to probe an organization's
defenses in search of weak points. The need for response programs is
real and has been recognized as such by not only state and Federal
regulatory agencies (through passage of a variety of legal
requirements), but by the banking industry itself. The challenges
each bank faces are to develop a reasonable IRP providing
protections for the bank and the consumer and to
incorporate the IRP into a comprehensive, enterprise-wide
information security program. The most successful banks will exceed
regulatory requirements to leverage the IRP for business advantages
and, in turn, improved protection for the banking industry as a
whole.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
ELECTRONIC AND PAPER-BASED MEDIA HANDLING
DISPOSAL
Financial institutions need appropriate disposal procedures for
both electronic and paper-based media. Policies should prohibit
employees from discarding sensitive media along with regular garbage
to avoid accidental disclosure. Many institutions shred paper-based
media on site and others use collection and disposal services to
ensure the media is rendered unreadable and unreconstructable before
disposal. Institutions that contract with third parties should use
care in selecting vendors to ensure adequate employee background
checks, controls, and experience.
Computer-based media presents unique disposal problems. Residual
data frequently remains on media after erasure: deleting a file or
reformatting a drive typically removes only the directory entries,
and the underlying data can be recovered, so additional disposal
techniques should be applied to sensitive data. Physical destruction
of the media, for instance by subjecting a compact disk to
microwaves, can make the data unrecoverable. Overwriting the media
can also render the data unrecoverable, and may be preferred when the
media will be re-used; note that overwriting reaches only the sectors
the operating system can address, so sectors a drive has remapped as
bad, and the spare areas of flash media, are not touched.
Institutions should base their disposal policies on the sensitivity
of the information contained on the media and, through policies,
procedures, and training, ensure that the actions taken to securely
dispose of computer-based media adequately protect the data from the
risks of reconstruction. Where practical, management should log the
disposal of sensitive media, especially computer-based media.
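The overwrite, verify and log steps above, as an added example (this is not code from the FFIEC booklet, and the three-pass scheme, the field names in the log record and the fake account record it is seeded with are assumptions chosen for illustration). A temporary file stands in for the medium; the same routine works on a block device path opened with the necessary privileges, subject to the caveat in the docstring.

```python
"""Overwrite-and-verify sanitization of a file-backed medium, with a disposal-log record."""
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB read/write granularity


def _fill(fd, size, pattern):
    """Overwrite `size` bytes from offset 0 with one byte value, or CSPRNG bytes if pattern is None."""
    os.lseek(fd, 0, os.SEEK_SET)
    written = 0
    while written < size:
        n = min(CHUNK, size - written)
        buf = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
        written += os.write(fd, buf)
    os.fsync(fd)  # push this pass to the medium before the next one starts


def _contains(path, needle):
    """Scan the medium for `needle`, carrying len(needle)-1 bytes across chunk boundaries."""
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            window = tail + chunk
            if needle in window:
                return True
            tail = window[-keep:] if keep else b""
    return False


def sanitize_and_verify(path, passes=(0x00, 0xFF, None), final=0x00, known_samples=()):
    """Overwrite the medium with each pass, then a final fixed pattern, and verify the result.

    Verification reads the whole medium back: every byte must equal `final`, and none of the
    `known_samples` (byte strings known to have been stored on it) may still be found. Returns
    a disposal-log record. Caveat: this reaches only the blocks the OS exposes; remapped sectors
    and flash spare areas are untouched, so for SSDs use the device's own sanitize/secure-erase
    command (see NIST SP 800-88) or destroy the media. The pass scheme here is an assumption.
    """
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for p in passes:
            _fill(fd, size, p)
        _fill(fd, size, final)
    finally:
        os.close(fd)

    digest = hashlib.sha256()
    uniform = True
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
            if chunk != bytes([final]) * len(chunk):
                uniform = False
    residual = [s for s in known_samples if _contains(path, s)]
    return {
        "medium": os.path.basename(path),
        "bytes": size,
        "passes": [("random" if p is None else f"0x{p:02X}") for p in (*passes, final)],
        "final_image_sha256": digest.hexdigest(),
        "residual_samples_found": len(residual),
        "verified": uniform and not residual,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def demo():
    """Constructed example: a temporary file stands in for the medium, seeded with a fake record."""
    sample = b"ACCT=1234567890;NAME=JANE DOE;SSN=000-00-0000\n"  # made-up, not real data
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(sample * 2000 + secrets.token_bytes(777))  # larger than CHUNK, so boundaries are exercised
        path = f.name
    try:
        found_before = _contains(path, sample)
        record = sanitize_and_verify(path, known_samples=[sample])
    finally:
        os.unlink(path)
    return found_before, record


if __name__ == "__main__":
    before, rec = demo()
    print("sample present before sanitization:", before)
    print(json.dumps(rec))  # one JSON line suitable for appending to a disposal log
```

The record is the artifact the "log the disposal" requirement asks for: it ties the medium, the passes applied, a hash of the final image and the verification outcome to a timestamp, and a `verified: false` result should block the medium from leaving the institution.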
TRANSIT
Financial institutions should maintain the security of media
while in transit or when shared with third parties. Policies should
include:
- Restrictions on the carriers used and procedures to verify the
identity of couriers,
- Requirements for appropriate packaging to protect the media
from damage,
- Use of encryption for transmission of sensitive information,
- Security reviews or independent security reports of receiving
companies, and
- Use of nondisclosure agreements between couriers and third
parties.
Financial institutions should address the security of their
back-up tapes at all times, including when the tapes are in transit
from the data center to off-site storage.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 3 - Roles and Responsibilities
One fundamental issue that arises in discussions of computer
security is: "Whose responsibility is it?" Of course, on a basic
level the answer is simple: computer security is the responsibility
of everyone who can affect the security of a computer system.
However, the specific duties and responsibilities of various
individuals and organizational entities vary considerably.
This chapter presents a brief overview of roles and
responsibilities of the various officials and organizational offices
typically involved with computer security. They include the
following groups:
1) senior management,
2) program/functional managers/application owners,
3) computer security management,
4) technology providers,
5) supporting organizations, and
6) users.
This chapter is intended to give the reader a basic familiarity
with the major organizational elements that play a role in computer
security. It does not describe all responsibilities of each in
detail, nor will this chapter apply uniformly to all organizations.
Organizations, like individuals, have unique characteristics, and no
single template can apply to all. Smaller organizations, in
particular, are not likely to have separate individuals performing
many of the functions described in this chapter. Even at some larger
organizations, some of the duties described in this chapter may not
be staffed with full-time personnel. What is important is that these
functions be handled in a manner appropriate for the organization.
As with the rest of the handbook, this chapter is not intended to be
used as an audit guide.
3.1 Senior Management - Senior management has ultimate
responsibility for the security of an organization's computer
systems.
Ultimately, responsibility for the success of an organization lies
with its senior managers. They establish the organization's computer
security program and its overall program goals, objectives, and
priorities in order to support the mission of the organization.
Ultimately, the head of the organization is responsible for ensuring
that adequate resources are applied to the program and that it is
successful. Senior managers are also responsible for setting a good
example for their employees by following all applicable security
practices.