FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, agreement and, cost saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - Most Windows security flaws mitigated by 'removing admin rights' - Almost nine-out-of-ten vulnerabilities targeting Windows last year could have been prevented by removing accounts with administrative rights. http://www.zdnet.com/article/most-windows-flaws-mitigated-by-removing-admin-rights-says-report/

FYI - Glitch In Time - Last week, a software glitch caused the GPS system to broadcast incorrect time signals. This post looks at the impact, and how organisations that depend on precise time can protect themselves. http://www.airtrafficmanagement.net/2016/02/glitch-in-time/

FYI - Energy sector execs see successful cyberattack as likely - A cyber attack on an organization in the energy, utility, oil and gas sectors is fully capable of causing harm to the physical plant, according to a Tripwire survey of IT professionals working in these fields. http://www.scmagazine.com/energy-sector-execs-see-successful-cyberattack-as-likely/article/471693/

FYI - Hacker threatens to expose info on DHS, FBI employees - Just two days before Director of National Intelligence James Clapper was to appear before the Senate Select Committee on Intelligence and offer an assessment of worldwide threats, a hacker threatened to release information on 20,000 FBI employees and 9,000 who work for the Department of Homeland Security (DHS). http://www.scmagazine.com/hacker-threatens-to-expose-info-on-dhs-fbi-employees/article/471974/

FYI - Need to call the FBI? Hacker offers you 20,000 numbers - The names, titles and contact information of thousands of FBI and Department of Homeland Security employees are allegedly dumped online. http://www.cnet.com/news/need-to-call-the-fbi-hacker-offers-you-20000-numbers/

FYI - Obama asks Congress for $19 billion to stop hacks - The White House has submitted a massive budget proposal that shows just how serious the president is about cybersecurity. http://www.cnet.com/news/obama-asks-congress-for-19-billion-to-stop-hacks/

FYI - Phishing scams a major cause of bank breaches - Malicious attachments and links, ShellShock and Denial of Service (DOS) attacks were the top three cyber threats facing the financial sector, which suffered having 20 million records breached last year, according to a new study released by IBM. http://www.scmagazine.com/ibm-phishing-scams-a-major-cause-of-bank-breaches/article/473617/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Student SSNs exposed in University of Central Florida breach - The University of Central Florida today publicly acknowledged a data breach in which the Social Security (SSN) numbers of 63,000 current and former students were illegally accessed. http://www.scmagazine.com/student-ssns-exposed-in-university-of-central-florida-breach/article/471439/

FYI - Mysterious spike in WordPress hacks silently delivers ransomware to visitors - It's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users. http://arstechnica.com/security/2016/02/mysterious-spike-in-wordpress-hacks-silently-delivers-ransomware-to-visitors/

FYI - Panther Creek senior arrested for hacking school, changing grades - Authorities arrested a Panther Creek High senior who is accused of hacking into a computer system last fall and changing students' grades between Oct. 6-22, 2015. http://www.scmagazine.com/panther-creek-senior-arrested-for-hacking-school-changing-grades/article/471697/

FYI - Rip-off artists use Southwest Airlines in Facebook scam - Facebook users' news feeds are lighting up with a new scam, this one centered on Southwest Airlines supposedly giving away hundreds of free tickets and $5,000 in cash. http://www.scmagazine.com/rip-off-artists-use-southwest-airlines-in-facebook-scam/article/473057/

FYI - Wendy's finds malware at some locations - Wendy's found malware on the systems at some of its restaurants that have been under investigation after some customers reported unusual activity on their payment cards used at several of the fast-food retailers' locations. http://www.scmagazine.com/wendys-update-malware-found-suit-filed/article/473309/

FYI - Employees mishandle data, violate HIPAA in Washington State Medicaid breach - The Washington State Health Care Authority (HCA) announced yesterday that employees at two state agencies committed a HIPAA violation by improperly exchanging private data pertaining to its Apple Health Medicaid clients. http://www.scmagazine.com/employees-mishandle-data-violate-hipaa-in-washington-state-medicaid-breach/article/473185/

FYI - Phishing scam nets PII from 730 Brightview employees - The Rockville, Md.-based landscape services firm Brightview, formerly called The Brickman Group, said an employee fell for a phishing scam and sent the personal information of about 700 workers to an unknown party. http://www.scmagazine.com/phishing-scam-nets-pii-from-730-brightview-employees/article/473589/

FYI - Alumni, deceased students among 1,100 affected in Montana school breach - A data breach last December that affected approximately 1,100 students and led to the resignation of a high school assistant principal exposed the information of nearly 200 alumni and at least two deceased students. http://www.scmagazine.com/nearly-200-alumni-among-those-affected-by-montana-high-school-breach/article/473457/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E  (Part 2 of 2)
 
 The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, OSC regulations provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.
 
