R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 3, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, the agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - From NY To Bangladesh: Inside An Inexcusable Cyber Heist - A spelling error was the tipoff to last month's multimillion-dollar digital bank heist. But could multifactor authentication have prevented it in the first place? http://www.darkreading.com/attacks-breaches/from-ny-to-bangladesh-inside-an-inexcusable-cyber-heist/a/d-id/1324879

FYI - Six months in, chipped credit cards gaining acceptance with consumers, retailers - The six-month anniversary of chipped credit cards – becoming the standard for retailers – is coming up on April 1 and the general consensus in the industry on the rollout is “so far so good,” with a touch of “these things take time” thrown in. http://www.scmagazine.com/six-months-in-chipped-credit-cards-gaining-acceptance-with-consumers-retailers/article/485558/

FYI - Survey says companies unprepared for ransomware, phishing attacks - Tripwire released the results of a survey that was conducted earlier this month at the RSA Conference that asked 200 security pros how prepared their company is to face various cybercrimes and, for the most part, the answers were pessimistic. http://www.scmagazine.com/survey-says-companies-unprepared-for-ransomware-phishing-attacks/article/485850/

FYI - Dangerous New USB Trojan Discovered - 'USB Thief' could be used for targeted purposes, researchers at ESET say. The Internet and the growing interconnectedness of networks have made it incredibly easy for threat actors to deliver and propagate malware. But not all cyber threats are Internet-borne. http://www.darkreading.com/attacks-breaches/dangerous-new-usb-trojan-discovered/d/d-id/1324853

FYI - MedStar Health's refusal to admit it was hit with ransomware is logical, experts - MedStar Health's attempt to hide the type of attack that knocked its systems offline for the last few days in all likelihood informed the world of exactly what it was trying to hide: It was a ransomware attack. http://www.scmagazine.com/medstar-healths-refusal-to-admit-it-was-hit-with-ransomware-is-logical-experts/article/486427/

FYI - 10% of large companies do not use any cybersecurity framework - A survey of IT and security professionals found that 16% of organizations do not use any cybersecurity framework. http://www.scmagazine.com/report-10-of-large-companies-do-not-use-any-cybersecurity-framework/article/486731/

FYI - Nearly 1,500 vulnerabilities found in automated medical equipment - Security researchers have discovered 1,418 flaws in outdated medical equipment still in use by some healthcare providers. The vulnerabilities could allow hackers to remotely exploit systems. http://www.scmagazine.com/nearly-1500-vulnerabilities-found-in-automated-medical-equipment/article/486497/

FYI - Ukraine approves new cyber-security strategy - New standards and cyber-security strategy approved in Ukraine to thwart Russians hacking infrastructure as Russian software purchases halted. http://www.scmagazine.com/ukraine-approves-new-cyber-security-strategy/article/486498/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Water treatment plant hacked, chemical mix changed for tap supplies - Well, that's just a little scary - Hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water, we're told. http://www.theregister.co.uk/2016/03/24/water_utility_hacked/

FYI - Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection - A Kentucky hospital says it is operating in an “internal state of emergency” after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up. http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency-after-ransomware-infection/

FYI - Pentagon Cut Off Access to Personal Email to Fight Malicious Messages - Pentagon officials last week cut off employee access to private webmail after a malicious, pervasive email campaign was spotted. http://www.nextgov.com/cybersecurity/2016/03/pentagon-cut-access-personal-email-fight-malicious-messages/126902/

FYI - Data breach authority Verizon Enterprise breached; 1.5 million customers impacted - Known for its highly respected Data Breach Investigations Report, Verizon Enterprise Solutions has suffered its own data breach, after a cybercriminal was discovered selling information linked to 1.5 million of its customers. http://www.scmagazine.com/data-breach-authority-verizon-enterprise-breached-15-million-customers-impacted/article/485436/

FYI - Concordia University discovers keylogger security incident - A university in Montréal, Québec discovered keylogger devices on computer workstations used by students in university libraries. http://www.scmagazine.com/concordia-university-discovers-keylogger-security-incident/article/485609/

FYI - 3,000 Tidewater Community College workers victimized in W-2 scam - Tidewater Community College (TCC) in Norfolk, Va., reported that the tax information of all those employed at the school in 2015 was taken in a spear phishing scam. http://www.scmagazine.com/3000-tidewater-community-college-workers-victimized-in-w-2-scam/article/485805/

FYI - Pennsylvania police warn speeding ticket scam could spread malware - The Tredyffrin, Penn. Township Police Department is warning residents of an email scam that sends fake speeding citations via email and requests payment be made using an online site. http://www.scmagazine.com/pennsylvania-police-warn-an-app-may-have-been-hacked-to-send-fake-speeding-tickets/article/485695/

FYI - Verizon Acknowledges Breach of 'Basic' Customer Contact Data - Attackers used a flaw in Verizon’s enterprise-customer portal to grab client data from the company, which has made a name for itself as an expert in responding to breaches.
http://www.eweek.com/security/verizon-acknowledges-breach-of-basic-customer-contact-data.html
http://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-customer-data/

FYI - Chinese hackers rob over 18M user credentials via Japanese server - Over 18 million user credentials have been found on a server of a Japanese company who let Chinese hackers use it in their attacks. http://www.scmagazine.com/chinese-hackers-rob-over-18m-user-credentials-via-japanese-server/article/485980/

FYI - Truecaller app risks exposing info of 100 million users - A popular caller ID Android application that blocks incoming spam callers has a privacy flaw that threatens to expose the personal information of over 100 million users. http://www.scmagazine.com/truecaller-app-risks-exposing-info-of-100-million-users/article/485982/

FYI - Hacker exploits vulnerabilities to sneak bogus paint-drying game onto Steam store - A white-hat hacker reportedly sneaked his own video game onto Valve's online Steam store without undergoing the usual approval process, in order to point out alleged vulnerabilities in the system. http://www.scmagazine.com/hacker-exploits-vulnerabilities-to-sneak-bogus-paint-drying-game-onto-steam-store/article/486408/

FYI - FBI investigating attack against computer networks at U.S. law firms - The Federal Bureau of Investigation (FBI) and the Manhattan U.S. attorney's office are investigating an attack in which hackers accessed the computer networks at U.S. law firms, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, according to a Wall Street Journal report. http://www.scmagazine.com/fbi-investigating-attack-against-computer-networks-at-us-law-firms/article/486419/

FYI - University of Central Florida facing more than $100K cost following breach - The University of Central Florida (UCF) released figures for how much it will cost to notify potential victims of a data breach it experienced last month. http://www.scmagazine.com/university-of-central-florida-facing-more-than-100k-cost-following-breach/article/486257/

FYI - Developer's 11 lines of deleted code 'breaks the internet' - Web development around the world was disrupted when a 28-year-old man deleted 11 lines of his code from npm. http://www.scmagazine.com/developers-11-lines-of-deleted-code-breaks-the-internet/article/486386/

FYI - Ransom notes reportedly spotted on MedStar computers - As MedStar Health said today it is still in the process of recovering from a cyberattack that took place two days ago, published reports said hospital staffers observed a ransom note appearing on some company computers. http://www.scmagazine.com/ransom-notes-reportedly-spotted-on-medstar-computers/article/486420/

FYI - Hacker leaks Norfolk Admirals customer data - A hacker Wednesday posted online the personal information of roughly 250 Norfolk Admirals hockey team customers. http://www.scmagazine.com/hacker-leaks-thousands-of-accounts-belonging-to-norfolk-admirals-customers/article/486509/

FYI - Data on 1K staffers and students at Kentucky State University exposed - Kentucky State University was hit with a data breach on March 22 when an employee, responding to an email supposedly from the school's president, sent off W-2s for employees and students. http://www.scmagazine.com/data-on-1k-staffers-and-students-at-kentucky-state-university-exposed/article/486507/

FYI - Founder of Oilpro.com charged with hacking into competitor's database - The Department of Justice (DOJ) announced the arrest of David Kent, founder of the Houston-based professional networking website Oilpro.com, on charges relating to computer hacking and wire fraud. http://www.scmagazine.com/founder-of-oilprocom-charged-with-hacking-into-competitors-database/article/486514/

FYI - Scammers phishing using fake Macy's delivery emails - Macy's is reportedly investigating a phishing scam that uses a fake Macy's delivery email notification for what is usually a non-existent order. http://www.scmagazine.com/better-business-bureau-warns-of-macys-phishing-scam/article/486728/


WEB SITE COMPLIANCE - Flood Disaster Protection Act
 
 The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
 
 SECURITY CONTROLS - IMPLEMENTATION
 

 LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
 
 Access Rights Administration (2 of 5)
 

 System devices, programs, and data are system resources. Each system resource may need to be accessed by other system resources and individuals in order for work to be performed. Access beyond the minimum required for work to be performed exposes the institution's systems and information to a loss of confidentiality, integrity, and availability. Accordingly, the goal of access rights administration is to identify and restrict access to any particular system resource to the minimum required for work to be performed.  The financial institution's security policy should address access rights to system resources and how those rights are to be administered.
 
 Management and information system administrators should critically evaluate information system access privileges and establish access controls to prevent unwarranted access.  Access rights should be based upon the needs of the applicable user or system resource to carry out legitimate and approved activities on the financial institution's information systems.  Policies, procedures, and criteria need to be established for both the granting of appropriate access rights and for the purpose of establishing those legitimate activities.  Formal access rights administration for users consists of four processes:
 
 ! An enrollment process to add new users to the system;
 
 ! An authorization process to add, delete, or modify authorized user access to operating systems, applications, directories, files, and specific types of information;
 
 ! An authentication process to identify the user during subsequent activities; and
 
 ! A monitoring process to oversee and manage the access rights granted to each user on the system.
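A minimal model of the four processes above (enrollment, authorization, authentication, monitoring), added here as an example; it is not code from the FFIEC booklet or from Yennik, and the role-to-rights table, user names and 90-day staleness window are assumptions. It applies the least-privilege goal by granting only rights the user's role needs, rejecting self-approval, and having the monitoring review flag rights that exceed the user's current role or have gone unused.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

# Assumed role-to-rights table: the minimum each role needs to do its work.
ROLE_NEEDS = {"teller": {"core:read"}, "ops": {"core:read", "core:write"}}

@dataclass
class User:
    role: str
    salt: bytes
    pw_hash: bytes
    rights: set = field(default_factory=set)
    last_used: dict = field(default_factory=dict)  # right -> last day used

class AccessRightsAdmin:
    def __init__(self):
        self.users = {}
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def enroll(self, name, role, password):  # 1. enrollment: no rights yet
        salt = os.urandom(16)
        self.users[name] = User(role, salt, self._hash(password, salt))
    def authorize(self, name, right, approver):  # 2. authorization
        u = self.users[name]
        ok = right in ROLE_NEEDS[u.role] and approver != name  # no self-approval
        if ok:
            u.rights.add(right)
        return ok
    def change_role(self, name, role):  # rights persist until a review removes them
        self.users[name].role = role
    def authenticate(self, name, password):  # 3. authentication
        u = self.users.get(name)
        return u is not None and hmac.compare_digest(self._hash(password, u.salt), u.pw_hash)
    def use(self, name, right, day):  # a granted right exercised on a given day
        u = self.users[name]
        if right not in u.rights:
            return False
        u.last_used[right] = day
        return True
    def review(self, today, stale_days=90):  # 4. monitoring of granted rights
        findings = []
        for name, u in self.users.items():
            for r in sorted(u.rights):
                if r not in ROLE_NEEDS[u.role]:
                    findings.append((name, r, "beyond role need"))
                elif today - u.last_used.get(r, -stale_days - 1) > stale_days:
                    findings.append((name, r, "unused"))  # never used counts as stale
        return findings
```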



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
 
 5.5 Cost Considerations
 

 A number of potential costs are associated with developing and implementing computer security policies. Overall, the major cost of policy is the cost of implementing the policy and its impacts upon the organization. For example, establishing a computer security program, accomplished through policy, does not come at negligible cost.
 
 Other costs may be those incurred through the policy development process. Numerous administrative and management activities may be required for drafting, reviewing, coordinating, clearing, disseminating, and publicizing policies. In many organizations, successful policy implementation may require additional staffing and training - and can take time. In general, the costs to an organization for computer security policy development and implementation will depend upon how extensive a change is needed to achieve a level of risk acceptable to management.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated