FYI
- Our cybersecurity testing meets the independent pen-test
requirements outlined in the FFIEC Information Security booklet.
Independent pen-testing is part of any financial institution's
cybersecurity defense. To receive due diligence information, an
agreement, and cost-saving fees, please complete the information form
at https://yennik.com/forms-vista-info/external_vista_info_form.htm.
All communication is kept strictly confidential.
FYI
- OPM breach diverges into finger-pointing and dispute over initial
detection - First it was one colossal Office of Personnel Management
(OPM) breach, and then it was two. While the U.S. government and law
enforcement sort through lost data and grapple with the total
breadth of the breaches, Congress has its own work ahead.
http://www.scmagazine.com/opm-breach-detection-and-breadth-remains-murky/article/420788/
FYI
- IRS Security Summit yields recommendations to fight fraud - Less
than three months after convening a security summit that included
the Internal Revenue Service (IRS), tax preparation companies,
software firms and state government administrators, IRS Commissioner
John Koskinen unveiled a series of recommendations and solutions
proffered by the group to fight identity theft tax refund fraud.
http://www.scmagazine.com/public-and-private-orgs-collaborated-to-help-irs-tighten-security/article/420502/
FYI
- Stung, White House orders rapid cybersecurity fixes - The White
House has ordered federal agencies to take immediate steps to make
some basic cybersecurity fixes. The move follows a massive breach of
government employee records.
http://www.computerworld.com/article/2935990/security0/stung-white-house-orders-rapid-cybersecurity-fixes.html
FYI
- Despite billions spent, US federal agencies struggle with
cybersecurity - Data breaches such as the ones at the Office of
Personnel Management, Internal Revenue Service, and State Department
show government networks remain dangerously exposed. Federal
government spending on cybersecurity has increased substantially
over the past several years, but a return on that investment remains
elusive.
http://www.csmonitor.com/World/Passcode/2015/0610/Despite-billions-spent-US-federal-agencies-struggle-with-cybersecurity
FYI
- Catching Up on the OPM Breach - What follows is a timeline that
helped me get my head on straight about the events that preceded
this breach, followed by some analysis and links to other
perspectives on the matter.
http://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/
FYI
- Attackers Stole Certificate From Foxconn to Hack Kaspersky With
Duqu 2.0 - The nation-state malware used to hack the Russian
security firm Kaspersky Lab, as well as hotels associated with
Iranian nuclear negotiations, used a digital certificate stolen from
one of the world’s top electronics makers: Foxconn.
http://www.wired.com/2015/06/foxconn-hack-kaspersky-duqu-2/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- None of us is safe: Major cybersecurity company hacked - Kaspersky
Lab detected a sophisticated and expensive hack it says was carried
out by a country. That's what Moscow-based Kaspersky Lab said
Wednesday when it announced its systems had been attacked, most
likely by hackers working on behalf of a country.
http://www.cnet.com/news/none-of-us-are-safe-major-cybersecurity-company-hacked/
FYI
- Hacked data on millions of US gov't workers was unencrypted - A
union representing U.S. government workers says it believes detailed
personal information on millions of current and former federal
employees that was stolen by hackers was not encrypted.
http://www.computerworld.com/article/2935132/cybercrime-hacking/hacked-data-on-millions-of-us-govt-workers-was-unencrypted.html
FYI
- OPM hackers tried to breach other fed networks - The full scope of
the massive data breach at the Office of Personnel Management might
be even larger than first reported, though early indications show
the attack was likely contained to OPM servers.
http://www.federaltimes.com/story/government/cybersecurity/2015/06/09/opm-hack-other-networks/28749945/
FYI
- Attackers stole data in Bundestag breach - Attackers stole data
after they accessed the internal server of the Bundestag, Germany's
lower house of parliament, according to a report from Deutsche
Welle.
http://www.scmagazine.com/breach-of-germanys-lower-house-of-parliament-worse-than-believed/article/420485/
FYI
- Payment card breach at Holiday Valley Resort - New York-based
Holiday Valley Resort announced that malware may have compromised
payment cards used at any of the resort's point-of-sale (POS)
devices between October 2014 and June.
http://www.scmagazine.com/payment-card-breach-at-holiday-valley-resort/article/420490/
FYI
- Suspicious activity on LastPass network, data compromised -
LastPass announced Monday that suspicious activity was identified on
its network on Friday – as a result, LastPass account email
addresses, password reminders, server per user salts, and
authentication hashes were compromised.
http://www.scmagazine.com/lastpass-blocked-suspicious-activity-after-compromise/article/420790/
FYI
- Contractor laptops stolen, data on thousands of North Shore-LIJ
patients at risk - New York-based North Shore-LIJ Health System is
notifying roughly 18,000 patients that five laptop computers – four
of which contained their personal information – were stolen in
September 2014 from the offices of Global Care Delivery (GCD), a
Texas-based contractor.
http://www.scmagazine.com/contractor-laptops-stolen-data-on-thousands-of-north-shore-lij-patients-at-risk/article/420755/
FYI
- Confusion reigns as Bundestag malware clean-up staggers on -
Watchdog fears it would be easier to throw away whole IT system and
start again - A malware infestation at the Bundestag is proving
harder to clean up than first predicted, with several unconfirmed
local reports going as far as suggesting that techies might have to
rebuild the entire network from scratch.
