FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, agreement and, cost saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - Feds' cyber security woes can't all be blamed on legacy systems - Creaky systems that can't use the latest encryption are merely one item in a cyber security mess that took decades to create. The legacy computer systems at the Office of Personnel Management were too old and creaky to use encryption or sufficiently protect data. That argument surfaced in a House Oversight and Government Reform Committee hearing, but there are plenty of other security issues to take the blame. http://www.zdnet.com/article/feds-cyber-security-woes-cant-all-be-blamed-on-legacy-systems/

FYI - Canadian police arrest nine men in 'romance fraud' scheme - Canadian police arrested nine suspects earlier this week in connection to a romance fraud ring that cost victims $1.5 million. http://www.scmagazine.com/dating-site-victims-lose-15-million-in-scam/article/421775/

FYI - Secret Service agent pleads guilty for pocketing $820K from Silk Road - A former Secret Service agent agreed Wednesday to plead guilty to stealing $820,000 worth of Bitcoin during the Silk Road investigation. http://www.scmagazine.com/us-agent-arrested-during-silk-road-investigation-agrees-to-plea/article/421798/

FYI - Three NM teens indicted for cyberattack on baby formula website - Three New Mexico teens were indicted after instigating a cyber attack against the Enfamil baby formula website from their school computer. They're facing felony charges of computer abuse and conspiracy, according to the Albuquerque Journal. http://www.scmagazine.com/three-teens-face-felony-charges-for-calling-hackers-to-overload-enfamil-website/article/421977/

FYI - Hackers had access to security clearance data for a year - The U.S. government still isn't saying how much data it fears was stolen - Hackers who breached a database containing highly personal information on government employees with security clearances had access to the system for about a year before being discovered, The Washington Post reported on Friday. http://www.computerworld.com/article/2938654/cybercrime-hacking/hackers-had-access-to-security-clearance-data-for-a-year.html

FYI - Rewards worth £30,000 offered in search for cyber stars of the future - The SANS Institute has launched an open Cyber Aptitude Assessment competition that will offer high ranking applicants access to cyber 'boot camp' training worth £30,000. http://www.v3.co.uk/v3-uk/news/2413902/rewards-worth-gbp30-000-offered-in-search-for-cyber-stars-of-the-future

FYI - Pentagon seeks to hold its IT users more accountable for cyber missteps - The Defense Department has no shortage of regulations designed to encourage and enforce good cybersecurity behavior on its own networks. But DoD’s chief information officer said as of now, there are too few consequences for users who run afoul of those rules. That’s about to change. http://federalnewsradio.com/defense/2015/06/pentagon-seeks-to-hold-its-it-users-more-accountable-for-cyber-missteps/

FYI - Privacy advocates applaud Supreme Court ruling on hotel registry searches - The Supreme Court has deemed a Los Angeles ordinance, which legalizes warrantless police demands to inspect hotel and motel guest registries, unconstitutional – a decision which could influence law enforcement protocol in other cities subjecting noncompliant hoteliers to arrest of penalty. http://www.scmagazine.com/supreme-court-says-las-warrantless-hotel-registry-searches-unconstitutional/article/422391/

FYI - Michigan State Audit finds several department systems vulnerable - Michigan's Department of Technology, Management and Budget (DTMB) failed to establish effective security management and access controls for several departments leaving systems used to process child welfare information, food assistance programs, and cash management as well as others used in administering state benefits vulnerable to unauthorized access, according to a report released by the state's Office of the Auditor General. http://www.scmagazine.com/michigan-audit-finds-federal-information-child-welfare-and-more-at-risk/article/422393/

FYI - GAO - Cybersecurity: Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies.  http://www.gao.gov/products/GAO-15-725T

FYI - Security incidents in finance sector 300 percent more frequent than other industries - Organizations in the financial services sector encounter security incidents about 300 percent more frequently than those in other industries. http://www.scmagazine.com/financial-services-firms-see-three-times-more-security-incidents-than-other-sectors/article/422655/

FYI - OPM breach possibly compromises more than 32 million current and former employees' PII - Office of Personnel Management (OPM) Director Katherine Archuleta isn't talking, or at least she's not providing concrete figures for the second, and possibly historically large, data breach at her agency. http://www.scmagazine.com/archuleta-testifies-on-opm-breaches-in-front-of-house-committee/article/422664/

