FYI
- Federal Reserve Board announces termination of enforcement action
with Jack Henry & Associates, Inc.
www.federalreserve.gov/newsevents/press/enforcement/20160426a.htm
FYI
- 34 Percent of C-Level Executives Are Never Updated on Security
Incidents - According to the results of a recent survey of 597 U.S.
IT and IT security professionals, 34 percent of respondents said
C-level executives are never updated on security incidents, 36
percent said they're only updated on a need-to-know basis, 23 percent
said they're only updated annually, and just 7 percent said they're
updated weekly or monthly.
http://www.esecurityplanet.com/network-security/34-percent-of-c-level-executives-are-never-updated-on-security-incidents.html
FYI
- Widespread neglect puts NASA’s networks in jeopardy - The most
heralded federal agency is in serious risk of a major cyber attack
and no one seems to care.
http://federalnewsradio.com/cybersecurity/2016/03/widespread-neglect-puts-nasas-networks-jeopardy/
FYI
- DHS, DISA cyber chiefs: Network monitoring is still 'a challenge'
- Sprawling organizations and layered networks pose hurdles to
agencies attempting to be proactive about cybersecurity, federal
officials told the Security Through Innovation Summit.
http://fedscoop.com/dhs-disa-cybersecurity-chiefs-cdm-is-still-a-challenge
FYI
- DHS gives cyber hunters a better type of license - It took the
Homeland Security Department three days to own the computer networks
of three agencies.
http://federalnewsradio.com/cybersecurity/2016/04/dhs-gives-cyber-hunters-better-type-license/
FYI
- Retailers believe breach detection is sufficient, but gap yawns
wide - Retailers believe they can detect a data breach in a week or
less, while another report showed it takes them on average 197 days
to spot advanced threats.
http://www.scmagazine.com/retailers-believe-breach-detection-is-sufficient-but-gap-yawns-wide/article/492357/
FYI
- 73% of global brands and organisations hit with DDoS attack in
2015 - With the bombardment of DDoS attacks fairly consistent
worldwide throughout 2015, it's no longer a matter of if or when
attacks might happen, but how often and for how long.
http://www.scmagazine.com/73-of-global-brands-and-organisations-hit-with-ddos-attack-in-2015/article/492461/
FYI
- Mining company's data is more valuable than gold - Hackers posted
employee data and private documents belonging to Goldcorp, a
publicly listed gold-mining company, on a paste site.
http://www.scmagazine.com/mining-companys-data-is-more-valuable-than-gold/article/492955/
FYI
- Ransomware rampant, but chinks found in its armor - To say that a
day does not pass without a ransomware attack being perpetrated upon
an organization somewhere in the United States is no hyperbolic
statement.
http://www.scmagazine.com/ransomware-rampant-but-chinks-found-in-its-armor/article/492947/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Records of 93.4M Mexican voters discovered in public database - A
researcher claimed to have discovered 93.4 million Mexican voter
registration records, representing all the voters in Mexico, in a
publicly accessible and unprotected database that has since been
taken down.
http://www.scmagazine.com/researcher-claims-to-have-discovered-entire-mexican-voter-registration-database/article/491597/
FYI
- Hacked Filipino voter records made public - Filipino voting
records which were breached earlier this month have now been made
public and searchable.
http://www.scmagazine.com/hacked-filipino-voter-records-made-public/article/491730/
FYI
- Was Spotify breached? Account info shows up on Pastebin - Spotify
may have experienced a security breach, security pros said, after it
was reported that a list of customer account credentials was
discovered on Pastebin.
http://www.scmagazine.com/spotify-denies-compromise-after-user-info-found-on-pastebin/article/492056/
FYI
- Bangladesh banking hack due to SWIFT vulnerability - A report from
the Society for Worldwide Interbank Financial Telecommunication
(SWIFT) indicated the group was aware that malware was targeting its
system when $81 million was stolen from a Bangladesh bank in March.
http://www.scmagazine.com/bangladesh-banking-hack-due-to-swift-vulnerability/article/491854/
FYI
- Possible 1.4GB data breach at Qatar National Bank - The Qatar
National Bank is investigating a possible massive data breach with
more than 15,000 files, or 1.4GB of data, being compromised.
http://www.scmagazine.com/possible-14gb-data-breach-at-qatar-national-bank/article/492348/
FYI
- Over 7M Minecraft mobile credentials exposed after Lifeboat data
breach - A division of Hydreon Corporation, Lifeboat runs servers
for Minecraft Pocket Edition—the smartphone version of the immensely
popular video game Minecraft.
http://www.scmagazine.com/over-7m-minecraft-mobile-credentials-exposed-after-lifeboat-data-breach/article/492634/
FYI
- SWIFT confirms additional cyberattacks on its messaging system -
The Society for Worldwide Interbank Financial Telecommunication
(SWIFT) has issued a warning to its customers that its financial
messaging system has undergone repeated attacks similar to the one
that led to the theft of $81 million from a Bangladesh bank.
http://www.scmagazine.com/swift-confirms-additional-cyberattacks-on-its-messaging-system/article/492464/
FYI
- LuckyPet data breach compromises online payment info -
Seattle-based pet store LuckyPet notified the California State
Attorney General's office of a data breach that compromised online
customer information.
http://www.scmagazine.com/luckypet-data-breach-compromises-online-payment-info/article/492470/
FYI
- Malware in nuclear power plant prompts plant shutdown - Malware
discovered at a nuclear power plant in Germany raised public
concerns and prompted the German electric utilities company
RWE AG to shut down the power plant as a precaution.
http://www.scmagazine.com/malware-in-nuclear-power-plant-prompts-plant-shutdown/article/492618/
FYI
- Cyberattack knocks Lansing utility offline - The Lansing, Mich.,
Board of Water & Light (BWL) expects to be fully back online today
after suffering a cyberattack earlier this week that knocked the
utility's internal computer systems offline.
http://www.scmagazine.com/cyberattack-knocks-lansing-utility-offline/article/492887/
FYI
- Ohio firearms dealer website breach compromises customer names,
state ID data - An Ohio-based firearms dealer notified California's
Attorney General that the company experienced a data breach that
compromised its customers' names and state identification
information.
http://www.scmagazine.com/ohio-firearms-dealer-website-breach-compromises-customer-names-state-id-data/article/492927/
WEB SITE COMPLIANCE - Reserve Requirements of Depository Institutions
(Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
advertising requirements.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
Action Summary - Financial institutions should use effective
authentication methods appropriate to the level of risk. Steps
include:
1) Selecting authentication mechanisms based on the risk associated
with the particular application or services;
2) Considering whether multi-factor authentication is
appropriate for each application, taking into account that
multi-factor authentication is increasingly necessary for many forms
of electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators
(e.g., passwords, PINs, digital certificates, and biometric
templates).
Authentication is the verification of identity by a system based on
the presentation of unique credentials to that system. The unique
credentials are in the form of something the user knows, something
the user has, or something the user is. Those forms exist as shared
secrets, tokens, or biometrics. More than one form can be used in
any authentication process. Authentication that relies on more than
one form is called multi-factor authentication and is generally
stronger than any single authentication method. Authentication
contributes to the confidentiality of data and the accountability of
actions performed on the system by verifying the unique identity of
the system user.
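As an added example (not code from the FFIEC booklet or any institution), the following Python shows how a risk-tiered policy might apply the three authenticator forms above: the "knows" factor is stored only as a salted PBKDF2 digest, the "has" factor is verified as an RFC 4226 HOTP code, and two authenticators of the same form never count as multi-factor. The risk tiers, the PBKDF2 round count and all names are assumptions made for the example.

```python
"""Added example (not the FFIEC booklet's code): risk-tiered multi-factor
check over the booklet's three authenticator forms. Tiers and names are hypothetical."""
import hashlib
import hmac
import os
from enum import Enum

class Form(Enum):
    KNOWS = "shared secret"   # password, PIN
    HAS = "token"             # OTP device, smart card
    IS = "biometric"          # fingerprint template

REQUIRED_FORMS = {"low": 1, "medium": 2, "high": 2}  # constructed tiers
PBKDF2_ROUNDS = 200_000                               # constructed parameter

def store_password(password):
    """Keep only salt + PBKDF2 digest; the password itself is never stored."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time compare

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: the code a hardware or software token displays."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_token(submitted, secret, counter):
    return hmac.compare_digest(submitted, hotp(secret, counter))

def verified_forms(presented):
    """Distinct forms that verified; a password plus a PIN is still one form (KNOWS)."""
    return {form for form, ok in presented if ok}

def meets_policy(risk_tier, presented):
    """Grant only if every authenticator verified and distinct forms meet the tier."""
    return (all(ok for _, ok in presented)
            and len(verified_forms(presented)) >= REQUIRED_FORMS[risk_tier])

def demo_login(password="correct horse battery staple", otp="287082"):
    """Constructed high-risk login: password + HOTP token at counter 1."""
    salt, digest = store_password("correct horse battery staple")
    token_secret = b"12345678901234567890"   # RFC 4226 test-vector secret
    presented = [(Form.KNOWS, verify_password(password, salt, digest)),
                 (Form.HAS, verify_token(otp, token_secret, 1))]
    return meets_policy("high", presented)
```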
Authentication is not identification as that term is used in the USA
PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide
assurance that the initial identification of a system user is
proper. Authentication only provides assurance that the user of the
system is the same user that was initially identified. Procedures
for the initial identification of a system user are beyond the scope
of this booklet.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.2.3 Central Enforcement and Oversight
Besides helping an organization improve the economy and efficiency
of its computer security program, a centralized program can include
an independent evaluation or enforcement function to ensure that
organizational subunits are cost-effectively securing resources and
following applicable policy. While the Office of the Inspector
General (OIG) and external organizations, such as the General
Accounting Office (GAO), also perform a valuable evaluation role,
they operate outside the regular management channels.
There are several reasons for having an oversight function within
the regular management channel. First, computer security is an
important component in the management of organizational resources.
This is a responsibility that cannot be transferred or abandoned.
Second, maintaining an internal oversight function allows an
organization to find and correct problems without the potential
embarrassment of an IG or GAO audit or investigation. Third, the
organization may find different problems from those that an outside
organization may find. The organization understands its assets,
threats, systems, and procedures better than an external
organization; additionally, people may have a tendency to be more
candid with insiders.