FYI - US court agrees with feds: Warrants aren’t needed for cell-site location data - Data placed suspects near a string of Radio Shack and T-Mobile store robberies. Another federal appeals court is siding with the Obama administration's position that court warrants are not required to track a suspect's cell-site location. http://arstechnica.com/tech-policy/2016/04/us-court-agrees-with-feds-warrants-arent-needed-for-cell-site-location-data/

FYI - New GozNym banking malware steals millions in just days - A new banking trojan named GozNym is actively hitting U.S. and Canadian banks and has already taken about $4 million from two dozen North American banks. http://www.scmagazine.com/new-goznym-banking-malware-steals-millions-in-just-days/article/489933/

FYI - The anatomy of an spearphishing scam, or how to steal $100M with a fake email - A lawsuit filed on April 14 by U.S. Attorney for the Southern District of New York Preet Bharra gives an insider's view on how frighteningly easy it is for a company to be duped out of a huge sum of money. In this case almost $100 million. http://www.scmagazine.com/the-anatomy-of-an-spearphishing-scam-or-how-to-steal-100m-with-a-fake-email/article/490217/

FYI - MIT develops new cybersecurity AI platform - Researchers at the Massachusetts Institute of Technology (MIT) have published a paper on a new artificial intelligence platform called AI2 that uses human input combined with machine learning to reduce false positives and increase its ability to predict cyberattacks. http://www.scmagazine.com/mit-develops-new-cybersecurity-ai-platform/article/490516/

FYI - Hacker behind Hacking Team breach publishes how-to guide - The hacker who claimed responsibility for breaching Hacking Team last year published an explainer guide detailing his process in executing the attack. http://www.scmagazine.com/hacker-behind-hacking-team-breach-publishes-how-to-guide/article/490541/

FYI - Most orgs couldn't quickly detect breach, study - A recent survey found that only 21 percent of 209 respondents from a research panel said they were able to “almost immediately” detect a breach while 34 percent said they could detect a breach within a day. http://www.scmagazine.com/study-finds-orgs-may-shift-focus-from-perimeter-to-database-security/article/491467/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Cyberattack brings down Newark Police Dept. systems - A cyberattack on the Newark Police Department brought down systems used to track and analyze crime data and to dispatch officers.
http://www.scmagazine.com/newark-pd-hit-with-cyberattack-systems-down-for-three-days/article/490359/
http://www.nj.com/essex/index.ssf/2016/04/cyber_attack_shuts_down_newark_police_computer_sys.html#incart_river_index

FYI - Hacker taps congressman's cellphone, investigation called for - Showing a U.S. Congressman that his mobile phone is not entirely secure may be the best way to encourage the government to take quick action on a cyber security issue. http://www.scmagazine.com/hacker-taps-congressmans-cellphone-investigation-called-for/article/490826/

FYI - Educational network Janet hit with DDoS attacks - A wave of DDoS attacks were launched against the education network Janet yesterday morning. http://www.scmagazine.com/educational-network-janet-hit-with-ddos-attacks/article/490643/

FYI - Stolen laptop puts data of CVS customers in Alabama at risk - The personal information of an undisclosed number of CVS customers at a branch in Calera, Ala., is at risk after a laptop was stolen from one of its vendors. http://www.scmagazine.com/stolen-laptop-puts-data-of-cvs-customers-in-alabama-at-risk/article/490650/

FYI - Australia's prime minister confirms Australian Bureau of Meteorology attack - Although China last year vehemently denied a cyberattack on the Australian Bureau of Meteorology and government officials maintained a stony silence, Australian Prime Minister Malcolm Turnbull confirmed that the bureau was indeed a target of attack. http://www.scmagazine.com/turnbull-confirms-aussie-weather-service-attack-unveils-230m-cyber-strategy/article/491280/  

FYI - 18,000 possibly affected by Archdiocese of Denver data breach - A database maintained by a third-party vendor for The Archdiocese of Denver containing the personal identifiable information of 18,000 former and current employees and their dependents was accessed by an unauthorized person in October 2015, several of the victims have already reported having their information used for fraudulent purposes. http://www.scmagazine.com/18000-possibly-affected-by-archdiocese-of-denver-data-breach/article/491295/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
 
 Additionally, the regulations clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code.  According to the Official Staff Commentary (OSC,) an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.  To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request).  The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.
 
 Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability.  A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device.  Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION
 
 LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
 
 Access Rights Administration (5 of 5)
 
 The access rights process also constrains user activities through an acceptable - use policy (AUP). Users who can access internal systems typically are required to agree to an AUP before using a system. An AUP details the permitted system uses and user activities and the consequences of noncompliance. AUPs can be created for all categories of system users, from internal programmers to customers. An AUP is a key control for user awareness and administrative policing of system activities. Examples of AUP elements for internal network and stand - alone users include:
 
 ! The specific access devices that can be used to access the network;
 
 ! Hardware and software changes the user can make to their access device;
 
 ! The purpose and scope of network activity;
 
 ! Network services that can be used, and those that cannot be used;
 
 ! Information that is allowable and not allowable for transmission using each allowable service;
 
 ! Bans on attempting to break into accounts, crack passwords, or disrupt service;
 
 ! Responsibilities for secure operation; and
 
 ! Consequences of noncompliance.
 
 Depending on the risk associated with the access, authorized internal users should generally receive a copy of the policy and appropriate training, and signify their understanding and agreement with the policy before management grants access to the system.
 
 Customers may be provided with a Web site disclosure as their AUP. Based on the nature of the Web site, the financial institution may require customers to demonstrate knowledge of and agreement to abide by the terms of the AUP. That evidence can be paper based or electronic.
 
 Authorized users may seek to extend their activities beyond what is allowed in the AUP, and unauthorized users may seek to gain access to the system and move within the system. Network security controls provide the protection necessary to guard against those threats.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
 
 6.2.2 Efficient, Economic Coordination of Information
 
 A central computer security program helps to coordinate and manage effective use of security-related resources throughout the organization. The most important of these resources are normally information and financial resources.
 
 Sound and timely information is necessary for managers to accomplish their tasks effectively. However, most organizations have trouble collecting information from myriad sources and effectively processing and distributing it within the organization. This section discusses some of the sources and efficient uses of computer security information.
 
 Within the federal government, many organizations such as the Office of Management and Budget, the General Services Administration, the National Institute of Standards and Technology, and the National Telecommunications and Information Administration, provide information on computer, telecommunications, or information resources. This information includes security-related policy, regulations, standards, and guidance. A portion of the information is channeled through the senior designated official for each agency.  Agencies are expected to have mechanisms in place to distribute the information the senior designated official receives.
 
 Computer security-related information is also available from private and federal professional societies and groups. These groups will often provide the information as a public service, although some private groups charge a fee for it. However, even for information that is free or inexpensive, the costs associated with personnel gathering the information can be high.
  
 Internal security-related information, such as which procedures were effective, virus infections, security problems, and solutions, need to be shared within an organization. Often this information is specific to the operating environment and culture of the organization.
 
 A computer security program administered at the organization level can provide a way to collect the internal security-related information and distribute it as needed throughout the organization. Sometimes an organization can also share this information with external groups.
 
 Another use of an effective conduit of information is to increase the central computer security program's ability to influence external and internal policy decisions. If the central computer security program office can represent the entire organization, then its advice is more likely to be heeded by upper management and external organizations. However, to be effective, there should be excellent communication between the system-level computer security programs and the organization level. For example, if an organization were considering consolidating its mainframes into one site (or considering distributing the processing currently done at one site), personnel at the central program could provide initial opinions about the security implications. However, to speak authoritatively, central program personnel would have to actually know the security impacts of the proposed change -- information that would have to be obtained from the system-level computer security program.
 
 An organization's components may develop specialized expertise, which can be shared among components. For example, one operating unit may primarily use UNIX and have developed skills in UNIX security. A second operating unit (with only one UNIX machine), may concentrate on MVS security and rely on the first unit's knowledge and skills for its UNIX machine.
 
 Besides being able to help an organization use information more cost effectively, a computer security program can also help an organization better spend its scarce security dollars. Organizations can develop expertise and then share it, reducing the need to contract out repeatedly for similar services. The central computer security program can help facilitate information sharing.
 
 Personnel at the central computer security program level can also develop their own areas of expertise. For example, they could sharpen their skills could in contingency planning and risk analysis to help the entire organization perform these vital security functions.
 Some Principal Security Program Interactions
 
 Besides allowing an organization to share expertise and, therefore, save money, a central computer security program can use its position to consolidate requirements so the organization can negotiate discounts based on volume purchasing of security hardware and software. It also facilitates such activities as strategic planning and organization-wide incident handling and security trend analysis.