FYI
- The FFIEC members revised and renamed the Business Continuity
Planning booklet to Business Continuity Management (BCM) to reflect
updated information technology risk practices and frameworks and the
increased focus on ongoing, enterprise-wide business continuity and
resilience. The new Handbook can be found at:
https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx
FYI
- Identity access management – An auditor’s view - This article
addresses a key concern that organizations of all sizes must
contend with: the lack of effective Identity and Access Management
(IAM) processes.
https://www.scmagazine.com/home/opinion/executive-insight/identity-access-management-an-auditors-view/
Cox Communications hit with $1 billion verdict over music piracy - A
jury in Virginia awarded some of the largest names in the music
recording industry a whopping $1 billion in damages from Cox
Communications, finding that the ISP did not act sufficiently to
curb music piracy on its platform.
https://arstechnica.com/tech-policy/2019/12/cox-communications-hit-with-1-billion-verdict-over-music-piracy/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Maze Ransomware Releases Files Stolen from City of Pensacola - The
actors behind the Maze Ransomware have released 2GB of files that
were allegedly stolen from the City of Pensacola during their
ransomware attack.
https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/
Canadian Company Pays Hackers to Retrieve Data of 15 Million
Customers - LifeLabs says no information was publicly exposed -
Canadian laboratory testing firm LifeLabs revealed that it paid
hackers to return information stolen in a data breach that exposed
the records of some 15 million customers.
https://news.softpedia.com/news/canadian-company-pays-hackers-to-retrieve-data-of-15-million-customers-528649.shtml
Names, Social Security numbers exposed in Moss Adams breach - The
accounting, consulting and wealth management firm Moss Adams has
posted a cybersecurity incident notice centered on an employee email
account that was accessed by an unauthorized person, compromising
PII.
https://www.scmagazine.com/home/security-news/data-breach/names-social-security-numbers-exposed-in-moss-adams-breach/
Ransomware shuts down The Heritage Company - The telemarketing firm
The Heritage Company has become the latest ransomware victim to shut
down, at least temporarily, its operations even after making a
ransom payment to its attackers.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-shuts-down-the-heritage-company/
Wyze Labs data breach exposes 2.4 million, includes PHI - Security
camera and smart device maker Wyze Labs has confirmed a data breach
that left exposed a database containing information on reportedly
2.4 million of its users.
https://www.scmagazine.com/home/security-news/data-breach/wyze-labs-data-breach-exposes-2-4-million-includes-phi/
School software vendor Active Network suffers data breach - Active
Network’s Blue Bear Software platform reported that unauthorized
activity in its network earlier this year resulted in customer PII
being exposed.
https://www.scmagazine.com/home/security-news/data-breach/school-software-vendor-active-network-suffers-data-breach/
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites -
Risk Mitigation and Response Guidance for Web Site Spoofing Incidents
(Part 3 of 5)
PROCEDURES TO ADDRESS SPOOFING - Information Gathering
After a bank has determined that it is the target of a spoofing
incident, it should collect available information about the attack
to enable an appropriate response. The information that is
collected will help the bank identify and shut down the fraudulent
Web site, determine whether customer information has been obtained,
and assist law enforcement authorities with any investigation.
Below is a list of useful information that a bank can collect. In
some cases, banks will require the assistance of information
technology specialists or their service providers to obtain this
information.
* The means by which the bank became aware that it was the
target of a spoofing incident (e.g., report received through
Website, fax, telephone, etc.);
* Copies of any e-mails or documentation regarding other forms
of communication (e.g., telephone calls, faxes, etc.) that were used
to direct customers to the spoofed Web sites;
* Internet Protocol (IP) addresses for the spoofed Web sites
along with identification of the companies associated with the IP
addresses;
* Web-site addresses (uniform resource locators, URLs) and the
registration records of the associated domain names for the spoofed
site; and
* The geographic locations of the IP address (city, state, and
country).
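The first items on that list (how the report arrived, the message used to lure customers, the URLs and hosts it points to) can be captured and preserved before any outside party is contacted. The script below is an added example, not part of the OCC guidance: it parses a constructed phishing e-mail, hashes the original message for the evidence file, extracts relay IPs from Received headers, pulls every link out of the body, flags links whose visible text names a different host than the real target, and leaves the items that need online lookups (host IPs, IP owner, domain registration, geolocation) as empty fields to be filled in from DNS/WHOIS. The bank domain, addresses and message content are all assumptions made up for this example.

```python
"""Added example: build an evidence record for a suspected spoofing/phishing
e-mail. Not OCC code; the sample message and domains below are constructed."""
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample phishing message (not from any real incident).
SAMPLE_EMAIL = b"""Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.7])
\tby mx.examplebank.example (Postfix) with ESMTP id 1A2B3C
\tfor <customer@example.org>; Mon, 16 Dec 2019 10:02:11 -0500
From: "Example Bank Security" <alerts@examplebank.example>
Reply-To: verify@examp1ebank-secure.example
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://examp1ebank-secure.example/login">https://www.examplebank.example/login</a>
to confirm your identity within 24 hours.</p>
</body></html>
"""

BANK_DOMAIN = "examplebank.example"  # assumed legitimate bank domain

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)
# IPv4 literals in the bracketed form used by Received headers.
RECEIVED_IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def build_evidence_record(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the facts a responder records
    before doing any external lookups (DNS, WHOIS and geo are separate steps)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    anchors = HREF_RE.findall(text)
    hrefs = [href for href, _ in anchors]

    # A link whose visible text is a URL on a different host than its target
    # is a classic lure; record both sides so the mismatch is preserved.
    mismatched = []
    for href, label in anchors:
        shown = URL_RE.search(label)
        if shown and urlparse(shown.group(0)).hostname != urlparse(href).hostname:
            mismatched.append({"href": href, "shown_as": shown.group(0)})

    hosts = sorted({urlparse(u).hostname for u in hrefs if urlparse(u).hostname})
    suspect_hosts = [h for h in hosts
                     if h != BANK_DOMAIN and not h.endswith("." + BANK_DOMAIN)]

    relay_ips = [ip for hdr in msg.get_all("Received", [])
                 for ip in RECEIVED_IP_RE.findall(hdr)]

    return {
        "message_sha256": hashlib.sha256(raw).hexdigest(),  # integrity of the original
        "from": str(msg["From"]),
        "reply_to": str(msg["Reply-To"]),
        "subject": str(msg["Subject"]),
        "relay_ips": relay_ips,
        "urls": hrefs,
        "hosts": hosts,
        "suspect_hosts": suspect_hosts,
        "mismatched_links": mismatched,
        # Items from the OCC list that require online lookups; left empty here.
        "host_ip_addresses": {},
        "ip_owner": {},
        "domain_registration": {},
        "geolocation": {},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_evidence_record(SAMPLE_EMAIL), indent=2))
```

Keep the raw message bytes alongside the record; the SHA-256 lets investigators and law enforcement confirm later that the copy they received is the one that was originally collected.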
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SERVICE PROVIDER OVERSIGHT
Many financial institutions outsource some aspect of their
operations. Although outsourcing arrangements often provide a
cost-effective means to support the institution's technology needs,
the ultimate responsibility and risk rests with the institution.
Financial institutions are required under Section 501(b) of the GLBA
to ensure service providers have implemented adequate security
controls to safeguard customer information. Supporting interagency
guidelines require institutions to:
! Exercise appropriate due diligence in selecting service
providers,
! Require service providers by contract to implement appropriate
security controls to comply with the guidelines, and
! Monitor service providers to confirm that they are maintaining
those controls when indicated by the institution's risk assessment.
Financial institutions should implement these same precautions in
all TSP relationships based on the level of access to systems or
data for safety and soundness reasons, in addition to the privacy
requirements.
Financial institutions should determine the following security
considerations when selecting or monitoring a service provider:
! Service provider references and experience,
! Security expertise of TSP personnel,
! Background checks on TSP personnel,
! Contract assurances regarding security responsibilities and
controls,
! Nondisclosure agreements covering the institution's systems and
data,
! Ability to conduct audit coverage of security controls or
provisions for reports of security testing from independent third
parties, and
! Clear understanding of the provider's security incident
response policy and assurance that the provider will communicate
security incidents promptly to the institution when its systems or
data may have been compromised.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
3.5 Supporting Functions
The security responsibilities of managers, technology providers and
security officers are supported by functions normally assigned to
others. Some of the more important of these are described below.
Audit. Auditors are responsible for examining systems to
see whether the system is meeting stated security requirements,
including system and organization policies, and whether security
controls are appropriate. Informal audits can be performed by those
operating the system under review or, if impartiality is important,
by outside auditors.
Physical Security. The physical security office is usually
responsible for developing and enforcing appropriate physical
security controls, in consultation with computer security
management, program and functional managers, and others, as
appropriate. Physical security should address not only central
computer installations, but also backup facilities and office
environments. In the government, this office is often responsible
for the processing of personnel background checks and security
clearances.
Disaster Recovery/Contingency Planning Staff. Some
organizations have a separate disaster recovery/contingency planning
staff. In this case, they are normally responsible for contingency
planning for the organization as a whole, and normally work with
program and functional managers/application owners, the computer
security staff, and others to obtain additional contingency planning
support, as needed.
Quality Assurance. Many organizations have established a
quality assurance program to improve the products and services they
provide to their customers. The quality officer should have a
working knowledge of computer security and how it can be used to
improve the quality of the program, for example, by improving the
integrity of computer-based information, the availability of
services, and the confidentiality of customer information, as
appropriate.
Procurement. The procurement office is responsible for
ensuring that organizational procurements have been reviewed by
appropriate officials. The procurement office cannot be responsible
for ensuring that goods and services meet computer security
expectations, because it lacks the technical expertise.
Nevertheless, this office should be knowledgeable about computer
security standards and should bring them to the attention of those
requesting such technology.
Training Office. An organization has to decide whether the
primary responsibility for training users, operators, and managers
in computer security rests with the training office or the computer
security program office. In either case, the two organizations
should work together to develop an effective training program.
Personnel. The personnel office is normally the first
point of contact in helping managers determine if a security
background investigation is necessary for a particular position. The
personnel and security offices normally work closely on issues
involving background investigations. The personnel office may also
be responsible for providing security-related exit procedures when
employees leave an organization.
Risk Management/Planning Staff. Some organizations have a
full-time staff devoted to studying all types of risks to which the
organization may be exposed. This function should include computer
security-related risks, although this office normally focuses on
"macro" issues. Specific risk analyses for specific computer systems
are normally not performed by this office.
Physical Plant. This office is responsible for ensuring
the provision of such services as electrical power and environmental
controls, necessary for the safe and secure operation of an
organization's systems. Often they are augmented by separate
medical, fire, hazardous waste, or life safety personnel.
3.6 Users
Users also have responsibilities for computer security. Two kinds
of users, and their associated responsibilities, are described
below.
Users of Information. Individuals who use information
provided by the computer can be considered the "consumers" of the
applications. Sometimes they directly interact with the system
(e.g., to generate a report on screen) -- in which case they are
also users of the system (as discussed below). Other times, they may
only read computer-prepared reports or only be briefed on such
material. Some users of information may be very far removed from the
computer system. Users of information are responsible for letting
the functional mangers/application owners (or their representatives)
know what their needs are for the protection of information,
especially for its integrity and availability.
Users of Systems. Individuals who directly use computer
systems (typically via a keyboard) are responsible for following
security procedures, for reporting security problems, and for
attending required computer security and functional training.