FYI - US government log-ins, passwords easy to find on the open Web, researcher says - A CIA-backed technology company says it's spotted credentials connected with the departments of Defense, Justice, Treasury and Energy, as well as the CIA itself. http://www.cnet.com/news/us-government-logins-passwords-easy-to-find-on-open-web-researcher-says/

FYI - 61 percent of critical infrastructure execs confident systems could detect attack in less than a day - Nearly all critical infrastructure industry executives recognize that their organizations are targets for cybercriminals, and almost half think their systems could detect a cyber attack on a critical system within 24 hours. http://www.scmagazine.com/critical-infrastructure-execs-recognize-companies-are-targets-believe-their-systems-can-quickly-detect-attacks/article/422676/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Houston Astros' Breach A 'Wake-Up Call' On Industrial Cyber Espionage - The St. Louis Cardinals' alleged breach of the Astros' proprietary database raises concern over the possibility of US companies hacking their rivals for intel. http://www.darkreading.com/application-security/houston-astros-breach-a-wake-up-call-on-industrial-cyber-espionage/d/d-id/1320947

FYI - Cyberattack knocks Canadian government websites offline - Public Safety Minister Steven Blaney says no personal information was compromised during the attack claimed by Anonymous in retaliation for Bill C-51. The federal government’s networks were hit with a large-scale cyberattack on Wednesday, shutting down websites and internal networks for hours. http://www.thestar.com/news/canada/2015/06/17/canadian-government-websites-hit-with-massive-outage.html

FYI - Banking trojan besieges Bundestag … for the second time - Swatbanker malware appearance seems politically motivated - Online banking trojan Swatbanker has been brought into play in a second round of attacks against the German Bundestag, reports security software firm G DATA. http://www.theregister.co.uk/2015/06/17/banking_trojan_hits_bundestag/

FYI - FBI investigating series of fiber cuts in San Francisco Bay Area - The FBI is looking into a series of deliberate cuts of fiber optic cables in the San Francisco Bay Area. http://www.computerworld.com/article/2936269/cybercrime-hacking/fbi-investigating-series-of-fiber-cuts-in-san-francisco-bay-area.html

FYI - UC Irvine Medical Center announces breach affecting 4,859 patients - University of California (UC) Irvine Medical Center is notifying nearly 5,000 patients that an employee accessed their records without a job-related purpose between June 2011 and March. http://www.scmagazine.com/uc-irvine-medical-center-announces-breach-affecting-4859-patients/article/421645/

FYI - Hack grounds handful of Polish airline's flights - The Polish airline LOT had to ground several planes, temporarily stranding 1,400 passengers at Chopin airport in Warsaw after the airline's ground computers were attacked by hackers. http://www.scmagazine.com/hackers-infiltrated-the-ground-systems-of-lot/article/422135/

FYI - Thousands of Montefiore patients notified of breach, eight suspects indicted - A former employee with New York-based Montefiore Medical Center was indicted along with seven others on Friday for their alleged roles in an operation to steal patient data and use the information to purchase thousands of dollars in goods at retailers and department stores throughout Manhattan. http://www.scmagazine.com/former-monefiore-employee-among-eight-indicted-for-stealing-data-making-purchases/article/422102/

FYI - Polish airline LOT was grounded after 'IT attack' took hold - An unspecified IT attack has left 1,400 passengers of Polish flag carrier LOT Polish Airlines stuck in Warsaw, after the company discovered it was unable to file flight plans for its departing aircraft. http://www.theregister.co.uk/2015/06/22/polish_airline_lot_flights_delayed_it_attack_pwns_flight_planning/

FYI - All Airlines Have the Security Hole That Grounded Polish Planes - More than 10 airplanes were grounded on Sunday after hackers apparently got into computer systems responsible for issuing flight plans to pilots of Poland’s state-owned LOT airline. http://www.wired.com/2015/06/airlines-security-hole-grounded-polish-planes/

FYI - Targeted attacks rise, cyber attackers spreading through networks, report says - Lateral movement and reconnaissance detections observed in a report show a sharp upturn in targeted attacks that have penetrated the perimeter. http://www.scmagazine.com/once-in-attackers-spread-out-through-networks-research-shows/article/422382/

FYI - Dungarees website attacked, payment cards potentially compromised - Missouri-based work wear and accessories retailer Dungarees is notifying an undisclosed number of customers that its website was attacked, and credit and debit card information may have been compromised. http://www.scmagazine.com/dungarees-website-attacked-payment-cards-potentially-compromised/article/422373/

FYI - Hershey Park investigates potential payment card breach - Pennsylvania-based Hershey Park is investigating a potential payment card breach. http://www.scmagazine.com/hershey-park-investigates-potential-payment-card-breach/article/422668/

FYI - COA Network breached, all customer data treated as potentially compromised - COA Network, Inc. – a New Jersey company that provides virtual telephone systems and content management systems – detected a pattern of irregular activity affecting its computer systems, and is treating all customer information as being potentially compromised. http://www.scmagazine.com/coa-network-breached-all-customer-data-treated-as-potentially-compromised/article/422637/

FYI - Indiana town judge says attackers gained access to classified court records - Attackers gained access to Clarksville Town Court classified records on June 23, potentially compromising information such as names, addresses, dates of birth, and Social Security numbers, James Guilfoyle, Clarksville Town Court judge, said in a statement emailed to SCMagazine.com on Thursday. http://www.scmagazine.com/indiana-town-judge-says-attackers-gained-access-to-classified-court-records/article/422932/

Return to the top of the newsletter

WEB SITE COMPLIANCE -

Risk Management of Outsourced Technology Services ( Part 2 of 4)

Risk Assessment

The board of directors and senior management are responsible for understanding the risks associated with outsourcing arrangements for technology services and ensuring that effective risk management practices are in place. As part of this responsibility, the board and management should assess how the outsourcing arrangement will support the institution’s objectives and strategic plans and how the service provider’s relationship will be managed. Without an effective risk assessment phase, outsourcing technology services may be inconsistent with the institution’s strategic plans, too costly, or introduce unforeseen risks.

Outsourcing of information and transaction processing and settlement activities involves risks that are similar to the risks that arise when these functions are performed internally. Risks include threats to security, availability and integrity of systems and resources, confidentiality of information, and regulatory compliance. In addition, the nature of the service provided, such as bill payment, funds transfer, or emerging electronic services, may result in entities performing transactions on behalf of the institution, such as collection or disbursement of funds, that can increase the levels of credit, liquidity, transaction, and reputation risks.

Management should consider additional risk management controls when services involve the use of the Internet. The broad geographic reach, ease of access, and anonymity of the Internet require close attention to maintaining secure systems, intrusion detection and reporting systems, and customer authentication, verification, and authorization. Institutions should also understand that the potential risks introduced are a function of a system’s structure, design and controls and not necessarily the volume of activity.

An outsourcing risk assessment should consider the following:  

• Strategic goals, objectives, and business needs of the financial institution.
• Ability to evaluate and oversee outsourcing relationships.
• Importance and criticality of the services to the financial institution.
• Defined requirements for the outsourced activity.
• Necessary controls and reporting processes.
• Contractual obligations and requirements for the service provider.
• Contingency plans, including availability of alternative service providers, costs and resources
required to switch service providers.
• Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic
objectives and service provider performance.
• Regulatory requirements and guidance for the business lines affected and technologies used.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue the series  from the FDIC "Security Risks Associated with the Internet." 
 
 Data Integrity 
 
 Potentially, the open architecture of the Internet can allow those with specific knowledge and tools to alter or modify data during a transmission. Data integrity could also be compromised within the data storage system itself, both intentionally and unintentionally, if proper access controls are not maintained. Steps must be taken to ensure that all data is maintained in its original or intended form.  
 
 Authentication 
 
 Essential in electronic commerce is the need to verify that a particular communication, transaction, or access request is legitimate. To illustrate, computer systems on the Internet are identified by an Internet protocol (IP) address, much like a telephone is identified by a phone number. Through a variety of techniques, generally known as "IP spoofing" (i.e., impersonating), one computer can actually claim to be another. Likewise, user identity can be misrepresented as well. In fact, it is relatively simple to send email which appears to have come from someone else, or even send it anonymously. Therefore, authentication controls are necessary to establish the identities of all parties to a communication.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.4.4 Protection Against Disclosure or Brokerage of Information

HGA's protection against information disclosure is based on a need-to-know policy and on personnel hiring and screening practices. The need-to-know policy states that time and attendance information should be made accessible only to HGA employees and contractors whose assigned professional responsibilities require it. Such information must be protected against access from all other individuals, including other HGA employees. Appropriate hiring and screening practices can lessen the risk that an untrustworthy individual will be assigned such responsibilities.

The need-to-know policy is supported by a collection of physical, procedural, and automated safeguards, including the following: