R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

January 24, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b); our penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and our penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, an agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - FDA Issues More Medical Device Security Guidance - Latest Recommendations Focus on Postmarket Cybersecurity Risks - New proposed cybersecurity guidance from the Food and Drug Administration is an important step in getting medical device manufacturers more focused on the risks posed by their products as they're used in healthcare settings, security experts say. http://www.govinfosecurity.com/fda-issues-more-medical-device-security-guidance-a-8805

FYI - 'Uber of banking' banks on no fees, no branches - BankMobile CEO Jay Sidhu was pleased that I cover personal technology and not banking. http://www.usatoday.com/story/tech/columnist/baig/2016/01/19/uber-banking-banks-no-fees-no-branches/78884858/

FYI - Cyberattacks on critical manufacturing doubled in 2015 - The Department of Homeland Security investigated almost twice as many cyberattacks on the nation’s critical manufacturing sector in fiscal year 2015 as the year before, according to a new government report. http://thehill.com/policy/cybersecurity/266081-dhs-critical-manufacturing-cyberattacks-have-nearly-doubled

FYI - Trustwave failed to spot casino hackers right under its nose – lawsuit - And rival Mandiant sticks the boot in: 'Woefully inadequate' probe cited in court allegations - IT security biz Trustwave is being sued by a Las Vegas casino operator for allegedly bungling a hacking investigation. Trustwave denies any wrongdoing. http://www.theregister.co.uk/2016/01/16/trustwave_sued_by_casino/

FYI - Firm Sues Cyber Insurer Over $480K Loss - A Texas manufacturing firm is suing its cyber insurance provider for refusing to cover a $480,000 loss following an email scam that impersonated the firm’s chief executive. http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/

FYI - Nuclear Facilities Around the World Vulnerable to Cyber Attacks - Many countries are leaving themselves wide open to cyber attacks on their nuclear facilities, a watchdog group reports. http://www.nbcnews.com/tech/security/nuclear-facilities-around-world-vulnerable-cyber-attacks-watchdog-n496661

FYI - Network of U.S. Nuclear Regulatory Commission not optimized against cyberthreats - An audit of the Security Operations Center (SOC) responsible for securing the U.S. Nuclear Regulatory Commission's (NRC) network infrastructure reveals the SOC's procedures are currently not optimized to meet the rapidly escalating needs of its government client, in light of growing cyberthreats. http://www.scmagazine.com/audit-network-of-us-nuclear-regulatory-commission-not-optimized-against-cyberthreats/article/464944/

FYI - Power plants, utilities 'just hanging right off the internet's tubes' - US Homeland Security guy fed up with critical stuff accessible on the 'net - Utilities opening their infrastructure to the internet are creating an irresistible honeypot for criminals, says the US government's Industrial Control Systems Cyber Emergency Response Team. http://www.theregister.co.uk/2016/01/13/internet_connected_utilities_insecure/

FYI - Vermont bill would allow police to seize cell phones without warrant - A Vermont legislator who introduced a draft law allowing police officers to seize mobile devices without a warrant told a local news outlet that he hasn't “really thought about” how to limit officers from taking advantage of the warrantless searches that would be allowed under his bill. http://www.scmagazine.com/vermont-bill-would-allow-police-to-seize-cell-phones-without-warrant/article/466073/

FYI - May the brute force be with you: Worst 2015 passwords pay homage to Star Wars - As Obi-Wan Kenobi would say, "These aren't the passwords you're looking for." http://www.scmagazine.com/may-the-brute-force-be-with-you-worst-2015-passwords-pay-homage-to-star-wars/article/466178/

FYI - Ransomware and POS attackers to zero in on small businesses, retailers - Small businesses and retailers should expect cybercriminals to pay extra attention to them in the coming months with ransomware and point of sale attacks becoming even more common. http://www.scmagazine.com/ransomware-and-pos-attackers-to-zero-in-on-small-businesses-retailers/article/466318/

FYI - Princeton PhD candidate develops framework for measuring web privacy - Speaking at the first ever PrivacyCon in Washington DC, a PhD candidate at Princeton University unveiled an open source web measurement platform which he and his colleagues developed to measure the extent of browser tracking on the web. http://www.scmagazine.com/princeton-phd-candidate-develops-framework-for-measuring-web-privacy/article/466186/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hyatt discovers malware at 250 hotels - After reporting in December that it had found malware on the computers operating the company's payment processing systems, Hyatt Hotels Corp. listed 250 hotels that could have exposed information stored on the payment cards, including cardholder names, payment card numbers and internal verification codes and expiration dates. http://www.scmagazine.com/hyatt-discovers-malware-at-250-hotels/article/465560/

FYI - Zombie OS lurches through Royal Melbourne Hospital spreading virus - Windows XP shocker is 'willful negligence', OWASP boffin chimes. The pathology wing of the Royal Melbourne Hospital in the Australian state of Victoria is suffering from a virus infection on its Windows XP PCs. http://www.theregister.co.uk/2016/01/19/melbourne_hospital_pathology_wing_splattered_by_virus/

FYI - Details of 325K Earbits.com users available on public database - MacKeeper discovered 13 million Earbits.com account records that were left exposed on a database server. http://www.scmagazine.com/details-of-325k-earbitscom-users-available-on-public-database/article/466059/

FYI - DDoS attack disrupts Irish National Lottery - The Irish National Lottery website and ticket machines operations have been disrupted by a cyber-attack. http://www.scmagazine.com/ddos-attack-disrupts-irish-national-lottery/article/466607/


WEB SITE COMPLIANCE -
This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 5 of 6)
 
 Consumer Education
 

 The FDIC believes that consumers have an important role to play in protecting themselves from identity theft. As identity thieves become more sophisticated, consumers can benefit from accurate, up-to-date information designed to educate them concerning steps they should take to reduce their vulnerability to this type of fraud. The financial services industry, the FDIC and other federal regulators have made significant efforts to raise consumers' awareness of this type of fraud and what they can do to protect themselves.
 
 In 2005, the FDIC sponsored four identity theft symposia entitled Fighting Back Against Phishing and Account-Hijacking. At each symposium (held in Washington, D.C., Atlanta, Los Angeles and Chicago), panels of experts from government, the banking industry, consumer organizations and law enforcement discussed efforts to combat phishing and account hijacking, and to educate consumers on avoiding scams that can lead to account hijacking and other forms of identity theft. In 2006, the FDIC also sponsored a symposium series entitled Building Confidence in an E-Commerce World. Sessions were held in San Francisco, Phoenix and Miami. Further consumer education efforts are planned for 2007.
 
 In 2006, the FDIC released a multi-media educational tool, Don't Be an On-line Victim, to help online banking customers avoid common scams. It discusses how consumers can secure their computer, how they can protect themselves from electronic scams that can lead to identity theft, and what they can do if they become the victim of identity theft. The tool is being distributed through the FDIC's web site and via CD-ROM. Many financial institutions also now display anti-fraud tips for consumers in a prominent place on their public web site and send customers informational brochures discussing ways to avoid identity theft along with their account statements. Financial institutions are also redistributing excellent educational materials from the Federal Trade Commission, the federal government's lead agency for combating identity theft.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
 
 INFORMATION SECURITY RISK ASSESSMENT

 
 OVERVIEW
 
 
The quality of security controls can significantly influence all categories of risk. Traditionally, examiners and bankers recognize the direct impact on operational/transaction risk from incidents related to fraud, theft, or accidental damage. Many security weaknesses, however, can directly increase exposure in other risk areas. For example, the GLBA introduced additional legal/compliance risk due to the potential for regulatory noncompliance in safeguarding customer information. The potential for legal liability related to customer privacy breaches may present additional risk in the future. Effective application access controls can reduce credit and market risk by imposing risk limits on loan officers or traders. If a trader were to exceed the intended trade authority, the institution may unknowingly assume additional market risk exposure.
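The passage above gives one concrete control: application access controls that cap a trader's or loan officer's authority so the institution does not unknowingly take on market or credit risk. The Python below is an example added here to illustrate that control; it is not from the FFIEC booklet or from Yennik, Inc. The user names, instruments, limits and sample trades are constructed for illustration, and the Authority and TradeAuthorizer names are hypothetical.

```python
# Added example, not part of the FFIEC booklet or the newsletter: an
# application-layer authorization gate that enforces per-user trade authority
# limits before anything reaches the booking system.  User names, limits,
# instruments and the sample trades are constructed for illustration.
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Authority:
    """Limits approved for one user by the institution (assumed policy values)."""
    per_trade_limit: Decimal          # largest single notional the user may commit
    daily_limit: Decimal              # cumulative notional permitted per business day
    instruments: FrozenSet[str]       # asset classes the user is approved to trade


@dataclass
class TradeAuthorizer:
    """Deny-by-default gate between the trading UI and the booking system."""
    authorities: Dict[str, Authority]
    exposure: Dict[str, Decimal] = field(default_factory=dict)   # notional booked today, per user
    audit_log: List[str] = field(default_factory=list)           # every decision, allowed or denied

    def authorize(self, user: str, instrument: str, notional: Decimal) -> Tuple[bool, str]:
        """Return (allowed, reason) and record the decision.

        Every branch before the last one is a denial, so a user with no authority
        on file, an unapproved instrument, or an over-limit amount never reaches
        the step that commits exposure.
        """
        auth = self.authorities.get(user)
        if auth is None:
            return self._decide(user, instrument, notional, False, "no trade authority on file")
        if notional <= 0:
            return self._decide(user, instrument, notional, False, "notional must be positive")
        if instrument not in auth.instruments:
            return self._decide(user, instrument, notional, False, f"not approved for {instrument}")
        if notional > auth.per_trade_limit:
            return self._decide(user, instrument, notional, False,
                                f"exceeds per-trade limit {auth.per_trade_limit}")
        committed = self.exposure.get(user, Decimal(0))
        if committed + notional > auth.daily_limit:
            return self._decide(user, instrument, notional, False,
                                f"would exceed daily limit {auth.daily_limit} "
                                f"(already committed {committed})")
        # Exposure is updated only here, so the check and the commit stay together.
        self.exposure[user] = committed + notional
        return self._decide(user, instrument, notional, True, "within authority")

    def _decide(self, user: str, instrument: str, notional: Decimal,
                allowed: bool, reason: str) -> Tuple[bool, str]:
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{verdict} user={user} instrument={instrument} "
                              f"notional={notional} reason={reason}")
        return allowed, reason


def demo() -> Tuple[List[bool], List[str]]:
    """Run a constructed sequence of trades; return the verdicts and the audit log."""
    policy = {
        "trader_a": Authority(Decimal("1000000"), Decimal("2500000"), frozenset({"FX", "RATES"})),
        "officer_b": Authority(Decimal("250000"), Decimal("500000"), frozenset({"LOANS"})),
    }
    gate = TradeAuthorizer(policy)
    trades = [
        ("trader_a", "FX", Decimal("800000")),      # allowed: 0.8M committed
        ("trader_a", "FX", Decimal("900000")),      # allowed: 1.7M committed
        ("trader_a", "RATES", Decimal("1200000")),  # denied: over the 1.0M per-trade limit
        ("trader_a", "RATES", Decimal("900000")),   # denied: 1.7M + 0.9M exceeds 2.5M daily limit
        ("trader_a", "RATES", Decimal("800000")),   # allowed: lands exactly on the daily limit
        ("officer_b", "FX", Decimal("10000")),      # denied: not approved for FX
        ("nobody", "LOANS", Decimal("1")),          # denied: no authority on file
    ]
    verdicts = [gate.authorize(u, i, n)[0] for u, i, n in trades]
    return verdicts, gate.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The point for an examiner or risk manager is the order of operations: the limit check and the exposure update happen in one place, every denial is logged alongside every approval, and an unknown user or instrument is refused rather than defaulted to some limit, which is what lets the control actually bound the market risk the paragraph describes.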
 
 A strong security program reduces levels of reputation and strategic risk by limiting the institution's vulnerability to intrusion attempts and maintaining customer confidence and trust in the institution. Security concerns can quickly erode customer confidence and potentially decrease the adoption rate and rate of return on investment for strategically important products or services. Examiners and risk managers should incorporate security issues into their risk assessment process for each risk category. Financial institutions should ensure that security risk assessments adequately consider potential risk in all business lines and risk categories.
 
 Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. An adequate assessment identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities. A risk assessment is a necessary pre-requisite to the formation of strategies that guide the institution as it develops, implements, tests, and maintains its information systems security posture. An initial risk assessment may involve a significant one-time effort, but the risk assessment process should be an ongoing part of the information security program.
 
 Risk assessments for most industries focus only on the risk to the business entity. Financial institutions should also consider the risk to their customers' information. For example, section 501(b) of the GLBA requires financial institutions to "protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer."



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 4.9 Threats to Personal Privacy
 

 The accumulation of vast amounts of electronic information about individuals by governments, credit bureaus, and private companies, combined with the ability of computers to monitor, process, and aggregate large amounts of information about individuals, has created a threat to individual privacy. The possibility that all of this information and technology may be able to be linked together has arisen as a specter of the modern information age. This is often referred to as "Big Brother." To guard against such intrusion, Congress has enacted legislation over the years, such as the Privacy Act of 1974 and the Computer Matching and Privacy Protection Act of 1988, which defines the boundaries of the legitimate uses of personal information collected by the government.
 
 The threat to personal privacy arises from many sources. In several cases federal and state employees have sold personal information to private investigators or other "information brokers." One such case was uncovered in 1992 when the Justice Department announced the arrest of over two dozen individuals engaged in buying and selling information from Social Security Administration (SSA) computer files. During the investigation, auditors learned that SSA employees had unrestricted access to over 130 million employment records. Another investigation found that 5 percent of the employees in one region of the IRS had browsed through tax records of friends, relatives, and celebrities. Some of the employees used the information to create fraudulent tax refunds, but many were acting simply out of curiosity.
 
 As more of these cases come to light, many individuals are becoming increasingly concerned about threats to their personal privacy. A July 1993 special report in MacWorld cited polling data taken by Louis Harris and Associates showing that in 1970 only 33 percent of respondents were concerned about personal privacy. By 1990, that number had jumped to 79 percent.
 
 While the magnitude and cost to society of the personal privacy threat are difficult to gauge, it is apparent that information technology is becoming powerful enough to warrant fears of both government and corporate "Big Brothers." Increased awareness of the problem is needed.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
