FYI
First-in-nation state-mandated cybersecurity regulation takes effect March 1 - The nation's first state-mandated cybersecurity
regulations regarding banking and financial services companies are
scheduled to go into effect in New York state on March 1.
https://www.scmagazine.com/first-in-nation-state-mandated-cybersecurity-regulation-takes-effect-march-1/article/639528/
https://www.scmagazine.com/new-yorks-cybersecurity-requirements-are-coming-are-you-ready/article/639683/
Almost all organizations lack the technology to defend against cyberattacks - A new survey shows that just three percent of IT
security professionals believe their organization has the technology
in place to deal with the most common cyber problems that they face.
https://www.scmagazine.com/almost-all-organizations-lack-the-technology-to-defend-against-cyberattacks-tripwire/article/638345/
New Mexico close to data breach bill - New Mexico's House of
Representatives passed a data breach bill on Wednesday night by a
unanimous vote.
https://www.scmagazine.com/new-mexico-close-to-data-breach-bill/article/638424/
Homeland Security Chairman: We're in the Fight of Our Digital Lives
- The chairman of the House of Representatives Homeland Security
Committee, Republican Michael McCaul, didn't mince words to describe
threats to the country's cyber-security during a keynote here.
http://www.eweek.com/security/homeland-security-chairman-were-in-the-fight-of-our-digital-lives.html
NIST Wants To Know How Utility Companies Can Deter Hackers - A new
federal effort aims to help energy companies protect themselves from
hackers trying to shut down the power grid.
http://www.nextgov.com/cybersecurity/2017/02/nist-wants-know-how-utility-companies-deter-hackers/135555/
Smash up your kid's Bluetooth-connected Cayla 'surveillance' doll,
Germany urges parents - Or switch it off, bin it, bury it,
whatever's necessary - Germany's Federal Network Agency, or
Bundesnetzagentur, has banned Genesis Toys' Cayla doll as an illegal
surveillance device.
http://www.theregister.co.uk/2017/02/17/cayla_doll_banned_in_germany/
Reworked N.Y. Cybersecurity Regulation Takes Effect in March - New
York's controversial new cybersecurity regulation will come into
effect March 1, imposing new rules on the banking and insurance
sectors with the aim of better protecting institutions and consumers
against cyberattacks.
http://www.bankinfosecurity.com/reworked-ny-cybersecurity-regulation-takes-effect-in-march-a-9733
Malware targeting banks contains apparent false flags designed to
frame Russians - Malware samples recovered from watering hole
attacks that have recently targeted banks across the globe contain
false flags that fraudulently suggest Russian actors are behind the
campaign, even though the most likely culprit remains the North
Korea-linked APT Lazarus Group, BAE Systems reported in a Monday
blog post.
https://www.scmagazine.com/malware-targeting-banks-contains-apparent-false-flags-designed-to-frame-russians/article/639223/
Lawsuit claims employee who moved to rival firm stole confidential
info - Court filings have accused ticketing company Ticketmaster of
using information stolen from a rival firm's computers to spy on its
activities. The information was allegedly stolen by a previous
employee of the firm, who now works for Ticketmaster.
https://www.scmagazine.com/lawsuit-claims-employee-who-moved-to-rival-firm-stole-confidential-info/article/639212/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
Israeli soldiers hit by Android malware from cyberespionage group - More than 100 soldiers from the Israel Defense Forces had their
Android phones infected with malware by a cyberespionage group.
http://computerworld.com/article/3171148/security/israeli-soldiers-hit-by-android-malware-from-cyberespionage-group.html
Trump fundraising website hacked - A fundraising website of
President Donald Trump was defaced on Feb. 19, according to a post
on Graham Cluley's security news site.
https://www.scmagazine.com/trump-fundraising-website-hacked/article/639220/
17K affected in W-2 data breach at American Senior Communities -
American Senior Communities reported that several employees have had
their federal tax returns rejected by the IRS with the government
stating they were duplicates. This is most likely due to a company
payroll worker falling for a W-2 phishing scam in January resulting
in cybercriminals filing false returns using the stolen data.
https://www.scmagazine.com/17k-affected-in-w-2-data-breach-at-american-senior-communities/article/639225/
400K patient records lost in January health care breaches - Insider
threats dominated Protenus' Health Care Breach Barometer with just
over half of the compromised patient records that were lost in
January being the result of either malicious or unintentional action
by an insider.
https://www.scmagazine.com/400k-patient-records-lost-in-january-health-care-breaches/article/639385/
Yahoo reveals more breachiness to users victimized by forged cookies
- Some accounts may have been accessed with forged cookies as
recently as 2016.
https://arstechnica.com/information-technology/2017/02/yahoo-reveals-more-breachiness-to-users-victimized-by-forged-cookies/
WEB SITE COMPLIANCE
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
Board and Management Oversight - Principle 10:
Banks should take appropriate measures to preserve the
confidentiality of key e-banking information. Measures taken to
preserve confidentiality should be commensurate with the sensitivity
of the information being transmitted and/or stored in databases.
Confidentiality is the assurance that key information remains
private to the bank and is not viewed or used by those unauthorized
to do so. Misuse or unauthorized disclosure of data exposes a bank
to both reputation and legal risk. The advent of e-banking presents
additional security challenges for banks because it increases the
exposure that information transmitted over the public network or
stored in databases may be accessible by unauthorized or
inappropriate parties or used in ways the customer providing the
information did not intend. Additionally, increased use of service
providers may expose key bank data to other parties.
To meet these challenges concerning the preservation of
confidentiality of key e-banking information, banks need to ensure
that:
1) All confidential bank data and records are only accessible by
duly authorized and authenticated individuals, agents or systems.
2) All confidential bank data are maintained in a secure manner
and protected from unauthorized viewing or modification during
transmission over public, private or internal networks.
3) The bank's standards and controls for data use and protection
must be met when third parties have access to the data through
outsourcing relationships.
4) All access to restricted data is logged and appropriate
efforts are made to ensure that access logs are resistant to
tampering.
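Item 4 asks that access logs resist tampering. One way to meet that, as an added example that is not part of the Basel Committee text or any bank's own system: an HMAC-chained access log in Python, where each record's tag also covers the previous tag, so an edited, deleted or reordered record fails verification from that point on. The key is assumed to be held by a separate log collector rather than the host writing records; field names and sample values are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed chain anchor; the first record chains to this


def append_record(log, key, principal, resource, action, ts):
    """Append one access record whose tag also covers the previous tag."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"ts": ts, "principal": principal, "resource": resource,
            "action": action, "prev": prev}
    # Canonical JSON so identical fields always produce identical bytes.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, canon, hashlib.sha256).hexdigest()
    log.append({**body, "tag": tag})
    return tag


def verify_log(log, key):
    """Walk the chain; return (True, None) or (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("prev") != expected_prev:
            return False, i  # a record was deleted, reordered or spliced in
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        want = hmac.new(key, canon, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, rec["tag"]):
            return False, i  # a field was changed after it was logged
        expected_prev = rec["tag"]
    return True, None


def demo():
    """Three constructed records, then an insider edit and a deletion."""
    key = b"constructed-demo-key"  # a real key stays with the log collector
    log = []
    append_record(log, key, "teller42", "acct/1001", "read", "2017-02-20T09:00Z")
    append_record(log, key, "dba07", "acct/1001", "update", "2017-02-20T09:05Z")
    append_record(log, key, "auditor1", "acct/1001", "read", "2017-02-20T09:10Z")
    clean = verify_log(log, key)
    log[1]["principal"] = "teller42"  # rewrite who performed the update
    edited = verify_log(log, key)
    del log[1]  # remove the record outright
    deleted = verify_log(log, key)
    return clean, edited, deleted
```

Without the key an editor cannot recompute a valid tag, so the collector's periodic verification pinpoints the first altered or missing record.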
FFIEC IT SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.
MALICIOUS CODE
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes, and
transmitting screenshots to the attacker.
Typically malicious code is mobile, using e-mail, Instant
Messenger, and other peer-to-peer (P2P) applications, or active
content attached to Web pages as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as entering the code in a response
form on a Web page.
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 9 - Assurance
9.4.2.3 Configuration Management
From a security point of view, configuration management provides
assurance that the system in operation is the correct version
(configuration) of the system and that any changes to be made are
reviewed for security implications. Configuration management can be
used to help ensure that changes take place in an identifiable and
controlled environment and that they do not unintentionally harm any
of the system's properties, including its security. Some
organizations, particularly those with very large systems (such as
the federal government), use a configuration control board for
configuration management. When such a board exists, it is helpful to
have a computer security expert participate. In any case, it is
useful to have computer security officers participate in system
management decision-making.
Changes to the system can have security implications because they
may introduce or remove vulnerabilities and because significant
changes may require updating the contingency plan, risk analysis, or
accreditation.
9.4.2.4 Trade Literature/Publications/Electronic News
In addition to monitoring the system, it is useful to monitor
external sources for information. Such sources as trade literature,
both printed and electronic, have information about security
vulnerabilities, patches, and other areas that impact security. The
Forum of Incident Response Teams (FIRST) has an electronic mailing
list that receives information on threats, vulnerabilities, and
patches.
9.5 Interdependencies
Assurance is an issue for every control and safeguard discussed in
this Handbook. Are user ID and access privileges kept up to date?
Has the contingency plan been tested? Can the audit trail be
tampered with? One important point to be reemphasized here is that
assurance is not only for technical controls, but for operational
controls as well. Although the chapter focused on information
systems assurance, it is also important to have assurance that
management controls are working well. Is the security program
effective? Are policies understood and followed? As noted in the
introduction to this chapter, the need for assurance is more
widespread than people often realize.
Life Cycle. Assurance is closely linked to the planning for
security in the system life cycle. Systems can be designed to
facilitate various kinds of testing against specified security
requirements. By planning for such testing early in the process,
costs can be reduced; in some cases, without proper planning, some
kinds of assurance cannot be otherwise obtained.
9.6 Cost Considerations
There are many methods of obtaining assurance that security
features work as anticipated. Since assurance methods tend to be
qualitative rather than quantitative, they will need to be
evaluated. Assurance can also be quite expensive, especially if
extensive testing is done. It is useful to evaluate the amount of
assurance received for the cost to make a best-value decision. In
general, personnel costs drive up the cost of assurance. Automated
tools are generally limited to addressing specific problems, but
they tend to be less expensive.