FYI
- Banking industry security protocol falters in third-party vendor
contracts - Nearly a third of banking organizations do not require
their third-party vendors to notify them in the event of an
information security breach, according to a recent study on the
banking sector's cybersecurity practices.
http://www.scmagazine.com/new-york-state-department-of-financial-services-issues-report/article/409562/
FYI
- Google Wallet now backed by FDIC - Now that search engine giant
Google has received Federal Deposit Insurance Corporation (FDIC) backing
for its mobile payments app Google Wallet, according to a Yahoo
Finance report, cash stashed with the Google platform – which allows
users to pay for in-store or online retail purchases or transfer
funds via an Android phone – will be insured up to $250,000.
http://www.scmagazine.com/google-wallet-now-backed-by-fdic/article/410421/
FYI
- Hackers Could Commandeer New Planes Through Passenger Wi-Fi -
Seven years after the Federal Aviation Administration first warned
Boeing that its new Dreamliner aircraft had a Wi-Fi design that made
it vulnerable to hacking, a new government report suggests the
passenger jets might still be vulnerable.
http://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/
FYI
- Verizon Data Breach Study Finds Little Change in Attack Patterns -
Major risks remain, but there's been little change in the threat
landscape since 2014, Verizon reports. Also, mobile platforms aren't
the preferred attack vector.
http://www.eweek.com/security/verizon-data-breach-study-finds-little-change-in-attack-patterns.html
FYI
- China to Require Backdoors in Foreign Hardware, Software - Foreign
companies selling equipment to Chinese banks will also be required
to disclose source code and submit to audits, the New York Times
reports. The Chinese government recently implemented new rules
requiring foreign companies that sell computer equipment to Chinese
banks to disclose source code, submit to audits and build backdoors
into both hardware and software, according to the New York Times.
http://www.esecurityplanet.com/network-security/china-to-require-backdoors-in-foreign-hardware-software.html
FYI
- Iranian Hackers Eye U.S. Grid - Cyber-savvy agents are stepping up
their efforts to identify critical infrastructure whose compromise
could threaten national security. Iranian hackers are trying to identify computer
systems that control infrastructure in the United States, such as
the electrical grid, presumably with an eye towards damaging those
systems, according to a new report from a cyber security firm and a
think tank in Washington, D.C.
http://www.thedailybeast.com/articles/2015/04/16/report-iranian-hackers-eye-u-s-grid.html
FYI
- Miscreants rummage in lawyers' silky drawers at will, despite
warnings - 173 UK law firms found hackers had their fingers in
briefs last year - UK data privacy watchdogs at the ICO investigated
173 UK law firms for reported breaches of the Data Protection Act
(DPA) last year.
http://www.theregister.co.uk/2015/04/16/law_office_breaches_rife_foia/
FYI
- Health Data Breaches: 29 Million U.S. Records Exposed in Four
Years - More than 29 million U.S. health records were compromised in
data breaches between 2010 and 2013, according to a study published
this week in the Journal of the American Medical Association (JAMA).
http://www.nbcnews.com/tech/security/health-data-breaches-29-million-u-s-records-exposed-four-n342051
FYI
- Average organization has 4,000 instances of exposed credentials
stored in the cloud - Companies are moving their data and workflow
over to the cloud with increasing fervor, according to new research.
http://www.scmagazine.com/cloudlock-releases-cloud-study/article/409794/
FYI
- Open Source Software use increasing in enterprises but without
vulnerability monitoring - As companies increasingly integrate Open
Source Software (OSS) into their business IT environments, they
appear to be faltering in monitoring the software for
vulnerabilities and creating official policies and procedures, a
recent study found.
http://www.scmagazine.com/black-duck-and-north-bridge-survey-companies-on-oss-use/article/410090/
FYI
- Federal cyber workforce woefully inadequate, report says - Rigid
hiring processes and low pay for specialized employees have kept the
U.S. government from developing the type of cyber workforce it needs
to keep up with growing attacks, according to an independent
analysis.
