R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

January 17, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, the agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - Quarter of respondents would pay ransom to protect stolen data, survey says - Nearly a quarter (24.6 percent) of company executives and IT leaders would be willing to pay hackers a ransom to prevent them from leaking critically sensitive stolen data, a global survey of more than 200 execs and IT managers found. http://www.scmagazine.com/quarter-of-respondents-would-pay-ransom-to-protect-stolen-data-survey-says/article/465241/

FYI - ICO questions 12-month data retention plans under Snoopers' Charter draft - Information commissioner Christopher Graham has voiced concerns about the government’s intention to force internet firms to store customer data for 12 months, claiming that no clear justification has been made for this time period. http://www.v3.co.uk/v3-uk/news/2440887/ico-questions-12-month-data-retention-plans-under-snoopers-charter-draft

FYI - Microsoft to axe support for older Internet Explorer next week - Don't say we didn't warn ya ... because we did - In less than one week, Microsoft will end support for several versions of its Internet Explorer web browser. http://www.theregister.co.uk/2016/01/06/ie_versions_retiring_soon/

FYI - Cybergang targets Japanese banks with Rovnix Trojan - Researchers at IBM X-Force spotted the cybergang that controls the Rovnix Trojan launching an aggressive campaign against 14 major Japanese Banks. http://www.scmagazine.com/cybergang-targets-japanese-banks-in-aggressive-infection-campaign/article/464066/

FYI - St. Louis Cards official pleads guilty to hacking Astros site - The former director of baseball development for the St. Louis Cardinals, pleaded guilty Friday to charges of accessing computers belonging to the Houston Astros without authorization, according to a release on Friday from the Department of Justice. http://www.scmagazine.com/st-louis-cards-official-pleads-guilty-to-hacking-astros-site/article/464356/

FYI - Payment card data attacks worry over half of UK and US businesses - Well over half (60 percent) of US and 52 percent of UK enterprises feel that an attack on payment card data is likely or more than likely. http://www.scmagazine.com/payment-card-data-attacks-worry-over-half-of-uk-and-us-businesses/article/464384/

FYI - Thousands of Interior Department laptops vulnerable to cyber attack - Nearly 15,000 laptops used by U.S. Department of the Interior employees don't have proper safeguards to protect sensitive information from being hacked by a cyber criminal because of a management decision to depart from best practices. http://www.deseretnews.com/article/865645041/Inspector-general-Thousands-of-Interior-Department-laptops-vulnerable-to-cyber-attack.html

FYI - Audit: Network of U.S. Nuclear Regulatory Commission not optimized against cyberthreats - An audit of the Security Operations Center (SOC) responsible for securing the U.S. Nuclear Regulatory Commission's (NRC) network infrastructure reveals the SOC's procedures are currently not optimized to meet the rapidly escalating needs of its government client, in light of growing cyberthreats. http://www.scmagazine.com/audit-network-of-us-nuclear-regulatory-commission-not-optimized-against-cyberthreats/article/464944/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Ring's smart doorbell can leave your house vulnerable to hacks - The $199 Ring Video Doorbell may be "smarter" than your average buzzer, but a major vulnerability can leave your Wi-Fi network wide open to hackers. Pen Test Partners, a limited liability partnership (LLP) that assesses computer systems, apps and more for potential network security vulnerabilities, took a close look at the Ring Video Doorbell recently and found a serious flaw for hackers to exploit. http://www.cnet.com/news/rings-smart-doorbell-can-leave-your-house-vulnerable-to-hacks/

FYI - IoT 'ding-donger' reveals WiFi passwords - The Ring WiFi doorbell, an IoT device, not only allows users to view whoever is on their doorstep via the internet from a mobile device when they are not home, but also gives away the homeowner's WiFi password. http://www.scmagazine.com/iot-ding-donger-reveals-wifi-passwords/article/465266/

FYI - Linode Resets Passwords as DDoS Attacks Continue - The cloud hosting provider forces users to change passwords after an unauthorized log-in is detected. http://www.eweek.com/security/linode-resets-passwords-as-ddos-attacks-continue.html

FYI - Indiana University Health Arnett Hospital loses USB drive with 29K records - Indiana University Health Arnett Hospital reported the loss of an unencrypted USB drive containing information on 29,000 emergency room patients. http://www.scmagazine.com/indiana-university-health-arnett-hospital-loses-usb-drive-with-29k-records/article/464227/

FYI - Breathalyzer maker hacked in possible extortion case - A company specializing in car breathalyzer technology has seemingly become an extortion target, after a hacker uploaded what appears to be internal documents and source code onto an online hacking forum, according to a report in Motherboard. http://www.scmagazine.com/breathalyzer-maker-hacked-in-possible-extortion-case/article/464401/

FYI - Jeremy Corbyn's Twitter account hacked for a few minutes - In what is being hailed a model of fast response, the Labour Party moved swiftly last night to regain control of the Twitter account of its leader, Jeremy Corbyn, following a hack. http://www.scmagazine.com/jeremy-corbyns-twitter-account-hacked-for-a-few-minutes/article/464654/

FYI - Amex, affiliate reports three breaches to California AG - American Express Travel Related Services Company and/or one of its affiliates reported three data breaches to the California Attorney General (AG) in early January. http://www.scmagazine.com/a-trio-of-breaches-hit-amex-travel-related-services-company/article/464686/

FYI - TaxAct breached: Customer banking and Social Security information compromised - Tax software maker TaxAct is informing some of its customers that an unauthorized third party accessed their TaxAct account in late 2015. http://www.scmagazine.com/taxact-breached-customer-banking-and-social-security-information-compromised/article/464952/


WEB SITE COMPLIANCE - This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 4 of 6)
 
 Supervisory Action
 
 As a result of guidelines issued by the FDIC, together with other federal agencies, financial institutions are required to develop and implement a written program to safeguard customer information, including the proper disposal of consumer information (Security Guidelines). The FDIC considers this programmatic requirement to be one of the foundations of identity theft prevention. In guidance that became effective on January 1, 2007, the federal banking agencies made it clear that they expect institutions to use stronger and more reliable methods to authenticate the identity of customers using electronic banking systems. Moreover, the FDIC has also issued guidance stating that financial institutions are expected to notify customers of unauthorized access to sensitive customer information under certain circumstances. The FDIC has issued a number of other supervisory guidance documents articulating its position and expectations concerning identity theft. Industry compliance with these expectations will help to prevent and mitigate the effects of identity theft.
 
 Risk management examiners trained in information technology (IT) and the requirements of the Bank Secrecy Act (BSA) evaluate a number of aspects of a bank's operations that raise identity theft issues. IT examiners are well-qualified to evaluate whether banks are incorporating emerging IT guidance into their Identity Theft Programs and GLBA 501(b) Information Security Programs; responsibly overseeing service provider arrangements; and taking action when a security breach occurs. In addition, IT examiners will consult with BSA examiners during the course of an examination to ensure that the procedures institutions employ to verify the identity of new customers are consistent with existing laws and regulations to prevent financial fraud, including identity theft.
 
 The FDIC has also issued revised examination procedures for the Fair Credit Reporting Act (FCRA), through the auspices of the Federal Financial Institutions Examination Council's (FFIEC) Consumer Compliance Task Force.  These procedures are used during consumer compliance examinations and include steps to ensure that institutions comply with the FCRA's fraud and active duty alert provisions. These provisions enable consumers to place alerts on their consumer reports that require users, such as banks, to take additional steps to identify the consumer before new credit is extended. The procedures also include reviews of institutions' compliance with requirements governing the accuracy of data provided to consumer reporting agencies. These requirements include the blocking of data that may be the result of an identity theft. Compliance examiners are trained in the various requirements of the FCRA and ensure that institutions have effective programs to comply with the identity theft provisions. Consumers are protected from identity theft through the vigilant enforcement of all the examination programs, including Risk Management, Compliance, IT and BSA.
 
 The Fair and Accurate Credit Transactions Act directed the FDIC and other federal agencies to jointly promulgate regulations and guidelines that focus on identity theft "red flags" and customer address discrepancies. As proposed, the guidelines would require financial institutions and creditors to establish a program to identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The proposed joint regulation would require financial institutions and creditors to establish reasonable policies to implement the guidelines, including a provision requiring debit and credit card issuers to assess the validity of a request for a change of address. In addition, the agencies proposed joint regulations that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when the user receives a notice of address discrepancy. When promulgated in final form, these joint regulations and guidelines will comprise another element of the FDIC's program to prevent and mitigate identity theft.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
 
 
INFORMATION SECURITY RISK ASSESSMENT
 
 Action Summary - Financial institutions must maintain an ongoing information security risk assessment program that effectively
 
 1)  Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
 
 2)  Analyzes the probability and impact associated with the known threats and vulnerabilities to its assets; and
 
 3)  Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and testing necessary for effective mitigation.
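The three steps above map naturally onto a small risk register: gathered entries, a probability-and-impact score for each, and a ranking that decides where training, controls and testing effort goes. The following is an added worked example, not text or code from the FFIEC booklet or from Yennik; the 1-to-5 scales, the multiplicative control model, the tier thresholds, the tier-to-action mapping and the sample register entries are all constructed assumptions.

```python
"""Worked example of the three-step risk assessment cycle: gather entries
about assets, threats, vulnerabilities and controls; analyze probability
and impact; prioritize the residual risks to decide where training,
controls and testing effort should go.

Added illustration; the scoring model, the 1-5 scales, the tier
thresholds and every register entry below are constructed assumptions,
not figures from the FFIEC booklet.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RiskEntry:
    """One row of the risk register (step 1: gathered data)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), before controls
    impact: int              # 1 (negligible) .. 5 (severe)
    controls: List[Tuple[str, float]] = field(default_factory=list)  # (name, effectiveness 0..1)


def validate(entry: RiskEntry) -> None:
    """Reject scores outside the assumed scales so bad data cannot hide a risk."""
    for name, value in (("likelihood", entry.likelihood), ("impact", entry.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{entry.asset}: {name} must be 1..5, got {value}")
    for ctrl, eff in entry.controls:
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"{entry.asset}: control {ctrl!r} effectiveness must be 0..1, got {eff}")


def inherent_risk(entry: RiskEntry) -> int:
    """Step 2, before controls: probability x impact on the 1-25 scale."""
    return entry.likelihood * entry.impact


def residual_risk(entry: RiskEntry) -> float:
    """Step 2, after controls.

    Assumed model: each control independently removes a fraction of the
    likelihood, so two 50% controls leave 25% of the inherent likelihood.
    """
    remaining = 1.0
    for _, effectiveness in entry.controls:
        remaining *= 1.0 - effectiveness
    return round(entry.likelihood * remaining * entry.impact, 2)


def tier(score: float) -> str:
    """Assumed tier thresholds on the 1-25 residual scale."""
    if score >= 12:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


# Step 3 output: what each tier should trigger (assumed mapping).
TIER_ACTIONS = {
    "high":   "add or strengthen controls now; independent test each quarter; targeted staff training",
    "medium": "schedule control improvements; test annually; cover in general awareness training",
    "low":    "accept and monitor; revisit at the next assessment cycle",
}


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Step 3: rank by residual risk, breaking ties by inherent risk, then asset name."""
    for entry in register:
        validate(entry)
    return sorted(register, key=lambda e: (-residual_risk(e), -inherent_risk(e), e.asset))


def report(register: List[RiskEntry]) -> List[dict]:
    """Ranked rows with their tier and the action the tier calls for."""
    rows = []
    for entry in prioritize(register):
        score = residual_risk(entry)
        rows.append({"asset": entry.asset, "threat": entry.threat,
                     "inherent": inherent_risk(entry), "residual": score,
                     "tier": tier(score), "action": TIER_ACTIONS[tier(score)]})
    return rows


# Constructed sample register for a small institution (assumption, not real data).
SAMPLE_REGISTER = [
    RiskEntry("internet banking portal", "credential stuffing", "password-only login",
              likelihood=4, impact=5, controls=[("multi-factor authentication", 0.7)]),
    RiskEntry("core banking database", "ransomware", "unpatched server, no tested restore",
              likelihood=3, impact=5),
    RiskEntry("employee laptops", "device theft", "customer data stored locally",
              likelihood=3, impact=4, controls=[("full-disk encryption", 0.9)]),
    RiskEntry("wire transfer system", "insider fraud", "one person can originate and approve",
              likelihood=2, impact=5, controls=[("dual control on wires", 0.5)]),
]

if __name__ == "__main__":
    for row in report(SAMPLE_REGISTER):
        print(f"{row['tier']:6} {row['residual']:5} {row['asset']:24} {row['threat']:20} -> {row['action']}")
```

Running the script ranks the unpatched core database first (no control reduces its likelihood, so residual equals inherent), while the laptop theft scenario drops to the bottom once full-disk encryption is credited. The point of keeping inherent and residual scores side by side is that a single high-effectiveness control can mask a large inherent exposure; the tie-breaker on inherent risk keeps such entries visible when residual scores are equal.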



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 4.7 Malicious Code
 
 Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other "uninvited" software. Sometimes mistakenly associated only with personal computers, malicious code can attack other platforms.
 
 A 1993 study of viruses found that while the number of known viruses is increasing exponentially, the number of virus incidents is not. The study concluded that viruses are becoming more prevalent, but only "gradually."
 
 The rate of PC-DOS virus incidents in medium to large North American businesses appears to be approximately 1 per 1,000 PCs per quarter; the number of infected machines is perhaps 3 or 4 times this figure if we assume that most such businesses are at least weakly protected against viruses.
 
 Actual costs attributed to the presence of malicious code have resulted primarily from system outages and staff time involved in repairing the systems. Nonetheless, these costs can be significant.
 
 Malicious Software: A Few Key Terms
 
 1)  Virus: A code segment that replicates by attaching copies of itself to existing executables. The new copy of the virus is executed when a user executes the new host program. The virus may include an additional "payload" that triggers when specific conditions are met. For example, some viruses display a text string on a particular date. There are many types of viruses, including variants, overwriting, resident, stealth, and polymorphic.
 
 2)  Trojan Horse: A program that performs a desired task, but that also includes unexpected (and undesirable) functions. Consider as an example an editing program for a multi-user system. This program could be modified to randomly delete one of the users' files each time they perform a useful function (editing), but the deletions are unexpected and definitely undesired!
 
 3)  Worm: A self-replicating program that is self-contained and does not require a host program. The program creates a copy of itself and causes it to execute; no user intervention is required. Worms commonly use network services to propagate to other host systems.
 
 Chapter 4.8 Foreign Government Espionage
 
 In some instances, threats posed by foreign government intelligence services may be present. In addition to possible economic espionage, foreign intelligence services may target unclassified systems to further their intelligence missions. Some unclassified information that may be of interest includes travel plans of senior officials, civil defense and emergency preparedness, manufacturing technologies, satellite data, personnel and payroll data, and law enforcement, investigative, and security files. Guidance should be sought from the cognizant security office regarding such threats.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
