FYI - What it will take for today's CISOs to become tomorrow's COOs and CEOs - The next generation security leaders need to understand how the business works at all levels, but if they can do this, they may become invaluable partners in business. https://www.scmagazine.com/what-it-will-take-for-todays-cisos-to-become-tomorrows-coos-and-ceos/article/659487/

Trump signs cybersecurity executive order - After letting it languish somewhere in the recesses of a beleaguered White House for more than three months, Donald Trump today signed a Cybersecurity Executive Order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, meant to bring efficiency, clarity and additional protections to government IT systems.
https://www.scmagazine.com/trump-signs-cybersecurity-executive-order/article/656801/
http://computerworld.com/article/3196358/security/trumps-cybersecurity-order-pushes-us-government-to-the-cloud.html

U.S. Cyber Command is not “optimized” today to combat information operations orchestrated by foreign powers, NSA Director and U.S. Cyber Command head Adm. Michael Rogers said during a Senate Armed Services Committee hearing Tuesday. https://www.cyberscoop.com/cyber-command-head-not-prepared-counter-info-operations/

Dude hit with $300K bill for faking his hours, hacking boss's website - When your fake invoice strategy is black numbers on a black background, you're gonna fail.
http://www.theregister.co.uk/2017/05/11/dude_whacked_with_us300k_bill_for_faking_his_hours_hacking_bosss_website/
https://www.scmagazine.com/california-man-ordered-to-pay-319k-in-damages-for-hacking-former-employer/article/661194/

PATCH Act introduced to improve federal cybersecurity and transparency - In the wake of the high-profile WanaCryptor ransomware attack, a bipartisan group of elected officials from both Congressional Houses have introduced the Protecting our Ability To Counter Hacking (PATCH) Act to improve cybersecurity and transparency at the federal level. https://www.scmagazine.com/patch-act-introduced-to-improve-federal-cybersecurity-and-transparency/article/662541/

Unraveling mobile banking malware, Check Point - Banking malware targeting mobile users requires little tech know-how to develop and operate, so it stands as a insistent battle for security professionals. https://www.scmagazine.com/unraveling-mobile-banking-malware-check-point/article/662300/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - 7,000 affected in Bronx Lebanon Hospital Data Breach - Bronx Lebanon Hospital Center in New York City was breached exposing the medical records of thousands. https://www.scmagazine.com/7000-affected-in-bronx-lebanon-hospital-data-breach/article/656792/

NSA tools behind worldwide WanaCryptOr ransomware attack - A ransomware attack leveraging alleged NSA hacking tools that began hitting the U.K. National Health System earlier today, has spread globally, impacting FedEx and Spanish telecom Telefonica, and locking up tens of thousands of computers in 74 countries. https://www.scmagazine.com/nsa-tools-behind-worldwide-wanacryptor-ransomware-attack/article/661380/

Millions of identities stolen from education platform Edmodo - The account details of millions of subscribers to the education platform Edmodo have not only been stolen but witnessed to be for sale on the dark web, according to a post on Motherboard. https://www.scmagazine.com/millions-of-identities-stolen-from-education-platform-edmodo/article/661351/

Brooks Brothers site hit with year-long data breach - Men's fashion retailer Brooks Brothers is alerting customers who made purchases at some of its locations of a potential breach. https://www.scmagazine.com/brooks-brothers-site-hit-with-year-long-data-breach/article/661499/

Data of 1.9M Bell Canada customers compromised - Bell Canada on Monday announced that an unknown attacker had gained access to customer information. https://www.scmagazine.com/data-of-19m-bell-canada-customers-compromised/article/661895/

DocuSign's stolen emails lead to phishing attacks - Threat actors are using stolen DocuSign customer emails in a phishing campaign to spread malicious Word Documents. https://www.scmagazine.com/docusigns-stolen-emails-lead-to-phishing-attacks/article/662092/

Bank of France customers targeted in phishing campaign - Cyber-criminals are attempting to steal credentials from French companies and consumers, yet the campaign is falsely attributed to the Bank of France. https://www.scmagazine.com/bank-of-france-customers-targeted-in-phishing-campaign/article/661865/

3,500 affected in Coney Island hospital data breach - A data breach at NYC Health + Hospitals/Coney Island hospital may have compromised the information of nearly 3,500 patients. https://www.scmagazine.com/coney-island-hospital-data-breach-affects-3500/article/662453/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
 
 Sound Capacity, Business Continuity and Contingency Planning Practices for E-Banking
 
 1. All e-banking services and applications, including those provided by third-party service providers, should be identified and assessed for criticality.
 
