R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 31, 2015

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - ISA presses for data to shape cyber security policy, encourages use of NIST framework - The Internet Security Alliance Monday encouraged the Department of Commerce to work with private sector organizations to determine what's needed in terms of cost-effectiveness, incentives and prioritization to stimulate use of the NIST Framework. http://www.scmagazine.com/isa-says-better-information-is-needed-to-create-cyber-security-policy/article/416718/

FYI - Average cost of data breach is $6.5M - In a year already characterized by data breaches at recognizable healthcare organizations, such as CareFirst BlueCross BlueShield, and at major government entities, including the IRS, it's no surprise that victims' personal information is a hot commodity. http://www.scmagazine.com/ponemon-institute-and-ibm-release-annual-data-breach-cost-study/article/417017/

FYI - Google Reveals the Problem With Password Security Questions - Google analyzed hundreds of millions of password security questions and answers, revealing how startlingly easy it is for would-be hackers to get into someone else's account. http://abcnews.go.com/Technology/google-reveals-problem-password-security-questions/story?id=31204819

FYI - County sheriff has used stingray over 300 times with no warrant - San Bernardino Sheriff's Department doesn't tell judges it's using spy device. The sheriff in San Bernardino County—east of Los Angeles County—has deployed a stingray hundreds of times without a warrant, and under questionable judicial authority. http://arstechnica.com/tech-policy/2015/05/county-sheriff-has-used-stingray-over-300-times-with-no-warrant/

FYI - Spy agencies target mobile phones, app stores to implant spyware - Users of millions of smartphones put at risk by certain mobile browser gaps, Snowden file shows - Canada and its spying partners exploited weaknesses in one of the world's most popular mobile browsers and planned to hack into smartphones via links to Google and Samsung app stores, a top secret document obtained by CBC News shows. http://www.cbc.ca/news/canada/spy-agencies-target-mobile-phones-app-stores-to-implant-spyware-1.3076546

FYI - 86 percent of websites contain at least one 'serious' vulnerability - While high-profile vulnerabilities, including Heartbleed and ShellShock, might have garnered more press than most other vulnerabilities for putting websites at-risk, in reality, these flaws are being patched and addressed more than other pressing vulnerabilities in web application software. http://www.scmagazine.com/whitehat-security-release-website-security-statistics-report/article/416402/

FYI - $19M breach settlement between MasterCard, Target terminated - A proposed $19 million breach settlement between Target and MasterCard has reportedly been terminated, since conditions of the deal were not met by an important deadline this week. www.scmagazine.com/target-mastercard-settlement-conditions-not-met-deal-fizzles/article/416285/ 

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - St. Louis Federal Reserve forces password change after DNS attack - A branch of the U.S.'s central bank is forcing a password reset after a cyberattack briefly redirected visitors to parts of its website to bogus Web pages. http://www.computerworld.com/article/2923845/security/st-louis-federal-reserve-forces-password-change-after-dns-attack.html

FYI - Carefirst Blue Cross Breach Hits 1.1M - CareFirst BlueCross BlueShield on Wednesday said it had been hit with a data breach that compromised the personal information on approximately 1.1 million customers. http://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/

FYI - MSpy admits hacking and data theft - A company offering software that allows people to spy on others has admitted it has been hacked and had thousands of customer records leaked online. http://www.bbc.com/news/technology-32826678

FYI - University of London Computer Centre hit by cyber attack - The University of London Computer Centre (ULCC) was the subject of a cyber attack yesterday that may have left millions of students unable to access the organisation's IT services. http://www.computing.co.uk/ctg/news/2409906/university-of-london-computer-centre-hit-by-cyber-attack

FYI - Notice To Patients of Privacy Incident - Medical Management, LLC (“MML”), a medical billing company that provides coding or billing services to Grand View Health, is in the process of notifying affected individuals that some of their personal information may have been compromised by a former employee of MML. https://www.gvh.org/notice-to-patients-of-privacy-incident/

FYI - Hospitals in at least 3 states affected by employee data breach - Thousands of patients were alerted in hospitals across New York, New Jersey, and Pennsylvania that their medical records may have been compromised by an outside contractor. http://www.scmagazine.com/at-least-five-hospitals-affected-in-mml-breach/article/416396/

FYI - House lawmakers' information accessed in CareFirst BlueCross BlueShield breach - House lawmakers might have had some of their personal data compromised in the CareFirst BlueCross BlueShield data breach earlier this week. http://www.scmagazine.com/carefirst-bluecross-blueshield-breach-impacts-legislators-and-staffers/article/416286/

FYI - Ohio student hacks school computer, shares data of 113 students - An Ohio high school student in the Southwest Licking school district gained access to a district shared server and compromised the personal information of 113 students. http://www.scmagazine.com/student-data-compromised-in-breach-of-shared-school-district-server/article/416167/

FYI - Thousands of Bellevue Hospital Center patients notified of data breach - Bellevue Hospital Center operator New York City Health and Hospitals Corporation (HHC) is notifying roughly 3,300 patients that their personal information was included in a spreadsheet that was improperly emailed to an unauthorized recipient. http://www.scmagazine.com/thousands-of-bellevue-hospital-center-patients-notified-of-data-breach/article/416405/

FYI - IRS breach impacts more than 100,000 taxpayers - The Associated Press reported on Tuesday that attackers used an Internal Revenue Service (IRS) system called “Get Transcript” in order to obtain information belonging to more than 100,000 taxpayers. http://www.scmagazine.com/report-irs-breach-impacts-more-than-100000-taxpayers/article/416740/

FYI - Former Jacobi Medical Center employee improperly emails patient data - During the same assessment that revealed a recent Bellevue Hospital Center breach, New York City Health and Hospitals Corporation (HHC) identified a separate incident involving a former Jacobi Medical Center employee improperly emailing personal information on roughly 90,000 patients. http://www.scmagazine.com/former-jacobi-medical-center-employee-improperly-emails-patient-data/article/416590/

FYI - Beacon Health System notifies patients of possible data compromise - Indiana-based Beacon Health System is notifying an undisclosed number of patients that their personal information may have been compromised by unauthorized individuals who gained access to employee email accounts. http://www.scmagazine.com/beacon-health-system-notifies-patients-of-possible-data-compromise/article/416853/

FYI - Cyberattack on Penn State exposes passwords of 18K people - The university's president apologizes for a "sophisticated" security breach that it says involved an attack launched from China. Pennsylvania State University's College of Engineering revealed Friday that it has been the target of two "highly sophisticated" cyberattacks over the last two years. http://www.cnet.com/news/penn-state-cyberattack-exposes-passwords-from-18k-people/


WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 1 of 3)
 
 E-mail and Internet-related fraudulent schemes, such as "phishing" (pronounced "fishing"), are being perpetrated with increasing frequency, creativity and intensity. Phishing involves the use of seemingly legitimate e-mail messages and Internet Web sites to deceive consumers into disclosing sensitive information, such as bank account information, Social Security numbers, credit card numbers, passwords, and personal identification numbers (PINs). The perpetrator of the fraudulent e-mail message may use various means to convince the recipient that the message is legitimate and from a trusted source with which the recipient has an established business relationship, such as a bank. Techniques such as a false "from" address or the use of seemingly legitimate bank logos, Web links and graphics may be used to mislead e-mail recipients.
 
 In most phishing schemes, the fraudulent e-mail message will request that recipients "update" or "validate" their financial or personal information in order to maintain their accounts, and direct them to a fraudulent Web site that may look very similar to the Web site of the legitimate business. These Web sites may include copied or "spoofed" pages from legitimate Web sites to further trick consumers into thinking they are responding to a bona fide request. Some consumers will mistakenly submit financial and personal information to the perpetrator who will use it to gain access to financial records or accounts, commit identity theft or engage in other illegal acts.
 
 The Federal Deposit Insurance Corporation (FDIC) and other government agencies have also been "spoofed" in the perpetration of e-mail and Internet-related fraudulent schemes. For example, in January 2004, a fictitious e-mail message that appeared to be from the FDIC was widely distributed, and it told recipients that their deposit insurance would be suspended until they verified their identity. The e-mail message included a hyperlink to a fraudulent Web site that looked similar to the FDIC's legitimate Web site and asked for confidential information, including bank account information.



FFIEC IT SECURITY -
We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
 
 Risk Mitigation Components - Wireless Internet Devices
 
 
For wireless customer access, the financial institution should institute policies and standards requiring that information and transactions be encrypted throughout the link between the customer and the institution. Financial institutions should carefully consider the impact of implementing technologies requiring that a third party have control over unencrypted customer information and transactions.
 
 As wireless application technologies evolve, new security and control weaknesses will likely be identified in the wireless software and security protocols. Financial institutions should actively monitor security alert organizations for notices related to their wireless application services. They should also consider informing customers when wireless Internet devices that require the use of communications protocols deemed insecure will no longer be supported by the institution.
 
 The financial institution should consider having regular independent security testing performed on its wireless customer access application. Specific testing goals would include the verification of appropriate security settings, the effectiveness of the wireless application security implementation and conformity to the institution's stated standards. The security testing should be performed by an organization that is technically qualified to perform wireless testing and demonstrates appropriate ethical behavior.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.4.2 Protection Against Payroll Fraud and Errors: Time and Attendance Application (1 of 2)

The time and attendance application plays a major role in protecting against payroll fraud and errors. Since the time and attendance application is a component of a larger automated payroll process, many of its functional and security requirements have been derived from both governmentwide and HGA-specific policies related to payroll and leave. For example, HGA must protect personal information in accordance with the Privacy Act. Depending on the specific type of information, it should normally be viewable only by the individual concerned, the individual's supervisors, and personnel and payroll department employees. Such information should also be timely and accurate.

Each week, employees must sign and submit a time sheet that identifies the number of hours they have worked and the amount of leave they have taken. The Time and Attendance Clerk enters the data for a given group of employees and runs an application on the LAN server to verify the data's validity and to ensure that only authorized users with access to the Time and Attendance Clerk's functions can enter time and attendance data. The application performs these security checks by using the LAN server's access control and identification and authentication (I&A) mechanisms. The application compares the data with a limited database of employee information to detect incorrect employee identifiers, implausible numbers of hours worked, and so forth. After correcting any detected errors, the clerk runs another application that formats the time and attendance data into a report, flagging exception/out-of-bound conditions (e.g., negative leave balances).

Department supervisors are responsible for reviewing the correctness of the time sheets of the employees under their supervision and indicating their approval by initialing the time sheets. If they detect significant irregularities and indications of fraud in such data, they must report their findings to the Payroll Office before submitting the time sheets for processing. In keeping with the principle of separation of duty, all data on time sheets and corrections on the sheets that may affect pay, leave, retirement, or other benefits of an individual must be reviewed for validity by at least two authorized individuals (other than the affected individual).

Protection Against Unauthorized Execution

Only users with access to Time and Attendance Supervisor functions may approve and submit time and attendance data -- or subsequent corrections thereof -- to the mainframe. Supervisors may not approve their own time and attendance data.

Only the System Administrator has been granted access to assign a special access control privilege to server programs. As a result, the server's operating system is designed to prevent a bogus time and attendance application created by any other user from communicating with the WAN and, hence, with the mainframe.

The time and attendance application is supposed to be configured so that the clerk and supervisor functions can only be carried out from specific PCs attached to the LAN and only during normal working hours. Administrators are not authorized to exercise functions of the time and attendance application apart from those concerned with configuring the accounts, passwords, and access permissions for clerks and supervisors. Administrators are expressly prohibited by policy from entering, modifying, or submitting time and attendance data via the time and attendance application or other mechanisms.

Protection against unauthorized execution of the time and attendance application depends on I&A and access controls. While the time and attendance application is accessible from any PC, unlike most programs run by PC users, it does not execute directly on the PC's processor. Instead, it executes on the server, while the PC behaves as a terminal, relaying the user's keystrokes to the server and displaying text and graphics sent from the server. The reason for this approach is that common PC systems do not provide I&A and access controls and, therefore, cannot protect against unauthorized time and attendance program execution. Any individual who has access to the PC could run any program stored there.

Another possible approach is for the time and attendance program to perform I&A and access control on its own by requesting and validating a password before beginning each time and attendance session. This approach, however, can be defeated easily by a moderately skilled programming attack, and was judged inadequate by HGA during the application's early design phase.

Recall that the server is a more powerful computer equipped with a multiuser operating system that includes password-based I&A and access controls. Designing the time and attendance application program so that it executes on the server under the control of the server's operating system provides a more effective safeguard against unauthorized execution than executing it on the user's PC.
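The approval and validity rules described in this section (clerk-only entry, administrators barred from T&A data, no self-approval, two reviewers other than the affected employee, and use restricted to specific PCs during working hours) can be written down as a small policy model. The following is an added example, not code from the NIST Handbook or from HGA; the PC names, working hours, employee records and the function names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed policy data (hypothetical): PCs allowed to run T&A functions,
# normal working hours (09:00-17:00, Mon-Fri) and a tiny employee database.
AUTHORIZED_PCS = {"PC-TA-01", "PC-TA-02"}
WORK_HOURS = (9, 17)
MAX_WEEKLY_HOURS = 80.0
EMPLOYEE_DB = {"e100": {"leave_balance": 40.0}, "e200": {"leave_balance": 2.0}}

@dataclass
class Session:
    user: str
    role: str          # "clerk", "supervisor" or "admin"
    pc: str
    when: datetime

@dataclass
class TimeSheet:
    employee: str
    hours: float
    leave_hours: float
    reviewers: set = field(default_factory=set)  # who has checked validity

def session_allowed(s: Session) -> bool:
    """Clerk/supervisor functions only from specific PCs during working hours."""
    return (s.pc in AUTHORIZED_PCS and s.when.weekday() < 5
            and WORK_HOURS[0] <= s.when.hour < WORK_HOURS[1])

def validate_sheet(sheet: TimeSheet) -> list:
    """Clerk-stage checks: bad employee id, implausible hours, negative leave."""
    rec = EMPLOYEE_DB.get(sheet.employee)
    if rec is None:
        return ["unknown employee identifier"]
    flags = []
    if not 0 <= sheet.hours <= MAX_WEEKLY_HOURS:
        flags.append("implausible hours worked")
    if rec["leave_balance"] - sheet.leave_hours < 0:
        flags.append("negative leave balance")
    return flags

def may_enter(s: Session) -> bool:
    """Only clerks enter T&A data; administrators are barred by policy."""
    return s.role == "clerk" and session_allowed(s)

def may_approve(s: Session, sheet: TimeSheet) -> bool:
    """Supervisors approve/submit, never their own sheet, and only once two
    distinct reviewers other than the affected employee have checked it."""
    if s.role != "supervisor" or not session_allowed(s):
        return False
    if s.user == sheet.employee:
        return False  # no self-approval
    reviewers = (sheet.reviewers | {s.user}) - {sheet.employee}
    return len(reviewers) >= 2
```

The approving supervisor counts as one of the two required reviewers, so a sheet that no clerk has checked cannot be approved by a supervisor alone.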

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated