FYI - Financial Regulators Release New Appendix for Retail Payment Systems Booklet Appendix E: Mobile Financial Services - The Federal Financial Institutions Examination Council members today issued a revised Retail Payment Systems booklet, which is part of the FFIEC Information Technology Examination Handbook. The update consists of the addition of a new appendix, Appendix E: Mobile Financial Services. www.ffiec.gov/press/pr042916_2.htm

FYI - Hack a car in Michigan, go to prison for life if new bill becomes law - While some Canadian officials are worried about distracted driving in the future, such as drivers being too busy having sex in self-driving cars to be attentive to the vehicle’s “take over” command, Michigan lawmakers are so worried about car hacking that they’ve proposed making it punishable by life in prison. http://www.computerworld.com/article/3064381/security/hack-a-car-in-michigan-go-to-prison-for-life-if-new-bill-becomes-law.html

FYI - Gibraltar kids win UK CyberCenturion blue team hacker comp - A team of Gibraltar school kids have taken out the British CyberCenturion hacking competition at Bletchley Park. http://www.theregister.co.uk/2016/04/27/gibraltar_kids_win_uk_cybercenturion_blue_team_hacker_comp/

FYI - SWIFT warns customers of multiple cyber fraud cases - SWIFT, the global financial network that banks use to transfer billions of dollars every day, warned its customers on Monday that it was aware of "a number of recent cyber incidents" where attackers had sent fraudulent messages over its system. http://www.reuters.com/article/us-cyber-banking-swift-exclusive-idUSKCN0XM2DI

FYI - German nuclear plant infected with computer viruses, operator says - A nuclear power plant in Germany has been found to be infected with computer viruses, but they appear not to have posed a threat to the facility's operations because it is isolated from the Internet, the station's operator said. http://www.reuters.com/article/us-nuclearpower-cyber-germany-idUSKCN0XN2OS

FYI - DHS seeks better private-public sharing of cyber threat information - The Department of Homeland Security wants private-sector companies to get under the agency’s information-sharing umbrella in order to better manage and mitigate cyber risks to critical infrastructure. http://federalnewsradio.com/cybersecurity/2016/04/dhs-seeks-better-private-public-sharing-cyber-threat-information/

FYI - Oversight leaders to probe Social Security defenses - The House Oversight Committee is evaluating cybersecurity practices at the Social Security Administration after a November audit found security weakness to be a “significant deficiency” at the agency. http://thehill.com/policy/cybersecurity/278213-oversight-leaders-to-probe-social-security-defenses

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - BWL in limbo from cyberattack -Utility has had to shut down systems, phone lines, but customer accounts remain secure - For the second time in just more than three years, the Lansing Board of Water & Light faces an emergency that limits its ability to serve customers. http://www.lansingstatejournal.com/story/news/2016/04/27/cyber-attack-bwl-keeps-fbi-silent/83590820/

FYI - Pwnedlist vulnerability exposed 866M accounts - A Michigan school district network engineer discovered a security vulnerability affecting the pwnedlist.com service that exposed 866 million account credentials. http://www.scmagazine.com/pwnedlist-vulnerability-exposed-866m-accounts/article/493722/

FYI - 1,206 Solano Community College employees victimized in W-2 data breach - Solano Community College in Fairfield, Calif., was hit with a spearphishing attack led to the W-2 information for about 1,200 staffers being compromised. http://www.scmagazine.com/1206-solano-community-college-employees-victimized-in-w-2-data-breach/article/493732/

FYI - Some U.S. Bancorp workers' W-2 info exposed in ADP data breach - At least one major corporation that uses ADP as its payroll vendor had some of its employees W-2 tax information compromised. http://www.scmagazine.com/some-us-bancorp-workers-w-2-info-exposed-in-adp-data-breach/article/494044/

FYI - Tampa airport to conduct major IT security audit following apparent breach - Authorities at Tampa International Airport have expedited and expanded a sweeping assessment of its network security, following the resignation of an IT consultant who was allegedly found to have shared system passwords with unauthorized parties, the Tampa Tribune has reported. http://www.scmagazine.com/tampa-airport-to-conduct-major-it-security-audit-following-apparent-breach/article/494033/

FYI - Gmail, Yahoo email credentials among millions found on the dark web - Hold Security is reporting that one of its researchers discovered, and then acquired, a mega-size load of 272 million stolen email credentials from a hacker. http://www.scmagazine.com/updated-gmail-yahoo-email-credentials-among-millions-found-on-the-dark-web/article/494384/

FYI - Anonymous 'Operation Icarus' launches DDoS attack against Bank of Greece - Anonymous Tuesday launched a DDoS attack against the Bank of Greece marking the start of what the group said will be a 30-day campaign targeting central banks across the world. http://www.scmagazine.com/anonymous-attacks-bank-of-greece-in-campaign-against-global-banking-cartel/article/494353/

FYI - Swiss defense department was victim of cyber attack - Following a presentation on cyberespionage to his government's Federal Intelligence Service, Swiss defense minister revealed that his department – the Federal Department of Defence, Civil Protection and Sports – came under cyber attack. http://www.scmagazine.com/swiss-defense-department-was-victim-of-cyber-attack/article/494178/

FYI - Brunswick Corp.'s 13,000 workers' W-2 data compromised - Brunswick Corp. was victimized by a spearsphishing scam that netted the W-2 information for possibly all 13,000 current and former company employees. http://www.scmagazine.com/brunswick-corps-13000-workers-w-2-data-compromised/article/494352/

FYI - Californian accounting breached tax and PII info exposed - An accounting and tax firm reported to the California Attorney General that the company's computer system was accessed by an unauthorized person resulting compromising its stored W-2 information. http://www.scmagazine.com/californian-accounting-breached-tax-and-pii-info-exposed/article/494373/