 2. A risk assessment for each critical e-banking service and application, including the potential implications of any business disruption on the bank's credit, market, liquidity, legal, operational and reputation risk should be conducted.
 
 3. Performance criteria for each critical e-banking service and application should be established, and service levels should be monitored against such criteria.  Appropriate measures should be taken to ensure that e-banking systems can handle high and low transaction volume and that systems performance and capacity is consistent with the bank's expectations for future growth in e-banking.
 
 4. Consideration should be given to developing processing alternatives for managing demand when e-banking systems appear to be reaching defined capacity checkpoints.
 
 5. E-banking business continuity plans should be formulated to address any reliance on third-party service providers and any other external dependencies required achieving recovery.
 
 6. E-banking contingency plans should set out a process for restoring or replacing e-banking processing capabilities, reconstructing supporting transaction information, and include measures to be taken to resume availability of critical e-banking systems and applications in the event of a business disruption.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  ELECTRONIC AND PAPER - BASED MEDIA HANDLING
  
  DISPOSAL
  
  Financial institutions need appropriate disposal procedures for both electronic and paper based media. Policies should prohibit employees from discarding sensitive media along with regular garbage to avoid accidental disclosure. Many institutions shred paper - based media on site and others use collection and disposal services to ensure the media is rendered unreadable and unreconstructable before disposal. Institutions that contract with third parties should use care in selecting vendors to ensure adequate employee background checks, controls, and experience.
  
  Computer - based media presents unique disposal problems. Residual data frequently remains on media after erasure. Since that data can be recovered, additional disposal techniques should be applied to sensitive data. Physical destruction of the media, for instance by subjecting a compact disk to microwaves, can make the data unrecoverable. Additionally, data can sometimes be destroyed after overwriting. Overwriting may be preferred when the media will be re - used. Institutions should base their disposal policies on the sensitivity of the information contained on the media and, through policies, procedures, and training, ensure that the actions taken to securely dispose of computer-based media adequately protect the data from the risks of reconstruction. Where practical, management should log the disposal of sensitive media, especially computer - based media.
  
  TRANSIT
  
  Financial institutions should maintain the security of media while in transit or when shared with third parties. Policies should include:
  
  ! Restrictions on the carriers used and procedures to verify the identity of couriers,
  ! Requirements for appropriate packaging to protect the media from damage,
  ! Use of encryption for transmission of sensitive information,
  ! Security reviews or independent security reports of receiving companies, and
  ! Use of nondisclosure agreements between couriers and third parties.
  
  Financial institutions should address the security of their back - up tapes at all times, including when the tapes are in transit from the data center to off - site storage.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Section III. Operational Controls - Chapter 10
 
 10.5 Interdependencies
 
 User issues are tied to topics throughout this handbook.
 
 Training and Awareness is a critical part of addressing the user issues of computer security.
 
 Identification and Authentication and Access Controls in a computer system can only prevent people from doing what the computer is instructed they are not allowed to do, as stipulated by Policy. The recognition by computer security experts that much more harm comes from people doing what they are allowed to do, but should not do, points to the importance of considering user issues in the computer security picture, and the importance of Auditing.
 
 Policy, particularly its compliance component, is closely linked to personnel issues. A deterrent effect arises among users when they are aware that their misconduct, intentional or unintentional, will be detected.
 
 These controls also depend on manager's (1) selecting the right type and level of access for their employees and (2) informing system managers of which employees need accounts and what type and level of access they require, and (3) promptly informing system managers of changes to access requirements. Otherwise, accounts and accesses can be granted to or maintained for people who should not have them.