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/04/14/federal-cyber-workforce-woefully-inadequate-report-says/
FYI
- Naval Academy takes trophy at CDX 2015 - The U.S. Naval Academy is
the winner of the 15th Annual Cyber Defense Exercise (CDX).
http://www.federalnewsradio.com/412/3841248/Naval-Academy-takes-trophy-at-CDX-2015
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Minnesota university breach update, 160K students affected -
Minnesota-based Metropolitan State University announced that
approximately 160,000 current and former students, as well as 900
faculty members, were impacted in a “likely” December 2014 breach
that was identified in January.
http://www.scmagazine.com/minnesota-university-breach-update-160k-students-affected/article/409521/
FYI
- VA Teleworkers Breached Security in China and India - The
Department of Veterans Affairs allowed contractors to access the
agency’s network using personally owned laptops while traveling
abroad in China and India, according to a federal inspector.
http://www.nextgov.com/cybersecurity/2015/04/inspector-va-teleworkers-breached-security-china-and-india/110269/
FYI
- HSBC mortgage customer info was publicly accessible on the
internet - An undisclosed number of current and former mortgage
customers of HSBC Finance Corp. in the U.S. are being notified that
their personal information was inadvertently made publicly
accessible on the internet.
http://www.scmagazine.com/hsbc-mortgage-customer-info-was-publicly-accessible-on-the-internet/article/409758/
FYI
- Data at risk for 9,000 individuals following unauthorized access
to SRI Inc. website - Indiana-based SRI Incorporated – which
conducts tax sales, deed sales and foreclosure sales relating to the
recoupment of delinquent tax for local governments – is notifying
roughly 9,000 individuals that their personal information may be at
risk.
http://www.scmagazine.com/data-at-risk-for-9000-individuals-following-unauthorized-access-to-sri-inc-website/article/409793/
FYI
- Jokers, hackers, and airline safety - A security researcher joked
about hacking a plane and was picked up by the FBI. They didn't
think it was one bit funny. - The researcher, founder and
CTO of One World Labs, is well known for speaking his mind on
airlines not taking in-flight networking security seriously.
http://www.zdnet.com/article/jokes-hackers-and-airline-safety/
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites -
Risk Mitigation and Response Guidance for Web Site Spoofing Incidents
(Part 1 of 5)
BACKGROUND
Web-site spoofing is a method of creating fraudulent Web sites that
look similar, if not identical, to an actual site, such as that of a
bank. Customers are typically directed to these spoofed Web sites
through phishing schemes or pharming techniques. Once at the
spoofed Web site, the customers are enticed to enter information
such as their Internet banking username and password, credit card
information, or other information that could enable a criminal to
use the customers' accounts to commit fraud or steal the customers'
identities. Spoofing exposes a bank to strategic, operational, and
reputational risks; jeopardizes the privacy of bank customers; and
exposes banks and their customers to the risk of financial fraud.
PROCEDURES TO ADDRESS SPOOFING
Banks can mitigate the risks of Web-site spoofing by implementing
the identification and response procedures discussed in this
bulletin. A bank also can help minimize the impact of a spoofing
incident by assigning certain bank employees responsibility for
responding to such incidents and training them in the steps
necessary to respond effectively. If a bank's Internet activities
are outsourced, the bank can address spoofing risks by ensuring that
its contracts with its technology service providers stipulate
appropriate procedures for detecting and reporting spoofing
incidents, and that the service provider's process for responding to
such incidents is integrated with the bank's own internal
procedures.
Banks can improve the effectiveness of their response procedures by
establishing contacts with the Federal Bureau of Investigation (FBI)
and local law enforcement authorities in advance of any spoofing
incident. These contacts should involve the appropriate departments
and officials responsible for investigating computer security
incidents. Effective procedures should also include appropriate
time frames to seek law enforcement involvement, taking note of the
nature and type of information and resources that may be available
to the bank, as well as the ability of law enforcement authorities
to act rapidly to protect the bank and its customers.