http://www.theregister.co.uk/2015/06/12/bundestag_malware_outbreak_confusion/
FYI
- FBI, Justice Department investigate Cardinals in Astros hack - The
FBI and Justice Department are investigating whether employees with
the St. Louis Cardinals are responsible for hacking into and
stealing information from computer systems belonging to the Houston
Astros, a Tuesday report posted to the Major League Baseball (MLB)
website said.
http://www.scmagazine.com/st-louis-cards-workers-eyed-for-hacking-astros-stealing-info/article/421047/
http://www.cnet.com/news/hackers-in-the-outfield-cardinals-probed-for-allegedly-hacking-astros/
FYI
- North Dakota Workforce Safety Institute experiences a breach -
Approximately 43,000 incident reports and 13,000 payroll reports
were compromised in a breach of a North Dakota Workforce and Safety
Institute (WSI) server, after the North Dakota Information
Technology Department (ITD) detected unusual activity on a server.
http://www.scmagazine.com/north-dakota-wsi-experiences-breach-thousands-at-risk/article/421053/
FYI
- Medical Information Engineering's network breached; undisclosed
number of patients compromised - Medical Information Engineering
(MIE), a Fort Wayne, Ind.-based medical software company, is
notifying customers of a cybersecurity incident that provided
unauthorized access to its network and some patients' personal
health information.
http://www.scmagazine.com/personal-health-information-compromised-in-mie-breach/article/421033/
FYI
- Magazine publisher loses $1.5 million in phishing attack - Bonnier
Publications, the publisher behind Saveur and Popular Science, might
have lost up to $1.5 million in a successful phishing attack in May.
http://www.scmagazine.com/bonnier-publications-falls-victim-to-chinese-phishing-email/article/421271/
FYI
- Unauthorized access gained to Heartland Dental databases -
Illinois-based Heartland Dental is notifying an undisclosed number
of individuals that unauthorized access was gained to a limited
portion of its IT systems, and that personal data may have been
compromised.
http://www.scmagazine.com/unauthorized-access-gained-to-heartland-dental-databases/article/421161/
FYI
- Lingerie seller's ecommerce server compromised, credit cards at
risk - Lingerie seller is notifying an undisclosed number of
individuals that its ecommerce server was compromised and that
personal information may have been misappropriated.
http://www.scmagazine.com/lingerie-sellers-ecommerce-server-compromised-credit-cards-at-risk/article/421523/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology
Services (Part 1 of 4)
Purpose and Background
This statement focuses on the risk management process of
identifying, measuring, monitoring, and controlling the risks
associated with outsourcing technology services. Financial
institutions should consider the guidance outlined in this statement
and the attached appendix in managing arrangements with their
technology service providers. While this guidance covers a broad
range of issues that financial institutions should address, each
financial institution should apply those elements based on the scope
and importance of the outsourced services as well as the risk to the
institution from the services.
Financial institutions increasingly rely on services provided by
other entities to support an array of technology-related functions.
While outsourcing to affiliated or nonaffiliated entities can help
financial institutions manage costs, obtain necessary expertise,
expand customer product offerings, and improve services, it also
introduces risks that financial institutions should address. This
guidance covers four elements of a risk management process: risk
assessment, selection of service providers, contract review, and
monitoring of service providers.
FFIEC IT SECURITY - We continue the series from the FDIC "Security
Risks Associated with the Internet."
Data Integrity
Potentially, the open architecture of the Internet can allow those
with specific knowledge and tools to alter or modify data during a
transmission. Data integrity could also be compromised within the
data storage system itself, both intentionally and unintentionally,
if proper access controls are not maintained. Steps must be taken to
ensure that all data is maintained in its original or intended
form.
Authentication
Essential in electronic commerce is the need to verify that a
particular communication, transaction, or access request is
legitimate. To illustrate, computer systems on the Internet are
identified by an Internet protocol (IP) address, much like a
telephone is identified by a phone number. Through a variety of
techniques, generally known as "IP spoofing" (i.e., impersonating),
one computer can actually claim to be another. Likewise, user
identity can be misrepresented as well. In fact, it is relatively
simple to send email which appears to have come from someone else,
or even send it anonymously. Therefore, authentication controls are
necessary to establish the identities of all parties to a
communication.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.4.3 Protection Against Interruption of Operations (2 of 2)
Division Contingency Planning
HGA's divisions also must develop and maintain their own contingency
plans. The plans
must identify critical business functions, the system resources and
applications on which they depend, and the maximum acceptable
periods of interruption that these functions can tolerate without
significant reduction in HGA's ability to fulfill its mission. The
head of each division is responsible for ensuring that the
division's contingency plan and associated support activities are
adequate.
For each major application used by multiple divisions, a chief of a
single division
must be designated as the application owner. The designated
official (supported by his or her staff) is responsible for
addressing that application in the contingency plan and for
coordinating with other divisions that use the application.
If a division relies exclusively on computer resources maintained by
COG (Computer
Operations Group) (e.g., the LAN), it need not duplicate COG's
contingency plan, but is responsible for reviewing the adequacy of
that plan. If COG's plan does not adequately address the division's
needs, the division must communicate its concerns to the COG
Director. In either situation, the division must make known the
criticality of its applications to the COG. If the division relies
on computer resources or services that are not provided by
COG, the division is responsible for (1) developing its own
contingency plan or (2) ensuring that the contingency plans of other
organizations (e.g., the WAN service provider) provide adequate
protection against service disruptions.