FYI - Spearphishing attack nets $495K from investment firm - An employee at a Troy, Mich., investment firm was tricked via a spearphishing attack into transferring almost $500,000 to a Hong Kong bank. http://www.scmagazine.com/spearphishing-attack-nets-495k-from-investment-firm/article/494645/

FYI - Charles Schwab data breach exposed client investment data - Charles Schwab informed some of its customers on May 4 that the company had noticed unusual login activity on their account, possibly due to an unauthorized person having obtained their account username and password. http://www.scmagazine.com/charles-schwab-data-breach-exposed-client-investment-data/article/494479/

FYI - Tribune Media's ProSportsDaily Forum site breached - Tribune Media's ProSportsDaily notified the California Attorney General's Office Wednesday of a data breach that compromised user information. http://www.scmagazine.com/prosportsdaily-forum-website-user-information-compromised/article/494474/

Return to the top of the newsletter

WEB SITE COMPLIANCE - The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:
 
 When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services.  Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk.  The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed.  This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.
 
 The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan.  This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements.  For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer.  The compliance officer can also be an ongoing resource to test the system for regulatory compliance.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION
 
 LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
 
 AUTHENTICATION - Shared Secret Systems (Part 1 of 2)
 
 Shared secret systems uniquely identify the user by matching knowledge on the system to knowledge that only the system and user are expected to share. Examples are passwords, pass phrases, or current transaction knowledge. A password is one string of characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string of words or characters (e.g., "My car is a shepherd") that the system may shorten to a smaller password by means of an algorithm. Current transaction knowledge could be the account balance on the last statement mailed to the user/customer. The strength of shared secret systems is related to the lack of disclosure of and about the secret, the difficulty in guessing or discovering the secret, and the length of time that the secret exists before it is changed.
 
 A strong shared secret system only involves the user and the system in the generation of the shared secret. In the case of passwords and pass phrases, the user should select them without any assistance from any other user, such as the help desk. One exception is in the creation of new accounts, where a temporary shared secret could be given to the user for the first login, after which the system prompts the user to create a different password. Controls should prevent any user from re - using shared secrets that may have been compromised or were recently used by them.
 
 Passwords are the most common authentication mechanism. Passwords are generally made difficult to guess when they are composed from a large character set, contain a large number of characters, and are frequently changed. However, since hard - to - guess passwords may be difficult to remember, users may take actions that weaken security, such as writing the passwords down. Any password system must balance the password strength with the user's ability to maintain the password as a shared secret. When the balancing produces a password that is not sufficiently strong for the application, a different authentication mechanism should be considered. Pass phrases are one alternative to consider. Due to their length, pass phrases are generally more resistant to attack than passwords. The length, character set, and time before enforced change are important controls for pass phrases as well as passwords.
 
 Shared secret strength is typically assured through the use of automated tools that enforce the password selection policy. Authentication systems should force changes to shared secrets on a schedule commensurate with risk.
 
 Passwords can also be dynamic. Dynamic passwords typically use seeds, or starting points, and algorithms to calculate a new - shared secret for each access. Because each password is used for only one access, dynamic passwords can provide significantly more authentication strength than static passwords. In most cases, dynamic passwords are implemented through tokens. A token is a physical device, such as an ATM card, smart card, or other device that contains information used in the authentication process.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
 
 6.3 Elements of an Effective Central Computer Security Program
 
 For a central computer security program to be effective, it should be an established part of organization management. If system managers and applications owners do not need to consistently interact with the security program, then it can become an empty token of upper management's "commitment to security."
 
 Stable Program Management Function. A well-established program will have a program manager recognized within the organization as the central computer security program manager. In addition, the program will be staffed with able personnel, and links will be established between the program management function and computer security personnel in other parts of the organization. A computer security program is a complex function that needs a stable base from which to direct the management of such security resources as information and money. The benefits of an oversight function cannot be achieved if the computer security program is not recognized within an organization as having expertise and authority.
 
 Stable Resource Base. A well-established program will have a stable resource base in terms of personnel, funds, and other support. Without a stable resource base, it is impossible to plan and execute programs and projects effectively.
 
 Existence of Policy. Policy provides the foundation for the central computer security program and is the means for documenting and promulgating important decisions about computer security. A central computer security program should also publish standards, regulations, and guidelines that implement and expand on policy.
 
 Published Mission and Functions Statement. A published mission statement grounds the central computer security program into the unique operating environment of the organization. The statement clearly establishes the function of the computer security program and defines responsibilities for both the computer security program and other related programs and entities. Without such a statement, it is impossible to develop criteria for evaluating the effectiveness of the program.
 
 Long-Term Computer Security Strategy. A well-established program explores and develops long-term strategies to incorporate computer security into the next generation of information technology. Since the computer and telecommunications field moves rapidly, it is essential to plan for future operating environments.
 
 Compliance Program. A central computer security program needs to address compliance with national policies and requirements, as well as organization-specific requirements. National requirements include those prescribed under the Computer Security Act of 1987, OMB Circular A-130, the FIRMR, and Federal Information Processing Standards.
 
 Intraorganizational Liaison. Many offices within an organization can affect computer security. The Information Resources Management organization and physical security office are two obvious examples. However, computer security often overlaps with other offices, such as safety, reliability and quality assurance, internal control, or the Office of the Inspector General. An effective program should have established relationships with these groups in order to integrate computer security into the organization's management. The relationships should encompass more than just the sharing of information; the offices should influence each other.
  
 Liaison with External Groups. There are many sources of computer security information, such as NIST's Computer Security Program Managers' Forum, computer security clearinghouse, and the Forum of Incident Response and Security Teams (FIRST). An established program will be knowledgeable of and will take advantage of external sources of information. It will also be a provider of information.