R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

March 1, 2015

Newsletter Content: FFIEC IT Security, Web Site Audits, Web Site Compliance, NIST Handbook, Penetration Testing
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning. The audit takes a hacker's perspective, which helps you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - After high-profile hacks, many companies still nonchalant about cybersecurity - Multiple surveys, including one recently released by defense contractor Raytheon, found that the attention paid to large breaches at corporations such as Sony and Anthem hasn't significantly changed attitudes about information security. http://www.csmonitor.com/World/Passcode/2015/0219/After-high-profile-hacks-many-companies-still-nonchalant-about-cybersecurity

FYI - JPMorgan beefs up cybersecurity with ex-military officers - One of the largest financial institutions in the United States is hiring ex-military officers to beef up its cybersecurity in the wake of a massive hack last year. http://thehill.com/policy/cybersecurity/233188-jpmorgan-beefs-up-cybersecurity-with-ex-military-officers

FYI - Older vulnerabilities a top enabler of breaches, according to report - Organizations are not properly patching their systems and networks, according to the HP Cyber Risk Report 2015, which took a look back at the threat landscape in 2014 and noted that 44 percent of known breaches were possible due to vulnerabilities identified years ago. http://www.scmagazine.com/report-shows-organizations-dont-properly-patch-systems-networks/article/399708/

FYI - Business Continuity Planning Booklet Appendix J Update to FFIEC IT Examination Handbook Series - The Federal Financial Institutions Examination Council has issued an appendix to the Business Continuity Planning booklet of the FFIEC Information Technology Examination Handbook entitled "Strengthening the Resilience of Outsourced Technology Services."  www.fdic.gov/news/news/financial/2015/fil15009.pdf 

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Lenovo laptops ship with adware that hijacks HTTPS connections - Chinese hardware manufacturer Lenovo has come under fire for allegedly shipping consumer Windows laptops with software that hijacks secure website connections, as well as inserting ads into search results. http://www.zdnet.com/article/lenovo-accused-of-pushing-superfish-self-signed-mitm-proxy/

FYI - Three Months Later, State Department Hasn’t Rooted Out Hackers - Amount of data lost in unclassified email network is unclear; Investigators point finger at Russia.
http://www.wsj.com/articles/three-months-later-state-department-hasnt-rooted-out-hackers-1424391453
http://www.scmagazine.com/hackers-still-meddling-in-state-dept-network-three-months-in/article/399417/

FYI - Possible database compromise prompts Canadian Bitcoin exchange to shut down - Canadian Bitcoin exchange CAVIRTEX is shutting down following a database compromise, the company announced on Tuesday. http://www.scmagazine.com/possible-database-compromise-prompts-canadian-bitcoin-exchange-to-shut-down/article/399176/

FYI - Thousands impacted in Texas health clinic system breach - Texas-based Lone Star Circle of Care is notifying roughly 8,700 individuals that their personal information was inadvertently placed publicly on the Lone Star Circle of Care website for nearly six months, and was accessed numerous times by unauthorized individuals. http://www.scmagazine.com/thousands-impacted-in-texas-health-clinic-system-breach/article/399681/

FYI - Illinois police department pays ransom after Cryptoware infection - The police department in a Chicago suburb paid an unknown hacker $500 to regain access to data on a police computer infected with ransomware. http://www.scmagazine.com/illinois-police-department-pays-ransom-after-cryptoware-infection/article/399677/

FYI - State Department Trashed 30,000 Log-in Key Fobs After Hack - The State Department over the past few months replaced some 30,000 network log-in fobs and digital tokens that employees had been using to access its systems remotely, after the agency's unclassified network was hacked, according to a department official. http://www.nextgov.com/cybersecurity/2015/02/state-trashed-30000-login-key-fobs-after-hack/105762/

FYI - Breach affects 10K motorists in U.K. - Nearly 10,000 motorists in the U.K. could be impacted by a breach that exposed details of their parking tickets online. http://www.scmagazine.com/breach-affects-10k-motorists-in-uk/article/399791/

FYI - California dentist announces theft of server containing patient information - The office of a dentist in California, Cathrine Steinborn, was burglarized and a server containing patient and responsible party information – including Social Security numbers – was stolen. http://www.scmagazine.com/california-dentist-announces-theft-of-server-containing-patient-information/article/399804/

FYI - Up to 18.8 million non-Anthem members possibly affected in breach - Anthem health insurance members might not be the only ones affected by the company's recent data breach. http://www.scmagazine.com/anthem-says-non-members-impacted-by-breach/article/400199/

FYI - Malware on Lime Crime website, payment cards compromised - Cosmetics company Lime Crime is notifying an undisclosed number of customers that unauthorized access was gained to its website server and malware designed to intercept customer data, including payment card information was installed – from October 2014 to February. http://www.scmagazine.com/malware-on-lime-crime-website-payment-cards-compromised/article/400192/


WEB SITE COMPLIANCE - We continue the series on FDIC Supervisory Insights regarding Incident Response Programs. (5 of 12)

Notification Procedures

An institution should notify its primary Federal regulator as soon as it becomes aware of the unauthorized access to or misuse of sensitive customer information or customer information systems. Notifying the regulatory agency will help it determine the potential for broader ramifications of the incident, especially if the incident involves a service provider, as well as assess the effectiveness of the institution's IRP.

Institutions should develop procedures for notifying law enforcement agencies and filing SARs in accordance with their primary Federal regulator's requirements.  Law enforcement agencies may serve as an additional resource in handling and documenting the incident. Institutions should also establish procedures for filing SARs in a timely manner because regulations impose relatively quick filing deadlines. The SAR form itself may serve as a resource in the reporting process, as it contains specific instructions and thresholds for when to file a report. The SAR form instructions also clarify what constitutes a "computer intrusion" for filing purposes. Defining procedures for notifying law enforcement agencies and filing SARs can streamline these notification and reporting requirements.

Institutions should also address customer notification procedures in their IRP. When an institution becomes aware of an incident involving unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine the likelihood that such information has been or will be misused. If the institution determines that sensitive customer information has been misused or that misuse of such information is reasonably possible, it should notify the affected customer(s) as soon as possible. Developing standardized procedures for notifying customers will assist in making timely and thorough notification. As a resource in developing these procedures, institutions should reference the April 2005 interpretive guidance, which specifically addresses when customer notification is necessary, the recommended content of the notification, and the acceptable forms of notification.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - TESTING CONCEPTS AND APPLICATION

Testing Risks to Data Integrity, Confidentiality, and Availability. Management is responsible for carefully controlling information security tests to limit the risks to data integrity, confidentiality, and system availability. Because testing may uncover nonpublic customer information, appropriate safeguards to protect the information must be in place. Contracts with third parties to provide testing services should require that the third parties implement appropriate measures to meet the objectives of section 501(b) of the GLBA. Management also is responsible for ensuring that employee and contract personnel who perform the tests or have access to the test results have passed appropriate background checks, and that contract personnel are appropriately bonded. Because certain tests may pose more risk to system availability than other tests, management is responsible for considering whether to require the personnel performing those tests to maintain logs of their testing actions. Those logs can be helpful should the systems react in an unexpected manner.

Confidentiality of Test Plans and Data. Since knowledge of test planning and results may facilitate a security breach, institutions should carefully limit the distribution of their testing information. Management is responsible for clearly identifying the individuals responsible for protecting the data and for providing guidance for that protection, while making the results available in a usable form to those who are responsible for following up on the tests. Management also should consider requiring contractors to sign nondisclosure agreements and to return to the institution information they obtained in their testing.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.3.6 Complying with Export Rules

The US government controls the export of cryptographic implementations. The rules governing export can be quite complex, since they consider multiple factors. In addition, cryptography is a rapidly changing field, and rules may change from time to time. Questions concerning the export of a particular implementation should be addressed to appropriate legal counsel.

19.4 Interdependencies

There are many interdependencies among cryptography and other security controls highlighted in this handbook. Cryptography both depends on other security safeguards and assists in providing them.

Physical Security. Physical protection of a cryptographic module is required to prevent, or at least detect, physical replacement or modification of the cryptographic system and the keys within it. In many environments (e.g., open offices, portable computers), the cryptographic module itself has to provide the desired levels of physical security. In other environments (e.g., closed communications facilities, steel-encased Cash-Issuing Terminals), a cryptographic module may be safely employed within a secured facility.

User Authentication. Cryptography can be used both to protect passwords that are stored in computer systems and to protect passwords that are communicated between computers. Furthermore, cryptographic-based authentication techniques may be used in conjunction with, or in place of, password-based techniques to provide stronger authentication of users.

Logical Access Control. In many cases, cryptographic software may be embedded within a host system, and it may not be feasible to provide extensive physical protection to the host system. In these cases, logical access control may provide a means of isolating the cryptographic software from other parts of the host system and for protecting the cryptographic software from tampering and the keys from replacement or disclosure. The use of such controls should provide the equivalent of physical protection.

Audit Trails. Cryptography may play a useful role in audit trails. For example, audit records may need to be signed. Cryptography may also be needed to protect audit records stored on computer systems from disclosure or modification. Audit trails are also used to help support electronic signatures.
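As an added example of the second point above, protecting stored audit records from undetected modification (not code from the NIST Handbook), the block below keeps a keyed hash over each record and the previous record's tag. Any edit, deletion or reordering of a record breaks the chain from that point on, and the verifier reports the first bad index. An HMAC is used so the example stays within the standard library; a signature under a private key would give the same tamper evidence plus non-repudiation, as the signed audit records in the passage suggest. The key and the sample events are constructed for the illustration.

```python
"""Tamper-evident audit trail using a keyed hash chain (added example)."""
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed key for illustration only; a real key lives in a protected key store,
# separate from the system whose actions are being logged.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS_TAG = "0" * 64   # stands in for "previous tag" on the first record


def _tag(key: bytes, prev_tag: str, seq: int, event: dict) -> str:
    # Canonical JSON so the same record always hashes identically.
    body = json.dumps({"seq": seq, "event": event}, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, prev_tag.encode("ascii") + b"\n" + body.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def append_record(log: List[dict], key: bytes, event: dict) -> dict:
    """Append an event with a tag chained to its predecessor; return the stored entry."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    seq = len(log)
    entry = {"seq": seq, "event": event, "tag": _tag(key, prev_tag, seq, event)}
    log.append(entry)
    return entry


def verify_log(log: List[dict], key: bytes) -> Optional[int]:
    """Return None if every record chains correctly, else the index of the first bad record."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        if entry.get("seq") != i:          # reordered or deleted record
            return i
        expected = _tag(key, prev_tag, i, entry.get("event", {}))
        if not hmac.compare_digest(expected, str(entry.get("tag", ""))):
            return i                       # modified record, or wrong key
        prev_tag = entry["tag"]
    return None


def demo() -> dict:
    """Constructed sample events; returns verification results for several scenarios."""
    log: List[dict] = []
    append_record(log, AUDIT_KEY, {"user": "teller01", "action": "login", "result": "ok"})
    append_record(log, AUDIT_KEY, {"user": "teller01", "action": "view_account", "acct": "****1234"})
    append_record(log, AUDIT_KEY, {"user": "teller01", "action": "logout"})

    # Modify the middle record's content without touching its tag.
    modified = [dict(e, event=dict(e["event"])) for e in log]
    modified[1]["event"]["acct"] = "****9999"

    # Delete the middle record; the following record's seq and tag no longer fit.
    deleted = [log[0], log[2]]

    # Drop only the tail; chaining alone cannot see this (see note below).
    truncated = log[:2]

    return {
        "intact": verify_log(log, AUDIT_KEY),
        "modified_at": verify_log(modified, AUDIT_KEY),
        "deleted_at": verify_log(deleted, AUDIT_KEY),
        "truncated": verify_log(truncated, AUDIT_KEY),
        "wrong_key_at": verify_log(log, b"some-other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

Chaining detects changes inside the log but not removal of the most recent records, because a shortened chain is still internally consistent. The usual remedy is to periodically record the latest tag somewhere the logging system cannot rewrite (a separate log server, a signed daily checkpoint), so the auditor can confirm the chain still ends where it should.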

Assurance. Assurance that a cryptographic module is properly and securely implemented is essential to the effective use of cryptography. NIST maintains validation programs for several of its standards for cryptography. Vendors can have their products validated for conformance to the standard through a rigorous set of tests. Such testing provides increased assurance that a module meets stated standards, and system designers, integrators, and users can have greater confidence that validated products conform to accepted standards.

A cryptographic system should be monitored and periodically audited to ensure that it is satisfying its security objectives. All parameters associated with correct operation of the cryptographic system should be reviewed, and operation of the system itself should be periodically tested and the results audited. Certain information, such as secret keys or private keys in public key systems, should not be subject to audit. However, nonsecret or nonprivate keys could be used in a simulated audit procedure.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
© Copyright Yennik, Incorporated