Additionally, banks can use customer education programs to mitigate
some of the risks associated with spoofing attacks. Education
efforts can include statement stuffers and Web-site alerts
explaining various Internet-related scams, including the use of
fraudulent e-mails and Web-sites in phishing attacks. In addition,
because the attacks can exploit vulnerabilities in Web browsers
and/or operating systems, banks should consider reminding their
customers of the importance of safe computing practices.
FFIEC IT SECURITY - Over the next few weeks, we will cover the FDIC's
"Guidance on Managing Risks Associated With Wireless Networks and
Wireless Customer Access."
Financial institutions are actively evaluating and implementing
wireless technology as a means to reach customers and reduce the
costs of implementing new networks. In light of this fast-developing
trend, the Federal Deposit Insurance Corporation (FDIC) is providing
financial institutions with the following information about the
risks associated with wireless technology and suggestions on
managing those risks. Please share this information with your Chief
Information Officer.
Wireless Technology and the Risks of Implementation
Wireless networks are rapidly becoming a cost-effective
alternative for providing network connectivity to financial
institution information systems. Institutions that are installing
new networks are finding the installation costs of wireless networks
competitive compared with traditional network wiring. Performance
enhancements in wireless technology have also made the adoption of
wireless networks attractive to institutions. Wireless networks
operate at speeds that are sufficient to meet the needs of many
institutions and can be seamlessly integrated into existing
networks. Wireless networks can also be used to provide connectivity
between geographically close locations without having to install
dedicated lines.
Wireless Internet access to banking applications is also becoming
attractive to financial institutions. It offers customers the
ability to perform routine banking tasks while away from the bank
branch, automated teller machines or their own personal computers.
Wireless Internet access is a standard feature on many new cellular
phones and hand-held computers.
Many of the risks that financial institutions face when implementing
wireless technology are risks that exist in any networked
environment (see FIL-67-2000, "Security Monitoring of Computer
Networks," dated October 3, 2000, and the 1996 FFIEC Information
Systems Examination Handbook, Volume 1, Chapter 15). However,
wireless technology carries additional risks that financial
institutions should consider when designing, implementing and
operating a wireless network. Common risks include the potential:
1) Compromise of customer information and transactions over the
wireless network;
2) Disruption of wireless service from radio transmissions of other
wireless devices;
3) Intrusion into the institution's network through wireless
network connections; and
4) Obsolescence of current systems due to rapidly changing
standards.
These risks could ultimately compromise the bank's computer system,
potentially causing:
1) Financial loss due to the execution of unauthorized
transactions;
2) Disclosure of confidential customer information, resulting in -
among other things - identity theft (see FIL-39-2001, "Guidance on
Identity Theft and Pretext Calling," dated May 9, 2001, and FIL-22-2001,
"Guidelines Establishing Standards for Safeguarding Customer
Information," dated March 14, 2001);
3) Negative media attention, resulting in harm to the institution's
reputation; and
4) Loss of customer confidence.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.3.3 Interruption of Operations
HGA's building facilities and physical plant are several decades old and are
frequently under repair or renovation. As a result, power, air
conditioning, and LAN or WAN connectivity for the server are
typically interrupted several times a year for periods of up to one
work day. For example, on several occasions, construction workers
have inadvertently severed power or network cables. Fires, floods,
storms, and other natural disasters can also interrupt computer
operations, as can equipment malfunctions.
Another threat of small likelihood, but significant potential impact, is that of a malicious
or disgruntled employee or outsider seeking to disrupt time-critical
processing (e.g., payroll) by deleting necessary inputs or system
accounts, misconfiguring access controls, planting computer viruses,
or stealing or sabotaging computers or related equipment. Such
interruptions, depending upon when they occur, can prevent time and
attendance data from getting processed and transferred to the
mainframe before the payroll processing deadline.
20.3.4 Disclosure or Brokerage of Information
Other kinds of threats may be stimulated by the growing market for information about an
organization's employees or internal activities. Individuals who
have legitimate work-related reasons for access to the master
employee database may attempt to disclose such information to other
employees or contractors or to sell it to private investigators,
employment recruiters, the press, or other organizations. HGA
considers such threats to be moderately likely and of low to high
potential impact, depending on the type of information involved.