 Additionally, the regulations clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.
 
 Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.
 
 Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 INFORMATION SECURITY RISK ASSESSMENT
 
 ANALYZE INFORMATION (2 of 2)
 
 Since specific scenarios can become too numerous for financial institutions to address individually, various techniques are used to generalize and extend the scenarios. For instance, one technique starts with a specific scenario and looks at additional damage that could occur if the attacker had different knowledge or motivation. This technique allows the reviewers to see the full extent of risk that exists from a given vulnerability. Another technique aggregates scenarios by high-value system components.
 
 Scenarios should consider attacks against the logical security, physical security, and combinations of logical and physical attacks. In addition, scenarios could consider social engineering, which involves manipulation of human trust by an attacker to obtain access to computer systems. It is often easier for an attacker to obtain access through manipulation of one or more employees than to perform a logical or physical intrusion.
 
 The risk from any given scenario is a function of the probability of the event occurring and the impact on the institution. The probability and impact are directly influenced by the financial institution's business profile, the effectiveness of the financial institution's controls, and the relative strength of controls when compared to other industry targets.
 
 The probability of an event occurring is reflected in one of two ways. If reliable and timely probability data is available, institutions can use it. Since probability data is often limited, institutions can assign a qualitative probability, such as frequent, occasional, remote, and improbable.
 
 Frequently, TSPs perform some or all of the institution's information processing and storage. Reliance on a third party for hosting systems or processing does not remove the institution's responsibility for securing the information. It does change how the financial institution will fulfill its role. Accordingly, risk assessments should evaluate the sensitivity of information accessible to or processed by TSPs, the importance of the processing conducted by TSPs, communications between the TSP's systems and the institution, contractually required controls, and the testing of those controls. Additional vendor management guidance is contained in the FFIEC's statement on "Risk Management of Outsourced Technology Services," dated November 28, 2000.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -

We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY

5.1 Program Policy

A management official, normally the head of the organization or the senior administration official, issues program policy to establish (or restructure) the organization's computer security program and its basic structure. This high-level policy defines the purpose of the program and its scope within the organization; assigns responsibilities (to the computer security organization) for direct program implementation, as well as other responsibilities to related offices (such as the Information Resources Management [IRM] organization); and addresses compliance issues.

Program policy sets organizational strategic directions for security and assigns resources for its implementation.

5.1.1 Basic Components of Program Policy

Components of program policy should address:

Purpose. Program policy normally includes a statement describing why the program is being established. This may include defining the goals of the program. Security-related needs, such as integrity, availability, and confidentiality, can form the basis of organizational goals established in policy. For instance, in an organization responsible for maintaining large mission-critical databases, reduction in errors, data loss, data corruption, and recovery might be specifically stressed. In an organization responsible for maintaining confidential personal data, however, goals might emphasize stronger protection against unauthorized disclosure.

Scope. Program policy should be clear as to which resources-including facilities, hardware, and software, information, and personnel - the computer security program covers. In many cases, the program will encompass all systems and organizational personnel, but this is not always true. In some instances, it may be appropriate for an organization's computer security program to be more limited in scope.

Responsibilities. Once the computer security program is established, its management is normally assigned to either a newly-created or existing office.

Program policy establishes the security program and assigns program management and supporting responsibilities

The responsibilities of officials and offices throughout the organization also need to be addressed, including line managers, applications owners, users, and the data processing or IRM organizations. This section of the policy statement, for example, would distinguish between the responsibilities of computer services providers and those of the managers of applications using the provided services. The policy could also establish operational security offices for major systems, particularly those at high risk or most critical to organizational operations. It also can serve as the basis for establishing employee accountability.

At the program level, responsibilities should be specifically assigned to those organizational elements and officials responsible for the implementation and continuity of the computer security policy.

Compliance. Program policy typically will address two compliance issues:

1)  General compliance to ensure meeting the requirements to establish a program and the responsibilities assigned therein to various organizational components. Often an oversight office (e.g., the Inspector General) is assigned responsibility for monitoring compliance, including how well the organization is implementing management's priorities for the program.

2)  The use of specified penalties and disciplinary actions. Since the security policy is a high-level document, specific penalties for various infractions are normally not detailed here; instead, the policy may authorize the creation of compliance structures that include violations and specific disciplinary action(s).

Those developing compliance policy should remember that violations of policy can be unintentional on the part of employees. For example, nonconformance can often be due to a lack of knowledge or training.