FYI
- Our cybersecurity testing meets the independent
pen-test requirements outlined in the FFIEC Information Security
booklet. Independent pen-testing is part of any financial
institution's cybersecurity defense. To receive due diligence
information, the agreement, and cost-saving fees, please complete the
information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm.
All communication is kept strictly confidential.
FYI
- Patch-crazy Aust Govt fought off EVERY hacker since 2013 -
Breached, but nothing exfiltrated, chuffs spy chief - Australian
Signals Directorate deputy director Steve Day says hackers have
failed to extract any sensitive information from Federal Government
agencies for the last two years despite successfully breaching
several networks.
http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_hacker_since_2013/
FYI
- Multinational firm paid ransom in bitcoins to hackers who broke
into systems - The Brisbane-based company paid a ransom to the
hackers but contacted police after it was attacked again and an
executive’s child targeted online - Hackers extorted an
international company based in Brisbane for a ransom paid out in
bitcoin but then escalated their demands by threatening online
attacks on a senior employee’s child, Queensland police have said.
http://www.theguardian.com/technology/2015/jun/04/hackers-extorted-multinational-firm-in-australia-and-threatened-employee
FYI
- Garage doors vulnerable to hacking from children's toy - Hundreds
of garage doors could be vulnerable to a recent hack that uses a
modified children's toy to test thousands of lock combinations in
seconds.
http://www.scmagazine.com/samy-kamkar-devises-garage-door-hack/article/419020/
FYI
- California Senate OKs requiring warrants to search smartphones,
tablets - The state Senate on Wednesday approved a bill that would
require law enforcement in California to obtain a search warrant or
wiretap order before searching a person’s smartphone, laptop or
other electronic device or accessing information stored on remote
servers.
http://www.latimes.com/local/political/la-me-pc-senate-warrants-search-smartphones-20150603-story.html
FYI
- After breaches, higher-ed schools adopt two-factor authentication
- Payday didn't go as planned on January 2, 2014, for some Boston
University employees. On that day, about a dozen faculty members
discovered their paychecks had not been deposited into their bank
accounts. Instead, thieves had changed the victims’ direct deposit
information and rerouted their pay.
http://www.computerworld.com/article/2931843/security0/after-breaches-higher-ed-schools-adopt-two-factor-authentication.html
FYI
- GAO - Information Technology: Additional Actions and Oversight
Urgently Needed to Reduce Waste and Improve Performance in
Acquisitions and Operations.
http://www.gao.gov/products/GAO-15-675T
FYI
- Assess business risk before entering cyber insurance market - A
speaker at SC Congress Toronto advised attendees looking to absorb
potential breach costs through cyber insurance to have a clear
understanding of the risk management side of their business before
trying to find a broker.
http://www.scmagazine.com/sc-congress-toronto-assess-business-risk-before-entering-cyber-insurance-market/article/419964/
FYI
- 75 percent of companies have significant risk exposure - A
misallocation of resources may account for nearly 75 percent of the
respondents in RSA's inaugural Cybersecurity Poverty Index believing
that their companies have significant cybersecurity risk exposure,
results of the survey indicated.
http://www.scmagazine.com/more-than-400-security-pros-measured-their-security-programs-against-nist-framework/article/419974/
FYI
- Social engineering exploits 'hardwired' human behaviors - People
carrying out social engineering attacks will exploit the fact that,
as humans, we behave in ways that are very hardwired, Fincher said.
Those behaviors include following authority, doing things because
other people are doing them, and acting fast when we believe
something might be for a limited time only.
http://www.scmagazine.com/sc-congress-toronto-social-engineering-exploits-hardwired-human-behaviors/article/420211/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- As federal agency reels from massive data breach, Chinese hackers
blamed - The data breach, said to be one of the biggest in the
federal government's history, affects around four million former and
current civil servants. The US government is badly leaking data. And
China, the prime suspect in the latest data breach, isn't helping.
http://www.zdnet.com/article/as-federal-agency-reels-from-massive-data-breach-chinese-hackers-suspected/
FYI
- Hack exposes personal data of 4 million federal workers - The FBI
says it's probing a data breach at the US agency responsible for
conducting security clearance background checks. A cyberattack on
the US government's personnel office compromised the data of up to 4
million current and former federal employees, officials said
Thursday.
http://www.cnet.com/news/hack-exposes-personal-data-of-4-million-federal-workers/
FYI
- AeroGrow says malware likely compromised payment card data -
Colorado-based AeroGrow International, Inc. is notifying an
undisclosed number of individuals who shopped on its website –
AeroGarden.com – that malware was likely used to infiltrate
AeroGrow's online servers, and that payment card data may have been
compromised.
http://www.scmagazine.com/aerogrow-says-malware-likely-compromised-payment-card-data/article/419227/
FYI
- US Army website offline after hack by Syrian Electronic Army - The
US Army took its official website down Monday as a precaution after
it was compromised by a group of hackers that supports Syria's
embattled president.
http://www.cnet.com/news/us-army-website-offline-after-hack-by-syrian-electronic-army/
FYI
- Eataly NYC confirms data breach - The global Italian food market
Eataly confirmed that it was the victim of a data breach earlier
this year that could have compromised the data of all payment cards
used over a nearly four-month period.
http://www.scmagazine.com/mario-batalis-eately-compromised-in-cyber-attack/article/419082/
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against
E-Mail and Internet-Related Fraudulent Schemes (Part 3 of 3)
Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes. Enhancements may include:
- Incorporating notification procedures to alert customers of
known e-mail and Internet-related fraudulent schemes and to caution
them against responding;
- Establishing a process to notify Internet service
providers, domain name-issuing companies, and law enforcement to
shut down fraudulent Web sites and other Internet resources that may
be used to facilitate phishing or other e-mail and Internet-related
fraudulent schemes;
- Increasing suspicious activity monitoring and employing
additional identity verification controls;
- Offering customers assistance when fraud is detected in
connection with customer accounts;
- Notifying the proper authorities when e-mail and
Internet-related fraudulent schemes are detected, including promptly
notifying their FDIC Regional Office and the appropriate law
enforcement agencies; and
- Filing a Suspicious Activity Report when incidents of
e-mail and Internet-related fraudulent schemes are suspected.
Steps Financial Institutions Can Take to Mitigate Risks
Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and
Internet-related fraudulent schemes, financial institutions should
implement appropriate information security controls as described in
the Federal Financial Institutions Examination Council's (FFIEC)
"Information Security Booklet." Specific actions that should
be considered to prevent and deter e-mail and Internet-related
fraudulent schemes include:
- Improving authentication methods and procedures to protect
against the risk of user ID and password theft from customers
through e-mail and other frauds;
- Reviewing and, if necessary, enhancing practices for
protecting confidential customer data;
- Maintaining current Web site certificates and describing
how customers can authenticate the financial institution's Web pages
by checking the properties on a secure Web page;
- Monitoring accounts individually or in aggregate for
unusual account activity such as address or phone number changes, a
large or high volume of transfers, and unusual customer service
requests;
- Monitoring for fraudulent Web sites using variations of the
financial institution's name;
- Establishing a toll-free number for customers to verify
requests for confidential information or to report suspicious e-mail
messages; and
- Training customer service staff to refer customer concerns
regarding suspicious e-mail request activity to security staff.
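As an added example (not part of the FDIC guidance), the "unusual account activity" monitoring point above written as a small Python detector run over a constructed event log: it flags a contact-detail change followed within a window by a large transfer, and separately a burst of transfers in a short period. The event types, record layout and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (account_id, ISO timestamp, event_type, amount).
SAMPLE_EVENTS = [
    ("A100", "2015-06-01T09:00:00", "phone_change", 0.0),
    ("A100", "2015-06-01T09:20:00", "transfer", 4800.0),
    ("A100", "2015-06-01T09:25:00", "transfer", 4900.0),
    ("A200", "2015-06-01T10:00:00", "transfer", 120.0),
    ("A300", "2015-05-20T08:00:00", "address_change", 0.0),
    ("A300", "2015-06-02T12:00:00", "transfer", 9000.0),  # change is 13 days old
    ("A400", "2015-06-03T14:00:00", "transfer", 200.0),
    ("A400", "2015-06-03T14:05:00", "transfer", 250.0),
    ("A400", "2015-06-03T14:10:00", "transfer", 300.0),
    ("A400", "2015-06-03T14:15:00", "transfer", 275.0),
]

CONTACT_CHANGES = {"address_change", "phone_change"}  # assumed event names


def flag_unusual_activity(events, window=timedelta(hours=72),
                          large_amount=2500.0, burst_count=4,
                          burst_window=timedelta(hours=1)):
    """Return {account_id: [reason, ...]} for accounts that match either:
    1. a transfer >= large_amount within `window` after a contact change;
    2. at least burst_count transfers inside burst_window (high volume).
    Thresholds are illustrative assumptions, not values from the guidance."""
    by_account = defaultdict(list)
    for account, ts, kind, amount in events:
        by_account[account].append((datetime.fromisoformat(ts), kind, amount))

    findings = defaultdict(list)
    for account, evs in by_account.items():
        evs.sort()  # evaluate each account's events in time order
        last_change = None
        recent_transfers = []  # timestamps inside the current burst window
        for ts, kind, amount in evs:
            if kind in CONTACT_CHANGES:
                last_change = ts
                continue
            if kind != "transfer":
                continue
            if last_change and ts - last_change <= window and amount >= large_amount:
                findings[account].append(
                    f"transfer of {amount:.2f} {ts - last_change} after contact change")
            recent_transfers = [t for t in recent_transfers if ts - t <= burst_window]
            recent_transfers.append(ts)
            if len(recent_transfers) >= burst_count:
                findings[account].append(
                    f"{len(recent_transfers)} transfers within {burst_window}")
    return dict(findings)
```

Running `flag_unusual_activity(SAMPLE_EVENTS)` flags A100 (two large transfers minutes after a phone change) and A400 (four transfers in fifteen minutes); A300's transfer is not flagged because the address change falls outside the 72-hour window.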
FFIEC IT SECURITY - We begin a new series
from the FDIC "Security Risks Associated with the Internet."
While this Financial Institution Letter was published in December
1997, the issues still are relevant.
This FDIC paper alerts financial institutions to the fundamental
technological risks presented by use of the Internet. Regardless of
whether systems are maintained in-house or services are outsourced,
bank management is responsible for protecting systems and data from
compromise.
Security Risks
The Internet is inherently insecure. By design, it is an open
network which facilitates the flow of information between computers.
Technologies are being developed so the Internet may be used for
secure electronic commerce transactions, but failure to review and
address the inherent risk factors increases the likelihood of system
or data compromise. Five areas of concern relating to both
transactional and system security issues, as discussed below, are:
Data Privacy and Confidentiality, Data Integrity, Authentication,
Non-repudiation, and Access Control/System Design.
Data Privacy and Confidentiality
Unless otherwise protected, all data transfers, including
electronic mail, travel openly over the Internet and can be
monitored or read by others. Given the volume of transmissions and
the numerous paths available for data travel, it is unlikely that a
particular transmission would be monitored at random. However,
programs, such as "sniffer" programs, can be set up at opportune
locations on a network, like Web servers (i.e., computers that
provide services to other computers on the Internet), to simply look
for and collect certain types of data. Data collected from such
programs can include account numbers (e.g., credit cards, deposits,
or loans) or passwords.
Due to the design of the Internet, data privacy and confidentiality
issues extend beyond data transfer and include any connected data
storage systems, including network drives. Any data stored on a Web
server may be susceptible to compromise if proper security
precautions are not taken.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.4.3 Protection Against Interruption of Operations (1 of 2)
HGA's policies
regarding continuity of operations are derived from requirements
stated in OMB Circular A-130. HGA requires various organizations
within it to develop contingency plans, test them annually, and
establish appropriate administrative and operational procedures for
supporting them. The plans must identify the facilities, equipment,
supplies, procedures, and personnel needed to ensure reasonable
continuity of operations under a broad range of adverse
circumstances.
COG Contingency Planning
COG (Computer
Operations Group) is responsible for developing and maintaining a
contingency plan that sets forth the procedures and facilities to be
used when physical plant failures, natural disasters, or major
equipment malfunctions occur sufficient to disrupt the normal use of
HGA's PCs, LAN, server, router, printers, and other associated
equipment.
The plan prioritizes
applications that rely on these resources, indicating those that
should be suspended if available automated functions or capacities
are temporarily degraded. COG personnel have identified system
software and hardware components that are compatible with those used
by two nearby agencies. HGA has signed an agreement with those
agencies, whereby they have committed to reserving spare
computational and storage capacities sufficient to support HGA's
system-based operations for a few days during an emergency.
No communication
devices or network interfaces may be connected to HGA's systems
without written approval of the COG Manager. The COG staff is
responsible for installing all known security-related software
patches in a timely manner and for maintaining spare or redundant
PCs, servers, storage devices, and LAN interfaces to ensure that at
least 100 people can simultaneously perform word processing tasks at
all times.
To protect against
accidental corruption or loss of data, COG personnel back up the LAN
server's disks onto magnetic tape every night and transport the
tapes weekly to a sister agency for storage. HGA's policies also
stipulate that all PC users are responsible for backing up weekly
any significant data stored on their PC's local hard disks. For the
past several years, COG has issued a yearly memorandum reminding PC
users of this responsibility. COG also strongly encourages them to
store significant data on the LAN server instead of on their PC's
hard disk so that such data will be backed up automatically during
COG's LAN server backups.
To prevent more limited
computer equipment malfunctions from interrupting routine business
operations, COG maintains an inventory of approximately ten fully
equipped spare PCs, a spare LAN server, and several spare disk
drives for the server. COG also keeps thousands of feet of LAN cable
on hand. If a segment of the LAN cable that runs through the
ceilings and walls of HGA's buildings fails or is accidentally
severed, COG technicians will run temporary LAN cabling along the
floors of hallways and offices, typically restoring service within a
few hours for as long as needed until the cable failure is located
and repaired.
To protect against PC
virus contamination, HGA authorizes only System Administrators
approved by the COG Manager to install licensed, copyrighted PC
software packages that appear on the COG-approved list. PC software
applications are generally installed only on the server. (These
stipulations are part of an HGA assurance strategy that relies on
the quality of the engineering practices of vendors to provide
software that is adequately robust and trustworthy.) Only the COG
Manager is authorized to add packages to the approved list. COG
procedures also stipulate that every month System Administrators
should run virus-detection and other security-configuration
validation utilities on the server and, on a spot-check basis, on a
number of PCs. If they find a virus, they must immediately notify
the agency team that handles computer security incidents.
COG is also responsible
for reviewing audit logs generated by the server, identifying audit
records indicative of security violations, and reporting such
indications to the Incident-Handling Team. The COG Manager assigns
these duties to specific members of the staff and ensures that they
are implemented as intended.
The COG Manager is
responsible for assessing adverse circumstances and for providing
recommendations to HGA's Director. Based on these and other sources
of input, the Director will determine whether the circumstances are
dire enough to merit activating various sets of procedures called
for in the contingency plan.